331 lines
10 KiB
Go
331 lines
10 KiB
Go
package fasthttp
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"git.loafle.net/commons/cors-go"
|
|
"git.loafle.net/commons/cors-go/internal"
|
|
"git.loafle.net/commons/logging-go"
|
|
"github.com/valyala/fasthttp"
|
|
)
|
|
|
|
// Cors http handler
|
|
type Cors interface {
|
|
Handle(ctx *fasthttp.RequestCtx) (requestDone bool)
|
|
Handler(h fasthttp.RequestHandler) fasthttp.RequestHandler
|
|
}
|
|
|
|
// Cors http handler
|
|
type fasthttpcors struct {
|
|
co cors.Options
|
|
// Set to true when allowed origins contains a "*"
|
|
allowedOriginsAll bool
|
|
// Normalized list of plain allowed origins
|
|
allowedOrigins []string
|
|
// List of allowed origins containing wildcards
|
|
allowedWOrigins []internal.Wildcard
|
|
// Set to true when allowed headers contains a "*"
|
|
allowedHeadersAll bool
|
|
// Normalized list of allowed headers
|
|
allowedHeaders []string
|
|
// Normalized list of allowed methods
|
|
allowedMethods []string
|
|
// Normalized list of exposed headers
|
|
exposedHeaders []string
|
|
}
|
|
|
|
// New creates a new Cors handler with the provided options.
|
|
func New(co cors.Options) Cors {
|
|
c := &fasthttpcors{
|
|
co: co,
|
|
exposedHeaders: internal.Convert(co.ExposedHeaders, http.CanonicalHeaderKey),
|
|
}
|
|
|
|
// Normalize options
|
|
// Note: for origins and methods matching, the spec requires a case-sensitive matching.
|
|
// As it may error prone, we chose to ignore the spec here.
|
|
|
|
// Allowed Origins
|
|
// Allowed Origins
|
|
if len(co.AllowedOrigins) == 0 {
|
|
if co.AllowOriginFunc == nil {
|
|
// Default is all origins
|
|
c.allowedOriginsAll = true
|
|
}
|
|
} else {
|
|
c.allowedOrigins = []string{}
|
|
c.allowedWOrigins = []internal.Wildcard{}
|
|
for _, origin := range co.AllowedOrigins {
|
|
// Normalize
|
|
origin = strings.ToLower(origin)
|
|
if origin == "*" {
|
|
// If "*" is present in the list, turn the whole list into a match all
|
|
c.allowedOriginsAll = true
|
|
c.allowedOrigins = nil
|
|
c.allowedWOrigins = nil
|
|
break
|
|
} else if i := strings.IndexByte(origin, '*'); i >= 0 {
|
|
// Split the origin in two: start and end string without the *
|
|
w := internal.Wildcard{origin[0:i], origin[i+1 : len(origin)]}
|
|
c.allowedWOrigins = append(c.allowedWOrigins, w)
|
|
} else {
|
|
c.allowedOrigins = append(c.allowedOrigins, origin)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Allowed Headers
|
|
if len(co.AllowedHeaders) == 0 {
|
|
// Use sensible defaults
|
|
c.allowedHeaders = []string{"Origin", "Accept", "Content-Type"}
|
|
} else {
|
|
// Origin is always appended as some browsers will always request for this header at preflight
|
|
c.allowedHeaders = internal.Convert(append(co.AllowedHeaders, "Origin"), http.CanonicalHeaderKey)
|
|
for _, h := range co.AllowedHeaders {
|
|
if h == "*" {
|
|
c.allowedHeadersAll = true
|
|
c.allowedHeaders = nil
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
// Allowed Methods
|
|
if len(co.AllowedMethods) == 0 {
|
|
// Default is spec's "simple" methods
|
|
c.allowedMethods = []string{"GET", "POST", "HEAD"}
|
|
} else {
|
|
c.allowedMethods = internal.Convert(co.AllowedMethods, strings.ToUpper)
|
|
}
|
|
|
|
return c
|
|
}
|
|
|
|
// Default creates a new Cors handler with default options.
|
|
func Default() Cors {
|
|
return New(cors.Options{})
|
|
}
|
|
|
|
// AllowAll create a new Cors handler with permissive configuration allowing all
|
|
// origins with all standard methods with any header and credentials.
