      1 // GoToSocial
      2 // Copyright (C) GoToSocial Authors admin@gotosocial.org
      3 // SPDX-License-Identifier: AGPL-3.0-or-later
      4 //
      5 // This program is free software: you can redistribute it and/or modify
      6 // it under the terms of the GNU Affero General Public License as published by
      7 // the Free Software Foundation, either version 3 of the License, or
      8 // (at your option) any later version.
      9 //
     10 // This program is distributed in the hope that it will be useful,
     11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
     12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     13 // GNU Affero General Public License for more details.
     14 //
     15 // You should have received a copy of the GNU Affero General Public License
     16 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
     17 
     18 package middleware
     19 
     20 import (
     21 	"time"
     22 
     23 	"github.com/gin-contrib/cors"
     24 	"github.com/gin-gonic/gin"
     25 )
     26 
// CORS returns a new gin middleware which allows CORS requests to be processed.
// This is necessary in order for web/browser-based clients like Semaphore to work.
//
// The policy is permissive on origins (any origin, plus browser-extension
// schemes) but explicit about methods, request headers and exposed response
// headers. AllowCredentials is left at its zero value (false), so the wildcard
// origin does not cause browser-managed credentials (cookies, HTTP auth) to be
// sent cross-origin; clients authenticate with a bearer token in the
// Authorization header instead, which is why that header is allow-listed.
// Keep it that way: a wildcard origin combined with credentials is refused by
// browsers.
func CORS() gin.HandlerFunc {
	// todo: use config to customize this

	// Methods a browser client may use against the API.
	allowedMethods := []string{
		"POST",
		"PUT",
		"DELETE",
		"GET",
		"PATCH",
		"OPTIONS",
	}

	// Request headers a browser may send on a cross-origin request.
	allowedHeaders := []string{
		// basic cors stuff
		"Origin",
		"Content-Length",
		"Content-Type",

		// needed to pass oauth bearer tokens
		"Authorization",

		// Some clients require this; see:
		//   - https://docs.joinmastodon.org/methods/statuses/#headers
		//   - https://github.com/superseriousbusiness/gotosocial/issues/1664
		"Idempotency-Key",

		// needed for websocket upgrade requests
		"Upgrade",
		"Sec-WebSocket-Extensions",
		"Sec-WebSocket-Key",
		"Sec-WebSocket-Protocol",
		"Sec-WebSocket-Version",
		"Connection",
	}

	// Response headers that browser-side JavaScript is permitted to read.
	exposedHeaders := []string{
		// needed for accessing next/prev links when making GET timeline requests
		"Link",

		// needed so clients can handle rate limits
		"X-RateLimit-Reset",
		"X-RateLimit-Limit",
		"X-RateLimit-Remaining",
		"X-Request-Id",

		// websocket stuff
		"Connection",
		"Sec-WebSocket-Accept",
		"Upgrade",
	}

	var cfg cors.Config
	cfg.AllowAllOrigins = true
	// AllowBrowserExtensions adds the following origin schemes:
	// 	"chrome-extension://"
	// 	"safari-extension://"
	// 	"moz-extension://"
	// 	"ms-browser-extension://"
	cfg.AllowBrowserExtensions = true
	cfg.AllowWebSockets = true
	cfg.AllowMethods = allowedMethods
	cfg.AllowHeaders = allowedHeaders
	cfg.ExposeHeaders = exposedHeaders
	// Preflight cache lifetime (Access-Control-Max-Age) advertised to browsers.
	cfg.MaxAge = 2 * time.Minute

	return cors.New(cfg)
}