Merge pull request #108 from go-authgate/worktree-new

appleboy · web-flow · commit 850311dc2626 · 2026-03-15T13:58:58.000+08:00
feat(middleware): add configurable CORS support for API endpoints
diff --git a/.env.example b/.env.example
@@ -232,3 +232,15 @@ EXPIRED_TOKEN_CLEANUP_INTERVAL=1h      # How often to run the cleanup (default:
 # - Increase AUDIT_SHUTDOWN_TIMEOUT (e.g., 30s) if audit buffer is large
 # - Keep close timeouts short (5s) to prevent hanging on shutdown
 # - All operations support cancellation with Ctrl+C during startup
+
+# ============================================================
+# CORS (Cross-Origin Resource Sharing)
+# ============================================================
+# Enable CORS for /oauth/* API endpoints so SPA frontends (React, Vue, etc.)
+# can call token, introspect, and device code endpoints from a different origin.
+# Disabled by default — HTML page endpoints are never affected.
+# CORS_ENABLED=false
+# CORS_ALLOWED_ORIGINS=http://localhost:3000,https://app.example.com
+# CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
+# CORS_ALLOWED_HEADERS=Origin,Content-Type,Authorization
+# CORS_MAX_AGE=12h
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -97,7 +97,7 @@ In addition to Device Code Flow, AuthGate supports Authorization Code Flow with
 - `internal/services/` - Business logic layer (user, device, authorization, token, client, audit services)
 - `internal/handlers/` - HTTP request handlers for all endpoints
 - `internal/models/` - GORM database models (User, OAuthApplication, UserAuthorization, DeviceCode, AuthorizationCode, AccessToken, OAuthConnection, AuditLog)
-- `internal/middleware/` - Gin middleware (auth, CSRF, rate limiting, metrics auth)
+- `internal/middleware/` - Gin middleware (auth, CSRF, rate limiting, metrics auth, CORS)
 - `internal/metrics/` - Prometheus metrics collection and caching (supports memory, Redis, Redis-aside)
 - `internal/cache/` - Cache implementations (memory, Redis, Redis-aside)
 - `internal/client/` - HTTP client with exponential backoff retry
@@ -261,6 +261,7 @@ Key configuration categories (see `.env.example` and `docs/CONFIGURATION.md` for
 - `ENABLE_RATE_LIMIT`, `RATE_LIMIT_STORE` (memory/redis) - Rate limiting
 - `ENABLE_AUDIT_LOGGING` - Comprehensive audit trails
 - `SESSION_FINGERPRINT` - Session security (User-Agent validation)
+- `CORS_ENABLED`, `CORS_ALLOWED_ORIGINS` - CORS for SPA frontends (applied to `/oauth/*` only)
 
 **OAuth Providers**
 
diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md
@@ -14,6 +14,7 @@ This guide covers all configuration options for AuthGate, including environment
 - [HTTP Retry with Exponential Backoff](#http-retry-with-exponential-backoff)
 - [User Cache](#user-cache)
 - [Rate Limiting](#rate-limiting)
+- [CORS (Cross-Origin Resource Sharing)](#cors-cross-origin-resource-sharing)
 