|
|
func AllowAll() Cors {
|
|
return New(cors.Options{
|
|
AllowedOrigins: []string{"*"},
|
|
AllowedMethods: []string{"HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"},
|
|
AllowedHeaders: []string{"*"},
|
|
AllowCredentials: true,
|
|
})
|
|
}
|
|
|
|
func (c *fasthttpcors) Handle(ctx *fasthttp.RequestCtx) (requestDone bool) {
|
|
if string(ctx.Method()) == "OPTIONS" && ctx.Request.Header.Peek("Access-Control-Request-Method") != nil {
|
|
logging.Logger().Info("Handler: Preflight request")
|
|
c.handlePreflight(ctx)
|
|
// Preflight requests are standalone and should stop the chain as some other
|
|
// middleware may not handle OPTIONS requests correctly. One typical example
|
|
// is authentication middleware ; OPTIONS requests won't carry authentication
|
|
// headers (see #1)
|
|
if c.co.OptionsPassthrough {
|
|
return false
|
|
}
|
|
|
|
ctx.SetStatusCode(fasthttp.StatusOK)
|
|
return true
|
|
}
|
|
|
|
logging.Logger().Info("Handler: Actual request")
|
|
c.handleActualRequest(ctx)
|
|
|
|
return false
|
|
}
|
|
|
|
// Handler apply the CORS specification on the request, and add relevant CORS headers
|
|
// as necessary.
|
|
func (c *fasthttpcors) Handler(h fasthttp.RequestHandler) fasthttp.RequestHandler {
|
|
return fasthttp.RequestHandler(func(ctx *fasthttp.RequestCtx) {
|
|
if string(ctx.Method()) == "OPTIONS" && ctx.Request.Header.Peek("Access-Control-Request-Method") != nil {
|
|
logging.Logger().Info("Handler: Preflight request")
|
|
c.handlePreflight(ctx)
|
|
// Preflight requests are standalone and should stop the chain as some other
|
|
// middleware may not handle OPTIONS requests correctly. One typical example
|
|
// is authentication middleware ; OPTIONS requests won't carry authentication
|
|
// headers (see #1)
|
|
if c.co.OptionsPassthrough {
|
|
h(ctx)
|
|
} else {
|
|
ctx.SetStatusCode(fasthttp.StatusOK)
|
|
}
|
|
} else {
|
|
logging.Logger().Info("Handler: Actual request")
|
|
c.handleActualRequest(ctx)
|
|
h(ctx)
|
|
}
|
|
})
|
|
}
|
|
|
|
// handlePreflight handles pre-flight CORS requests
|
|
func (c *fasthttpcors) handlePreflight(ctx *fasthttp.RequestCtx) {
|
|
origin := string(ctx.Request.Header.Peek("Origin"))
|
|
|
|
if string(ctx.Method()) != "OPTIONS" {
|
|
logging.Logger().Info(fmt.Sprintf(" Preflight aborted: %s!=OPTIONS", string(ctx.Method())))
|
|
return
|
|
}
|
|
// Always set Vary headers
|
|
// see https://github.com/rs/fasthttpcors/issues/10,
|
|
// https://github.com/rs/fasthttpcors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001
|
|
ctx.Response.Header.Add("Vary", "Origin")
|
|
ctx.Response.Header.Add("Vary", "Access-Control-Request-Method")
|
|
ctx.Response.Header.Add("Vary", "Access-Control-Request-Headers")
|
|
|
|
if origin == "" {
|
|
logging.Logger().Info(" Preflight aborted: empty origin")
|
|
return
|
|
}
|
|
if !c.isOriginAllowed(origin) {
|
|
logging.Logger().Info(fmt.Sprintf(" Preflight aborted: origin '%s' not allowed", origin))
|
|
return
|
|
}
|
|
|
|
reqMethod := string(ctx.Request.Header.Peek("Access-Control-Request-Method"))
|
|
if !c.isMethodAllowed(reqMethod) {
|
|
logging.Logger().Info(fmt.Sprintf(" Preflight aborted: method '%s' not allowed", reqMethod))
|
|
return
|
|
}
|
|
reqHeaders := internal.ParseHeaderList(string(ctx.Request.Header.Peek("Access-Control-Request-Headers")))
|
|
if !c.areHeadersAllowed(reqHeaders) {
|
|
logging.Logger().Info(fmt.Sprintf(" Preflight aborted: headers '%v' not allowed", reqHeaders))
|
|
return
|
|
}
|
|
if c.allowedOriginsAll && !c.co.AllowCredentials {
|
|
ctx.Response.Header.Set("Access-Control-Allow-Origin", "*")
|
|
} else {
|
|
ctx.Response.Header.Set("Access-Control-Allow-Origin", origin)
|
|
}
|
|
// Spec says: Since the list of methods can be unbounded, simply returning the method indicated
|
|
// by Access-Control-Request-Method (if supported) can be enough
|
|
ctx.Response.Header.Set("Access-Control-Allow-Methods", strings.ToUpper(reqMethod))
|
|
if len(reqHeaders) > 0 {
|
|
// Spec says: Since the list of headers can be unbounded, simply returning supported headers
|
|
// from Access-Control-Request-Headers can be enough
|
|
ctx.Response.Header.Set("Access-Control-Allow-Headers", strings.Join(reqHeaders, ", "))
|
|
}
|
|
if c.co.AllowCredentials {
|
|
ctx.Response.Header.Set("Access-Control-Allow-Credentials", "true")
|
|
}
|
|
if c.co.MaxAge > 0 {
|
|
ctx.Response.Header.Set("Access-Control-Max-Age", strconv.Itoa(c.co.MaxAge))
|
|
}
|
|
// logging.Logger().Info(fmt.Sprintf(" Preflight response headers: %v", ctx.Response.Header.))
