gotosocial/internal/middleware/cors.go

/*
   GoToSocial
   Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package middleware

import (
	"time"

	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

// CORS returns a new gin middleware which allows CORS requests to be processed.
// This is necessary in order for web/browser-based clients like Pinafore to work.
func CORS() gin.HandlerFunc {
	cfg := cors.Config{
		// todo: use config to customize this
		AllowAllOrigins: true,

		// adds the following:
		// 	"chrome-extension://"
		// 	"safari-extension://"
		// 	"moz-extension://"
		// 	"ms-browser-extension://"
		AllowBrowserExtensions: true,
		AllowMethods: []string{
			"POST",
			"PUT",
			"DELETE",
			"GET",
			"PATCH",
			"OPTIONS",
		},
		AllowHeaders: []string{
			// basic cors stuff
			"Origin",
			"Content-Length",
			"Content-Type",

			// needed to pass oauth bearer tokens
			"Authorization",

			// needed for websocket upgrade requests
			"Upgrade",
			"Sec-WebSocket-Extensions",
			"Sec-WebSocket-Key",
			"Sec-WebSocket-Protocol",
			"Sec-WebSocket-Version",
			"Connection",
		},
		AllowWebSockets: true,
		ExposeHeaders: []string{
			// needed for accessing next/prev links when making GET timeline requests
			"Link",

			// needed so clients can handle rate limits
			"X-RateLimit-Reset",
			"X-RateLimit-Limit",
			"X-RateLimit-Remaining",
			"X-Request-Id",

			// websocket stuff
			"Connection",
			"Sec-WebSocket-Accept",
			"Upgrade",
		},
		MaxAge: 2 * time.Minute,
	}

	return cors.New(cfg)
}
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`/*`
			`GoToSocial`
[chore] Update/add license headers for 2023 (#1304) 2023-01-05 12:43:00 +01:00			`Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU Affero General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU Affero General Public License for more details.`

			`You should have received a copy of the GNU Affero General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`package middleware`

			`import (`
			`"time"`

			`"github.com/gin-contrib/cors"`
			`"github.com/gin-gonic/gin"`
			`)`

			`// CORS returns a new gin middleware which allows CORS requests to be processed.`
			`// This is necessary in order for web/browser-based clients like Pinafore to work.`
			`func CORS() gin.HandlerFunc {`
			`cfg := cors.Config{`
			`// todo: use config to customize this`
			`AllowAllOrigins: true,`

			`// adds the following:`
			`// "chrome-extension://"`
			`// "safari-extension://"`
			`// "moz-extension://"`
			`// "ms-browser-extension://"`
			`AllowBrowserExtensions: true,`
			`AllowMethods: []string{`
			`"POST",`
			`"PUT",`
			`"DELETE",`
			`"GET",`
			`"PATCH",`
			`"OPTIONS",`
			`},`
			`AllowHeaders: []string{`
			`// basic cors stuff`
			`"Origin",`
			`"Content-Length",`
			`"Content-Type",`

			`// needed to pass oauth bearer tokens`
			`"Authorization",`

			`// needed for websocket upgrade requests`
			`"Upgrade",`
			`"Sec-WebSocket-Extensions",`
			`"Sec-WebSocket-Key",`
			`"Sec-WebSocket-Protocol",`
			`"Sec-WebSocket-Version",`
			`"Connection",`
			`},`
			`AllowWebSockets: true,`
			`ExposeHeaders: []string{`
			`// needed for accessing next/prev links when making GET timeline requests`
			`"Link",`

			`// needed so clients can handle rate limits`
			`"X-RateLimit-Reset",`
			`"X-RateLimit-Limit",`
			`"X-RateLimit-Remaining",`
			`"X-Request-Id",`

			`// websocket stuff`
			`"Connection",`
			`"Sec-WebSocket-Accept",`
			`"Upgrade",`
			`},`
			`MaxAge: 2 * time.Minute,`
			`}`

			`return cors.New(cfg)`
			`}`