 ---
 
@@ -880,6 +881,43 @@ INTROSPECT_RATE_LIMIT=20
 
 ---
 
+## CORS (Cross-Origin Resource Sharing)
+
+When building a Single-Page Application (SPA) or mobile app that calls AuthGate's OAuth API endpoints from a different origin, you need to enable CORS. By default, CORS is **disabled** — enabling it only affects `/oauth/*` API endpoints (token, device code, introspect, revoke, userinfo). HTML page endpoints are never affected.
+
+### Quick Start
+
+```bash
+# .env
+CORS_ENABLED=true
+CORS_ALLOWED_ORIGINS=http://localhost:3000,https://app.example.com
+```
+
+### Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `CORS_ENABLED` | `false` | Enable CORS for API endpoints |
+| `CORS_ALLOWED_ORIGINS` | _(none)_ | Comma-separated list of allowed origins |
+| `CORS_ALLOWED_METHODS` | `GET,POST,PUT,DELETE,OPTIONS` | Allowed HTTP methods |
+| `CORS_ALLOWED_HEADERS` | `Origin,Content-Type,Authorization` | Allowed request headers |
+| `CORS_MAX_AGE` | `12h` | How long browsers cache preflight responses |
+
+### How It Works
+
+- **Preflight requests** (`OPTIONS`) are handled automatically by the CORS middleware and return the appropriate `Access-Control-Allow-*` headers.
+- **Credentials** (`cookies`, `Authorization` header) are allowed — `Access-Control-Allow-Credentials: true` is set so token introspection and authenticated requests work from browser JS.
+- **Disallowed origins** receive a `403 Forbidden` response with no CORS headers.
+- **Same-origin requests** (no `Origin` header) are unaffected.
+
+### Production Notes
+
+- Only list origins you trust — avoid using `*` (wildcard) with credentials.
+- The CORS middleware is applied **only** to the `/oauth/*` route group, not to login pages, admin UI, or static assets.
+- For maximum security, set `CORS_ALLOWED_ORIGINS` to the exact origins of your frontend applications.
+
+---
+
 **Next Steps:**
 
 - [Architecture Guide](ARCHITECTURE.md) - Understand the system design
diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/appleboy/go-httpclient v0.10.0
 	github.com/appleboy/go-httpretry v0.11.0
 	github.com/appleboy/graceful v1.3.0
+	github.com/gin-contrib/cors v1.7.6
 	github.com/gin-contrib/sessions v1.0.4
 	github.com/gin-gonic/gin v1.12.0
 	github.com/golang-jwt/jwt/v5 v5.3.1
diff --git a/go.sum b/go.sum
@@ -67,6 +67,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/cors v1.7.6 h1:3gQ8GMzs1Ylpf70y8bMw4fVpycXIeX1ZemuSQIsnQQY=
+github.com/gin-contrib/cors v1.7.6/go.mod h1:Ulcl+xN4jel9t1Ry8vqph23a60FwH9xVLd+3ykmTjOk=
 github.com/gin-contrib/gzip v0.0.6 h1:NjcunTcGAj5CO1gn4N8jHOSIeRFHIbn51z6K+xaN4d4=
 github.com/gin-contrib/gzip v0.0.6/go.mod h1:QOJlmV2xmayAjkNS2Y8NQsMneuRShOU/kjovCXNuzzk=
 github.com/gin-contrib/sessions v1.0.4 h1:ha6CNdpYiTOK/hTp05miJLbpTSNfOnFg5Jm2kbcqy8U=
diff --git a/internal/bootstrap/router.go b/internal/bootstrap/router.go
@@ -156,6 +156,14 @@ func setupAllRoutes(
 
 	// OAuth API routes (public, called by CLI)
 	oauth := r.Group("/oauth")
+	if cfg.CORSEnabled {
+		if len(cfg.CORSAllowedOrigins) == 0 {
+			log.Println(
+				"WARNING: CORS is enabled but CORS_ALLOWED_ORIGINS is empty — all cross-origin requests will be rejected",
+			)
+		}
+		oauth.Use(middleware.CORSMiddleware(cfg))
+	}
 	{
 		oauth.POST("/device/code", rateLimiters.deviceCode, h.device.DeviceCodeRequest)
 		oauth.POST("/token", rateLimiters.token, h.token.Token)
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -201,6 +201,13 @@ type Config struct {
 	PKCERequired       bool          // Force PKCE for all public clients (default: false)
 	ConsentRemember    bool          // Skip consent page if user already authorized same scope (default: true)
 
