backend/internal/middleware/cors.go

package middleware

import (
	"carrotskin/pkg/config"

	"github.com/gin-gonic/gin"
)

// CORS 跨域中间件
func CORS() gin.HandlerFunc {
	// 获取配置，如果配置未初始化则使用默认值
	var allowedOrigins []string
	var isTestEnv bool
	if cfg, err := config.GetConfig(); err == nil {
		allowedOrigins = cfg.Security.AllowedOrigins
		isTestEnv = cfg.IsTestEnvironment()
	} else {
		// 默认允许所有来源（向后兼容）
		allowedOrigins = []string{"*"}
		isTestEnv = false
	}

	return gin.HandlerFunc(func(c *gin.Context) {
		origin := c.GetHeader("Origin")

		// 检查是否允许该来源
		allowOrigin := "*"
		// 测试环境下强制使用 *，否则按配置处理
		if !isTestEnv && len(allowedOrigins) > 0 && allowedOrigins[0] != "*" {
			allowOrigin = ""
			for _, allowed := range allowedOrigins {
				if allowed == origin || allowed == "*" {
					allowOrigin = origin
					break
				}
			}
		}

		if allowOrigin != "" {
			c.Header("Access-Control-Allow-Origin", allowOrigin)
			// 只有在非通配符模式下才允许credentials
			if allowOrigin != "*" {
				c.Header("Access-Control-Allow-Credentials", "true")
			}
		}

		c.Header("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With")
		c.Header("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT, DELETE")
		c.Header("Access-Control-Max-Age", "86400") // 缓存预检请求结果24小时

		if c.Request.Method == "OPTIONS" {
			c.AbortWithStatus(204)
			return
		}

		c.Next()
	})
}