feat: add CORS middleware (#46)

Author: mojixcoder

middlewares/cors.go

@@ -0,0 +1,181 @@
+package middlewares
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/mojixcoder/kid"
+)
+
+// CorsConfig is the config used to build CORS middleware.
+type CorsConfig struct {
+	// AllowedOrigins specifies which origins can access the resource.
+	// If "*" is in the list, all origins will be allowed.
+	//
+	// Defaults to ["*"]
+	AllowedOrigins []string
+
+	// AllowOriginFunc is a custom function for validating the origin.
+	// The origin will always be set and you don't need to check that in this function.
+	//
+	// If you set this function the rest of validation logic will be ignored.
+	//
+	// Defaults to nil.
+	AllowOriginFunc func(c *kid.Context, origin string) bool
+
+	// AllowedMethods is the list of allowed HTTP methods.
+	//
+	// Defaults to ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"].
+	AllowedMethods []string
+
+	// AllowedHeaders is the list of the custom headers which are allowed to be sent.
+	//
+	// If "*" is in the list, all headers will be allowed.
+	AllowedHeaders []string
+
+	// ExposedHeaders a list of headers that clients are allowed to access.
+	//
+	// Defaults to [].
+	ExposedHeaders []string
+
+	// MaxAge is the maximum duration that the response to the preflight request can be cached before another call is made.
+	// In second percision.
+	//
+	// Will not be used if 0.
+	// Defaults to 0.
+	MaxAge time.Duration
+
+	// AllowCredentials if true, cookies will be allowed to be included in cross-site HTTP requests.
+	//
+	// defaults to false.
+	AllowCredentials bool
+
+	// AllowPrivateNetwork if true, allow requests from sites on “public” IP to this server on a “private” IP.
+	//
+	// defaults to false.
+	AllowPrivateNetwork bool
+
+	// allowAllOrigins will be true if "*" is in allowed origins.
+	allowAllOrigins bool
+}
+
+// DefaultCorsConfig is the default CORS config.
+var DefaultCorsConfig = CorsConfig{
+	AllowedOrigins: []string{"*"},
+	AllowedMethods: []string{
+		http.MethodGet, http.MethodPost, http.MethodPut,
+		http.MethodPatch, http.MethodDelete, http.MethodOptions,
+	},
+}
+
+// NewCors returns a new CORS config.
+func NewCors() kid.MiddlewareFunc {
+	return NewCorsWithConfig(DefaultCorsConfig)
+}
+
+// NewCorsWithConfig returns a new CORS middleware with the given config.
+func NewCorsWithConfig(cfg CorsConfig) kid.MiddlewareFunc {
+	setCorsDefaults(&cfg)
+
+	allowedMethods := strings.Join(cfg.AllowedMethods, ", ")
+	allowedHeaders := strings.Join(cfg.AllowedHeaders, ", ")
+	exposedHeaders := strings.Join(cfg.ExposedHeaders, ", ")
+	maxAge := strconv.Itoa(int(cfg.MaxAge.Seconds()))
+	allowCreds := "false"
+	if cfg.AllowCredentials {
+		allowCreds = "true"
+	}
+
+	return func(next kid.HandlerFunc) kid.HandlerFunc {
+		return func(c *kid.Context) {
+			req := c.Request()
+			header := c.Response().Header()
+			preflight := isPreflight(req)
+
+			header.Set("Vary", "Origin")
+
+			origin := req.Header.Get("Origin")
+			if origin == "" {
+				next(c)
+				return
+			}
+
+			if !cfg.isAllowedOrigin(c, origin) {
+				next(c)
+				return
+			}
+
+			if cfg.allowAllOrigins && !cfg.AllowCredentials {
+				header.Set("Access-Control-Allow-Origin", "*")
+			} else {
+				header.Set("Access-Control-Allow-Origin", origin)
+			}
+
+			if cfg.AllowPrivateNetwork && req.Header.Get("Access-Control-Request-Private-Network") == "true" {
+				header.Set("Access-Control-Allow-Private-Network", "true")
+			}
+
+			setHeader(header, "Access-Control-Allow-Credentials", allowCreds, "false")
+			setHeader(header, "Access-Control-Expose-Headers", exposedHeaders, "")
+
+			switch preflight {
+			case false:
+				next(c)
+			case true:
+				setHeader(header, "Access-Control-Allow-Methods", allowedMethods, "")
+				setHeader(header, "Access-Control-Allow-Headers", allowedHeaders, "")
+				setHeader(header, "Access-Control-Max-Age", maxAge, "0")
+
+				c.NoContent(http.StatusNoContent)
+			}
+		}
+	}
+}
+
+// isPreflight checks if this is a preflight request.
+func isPreflight(req *http.Request) bool {
+	return req.Method == http.MethodOptions && req.Header.Get("Access-Control-Request-Method") != ""
+}
+
+// isAllowedOrigin validates the origin.
+func (cors *CorsConfig) isAllowedOrigin(c *kid.Context, origin string) bool {
+	if cors.AllowOriginFunc != nil {
+		return cors.AllowOriginFunc(c, origin)
+	}
+
+	if cors.allowAllOrigins {
+		return true
+	}
+
+	for _, v := range cors.AllowedOrigins {
+		if v == "*" {
+			cors.allowAllOrigins = true
+			return true
+		}
+		if v == origin {
+			return true
+		}
+	}
+
+	return false
+}
+
+// setHeader sets the header if not empty.
+func setHeader(header http.Header, key, value, emptyValue string) {
+	if value != emptyValue {
+		header.Set(key, value)
+	}
+}
+
+// setCorsDefaults sets the default CORS configs.
+func setCorsDefaults(cfg *CorsConfig) {
+	if len(cfg.AllowedOrigins) == 0 {
+		cfg.AllowedOrigins = DefaultCorsConfig.AllowedOrigins
+	}
+
+	if len(cfg.AllowedMethods) == 0 {
+		cfg.AllowedMethods = DefaultCorsConfig.AllowedMethods
+	}
+}

