diff --git a/cmd/start.go b/cmd/start.go
index bc84f45..49676a8 100644
--- a/cmd/start.go
+++ b/cmd/start.go
@@ -11,6 +11,7 @@ import (
  "git.coopcloud.tech/wiki-cafe/member-console/internal/auth"
  "git.coopcloud.tech/wiki-cafe/member-console/internal/logging"
  "git.coopcloud.tech/wiki-cafe/member-console/internal/middleware"
+ "github.com/rs/cors"
  "github.com/spf13/cobra"
  "github.com/spf13/viper"
 )
@@ -50,11 +51,14 @@ var startCmd = &cobra.Command{
  // Register auth handlers
  authConfig.RegisterHandlers(httpRequestRouter)
 
- // Create CORS configuration
- corsConfig := middleware.DefaultCORSConfig()
+ // Create CORS configuration with default options
+ corsOptions := cors.Options{
+ // Define minimal defaults - GET method is required
+ AllowedMethods: []string{"GET"},
+ }
 
- // Start with minimal default configuration
- csrfConfig := middleware.DefaultCSRFConfig()
+ // Create empty CSRF configuration with default values
+ var csrfConfig middleware.CSRFConfig
 
  // Set CSRF secret from config or generate a random one
  csrfSecret := viper.GetString("csrf-secret")
@@ -94,7 +98,7 @@ var startCmd = &cobra.Command{
  middleware.Timeout(32*time.Second), // Set request timeout
  middleware.MaxBodySize(1024*1024), // 1MB size limit
  middleware.SecureHeaders(), // Set secure headers
- middleware.CORS(corsConfig), // CORS configuration
+ middleware.CORS(corsOptions), // CORS configuration
  middleware.CSRF(csrfConfig), // CSRF protection
  authConfig.Middleware(), // OIDC authentication middleware
 )
diff --git a/internal/middleware/cors.go b/internal/middleware/cors.go
index daed6f2..dc83f7a 100644
--- a/internal/middleware/cors.go
+++ b/internal/middleware/cors.go
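Review bot: `corsOptions` leaves `AllowedOrigins` unset, and per the rs/cors documentation an empty origin list means every origin is allowed (`Access-Control-Allow-Origin: *`), so the comment "Define minimal defaults" understates what this configuration permits; the removed `DefaultCORSConfig` passed an empty slice and so behaved the same way, but the choice is now invisible at the call site. Make it explicit, either by populating `AllowedOrigins` from configuration (the way `csrf-secret` is read via viper a few lines below) or with a comment such as `// AllowedOrigins left empty: rs/cors then allows any origin ("*"); AllowCredentials stays false so cookies are never sent cross-origin`. Keeping `AllowCredentials` at its false zero value, as here, is what keeps the wildcard origin from being combined with credentials, and that should be stated rather than relied on silently. The enclosing `Run` function of `startCmd` starts and ends outside this hunk.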
@@ -6,38 +6,12 @@ import (
  "github.com/rs/cors"
 )
 
-type CORSConfig struct {
- AllowedOrigins []string
- AllowedMethods []string
- AllowedHeaders []string
- ExposedHeaders []string
- AllowCredentials bool
- MaxAge int
-}
-
-func DefaultCORSConfig() CORSConfig {
- return CORSConfig{
- AllowedOrigins: []string{},
- AllowedMethods: []string{"GET"},
- AllowedHeaders: []string{},
- ExposedHeaders: []string{},
- AllowCredentials: false,
- MaxAge: 0,
- }
-}
-
 // CORS middleware handles Cross-Origin Resource Sharing
-func CORS(config CORSConfig) Middleware {
- c := cors.New(cors.Options{
- AllowedOrigins: config.AllowedOrigins,
- AllowedMethods: config.AllowedMethods,
- AllowedHeaders: config.AllowedHeaders,
- ExposedHeaders: config.ExposedHeaders,
- AllowCredentials: config.AllowCredentials,
- MaxAge: config.MaxAge,
- })
+func CORS(options cors.Options) Middleware {
+ // Create a CORS handler with the provided options
+ c := cors.New(options)
 
  return func(next http.Handler) http.Handler {
  return c.Handler(next)
  }
-}
+}
\ No newline at end of file
diff --git a/internal/middleware/csrf.go b/internal/middleware/csrf.go
index 81de5c6..55050aa 100644
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -43,16 +43,6 @@ type CSRFConfig struct {
  Ignore []func(r *http.Request) bool
 }
 
-// DefaultCSRFConfig returns a minimal configuration for CSRF middleware
-// It only sets values that must be provided, allowing the CSRF package
-// to use its own defaults for everything else.
-func DefaultCSRFConfig() CSRFConfig {
- return CSRFConfig{
- Secret: nil, // Must be set by the application
- Ignore: []func(r *http.Request) bool{},
- }
-}
-
 // CSRF middleware provides Cross-Site Request Forgery protection
 func CSRF(config CSRFConfig) Middleware {
  // Only set options that are explicitly configured
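Review bot: The doc comment `// CORS middleware handles Cross-Origin Resource Sharing` no longer describes the contract now that `CORS` takes a `cors.Options` and passes it straight to `cors.New`; the exported signature now exposes the third-party type, and every field the caller leaves zero takes rs/cors's own default (notably any origin when `AllowedOrigins` is empty) rather than anything this package chooses. Suggest replacing the comment with `// CORS returns a Middleware that wraps next in the rs/cors handler built from options.` followed by `// Zero fields in options take rs/cors defaults (an empty AllowedOrigins allows any origin), so callers should set AllowedOrigins deliberately.` The file also now ends without a trailing newline (`\ No newline at end of file`), which gofmt will put back on the next save.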
@@ -105,10 +95,12 @@ func CSRF(config CSRFConfig) Middleware {
  if r.URL.Path == config.Path ||
  (len(r.URL.Path) >= len(config.Path) && r.URL.Path[:len(config.Path)] == config.Path) {
  // Check if the request should be ignored
- for _, ignoreFunc := range config.Ignore {
- if ignoreFunc(r) {
- next.ServeHTTP(w, r)
- return
+ if config.Ignore != nil {
+ for _, ignoreFunc := range config.Ignore {
+ if ignoreFunc(r) {
+ next.ServeHTTP(w, r)
+ return
+ }
  }
  }
  csrfHandler(next).ServeHTTP(w, r)
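Review bot: The added `if config.Ignore != nil {` guard is redundant: ranging over a nil slice in Go is a no-op, so the original `for _, ignoreFunc := range config.Ignore {` already handled the zero-value `CSRFConfig` that `start.go` now passes, and the extra nesting only makes the CSRF-bypass path harder to audit. Suggest dropping the guard and keeping the loop as it was. If the point was to make the nil case visible to readers, a comment `// config.Ignore may be nil (zero-value CSRFConfig); range over nil is a no-op` says it without changing the shape of the code. The enclosing handler closure and `CSRF` itself begin and end outside this hunk.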