Security fixes: - Fix sensitive data exposure: UserResponse no longer contains email/phone - Add UserSelfResponse for authenticated user's own data - Protect Gorse endpoints with admin role requirement - Add rate limiting (10 req/min) to auth endpoints - Fix CORS configuration to use allowed origins list - Add pagination parameter validation (max 100 per page) Changes: - dto/dto.go: Add UserSelfResponse type - dto/user_converter.go: Add ConvertUserToSelfResponse - handler/user_handler.go: Use secure response types - middleware/cors.go: Implement origin whitelist - middleware/ratelimit.go: Enhance rate limiter - router/router.go: Add auth rate limit, protect Gorse - service/admin_*.go: Use ConvertUserToResponse
53 lines
1.2 KiB
Go
53 lines
1.2 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
var allowedOrigins = []string{
|
|
"https://bbs.littlelan.cn",
|
|
"http://localhost:3000",
|
|
"http://localhost:5173",
|
|
"http://127.0.0.1:3000",
|
|
"http://127.0.0.1:5173",
|
|
}
|
|
|
|
func CORS() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
origin := c.GetHeader("Origin")
|
|
allowedOrigin := ""
|
|
|
|
for _, o := range allowedOrigins {
|
|
if o == origin {
|
|
allowedOrigin = o
|
|
break
|
|
}
|
|
}
|
|
|
|
if allowedOrigin == "" {
|
|
if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") {
|
|
allowedOrigin = origin
|
|
}
|
|
}
|
|
|
|
if allowedOrigin != "" {
|
|
c.Header("Access-Control-Allow-Origin", allowedOrigin)
|
|
c.Header("Access-Control-Allow-Credentials", "true")
|
|
}
|
|
|
|
c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
|
|
c.Header("Access-Control-Allow-Headers", "Origin, Content-Type, Accept, Authorization, Connection, Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Version, Sec-WebSocket-Protocol, Sec-WebSocket-Extensions")
|
|
c.Header("Access-Control-Expose-Headers", "Content-Length, Connection, Upgrade")
|
|
|
|
if c.Request.Method == "OPTIONS" {
|
|
c.AbortWithStatus(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
c.Next()
|
|
}
|
|
}
|