@@ -2,24 +2,32 @@ import 'dart:io' show Platform; // To read environment variables
22
33import 'package:dart_frog/dart_frog.dart' ;
44import 'package:ht_api/src/middlewares/authentication_middleware.dart' ;
5+ import 'package:logging/logging.dart' ;
56import 'package:shelf_cors_headers/shelf_cors_headers.dart' as shelf_cors;
67
8+ final _log = Logger ('ApiV1Middleware' );
9+
710/// Checks if the request's origin is allowed based on the environment.
811///
912/// In production (when `CORS_ALLOWED_ORIGIN` is set), it performs a strict
1013/// check against the specified origin.
1114/// In development, it dynamically allows any `localhost` or `127.0.0.1`
1215/// origin to support the Flutter web dev server's random ports.
1316bool _isOriginAllowed (String origin) {
17+ _log.info ('[CORS] Checking origin: "$origin "' );
1418 final allowedOriginEnv = Platform .environment['CORS_ALLOWED_ORIGIN' ];
1519
1620 if (allowedOriginEnv != null && allowedOriginEnv.isNotEmpty) {
1721 // Production: strict check against the environment variable.
18- return origin == allowedOriginEnv;
22+ final isAllowed = origin == allowedOriginEnv;
23+ _log.info ('[CORS] Production check result: ${isAllowed ? 'ALLOWED' : 'DENIED' }' );
24+ return isAllowed;
1925 } else {
2026 // Development: dynamically allow any localhost origin.
21- return origin.startsWith ('http://localhost:' ) ||
27+ final isAllowed = origin.startsWith ('http://localhost:' ) ||
2228 origin.startsWith ('http://127.0.0.1:' );
29+ _log.info ('[CORS] Development check result: ${isAllowed ? 'ALLOWED' : 'DENIED' }' );
30+ return isAllowed;
2331 }
2432}
2533
@@ -28,25 +36,40 @@ Handler middleware(Handler handler) {
2836 // `/api/v1/`. The order of `.use()` is important: the last one in the
2937 // chain runs first.
3038 return handler
31- // 2. The authentication middleware runs after CORS, using the services
32- // provided from server.dart.
33- .use (authenticationProvider ())
34- // 1. The CORS middleware runs first. It uses an `originChecker` to
35- // dynamically handle origins, which is the correct way to manage
36- // CORS in a standard middleware chain.
3739 .use (
38- fromShelfMiddleware (
39- shelf_cors.corsHeaders (
40- originChecker: _isOriginAllowed,
41- headers: {
42- shelf_cors.ACCESS_CONTROL_ALLOW_CREDENTIALS : 'true' ,
43- shelf_cors.ACCESS_CONTROL_ALLOW_METHODS :
44- 'GET, POST, PUT, DELETE, OPTIONS' ,
45- shelf_cors.ACCESS_CONTROL_ALLOW_HEADERS :
46- 'Origin, Content-Type, Authorization, Accept' ,
47- shelf_cors.ACCESS_CONTROL_MAX_AGE : '86400' ,
48- },
49- ),
50- ),
40+ (handler) {
41+ // This is a custom middleware to wrap the auth provider with logging.
42+ final authMiddleware = authenticationProvider ();
43+ final authHandler = authMiddleware (handler);
44+
45+ return (context) {
46+ _log.info ('[REQ_LIFECYCLE] Entering authentication middleware...' );
47+ return authHandler (context);
48+ };
49+ },
50+ )
51+ .use (
52+ (handler) {
53+ // This is a custom middleware to wrap the CORS provider with logging.
54+ final corsMiddleware = fromShelfMiddleware (
55+ shelf_cors.corsHeaders (
56+ originChecker: _isOriginAllowed,
57+ headers: {
58+ shelf_cors.ACCESS_CONTROL_ALLOW_CREDENTIALS : 'true' ,
59+ shelf_cors.ACCESS_CONTROL_ALLOW_METHODS :
60+ 'GET, POST, PUT, DELETE, OPTIONS' ,
61+ shelf_cors.ACCESS_CONTROL_ALLOW_HEADERS :
62+ 'Origin, Content-Type, Authorization, Accept' ,
63+ shelf_cors.ACCESS_CONTROL_MAX_AGE : '86400' ,
64+ },
65+ ),
66+ );
67+ final corsHandler = corsMiddleware (handler);
68+
69+ return (context) {
70+ _log.info ('[REQ_LIFECYCLE] Entering CORS middleware...' );
71+ return corsHandler (context);
72+ };
73+ },
5174 );
5275}
0 commit comments