gotosocial/internal/router/cors.go

/*
   GoToSocial
   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package router

import (
	"time"

	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

var corsConfig = cors.Config{
	// TODO: make this customizable so instance admins can specify an origin for CORS requests
	AllowAllOrigins: true,

	// adds the following:
	// 	"chrome-extension://"
	// 	"safari-extension://"
	// 	"moz-extension://"
	// 	"ms-browser-extension://"
	AllowBrowserExtensions: true,
	AllowMethods: []string{
		"POST",
		"PUT",
		"DELETE",
		"GET",
		"PATCH",
		"OPTIONS",
	},
	AllowHeaders: []string{
		// basic cors stuff
		"Origin",
		"Content-Length",
		"Content-Type",

		// needed to pass oauth bearer tokens
		"Authorization",

		// needed for websocket upgrade requests
		"Upgrade",
		"Sec-WebSocket-Extensions",
		"Sec-WebSocket-Key",
		"Sec-WebSocket-Protocol",
		"Sec-WebSocket-Version",
		"Connection",
	},
	AllowWebSockets: true,
	ExposeHeaders: []string{
		// needed for accessing next/prev links when making GET timeline requests
		"Link",

		// needed so clients can handle rate limits
		"X-RateLimit-Reset",
		"X-RateLimit-Limit",
		"X-RateLimit-Remaining",
		"X-Request-Id",

		// websocket stuff
		"Connection",
		"Sec-WebSocket-Accept",
		"Upgrade",
	},
	MaxAge: 2 * time.Minute,
}

// useCors attaches the corsConfig above to the given gin engine
func useCors(engine *gin.Engine) error {
	c := cors.New(corsConfig)
	engine.Use(c)
	return nil
}
clean up some weirdness in the router (#80) 2021-07-07 14:46:42 +01:00			`/*`
			`GoToSocial`
Extend license notices to 2022 (#354) 2021-12-20 17:42:19 +00:00			`Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org`
clean up some weirdness in the router (#80) 2021-07-07 14:46:42 +01:00
			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU Affero General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU Affero General Public License for more details.`

			`You should have received a copy of the GNU Affero General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`package router`

			`import (`
			`"time"`

			`"github.com/gin-contrib/cors"`
			`"github.com/gin-gonic/gin"`
			`)`

			`var corsConfig = cors.Config{`
			`// TODO: make this customizable so instance admins can specify an origin for CORS requests`
			`AllowAllOrigins: true,`

			`// adds the following:`
			`// "chrome-extension://"`
			`// "safari-extension://"`
			`// "moz-extension://"`
			`// "ms-browser-extension://"`
			`AllowBrowserExtensions: true,`
			`AllowMethods: []string{`
			`"POST",`
			`"PUT",`
			`"DELETE",`
			`"GET",`
			`"PATCH",`
			`"OPTIONS",`
			`},`
			`AllowHeaders: []string{`
			`// basic cors stuff`
			`"Origin",`
			`"Content-Length",`
			`"Content-Type",`

			`// needed to pass oauth bearer tokens`
			`"Authorization",`

			`// needed for websocket upgrade requests`
			`"Upgrade",`
			`"Sec-WebSocket-Extensions",`
			`"Sec-WebSocket-Key",`
			`"Sec-WebSocket-Protocol",`
			`"Sec-WebSocket-Version",`
			`"Connection",`
			`},`
			`AllowWebSockets: true,`
			`ExposeHeaders: []string{`
			`// needed for accessing next/prev links when making GET timeline requests`
			`"Link",`

			`// needed so clients can handle rate limits`
			`"X-RateLimit-Reset",`
			`"X-RateLimit-Limit",`
			`"X-RateLimit-Remaining",`
			`"X-Request-Id",`

			`// websocket stuff`
			`"Connection",`
			`"Sec-WebSocket-Accept",`
			`"Upgrade",`
			`},`
			`MaxAge: 2 * time.Minute,`
			`}`

			`// useCors attaches the corsConfig above to the given gin engine`
Implement Cobra CLI tooling, Viper config tooling (#336) * start pulling out + replacing urfave and config * replace many many instances of config * move more stuff => viper * properly remove urfave * move some flags to root command * add testrig commands to root * alias config file keys * start adding cli parsing tests * reorder viper init * remove config path alias * fmt * change config file keys to non-nested * we're more or less in business now * tidy up the common func * go fmt * get tests passing again * add note about the cliparsing tests * reorganize * update docs with changes * structure cmd dir better * rename + move some files around * fix dangling comma 2021-12-07 12:31:39 +00:00			`func useCors(engine *gin.Engine) error {`
clean up some weirdness in the router (#80) 2021-07-07 14:46:42 +01:00			`c := cors.New(corsConfig)`
			`engine.Use(c)`
			`return nil`
			`}`