|
|
}
|
|
|
|
// handleActualRequest handles simple cross-origin requests, actual request or redirects
|
|
func (c *fasthttpcors) handleActualRequest(ctx *fasthttp.RequestCtx) {
|
|
origin := string(ctx.Request.Header.Peek("Origin"))
|
|
method := string(ctx.Method())
|
|
|
|
if method == "OPTIONS" {
|
|
logging.Logger().Info(fmt.Sprintf(" Actual request no headers added: method == %s", method))
|
|
return
|
|
}
|
|
// Always set Vary, see https://github.com/rs/fasthttpcors/issues/10
|
|
ctx.Response.Header.Add("Vary", "Origin")
|
|
if origin == "" {
|
|
logging.Logger().Info(" Actual request no headers added: missing origin")
|
|
return
|
|
}
|
|
if !c.isOriginAllowed(origin) {
|
|
logging.Logger().Info(fmt.Sprintf(" Actual request no headers added: origin '%s' not allowed", origin))
|
|
return
|
|
}
|
|
|
|
// Note that spec does define a way to specifically disallow a simple method like GET or
|
|
// POST. Access-Control-Allow-Methods is only used for pre-flight requests and the
|
|
// spec doesn't instruct to check the allowed methods for simple cross-origin requests.
|
|
// We think it's a nice feature to be able to have control on those methods though.
|
|
if !c.isMethodAllowed(method) {
|
|
logging.Logger().Info(fmt.Sprintf(" Actual request no headers added: method '%s' not allowed", method))
|
|
|
|
return
|
|
}
|
|
if c.allowedOriginsAll && !c.co.AllowCredentials {
|
|
ctx.Response.Header.Set("Access-Control-Allow-Origin", "*")
|
|
} else {
|
|
ctx.Response.Header.Set("Access-Control-Allow-Origin", origin)
|
|
}
|
|
if len(c.exposedHeaders) > 0 {
|
|
ctx.Response.Header.Set("Access-Control-Expose-Headers", strings.Join(c.exposedHeaders, ", "))
|
|
}
|
|
if c.co.AllowCredentials {
|
|
ctx.Response.Header.Set("Access-Control-Allow-Credentials", "true")
|
|
}
|
|
// c.logf(" Actual response added headers: %v", headers)
|
|
}
|
|
|
|
// isOriginAllowed checks if a given origin is allowed to perform cross-domain requests
|
|
// on the endpoint
|
|
func (c *fasthttpcors) isOriginAllowed(origin string) bool {
|
|
if c.co.AllowOriginFunc != nil {
|
|
return c.co.AllowOriginFunc(origin)
|
|
}
|
|
if c.allowedOriginsAll {
|
|
return true
|
|
}
|
|
origin = strings.ToLower(origin)
|
|
for _, o := range c.allowedOrigins {
|
|
if o == origin {
|
|
return true
|
|
}
|
|
}
|
|
for _, w := range c.allowedWOrigins {
|
|
if w.Match(origin) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// isMethodAllowed checks if a given method can be used as part of a cross-domain request
|
|
// on the endpoing
|
|
func (c *fasthttpcors) isMethodAllowed(method string) bool {
|
|
if len(c.allowedMethods) == 0 {
|
|
// If no method allowed, always return false, even for preflight request
|
|
return false
|
|
}
|
|
method = strings.ToUpper(method)
|
|
if method == "OPTIONS" {
|
|
// Always allow preflight requests
|
|
return true
|
|
}
|
|
for _, m := range c.allowedMethods {
|
|
if m == method {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// areHeadersAllowed checks if a given list of headers are allowed to used within
|
|
// a cross-domain request.
|
|
func (c *fasthttpcors) areHeadersAllowed(requestedHeaders []string) bool {
|
|
if c.allowedHeadersAll || len(requestedHeaders) == 0 {
|
|
return true
|
|
}
|
|
for _, header := range requestedHeaders {
|
|
header = http.CanonicalHeaderKey(header)
|
|
found := false
|
|
for _, h := range c.allowedHeaders {
|
|
if h == header {
|
|
found = true
|
|
}
|
|
}
|
|
if !found {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|