package middleware import ( "carrotskin/pkg/config" "github.com/gin-gonic/gin" ) // CORS 跨域中间件 func CORS(cfg *config.Config) gin.HandlerFunc { // 从注入的配置读取 CORS 设置 allowedOrigins := cfg.Security.AllowedOrigins if len(allowedOrigins) == 0 { // 默认允许所有来源 allowedOrigins = []string{"*"} } isTestEnv := cfg.IsTestEnvironment() return gin.HandlerFunc(func(c *gin.Context) { origin := c.GetHeader("Origin") // 检查是否允许该来源 allowOrigin := "*" // 测试环境下强制使用 *,否则按配置处理 if !isTestEnv && len(allowedOrigins) > 0 && allowedOrigins[0] != "*" { allowOrigin = "" for _, allowed := range allowedOrigins { if allowed == origin || allowed == "*" { allowOrigin = origin break } } } if allowOrigin != "" { c.Header("Access-Control-Allow-Origin", allowOrigin) // 只有在非通配符模式下才允许credentials if allowOrigin != "*" { c.Header("Access-Control-Allow-Credentials", "true") } } c.Header("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With") c.Header("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT, DELETE") c.Header("Access-Control-Max-Age", "86400") // 缓存预检请求结果24小时 if c.Request.Method == "OPTIONS" { c.AbortWithStatus(204) return } c.Next() }) }