Files
backend/internal/middleware/cors.go
lafay 7d1c78f965
Some checks failed
Build / build (push) Successful in 7m52s
Build / build-docker (push) Has been cancelled
refactor: 移除全局单例、修复分层违规、统一错误与响应
2026-06-15 16:40:36 +08:00

55 lines
1.4 KiB
Go

package middleware
import (
"carrotskin/pkg/config"
"github.com/gin-gonic/gin"
)
// CORS 跨域中间件
func CORS(cfg *config.Config) gin.HandlerFunc {
// 从注入的配置读取 CORS 设置
allowedOrigins := cfg.Security.AllowedOrigins
if len(allowedOrigins) == 0 {
// 默认允许所有来源
allowedOrigins = []string{"*"}
}
isTestEnv := cfg.IsTestEnvironment()
return gin.HandlerFunc(func(c *gin.Context) {
origin := c.GetHeader("Origin")
// 检查是否允许该来源
allowOrigin := "*"
// 测试环境下强制使用 *,否则按配置处理
if !isTestEnv && len(allowedOrigins) > 0 && allowedOrigins[0] != "*" {
allowOrigin = ""
for _, allowed := range allowedOrigins {
if allowed == origin || allowed == "*" {
allowOrigin = origin
break
}
}
}
if allowOrigin != "" {
c.Header("Access-Control-Allow-Origin", allowOrigin)
// 只有在非通配符模式下才允许credentials
if allowOrigin != "*" {
c.Header("Access-Control-Allow-Credentials", "true")
}
}
c.Header("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With")
c.Header("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT, DELETE")
c.Header("Access-Control-Max-Age", "86400") // 缓存预检请求结果24小时
if c.Request.Method == "OPTIONS" {
c.AbortWithStatus(204)
return
}
c.Next()
})
}