feat: add CORS middleware for API routes

2026-05-19 02:46:44 +02:00
parent 3a4fa82f14
commit ccfb469299
2 changed files with 46 additions and 1 deletions

45
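--- a/internal/server/cors.go
+++ b/internal/server/cors.go
@@ -0,0 +1,45 @@
+package server
+import (
+"net/http"
+"os"
+"strings"
+"github.com/gin-gonic/gin"
+)
+func CORSMiddleware() gin.HandlerFunc {
+allowAll := os.Getenv("MAL_CORS_ALLOW_ALL") == "1"
+return func(c *gin.Context) {
+origin := c.GetHeader("Origin")
+if origin != "" && (allowAll || isAllowedOrigin(origin)) {
+c.Header("Access-Control-Allow-Origin", origin)
+c.Header("Vary", "Origin")
+c.Header("Access-Control-Allow-Methods", "GET,POST,DELETE,OPTIONS")
+c.Header("Access-Control-Allow-Headers", "Authorization,Content-Type")
+c.Header("Access-Control-Max-Age", "600")
+}
+if c.Request.Method == http.MethodOptions && strings.HasPrefix(c.Request.URL.Path, "/api/") {
+c.Status(http.StatusNoContent)
+c.Abort()
+return
+}
+c.Next()
+}
+}
+func isAllowedOrigin(origin string) bool {
+if strings.HasPrefix(origin, "moz-extension://") {
+return true
+}
+if strings.HasPrefix(origin, "http://localhost:") || strings.HasPrefix(origin, "https://localhost:") {
+return true
+}
+if strings.HasPrefix(origin, "http://127.0.0.1:") || strings.HasPrefix(origin, "https://127.0.0.1:") {
+return true
+}
+return false
+}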
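Review bot: `isAllowedOrigin` accepts every origin that begins with `moz-extension://`, so any add-on installed in the user's Firefox profile can read `/api/` responses cross-origin, not only the one this API is presumably meant to serve. If the intended extension's origin can be supplied through configuration, compare against that full origin (`moz-extension://<extension-uuid>`, placeholder) instead of the scheme prefix. With `MAL_CORS_ALLOW_ALL=1` the middleware reflects whatever `Origin` the request carries, which is tolerable only while `Access-Control-Allow-Credentials` stays unset as it is here. A comment on `allowAll` such as `// reflects any Origin; never combine with Access-Control-Allow-Credentials` would keep a later change from pairing the two. `Vary: Origin` is also set only inside the allowed branch; moving it above the `if` as `c.Writer.Header().Add("Vary", "Origin")` keeps a shared cache from serving a response produced for one origin to another.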


@@ -22,7 +22,7 @@ func ProvideRouter(htmlRender render.HTMLRender) *gin.Engine {
gin.SetMode(gin.ReleaseMode)
}
r := gin.New()
r.Use(gin.Logger(), gin.Recovery())
r.Use(CORSMiddleware(), gin.Logger(), gin.Recovery())
r.Static("/static", "./static")
r.Static("/dist", "./dist")
r.HTMLRender = htmlRender
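Review bot: Registering `CORSMiddleware()` ahead of `gin.Logger()` and `gin.Recovery()` means the `OPTIONS` requests it ends with `c.Abort()` never reach the logger, so cross-origin preflights against `/api/` leave no access-log entry. The CORS handler itself also runs outside the recovery middleware. Unless skipping the log is intended, register it after the other two: `r.Use(gin.Logger(), gin.Recovery(), CORSMiddleware())`. ProvideRouter's body starts and ends outside the hunk, so any route-level handling of `OPTIONS` further down is not visible here.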