+	// CORS settings
+	CORSEnabled        bool          // Enable CORS for API endpoints (default: false)
+	CORSAllowedOrigins []string      // Allowed origins (comma-separated via env, e.g. "http://localhost:3000")
+	CORSAllowedMethods []string      // Allowed HTTP methods (default: GET,POST,PUT,DELETE,OPTIONS)
+	CORSAllowedHeaders []string      // Allowed request headers (default: Origin,Content-Type,Authorization)
+	CORSMaxAge         time.Duration // Preflight cache duration (default: 12 hours)
+
 	// Bootstrap and shutdown timeout settings
 	DBInitTimeout         time.Duration // Database initialization timeout (default: 30s)
 	RedisConnTimeout      time.Duration // Redis connection timeout (default: 5s)
@@ -404,6 +411,19 @@ func Load() *Config {
 		RedisCloseTimeout:     getEnvDuration("REDIS_CLOSE_TIMEOUT", 5*time.Second),
 		CacheCloseTimeout:     getEnvDuration("CACHE_CLOSE_TIMEOUT", 5*time.Second),
 		DBCloseTimeout:        getEnvDuration("DB_CLOSE_TIMEOUT", 5*time.Second),
+
+		// CORS
+		CORSEnabled:        getEnvBool("CORS_ENABLED", false),
+		CORSAllowedOrigins: getEnvSlice("CORS_ALLOWED_ORIGINS", nil),
+		CORSAllowedMethods: getEnvSlice(
+			"CORS_ALLOWED_METHODS",
+			[]string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+		),
+		CORSAllowedHeaders: getEnvSlice(
+			"CORS_ALLOWED_HEADERS",
+			[]string{"Origin", "Content-Type", "Authorization"},
+		),
+		CORSMaxAge: getEnvDuration("CORS_MAX_AGE", 12*time.Hour),
 	}
 }
 
