Implement CORS middleware with configurable allowed origins and update config structure

2026-01-10 01:06:37 +01:00
parent 7f6fe23219
commit 11436e93c5
3 changed files with 33 additions and 15 deletions
--- a/go_cloud/internal/config/config.go
+++ b/go_cloud/internal/config/config.go
@@ -16,6 +16,7 @@ type Config struct {
 	NextcloudUser    string
 	NextcloudPass    string
 	NextcloudBase    string
+	AllowedOrigins   string
 }

 func Load() *Config {
@@ -31,6 +32,7 @@ func Load() *Config {
 		NextcloudUser:    os.Getenv("NEXTCLOUD_USER"),
 		NextcloudPass:    os.Getenv("NEXTCLOUD_PASSWORD"),
 		NextcloudBase:    getEnv("NEXTCLOUD_BASEPATH", "/"),
+		AllowedOrigins:   getEnv("ALLOWED_ORIGINS", "https://b0esche.cloud,http://localhost:8080"),
 	}
 }

--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -37,7 +37,7 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logger)
 	r.Use(middleware.Recoverer)
-	r.Use(middleware.CORS)
+	r.Use(middleware.CORS(cfg.AllowedOrigins))
 	r.Use(middleware.RateLimit)

 	// Health check
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
@@ -21,22 +21,38 @@ var RequestID = middleware.RequestID
 var Logger = middleware.Logger
 var Recoverer = middleware.Recoverer

-// CORS middleware
-func CORS(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
-		w.Header().Set("Access-Control-Allow-Credentials", "true")
-		w.Header().Set("Access-Control-Max-Age", "3600")
+// CORS middleware - accepts allowedOrigins comma-separated string
+func CORS(allowedOrigins string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get("Origin")
+			// Check if origin is allowed
+			if origin != "" {
+				// Simple check - in production you'd want to parse allowedOrigins properly
+				for _, allowed := range strings.Split(allowedOrigins, ",") {
+					if strings.TrimSpace(allowed) == origin {
+						w.Header().Set("Access-Control-Allow-Origin", origin)
+						w.Header().Set("Access-Control-Allow-Credentials", "true")
+						break
+					}
+				}
+			}
+			// Fallback to * if no credentials needed
+			if w.Header().Get("Access-Control-Allow-Origin") == "" {
+				w.Header().Set("Access-Control-Allow-Origin", "*")
+			}
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+			w.Header().Set("Access-Control-Max-Age", "3600")

-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusOK)
-			return
-		}
+			if r.Method == http.MethodOptions {
+				w.WriteHeader(http.StatusOK)
+				return
+			}

-		next.ServeHTTP(w, r)
-	})
+			next.ServeHTTP(w, r)
+		})
+	}
 }

 // TODO: Implement rate limiter