Refactor CORS and CSRF middleware to use options directly and remove default config functions

cmd/start.go

@@ -11,6 +11,7 @@ import (
 	"git.coopcloud.tech/wiki-cafe/member-console/internal/auth"
 	"git.coopcloud.tech/wiki-cafe/member-console/internal/logging"
 	"git.coopcloud.tech/wiki-cafe/member-console/internal/middleware"
+	"github.com/rs/cors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -50,11 +51,14 @@ var startCmd = &cobra.Command{
 		// Register auth handlers
 		authConfig.RegisterHandlers(httpRequestRouter)
 
-		// Create CORS configuration
-		corsConfig := middleware.DefaultCORSConfig()
+		// Create CORS configuration with default options
+		corsOptions := cors.Options{
+			// Define minimal defaults - GET method is required
+			AllowedMethods: []string{"GET"},
+		}
 		
-		// Start with minimal default configuration
-		csrfConfig := middleware.DefaultCSRFConfig()
+		// Create empty CSRF configuration with default values
+		var csrfConfig middleware.CSRFConfig
 		
 		// Set CSRF secret from config or generate a random one
 		csrfSecret := viper.GetString("csrf-secret")
@@ -94,7 +98,7 @@ var startCmd = &cobra.Command{
 			middleware.Timeout(32*time.Second), // Set request timeout
 			middleware.MaxBodySize(1024*1024),  // 1MB size limit
 			middleware.SecureHeaders(),         // Set secure headers
-			middleware.CORS(corsConfig),        // CORS configuration
+			middleware.CORS(corsOptions),       // CORS configuration
 			middleware.CSRF(csrfConfig),        // CSRF protection
 			authConfig.Middleware(),            // OIDC authentication middleware
 		)

internal/middleware/cors.go

@@ -6,38 +6,12 @@ import (
 	"github.com/rs/cors"
 )
 
-type CORSConfig struct {
-	AllowedOrigins   []string
-	AllowedMethods   []string
-	AllowedHeaders   []string
-	ExposedHeaders   []string
-	AllowCredentials bool
-	MaxAge           int
-}
-
-func DefaultCORSConfig() CORSConfig {
-	return CORSConfig{
-		AllowedOrigins:   []string{},
-		AllowedMethods:   []string{"GET"},
-		AllowedHeaders:   []string{},
-		ExposedHeaders:   []string{},
-		AllowCredentials: false,
-		MaxAge:           0,
-	}
-}
-
 // CORS middleware handles Cross-Origin Resource Sharing
-func CORS(config CORSConfig) Middleware {
-	c := cors.New(cors.Options{
-		AllowedOrigins:   config.AllowedOrigins,
-		AllowedMethods:   config.AllowedMethods,
-		AllowedHeaders:   config.AllowedHeaders,
-		ExposedHeaders:   config.ExposedHeaders,
-		AllowCredentials: config.AllowCredentials,
-		MaxAge:           config.MaxAge,
-	})
+func CORS(options cors.Options) Middleware {
+	// Create a CORS handler with the provided options
+	c := cors.New(options)
 
 	return func(next http.Handler) http.Handler {
 		return c.Handler(next)
 	}
-}
+}

internal/middleware/csrf.go

@@ -43,16 +43,6 @@ type CSRFConfig struct {
 	Ignore []func(r *http.Request) bool
 }
 
-// DefaultCSRFConfig returns a minimal configuration for CSRF middleware
-// It only sets values that must be provided, allowing the CSRF package
-// to use its own defaults for everything else.
-func DefaultCSRFConfig() CSRFConfig {
-	return CSRFConfig{
-		Secret: nil, // Must be set by the application
-		Ignore: []func(r *http.Request) bool{},
-	}
-}
-
 // CSRF middleware provides Cross-Site Request Forgery protection
 func CSRF(config CSRFConfig) Middleware {
 	// Only set options that are explicitly configured
@@ -105,10 +95,12 @@ func CSRF(config CSRFConfig) Middleware {
 				if r.URL.Path == config.Path || (len(r.URL.Path) >= len(config.Path) &&
 					r.URL.Path[:len(config.Path)] == config.Path) {
 					// Check if the request should be ignored
-					for _, ignoreFunc := range config.Ignore {
-						if ignoreFunc(r) {
-							next.ServeHTTP(w, r)
-							return
+					if config.Ignore != nil {
+						for _, ignoreFunc := range config.Ignore {
+							if ignoreFunc(r) {
+								next.ServeHTTP(w, r)
+								return
+							}
 						}
 					}
 					csrfHandler(next).ServeHTTP(w, r)