From 7f0ebf92335edd0c483bc437924f823f69e1978f Mon Sep 17 00:00:00 2001
From: Gaius
Date: Wed, 26 Apr 2023 16:29:44 +0800
Subject: [PATCH] feat: add CORS middleware to manager (#2304)
Signed-off-by: Gaius
---
 manager/middlewares/cors.go | 51 +++++++++++++++++++++++++++++++++++++
 manager/router/router.go | 8 +-----
 2 files changed, 52 insertions(+), 7 deletions(-)
 create mode 100644 manager/middlewares/cors.go
diff --git a/manager/middlewares/cors.go b/manager/middlewares/cors.go
new file mode 100644
index 00000000000..a0333875db6
--- /dev/null
+++ b/manager/middlewares/cors.go
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2023 The Dragonfly Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package middlewares
+
+import (
+ "net/http"
+ "strings"
+
+ "github.com/gin-gonic/gin"
+ "github.com/go-http-utils/headers"
+)
+
+func CORS() gin.HandlerFunc {
+ return func(c *gin.Context) {
+ origin := c.GetHeader(headers.Origin)
+ if origin == "" {
+ c.Next()
+ return
+ }
+
+ c.Header(headers.AccessControlAllowOrigin, origin)
+ c.Header(headers.AccessControlAllowCredentials, "true")
+
+ if c.Request.Method != http.MethodOptions {
+ c.Next()
+ return
+ }
+
+ // Preflight OPTIONS request.
+ c.Header(headers.AccessControlAllowHeaders, c.GetHeader("Access-Control-Request-Headers"))
+ c.Header(headers.AccessControlAllowMethods, strings.Join([]string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPost, http.MethodDelete, http.MethodPatch}, ","))
+ c.Header(headers.AccessControlMaxAge, "600000")
+ c.Status(http.StatusNoContent)
+
+ c.Abort()
+ }
+}
diff --git a/manager/router/router.go b/manager/router/router.go
index e55149a068a..7f64dcd53b1 100644
--- a/manager/router/router.go
+++ b/manager/router/router.go
@@ -21,7 +21,6 @@ import (
 "time"
 
 "github.com/casbin/casbin/v2"
- "github.com/gin-contrib/cors"
 "github.com/gin-contrib/static"
 ginzap "github.com/gin-contrib/zap"
 "github.com/gin-gonic/gin"
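Review bot: In manager/middlewares/cors.go, `CORS()` copies the request's `Origin` into `Access-Control-Allow-Origin` and always adds `Access-Control-Allow-Credentials: true`, so a page on any origin can make credentialed requests to the manager API from a signed-in user's browser and read the responses. The removed gin-contrib/cors setup (`AllowAllOrigins` plus `AllowCredentials`) most likely answered with `*`, which browsers refuse for credentialed requests, so this change appears to widen what is actually reachable rather than keep it equal. I would check the origin against a configured allowlist before emitting either header and add `Vary: Origin`, since the response now depends on that header; the `r.Use(middlewares.CORS())` call in router.go would then pass the list (no such config field is visible on this page, so the parameter below is a placeholder). The exported function also has no doc comment, and an `Access-Control-Max-Age` of `600000` is far above what browsers honour, so a smaller value would state the real cache lifetime.

```go
// CORS returns a middleware that answers cross-origin requests only for
// origins listed in allowedOrigins.
func CORS(allowedOrigins []string) gin.HandlerFunc {
	allowed := make(map[string]struct{}, len(allowedOrigins))
	for _, o := range allowedOrigins {
		allowed[o] = struct{}{}
	}

	return func(c *gin.Context) {
		// … unchanged: read Origin, pass through when it is empty …

		// The response varies by Origin, so shared caches must key on it.
		c.Writer.Header().Add("Vary", headers.Origin)
		if _, ok := allowed[origin]; !ok {
			// Unlisted origin: emit no CORS headers, so the browser blocks the read.
			c.Next()
			return
		}

		c.Header(headers.AccessControlAllowOrigin, origin)
		// … unchanged: credentials header, non-OPTIONS pass-through, preflight response …
	}
}
```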
@@ -66,17 +65,12 @@ func Init(cfg *config.Config, logDir string, service service.Service, enforcer *
 r.Use(otelgin.Middleware(OtelServiceName))
 }
 
- // CORS
- corsConfig := cors.DefaultConfig()
- corsConfig.AllowAllOrigins = true
- corsConfig.AllowCredentials = true
-
 // Middleware
 r.Use(gin.Recovery())
 r.Use(ginzap.Ginzap(logger.GinLogger.Desugar(), time.RFC3339, true))
 r.Use(ginzap.RecoveryWithZap(logger.GinLogger.Desugar(), true))
 r.Use(middlewares.Error())
- r.Use(cors.New(corsConfig))
+ r.Use(middlewares.CORS())
 
 rbac := middlewares.RBAC(enforcer)
 jwt, err := middlewares.Jwt(cfg.Auth.JWT, service)