middlewares/cors_test.go

@@ -0,0 +1,157 @@
+package middlewares
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/mojixcoder/kid"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSetHeader(t *testing.T) {
+	testCases := []struct {
+		key         string
+		val         string
+		emptyVal    string
+		expectedRes string
+	}{
+		{key: "empty_max_age", val: strconv.Itoa(int(time.Duration(0).Seconds())), emptyVal: "0", expectedRes: ""},
+		{key: "max_age", val: strconv.Itoa(int((time.Hour).Seconds())), emptyVal: "0", expectedRes: "3600"},
+		{key: "empty_headers", val: "", emptyVal: "", expectedRes: ""},
+		{key: "headers", val: "headers", emptyVal: "", expectedRes: "headers"},
+		{key: "empty_creds", val: "false", emptyVal: "false", expectedRes: ""},
+		{key: "creds", val: "true", emptyVal: "false", expectedRes: "true"},
+	}
+
+	header := make(http.Header)
+
+	for _, testCase := range testCases {
+		t.Run(testCase.key, func(t *testing.T) {
+			setHeader(header, testCase.key, testCase.val, testCase.emptyVal)
+			assert.Equal(t, testCase.expectedRes, header.Get(testCase.key))
+		})
+	}
+}
+
+func TestSetCorsDefaults(t *testing.T) {
+	cors := &CorsConfig{}
+
+	setCorsDefaults(cors)
+	assert.Equal(t, DefaultCorsConfig.AllowedOrigins, cors.AllowedOrigins)
+	assert.Equal(t, DefaultCorsConfig.AllowedMethods, cors.AllowedMethods)
+
+	cors = &CorsConfig{AllowedMethods: []string{http.MethodConnect}}
+
+	setCorsDefaults(cors)
+	assert.Equal(t, []string{http.MethodConnect}, cors.AllowedMethods)
+}
+
+func TestIsPreflight(t *testing.T) {
+	req := httptest.NewRequest(http.MethodOptions, "/test", nil)
+	assert.False(t, isPreflight(req))
+
+	req.Header.Set("Access-Control-Request-Method", http.MethodGet)
+	assert.True(t, isPreflight(req))
+}
+
+func TestCorsConfig_isAllowedOrigin(t *testing.T) {
+	cfg := CorsConfig{AllowedOrigins: []string{"http://localhost:2376"}}
+
+	assert.True(t, cfg.isAllowedOrigin(nil, "http://localhost:2376"))
+	assert.False(t, cfg.isAllowedOrigin(nil, "http://localhost:2377"))
+	assert.False(t, cfg.allowAllOrigins)
+
+	cfg.AllowedOrigins = []string{"*"}
+
+	assert.True(t, cfg.isAllowedOrigin(nil, "http://localhost:2376"))
+	assert.True(t, cfg.allowAllOrigins)
+	assert.True(t, cfg.isAllowedOrigin(nil, "http://localhost:2377"))
+
+	cfg.AllowOriginFunc = func(c *kid.Context, origin string) bool {
+		return false
+	}
+
+	assert.False(t, cfg.isAllowedOrigin(nil, "http://localhost:2376"))
+}
+
+func TestNewCors(t *testing.T) {
+	k := kid.New()
+	k.Use(NewCors())
+
+	res := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodOptions, "/test", nil)
+	req.Header.Add("Access-Control-Request-Method", http.MethodPost)
+	req.Header.Add("Origin", "http://localhost:2376")
+
+	k.ServeHTTP(res, req)
+