diff --git a/internal/middleware/cors.go b/internal/middleware/cors.go
@@ -0,0 +1,39 @@
+package middleware
+
+import (
+	"time"
+
+	"github.com/go-authgate/authgate/internal/config"
+
+	"github.com/gin-contrib/cors"
+	"github.com/gin-gonic/gin"
+)
+
+// CORSMiddleware returns a CORS middleware configured from application settings.
+// It allows cross-origin requests from the configured origins to API endpoints.
+func CORSMiddleware(cfg *config.Config) gin.HandlerFunc {
+	return cors.New(cors.Config{
+		AllowOrigins: cfg.CORSAllowedOrigins,
+		AllowMethods: cfg.CORSAllowedMethods,
+		AllowHeaders: cfg.CORSAllowedHeaders,
+		MaxAge:       cfg.CORSMaxAge,
+
+		// Expose standard OAuth response headers to browser JS
+		ExposeHeaders: []string{"Content-Length", "Content-Type"},
+
+		// Allow credentials (cookies, Authorization header) for token introspection
+		AllowCredentials: true,
+	})
+}
+
+// NewCORSConfig creates a cors.Config from application settings for testing purposes.
+func NewCORSConfig(origins, methods, headers []string, maxAge time.Duration) cors.Config {
+	return cors.Config{
+		AllowOrigins:     origins,
+		AllowMethods:     methods,
+		AllowHeaders:     headers,
+		MaxAge:           maxAge,
+		ExposeHeaders:    []string{"Content-Length", "Content-Type"},
+		AllowCredentials: true,
+	}
+}
diff --git a/internal/middleware/cors_test.go b/internal/middleware/cors_test.go
@@ -0,0 +1,168 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/go-authgate/authgate/internal/config"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+)
+
+func setupCORSRouter(cfg *config.Config) *gin.Engine {
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+	r.Use(CORSMiddleware(cfg))
+	r.GET("/oauth/tokeninfo", func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+	r.POST("/oauth/token", func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+	r.OPTIONS("/oauth/token", func(c *gin.Context) {
+		c.Status(http.StatusNoContent)
+	})
+	return r
+}
+
+func defaultCORSConfig() *config.Config {
+	return &config.Config{
+		CORSEnabled:        true,
+		CORSAllowedOrigins: []string{"http://localhost:3000"},
+		CORSAllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+		CORSAllowedHeaders: []string{"Origin", "Content-Type", "Authorization"},
+		CORSMaxAge:         12 * time.Hour,
+	}
+}
+
+func TestCORS_AllowedOrigin(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/oauth/tokeninfo", nil)
+	req.Header.Set("Origin", "http://localhost:3000")
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, "http://localhost:3000", w.Header().Get("Access-Control-Allow-Origin"))
+	assert.Equal(t, "true", w.Header().Get("Access-Control-Allow-Credentials"))
+}
+
+func TestCORS_DisallowedOrigin(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/oauth/tokeninfo", nil)
+	req.Header.Set("Origin", "http://evil.com")
+	r.ServeHTTP(w, req)
+
+	// gin-contrib/cors returns 403 for disallowed origins
+	assert.Equal(t, http.StatusForbidden, w.Code)
+	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestCORS_PreflightRequest(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodOptions, "/oauth/token", nil)
+	req.Header.Set("Origin", "http://localhost:3000")
+	req.Header.Set("Access-Control-Request-Method", "POST")
+	req.Header.Set("Access-Control-Request-Headers", "Content-Type,Authorization")
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Equal(t, "http://localhost:3000", w.Header().Get("Access-Control-Allow-Origin"))
+	assert.Contains(t, w.Header().Get("Access-Control-Allow-Methods"), "POST")
+	assert.Contains(t, w.Header().Get("Access-Control-Allow-Headers"), "Content-Type")
+	assert.Contains(t, w.Header().Get("Access-Control-Allow-Headers"), "Authorization")
+	assert.NotEmpty(t, w.Header().Get("Access-Control-Max-Age"))
+}
+
+func TestCORS_PreflightDisallowedOrigin(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodOptions, "/oauth/token", nil)
+	req.Header.Set("Origin", "http://evil.com")
+	req.Header.Set("Access-Control-Request-Method", "POST")
+	r.ServeHTTP(w, req)
+
+	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestCORS_MultipleOrigins(t *testing.T) {
+	cfg := defaultCORSConfig()
+	cfg.CORSAllowedOrigins = []string{"http://localhost:3000", "https://app.example.com"}
+	r := setupCORSRouter(cfg)
+
+	// First origin
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/oauth/tokeninfo", nil)
+	req.Header.Set("Origin", "http://localhost:3000")
+	r.ServeHTTP(w, req)
+	assert.Equal(t, "http://localhost:3000", w.Header().Get("Access-Control-Allow-Origin"))
+
+	// Second origin
+	w = httptest.NewRecorder()
+	req, _ = http.NewRequest(http.MethodGet, "/oauth/tokeninfo", nil)
+	req.Header.Set("Origin", "https://app.example.com")
+	r.ServeHTTP(w, req)
+	assert.Equal(t, "https://app.example.com", w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestCORS_NoOriginHeader(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/oauth/tokeninfo", nil)
+	// No Origin header — same-origin request
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Empty(t, w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestCORS_ExposeHeaders(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/oauth/tokeninfo", nil)
+	req.Header.Set("Origin", "http://localhost:3000")
+	r.ServeHTTP(w, req)
+
+	exposed := w.Header().Get("Access-Control-Expose-Headers")
+	assert.Contains(t, exposed, "Content-Length")
+	assert.Contains(t, exposed, "Content-Type")
+}
+
+func TestCORS_POSTWithOrigin(t *testing.T) {
+	r := setupCORSRouter(defaultCORSConfig())
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodPost, "/oauth/token", nil)
+	req.Header.Set("Origin", "http://localhost:3000")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, "http://localhost:3000", w.Header().Get("Access-Control-Allow-Origin"))
+}
+
+func TestNewCORSConfig(t *testing.T) {
+	cfg := NewCORSConfig(
+		[]string{"http://localhost:3000"},
+		[]string{"GET", "POST"},
+		[]string{"Authorization"},
+		1*time.Hour,
+	)
+
+	assert.Equal(t, []string{"http://localhost:3000"}, cfg.AllowOrigins)
+	assert.Equal(t, []string{"GET", "POST"}, cfg.AllowMethods)
+	assert.Equal(t, []string{"Authorization"}, cfg.AllowHeaders)
+	assert.Equal(t, 1*time.Hour, cfg.MaxAge)
+	assert.True(t, cfg.AllowCredentials)
+}
