feat: support CORS by using rest.WithCors(...) (#1212)

* feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors
2021-11-07 22:42:40 +08:00
parent e8efcef108
commit c28e01fed3
9 changed files with 238 additions and 145 deletions
--- a/rest/internal/cors/handlers.go
+++ b/rest/internal/cors/handlers.go
@@ -0,0 +1,64 @@
+package cors
+
+import "net/http"
+
+const (
+	allowOrigin      = "Access-Control-Allow-Origin"
+	allOrigins       = "*"
+	allowMethods     = "Access-Control-Allow-Methods"
+	allowHeaders     = "Access-Control-Allow-Headers"
+	allowCredentials = "Access-Control-Allow-Credentials"
+	exposeHeaders    = "Access-Control-Expose-Headers"
+	allowHeadersVal  = "Content-Type, Origin, X-CSRF-Token, Authorization, AccessToken, Token, Range"
+	exposeHeadersVal = "Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers"
+	methods          = "GET, HEAD, POST, PATCH, PUT, DELETE"
+	allowTrue        = "true"
+	maxAgeHeader     = "Access-Control-Max-Age"
+	maxAgeHeaderVal  = "86400"
+)
+
+// Handler handles cross domain not allowed requests.
+// At most one origin can be specified, other origins are ignored if given, default to be *.
+func Handler(origin ...string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		setHeader(w, getOrigin(origin))
+
+		if r.Method != http.MethodOptions {
+			w.WriteHeader(http.StatusNotFound)
+		} else {
+			w.WriteHeader(http.StatusNoContent)
+		}
+	})
+}
+
+// Middleware returns a middleware that adds CORS headers to the response.
+func Middleware(origin ...string) func(http.HandlerFunc) http.HandlerFunc {
+	return func(next http.HandlerFunc) http.HandlerFunc {
+		return func(w http.ResponseWriter, r *http.Request) {
+			setHeader(w, getOrigin(origin))
+
+			if r.Method == http.MethodOptions {
+				w.WriteHeader(http.StatusNoContent)
+			} else {
+				next(w, r)
+			}
+		}
+	}
+}
+
+func getOrigin(origins []string) string {
+	if len(origins) > 0 {
+		return origins[0]
+	} else {
+		return allOrigins
+	}
+}
+
+func setHeader(w http.ResponseWriter, origin string) {
+	w.Header().Set(allowOrigin, origin)
+	w.Header().Set(allowMethods, methods)
+	w.Header().Set(allowHeaders, allowHeadersVal)
+	w.Header().Set(exposeHeaders, exposeHeadersVal)
+	w.Header().Set(allowCredentials, allowTrue)
+	w.Header().Set(maxAgeHeader, maxAgeHeaderVal)
+}
--- a/rest/internal/cors/handlers_test.go
+++ b/rest/internal/cors/handlers_test.go
@@ -0,0 +1,76 @@
+package cors
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCorsHandlerWithOrigins(t *testing.T) {
+	tests := []struct {
+		name    string
+		origins []string
+		expect  string
+	}{
+		{
+			name:   "allow all origins",
+			expect: allOrigins,
+		},
+		{
+			name:    "allow one origin",
+			origins: []string{"local"},
+			expect:  "local",
+		},
+		{
+			name:    "allow many origins",
+			origins: []string{"local", "remote"},
+			expect:  "local",
+		},
+	}
+
+	methods := []string{
+		http.MethodOptions,
+		http.MethodGet,
+		http.MethodPost,
+	}
+
+	for _, test := range tests {
+		for _, method := range methods {
+			test := test
+			t.Run(test.name+"-handler", func(t *testing.T) {
+				r := httptest.NewRequest(method, "http://localhost", nil)
+				w := httptest.NewRecorder()
+				handler := Handler(test.origins...)
+				handler.ServeHTTP(w, r)
+				if method == http.MethodOptions {
+					assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
+				} else {
+					assert.Equal(t, http.StatusNotFound, w.Result().StatusCode)
+				}
+				assert.Equal(t, test.expect, w.Header().Get(allowOrigin))
+			})
+		}
+	}
+
+	for _, test := range tests {
+		for _, method := range methods {
+			test := test
+			t.Run(test.name+"-middleware", func(t *testing.T) {
+				r := httptest.NewRequest(method, "http://localhost", nil)
+				w := httptest.NewRecorder()
+				handler := Middleware(test.origins...)(func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusOK)
+				})
+				handler.ServeHTTP(w, r)
+				if method == http.MethodOptions {
+					assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
+				} else {
+					assert.Equal(t, http.StatusOK, w.Result().StatusCode)
+				}
+				assert.Equal(t, test.expect, w.Header().Get(allowOrigin))
+			})
+		}
+	}
+}