mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2024-12-12 16:50:28 +01:00
a156188b3e
* update dependencies, bump Go version to 1.19 * bump test image Go version * update golangci-lint * update gotosocial-drone-build * sign * linting, go fmt * update swagger docs * update swagger docs * whitespace * update contributing.md * fuckin whoopsie doopsie * linterino, linteroni * fix followrequest test not starting processor * fix other api/client tests not starting processor * fix remaining tests where processor not started * bump go-runners version * don't check last-webfingered-at, processor may have updated this * update swagger command * update bun to latest version * fix embed to work the same as before with new bun Signed-off-by: kim <grufwub@gmail.com> Co-authored-by: tsmethurst <tobi.smethurst@protonmail.com>
140 lines
2.9 KiB
Go
140 lines
2.9 KiB
Go
package cors
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
type cors struct {
|
|
allowAllOrigins bool
|
|
allowCredentials bool
|
|
allowOriginFunc func(string) bool
|
|
allowOrigins []string
|
|
normalHeaders http.Header
|
|
preflightHeaders http.Header
|
|
wildcardOrigins [][]string
|
|
}
|
|
|
|
var (
|
|
DefaultSchemas = []string{
|
|
"http://",
|
|
"https://",
|
|
}
|
|
ExtensionSchemas = []string{
|
|
"chrome-extension://",
|
|
"safari-extension://",
|
|
"moz-extension://",
|
|
"ms-browser-extension://",
|
|
}
|
|
FileSchemas = []string{
|
|
"file://",
|
|
}
|
|
WebSocketSchemas = []string{
|
|
"ws://",
|
|
"wss://",
|
|
}
|
|
)
|
|
|
|
func newCors(config Config) *cors {
|
|
if err := config.Validate(); err != nil {
|
|
panic(err.Error())
|
|
}
|
|
|
|
for _, origin := range config.AllowOrigins {
|
|
if origin == "*" {
|
|
config.AllowAllOrigins = true
|
|
}
|
|
}
|
|
|
|
return &cors{
|
|
allowOriginFunc: config.AllowOriginFunc,
|
|
allowAllOrigins: config.AllowAllOrigins,
|
|
allowCredentials: config.AllowCredentials,
|
|
allowOrigins: normalize(config.AllowOrigins),
|
|
normalHeaders: generateNormalHeaders(config),
|
|
preflightHeaders: generatePreflightHeaders(config),
|
|
wildcardOrigins: config.parseWildcardRules(),
|
|
}
|
|
}
|
|
|
|
func (cors *cors) applyCors(c *gin.Context) {
|
|
origin := c.Request.Header.Get("Origin")
|
|
if len(origin) == 0 {
|
|
// request is not a CORS request
|
|
return
|
|
}
|
|
host := c.Request.Host
|
|
|
|
if origin == "http://"+host || origin == "https://"+host {
|
|
// request is not a CORS request but have origin header.
|
|
// for example, use fetch api
|
|
return
|
|
}
|
|
|
|
if !cors.validateOrigin(origin) {
|
|
c.AbortWithStatus(http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
if c.Request.Method == "OPTIONS" {
|
|
cors.handlePreflight(c)
|
|
defer c.AbortWithStatus(http.StatusNoContent) // Using 204 is better than 200 when the request status is OPTIONS
|
|
} else {
|
|
cors.handleNormal(c)
|
|
}
|
|
|
|
if !cors.allowAllOrigins {
|
|
c.Header("Access-Control-Allow-Origin", origin)
|
|
}
|
|
}
|
|
|
|
func (cors *cors) validateWildcardOrigin(origin string) bool {
|
|
for _, w := range cors.wildcardOrigins {
|
|
if w[0] == "*" && strings.HasSuffix(origin, w[1]) {
|
|
return true
|
|
}
|
|
if w[1] == "*" && strings.HasPrefix(origin, w[0]) {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(origin, w[0]) && strings.HasSuffix(origin, w[1]) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (cors *cors) validateOrigin(origin string) bool {
|
|
if cors.allowAllOrigins {
|
|
return true
|
|
}
|
|
for _, value := range cors.allowOrigins {
|
|
if value == origin {
|
|
return true
|
|
}
|
|
}
|
|
if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) {
|
|
return true
|
|
}
|
|
if cors.allowOriginFunc != nil {
|
|
return cors.allowOriginFunc(origin)
|
|
}
|
|
return false
|
|
}
|
|
|
|
func (cors *cors) handlePreflight(c *gin.Context) {
|
|
header := c.Writer.Header()
|
|
for key, value := range cors.preflightHeaders {
|
|
header[key] = value
|
|
}
|
|
}
|
|
|
|
func (cors *cors) handleNormal(c *gin.Context) {
|
|
header := c.Writer.Header()
|
|
for key, value := range cors.normalHeaders {
|
|
header[key] = value
|
|
}
|
|
}
|