DBT/clawgo
1
0
Fork 0
mirror of https://github.com/YspCoder/clawgo.git synced 2026-04-12 02:37:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Relax API CORS preflight handling

Browse Source
This commit is contained in:
LPF
2026-03-17 17:48:50 +08:00
parent 8da396c1ce
commit 4edfe8e2f0
2 changed files with 47 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
pkg/api/server.go
View File

@@ -238,10 +238,25 @@ func (s *Server) withCORS(next http.Handler) http.Handler {
next = http.NotFoundHandler()
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With")
origin := strings.TrimSpace(r.Header.Get("Origin"))
if origin != "" {
w.Header().Set("Access-Control-Allow-Origin", origin)
w.Header().Add("Vary", "Origin")
} else {
w.Header().Set("Access-Control-Allow-Origin", "*")
}
allowMethods := strings.TrimSpace(r.Header.Get("Access-Control-Request-Method"))
if allowMethods == "" {
allowMethods = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
}
w.Header().Set("Access-Control-Allow-Methods", allowMethods)
allowHeaders := strings.TrimSpace(r.Header.Get("Access-Control-Request-Headers"))
if allowHeaders == "" {
allowHeaders = "Authorization, Content-Type, X-Requested-With, Accept, Origin, Cache-Control, Pragma"
}
w.Header().Set("Access-Control-Allow-Headers", allowHeaders)
w.Header().Set("Access-Control-Expose-Headers", "*")
w.Header().Set("Access-Control-Max-Age", "86400")
if r.Method == http.MethodOptions {
w.WriteHeader(http.StatusNoContent)
return

29
pkg/api/server_test.go
View File

@@ -172,6 +172,35 @@ func TestHandleWebUIConfigPostSavesNormalizedConfig(t *testing.T) {
}
}
func TestWithCORSEchoesPreflightHeaders(t *testing.T) {
t.Parallel()
srv := NewServer("127.0.0.1", 0, "")
handler := srv.withCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
req := httptest.NewRequest(http.MethodOptions, "/api/config", nil)
req.Header.Set("Origin", "https://dash.clawgo.dev")
req.Header.Set("Access-Control-Request-Method", "POST")
req.Header.Set("Access-Control-Request-Headers", "authorization,content-type,x-clawgo-client")
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
if rec.Code != http.StatusNoContent {
t.Fatalf("expected 204, got %d", rec.Code)
}
if got := rec.Header().Get("Access-Control-Allow-Origin"); got != "https://dash.clawgo.dev" {
t.Fatalf("unexpected allow origin: %q", got)
}
if got := rec.Header().Get("Access-Control-Allow-Methods"); got != "POST" {
t.Fatalf("unexpected allow methods: %q", got)
}
if got := rec.Header().Get("Access-Control-Allow-Headers"); got != "authorization,content-type,x-clawgo-client" {
t.Fatalf("unexpected allow headers: %q", got)
}
}
func TestHandleWebUISessionsHidesInternalSessionsByDefault(t *testing.T) {
t.Parallel()