[chore] The Big Middleware and API Refactor (tm) (#1250)

* interim commit: start refactoring middlewares into package under router

* another interim commit, this is becoming a big job

* another fucking massive interim commit

* refactor bookmarks to new style

* ambassador, wiz zeze commits you are spoiling uz

* she compiles, we're getting there

* we're just normal men; we're just innocent men

* apiutil

* whoopsie

* i'm glad noone reads commit msgs haha :blob_sweat:

* use that weirdo go-bytesize library for maxMultipartMemory

* fix media module paths

internal/middleware/cors.go

@@ -0,0 +1,86 @@
+/*
+   GoToSocial
+   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package middleware
+
+import (
+	"time"
+
+	"github.com/gin-contrib/cors"
+	"github.com/gin-gonic/gin"
+)
+
+// CORS returns a new gin middleware which allows CORS requests to be processed.
+// This is necessary in order for web/browser-based clients like Pinafore to work.
+func CORS() gin.HandlerFunc {
+	cfg := cors.Config{
+		// todo: use config to customize this
+		AllowAllOrigins: true,
+
+		// adds the following:
+		// 	"chrome-extension://"
+		// 	"safari-extension://"
+		// 	"moz-extension://"
+		// 	"ms-browser-extension://"
+		AllowBrowserExtensions: true,
+		AllowMethods: []string{
+			"POST",
+			"PUT",
+			"DELETE",
+			"GET",
+			"PATCH",
+			"OPTIONS",
+		},
+		AllowHeaders: []string{
+			// basic cors stuff
+			"Origin",
+			"Content-Length",
+			"Content-Type",
+
+			// needed to pass oauth bearer tokens
+			"Authorization",
+
+			// needed for websocket upgrade requests
+			"Upgrade",
+			"Sec-WebSocket-Extensions",
+			"Sec-WebSocket-Key",
+			"Sec-WebSocket-Protocol",
+			"Sec-WebSocket-Version",
+			"Connection",
+		},
+		AllowWebSockets: true,
+		ExposeHeaders: []string{
+			// needed for accessing next/prev links when making GET timeline requests
+			"Link",
+
+			// needed so clients can handle rate limits
+			"X-RateLimit-Reset",
+			"X-RateLimit-Limit",
+			"X-RateLimit-Remaining",
+			"X-Request-Id",
+
+			// websocket stuff
+			"Connection",
+			"Sec-WebSocket-Accept",
+			"Upgrade",
+		},
+		MaxAge: 2 * time.Minute,
+	}
+
+	return cors.New(cfg)
+}