+	assert.Equal(t, http.StatusNoContent, res.Code)
+	assert.Equal(t, "Origin", res.Header().Get("Vary"))
+	assert.Equal(t, "*", res.Header().Get("Access-Control-Allow-Origin"))
+	assert.Equal(t, "GET, POST, PUT, PATCH, DELETE, OPTIONS", res.Header().Get("Access-Control-Allow-Methods"))
+
+	res = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodPost, "/test", nil)
+	req.Header.Add("Origin", "http://localhost:2376")
+
+	k.ServeHTTP(res, req)
+
+	assert.Equal(t, http.StatusNotFound, res.Code)
+	assert.Equal(t, "Origin", res.Header().Get("Vary"))
+	assert.Equal(t, "*", res.Header().Get("Access-Control-Allow-Origin"))
+	assert.Empty(t, res.Header().Get("Access-Control-Allow-Methods"))
+}
+
+func TestNewCorsWithConfig(t *testing.T) {
+	cfg := CorsConfig{
+		AllowedOrigins:      []string{"http://localhost:2376"},
+		AllowedMethods:      []string{http.MethodGet, http.MethodPost},
+		AllowedHeaders:      []string{"Content-Type", "Accept"},
+		ExposedHeaders:      []string{"User-Agent"},
+		AllowCredentials:    true,
+		AllowPrivateNetwork: true,
+		MaxAge:              24 * time.Hour,
+	}
+
+	k := kid.New()
+	k.Use(NewCorsWithConfig(cfg))
+
+	res := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodOptions, "/test", nil)
+	req.Header.Add("Access-Control-Request-Method", http.MethodPost)
+	req.Header.Add("Origin", "http://localhost:2376")
+	req.Header.Add("Access-Control-Request-Private-Network", "true")
+
+	k.ServeHTTP(res, req)
+
+	assert.Equal(t, http.StatusNoContent, res.Code)
+	assert.Equal(t, "Origin", res.Header().Get("Vary"))
+	assert.Equal(t, "http://localhost:2376", res.Header().Get("Access-Control-Allow-Origin"))
+	assert.Equal(t, "GET, POST", res.Header().Get("Access-Control-Allow-Methods"))
+	assert.Equal(t, "Content-Type, Accept", res.Header().Get("Access-Control-Allow-Headers"))
+	assert.Equal(t, "User-Agent", res.Header().Get("Access-Control-Expose-Headers"))
+	assert.Equal(t, "true", res.Header().Get("Access-Control-Allow-Credentials"))
+	assert.Equal(t, "true", res.Header().Get("Access-Control-Allow-Private-Network"))
+	assert.Equal(t, "86400", res.Header().Get("Access-Control-Max-Age"))
+
+	res = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodOptions, "/test", nil)
+	req.Header.Add("Access-Control-Request-Method", http.MethodPost)
+
+	k.ServeHTTP(res, req)
+	assert.Equal(t, http.StatusNotFound, res.Code)
+	assert.Empty(t, res.Header().Get("Access-Control-Allow-Origin"))
+
+	res = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodOptions, "/test", nil)
+	req.Header.Add("Access-Control-Request-Method", http.MethodPost)
+	req.Header.Add("Origin", "http://localhost:4000")
+
+	k.ServeHTTP(res, req)
+
+	assert.Equal(t, http.StatusNotFound, res.Code)
+	assert.Empty(t, res.Header().Get("Access-Control-Allow-Origin"))
+}