CORS middleware. And fix middleware types for logging and securityheaders.

internal/middleware/cors.go

@@ -0,0 +1,121 @@
+package middleware
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+// CORSConfig defines the configuration options for CORS middleware
+type CORSConfig struct {
+	// AllowedOrigins defines the origins that are allowed to access the resource
+	AllowedOrigins []string
+
+	// AllowedMethods defines the HTTP methods that are allowed
+	AllowedMethods []string
+
+	// AllowedHeaders defines the headers that are allowed in requests
+	AllowedHeaders []string
+
+	// ExposedHeaders defines the headers that can be read by the browser
+	ExposedHeaders []string
+
+	// AllowCredentials defines whether cookies, HTTP authentication and client SSL
+	// certificates can be transmitted in cross-origin requests
+	AllowCredentials bool
+
+	// MaxAge defines how long (in seconds) the results of a preflight request can be cached
+	MaxAge int
+}
+
+// DefaultCORSConfig returns a default configuration for CORS middleware
+func DefaultCORSConfig() CORSConfig {
+	return CORSConfig{
+		AllowedOrigins:   []string{},
+		AllowedMethods:   []string{"GET"},
+		AllowedHeaders:   []string{},
+		ExposedHeaders:   []string{},
+		AllowCredentials: false,
+		MaxAge:           0,
+	}
+}
+
+// CORS middleware handles Cross-Origin Resource Sharing
+func CORS(config CORSConfig) Middleware {
+	// Precompute values for better performance
+	allowedOriginsMap := make(map[string]bool)
+	for _, origin := range config.AllowedOrigins {
+		allowedOriginsMap[origin] = true
+	}
+
+	allowAllOrigins := allowedOriginsMap["*"]
+	allowedMethodsValue := strings.Join(config.AllowedMethods, ", ")
+	allowedHeadersValue := strings.Join(config.AllowedHeaders, ", ")
+	exposedHeadersValue := strings.Join(config.ExposedHeaders, ", ")
+
+	// Convert MaxAge to a string once
+	var maxAgeValue string
+	if config.MaxAge > 0 {
+		maxAgeValue = strconv.Itoa(config.MaxAge)
+	}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get("Origin")
+
+			// