gotosocial/internal/middleware/cors.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package middleware

import (
	"time"

	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

// CORS returns a new gin middleware which allows CORS requests to be processed.
// This is necessary in order for web/browser-based clients like Semaphore to work.
func CORS() gin.HandlerFunc {
	cfg := cors.Config{
		// todo: use config to customize this
		AllowAllOrigins: true,

		// adds the following:
		// 	"chrome-extension://"
		// 	"safari-extension://"
		// 	"moz-extension://"
		// 	"ms-browser-extension://"
		AllowBrowserExtensions: true,
		AllowMethods: []string{
			"POST",
			"PUT",
			"DELETE",
			"GET",
			"PATCH",
			"OPTIONS",
		},
		AllowHeaders: []string{
			// basic cors stuff
			"Origin",
			"Content-Length",
			"Content-Type",

			// needed to pass oauth bearer tokens
			"Authorization",

			// Some clients require this; see:
			//   - https://docs.joinmastodon.org/methods/statuses/#headers
			//   - https://codeberg.org/superseriousbusiness/gotosocial/issues/1664
			"Idempotency-Key",

			// needed for websocket upgrade requests
			"Upgrade",
			"Sec-WebSocket-Extensions",
			"Sec-WebSocket-Key",
			"Sec-WebSocket-Protocol",
			"Sec-WebSocket-Version",
			"Connection",
		},
		AllowWebSockets: true,
		ExposeHeaders: []string{
			// needed for accessing next/prev links when making GET timeline requests
			"Link",

			// needed so clients can handle rate limits
			"X-RateLimit-Reset",
			"X-RateLimit-Limit",
			"X-RateLimit-Remaining",
			"X-Request-Id",

			// websocket stuff
			"Connection",
			"Sec-WebSocket-Accept",
			"Upgrade",
		},
		MaxAge: 2 * time.Minute,
	}

	return cors.New(cfg)
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 16:00:57 +01:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`package middleware`

			`import (`
			`"time"`

			`"github.com/gin-contrib/cors"`
			`"github.com/gin-gonic/gin"`
			`)`

			`// CORS returns a new gin middleware which allows CORS requests to be processed.`
[chore] Replace pinafore with semaphore (#1801) * Replace pinafore with semaphore * Typo 2023-05-21 22:40:43 +02:00			`// This is necessary in order for web/browser-based clients like Semaphore to work.`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`func CORS() gin.HandlerFunc {`
			`cfg := cors.Config{`
			`// todo: use config to customize this`
			`AllowAllOrigins: true,`

			`// adds the following:`
			`// "chrome-extension://"`
			`// "safari-extension://"`
			`// "moz-extension://"`
			`// "ms-browser-extension://"`
			`AllowBrowserExtensions: true,`
			`AllowMethods: []string{`
			`"POST",`
			`"PUT",`
			`"DELETE",`
			`"GET",`
			`"PATCH",`
			`"OPTIONS",`
			`},`
			`AllowHeaders: []string{`
			`// basic cors stuff`
			`"Origin",`
			`"Content-Length",`
			`"Content-Type",`

			`// needed to pass oauth bearer tokens`
			`"Authorization",`

[bugfix] Add idempotency-key to allowed CORS headers (#1670) 2023-04-03 12:01:24 +02:00			`// Some clients require this; see:`
			`// - https://docs.joinmastodon.org/methods/statuses/#headers`
[chore] Rewrite all remaining Github links 2025-04-27 13:36:27 +02:00			`// - https://codeberg.org/superseriousbusiness/gotosocial/issues/1664`
[bugfix] Add idempotency-key to allowed CORS headers (#1670) 2023-04-03 12:01:24 +02:00			`"Idempotency-Key",`

[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`// needed for websocket upgrade requests`
			`"Upgrade",`
			`"Sec-WebSocket-Extensions",`
			`"Sec-WebSocket-Key",`
			`"Sec-WebSocket-Protocol",`
			`"Sec-WebSocket-Version",`
			`"Connection",`
			`},`
			`AllowWebSockets: true,`
			`ExposeHeaders: []string{`
			`// needed for accessing next/prev links when making GET timeline requests`
			`"Link",`

			`// needed so clients can handle rate limits`
			`"X-RateLimit-Reset",`
			`"X-RateLimit-Limit",`
			`"X-RateLimit-Remaining",`
			`"X-Request-Id",`

			`// websocket stuff`
			`"Connection",`
			`"Sec-WebSocket-Accept",`
			`"Upgrade",`
			`},`
			`MaxAge: 2 * time.Minute,`
			`}`

			`return cors.New(cfg)`
			`}`