Set CORS Headers when needed if CORS is enabled

- Enable CORS with and without RateLimiter
2025-02-25 18:55:24 -06:00 · 2016-03-02 21:24:40 -03:00
parent 3177f30829
commit 6b1abb404f
2 changed files with 23 additions and 34 deletions
--- a/api/context.go
+++ b/api/context.go
@@ -21,6 +21,15 @@ import (

 var sessionCache *utils.Cache = utils.NewLru(model.SESSION_CACHE_SIZE)

+var allowedMethods []string = []string{
+	"POST",
+	"GET",
+	"OPTIONS",
+	"PUT",
+	"PATCH",
+	"DELETE",
+}
+
 type Context struct {
 	Session           model.Session
 	RequestId         string
@@ -166,10 +175,6 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		// All api response bodies will be JSON formatted by default
 		w.Header().Set("Content-Type", "application/json")

-		if len(*utils.Cfg.ServiceSettings.AllowCorsFrom) > 0 {
-			w.Header().Set("Access-Control-Allow-Origin", *utils.Cfg.ServiceSettings.AllowCorsFrom)
-		}
-
 		if r.Method == "GET" {
 			w.Header().Set("Expires", "0")
 		}
@@ -238,38 +243,22 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func (cw *CorsWrapper) ServeHTTP(
-	w http.ResponseWriter,
-	r *http.Request) {
-	allowedMethods := []string{
-		"POST",
-		"GET",
-		"OPTIONS",
-		"PUT",
-		"PATCH",
-		"DELETE",
-	}
-
-	allowedHeaders := []string{
-		"Accept",
-		"Content-Type",
-		"Content-Length",
-		"Accept-Encoding",
-		"Authorization",
-		"X-CSRF-Token",
-		"X-Auth-Token",
-	}
-
+func (cw *CorsWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if len(*utils.Cfg.ServiceSettings.AllowCorsFrom) > 0 {
-		w.Header().Set("Access-Control-Allow-Origin", *utils.Cfg.ServiceSettings.AllowCorsFrom)
+		origin := r.Header.Get("Origin")
+		if *utils.Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(*utils.Cfg.ServiceSettings.AllowCorsFrom, origin) {
+			w.Header().Set("Access-Control-Allow-Origin", origin)

-		w.Header().Set(
-			"Access-Control-Allow-Methods",
-			strings.Join(allowedMethods, ", "))
+			if r.Method == "OPTIONS" {
+				w.Header().Set(
+					"Access-Control-Allow-Methods",
+					strings.Join(allowedMethods, ", "))

-		w.Header().Set(
-			"Access-Control-Allow-Headers",
-			strings.Join(allowedHeaders, ", "))
+				w.Header().Set(
+					"Access-Control-Allow-Headers",
+					r.Header.Get("Access-Control-Request-Headers"))
+			}
+		}
 	}

 	if r.Method == "OPTIONS" {
--- a/api/server.go
+++ b/api/server.go
@@ -42,7 +42,7 @@ func StartServer() {
 	l4g.Info(utils.T("api.server.start_server.starting.info"))
 	l4g.Info(utils.T("api.server.start_server.listening.info"), utils.Cfg.ServiceSettings.ListenAddress)

-	var handler http.Handler = Srv.Router
+	var handler http.Handler = &CorsWrapper{Srv.Router}

 	if utils.Cfg.RateLimitSettings.EnableRateLimiter {
 		l4g.Info(utils.T("api.server.start_server.rate.info"))