b0esche/b0esche_cloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement CORS middleware with configurable allowed origins and update config structure

Browse Source
This commit is contained in:
Leon Bösche
2026-01-10 01:06:37 +01:00
parent 7f6fe23219
commit 11436e93c5
3 changed files with 33 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
go_cloud/internal/config/config.go
View File

@@ -16,6 +16,7 @@ type Config struct {
NextcloudUser string NextcloudUser string
NextcloudPass string NextcloudPass string
NextcloudBase string NextcloudBase string
AllowedOrigins string
} }
func Load() *Config { func Load() *Config {
@@ -31,6 +32,7 @@ func Load() *Config {
NextcloudUser: os.Getenv("NEXTCLOUD_USER"), NextcloudUser: os.Getenv("NEXTCLOUD_USER"),
NextcloudPass: os.Getenv("NEXTCLOUD_PASSWORD"), NextcloudPass: os.Getenv("NEXTCLOUD_PASSWORD"),
NextcloudBase: getEnv("NEXTCLOUD_BASEPATH", "/"), NextcloudBase: getEnv("NEXTCLOUD_BASEPATH", "/"),
AllowedOrigins: getEnv("ALLOWED_ORIGINS", "https://b0esche.cloud,http://localhost:8080"),
} }
} }

2
go_cloud/internal/http/routes.go
View File

@@ -37,7 +37,7 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
r.Use(middleware.RequestID) r.Use(middleware.RequestID)
r.Use(middleware.Logger) r.Use(middleware.Logger)
r.Use(middleware.Recoverer) r.Use(middleware.Recoverer)
r.Use(middleware.CORS) r.Use(middleware.CORS(cfg.AllowedOrigins))
r.Use(middleware.RateLimit) r.Use(middleware.RateLimit)
// Health check // Health check

44
go_cloud/internal/middleware/middleware.go
View File

@@ -21,22 +21,38 @@ var RequestID = middleware.RequestID
var Logger = middleware.Logger var Logger = middleware.Logger
var Recoverer = middleware.Recoverer var Recoverer = middleware.Recoverer
// CORS middleware // CORS middleware - accepts allowedOrigins comma-separated string
func CORS(next http.Handler) http.Handler { func CORS(allowedOrigins string) func(http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return func(next http.Handler) http.Handler {
w.Header().Set("Access-Control-Allow-Origin", "*") return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS") origin := r.Header.Get("Origin")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization") // Check if origin is allowed
w.Header().Set("Access-Control-Allow-Credentials", "true") if origin != "" {
w.Header().Set("Access-Control-Max-Age", "3600") // Simple check - in production you'd want to parse allowedOrigins properly
for _, allowed := range strings.Split(allowedOrigins, ",") {
if strings.TrimSpace(allowed) == origin {
w.Header().Set("Access-Control-Allow-Origin", origin)
w.Header().Set("Access-Control-Allow-Credentials", "true")
break
}
}
}
// Fallback to * if no credentials needed
if w.Header().Get("Access-Control-Allow-Origin") == "" {
w.Header().Set("Access-Control-Allow-Origin", "*")
}
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
w.Header().Set("Access-Control-Max-Age", "3600")
if r.Method == http.MethodOptions { if r.Method == http.MethodOptions {
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
return return
} }
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
}) })
}
} }
// TODO: Implement rate limiter // TODO: Implement rate limiter