From 11436e93c5604e451f2130ba86477ebfeb610c91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?=
Date: Sat, 10 Jan 2026 01:06:37 +0100
Subject: [PATCH] Implement CORS middleware with configurable allowed origins and update config structure

---
 go_cloud/internal/config/config.go | 2 +
 go_cloud/internal/http/routes.go | 2 +-
 go_cloud/internal/middleware/middleware.go | 44 +++++++++++++++-------
 3 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/go_cloud/internal/config/config.go b/go_cloud/internal/config/config.go
index f9e464c..83b9601 100644
--- a/go_cloud/internal/config/config.go
+++ b/go_cloud/internal/config/config.go
@@ -16,6 +16,7 @@ type Config struct {
 NextcloudUser string
 NextcloudPass string
 NextcloudBase string
+ AllowedOrigins string
 }

 func Load() *Config {
@@ -31,6 +32,7 @@ func Load() *Config {
 NextcloudUser: os.Getenv("NEXTCLOUD_USER"),
 NextcloudPass: os.Getenv("NEXTCLOUD_PASSWORD"),
 NextcloudBase: getEnv("NEXTCLOUD_BASEPATH", "/"),
+ AllowedOrigins: getEnv("ALLOWED_ORIGINS", "https://b0esche.cloud,http://localhost:8080"),
 }
 }

diff --git a/go_cloud/internal/http/routes.go b/go_cloud/internal/http/routes.go
index 6939e2d..06146ac 100644
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -37,7 +37,7 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
 r.Use(middleware.RequestID)
 r.Use(middleware.Logger)
 r.Use(middleware.Recoverer)
- r.Use(middleware.CORS)
+ r.Use(middleware.CORS(cfg.AllowedOrigins))
 r.Use(middleware.RateLimit)

 // Health check
diff --git a/go_cloud/internal/middleware/middleware.go b/go_cloud/internal/middleware/middleware.go
index 7c3f9fc..2f7b090 100644
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
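Review bot: The default value for `ALLOWED_ORIGINS` in the Load() hunk ships `http://localhost:8080` as an allowed origin, and the middleware this commit wires up answers a listed origin with `Access-Control-Allow-Credentials: true`; on a production deployment that lets any page a user happens to be serving on their own localhost:8080 (a dev server, another local tool) make credentialed cross-origin requests to this API. A development origin should be opt-in through the environment rather than baked into the fallback: `AllowedOrigins: getEnv("ALLOWED_ORIGINS", "https://b0esche.cloud"),`. The new struct field also deserves a comment stating the contract the middleware relies on, e.g. `// AllowedOrigins is a comma-separated list of exact origins (scheme://host[:port]) permitted to make credentialed cross-origin requests.` Both the Config struct and Load() extend beyond the hunk.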
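Review bot: Registering CORS ahead of RateLimit in NewRouter means preflight OPTIONS requests are answered inside the CORS middleware (the middleware.go change returns right after `w.WriteHeader(http.StatusOK)` for OPTIONS) and never reach the rate limiter, so an unauthenticated preflight flood goes unmetered. This may be moot for now, since the middleware file still ends on `// TODO: Implement rate limiter`, but if the limiter is meant to cover every request it should run first: `r.Use(middleware.RateLimit)` before `r.Use(middleware.CORS(cfg.AllowedOrigins))`. NewRouter continues outside the hunk.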
@@ -21,22 +21,38 @@ var RequestID = middleware.RequestID
 var Logger = middleware.Logger
 var Recoverer = middleware.Recoverer

-// CORS middleware
-func CORS(next http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Access-Control-Allow-Origin", "*")
- w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
- w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
- w.Header().Set("Access-Control-Allow-Credentials", "true")
- w.Header().Set("Access-Control-Max-Age", "3600")
+// CORS middleware - accepts allowedOrigins comma-separated string
+func CORS(allowedOrigins string) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ origin := r.Header.Get("Origin")
+ // Check if origin is allowed
+ if origin != "" {
+ // Simple check - in production you'd want to parse allowedOrigins properly
+ for _, allowed := range strings.Split(allowedOrigins, ",") {
+ if strings.TrimSpace(allowed) == origin {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ w.Header().Set("Access-Control-Allow-Credentials", "true")
+ break
+ }
+ }
+ }
+ // Fallback to * if no credentials needed
+ if w.Header().Get("Access-Control-Allow-Origin") == "" {
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ }
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+ w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+ w.Header().Set("Access-Control-Max-Age", "3600")

- if r.Method == http.MethodOptions {
- w.WriteHeader(http.StatusOK)
- return
- }
+ if r.Method == http.MethodOptions {
+ w.WriteHeader(http.StatusOK)
+ return
+ }

- next.ServeHTTP(w, r)
- })
+ next.ServeHTTP(w, r)
+ })
+ }
 }

 // TODO: Implement rate limiter
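Review bot: The `// Fallback to * if no credentials needed` branch still emits `Access-Control-Allow-Origin: *` for every origin that is not on the list, so the allowlist only gates the credentials flag while every non-credentialed response stays readable from any site, which is what the old wildcard already allowed. The safe default for an unlisted origin is to send no `Access-Control-Allow-Origin` at all and let the browser block the read, so those four fallback lines should simply be deleted. Because the headers now depend on the request's Origin, add `w.Header().Add("Vary", "Origin")` beside the other header writes so a shared cache never serves one origin's allow header to another. The new code also calls `strings.Split`/`strings.TrimSpace` but no import line is touched in this commit (the diffstat's 30 middleware.go insertions are all within this hunk), so it only builds if `strings` was already imported above the hunk. Exact, case-sensitive comparison is the correct check here, so the `// Simple check - in production ...` comment undersells it; what a follow-up should add is rejecting a `*` entry in the list, since that would be echoed back together with `Access-Control-Allow-Credentials: true`.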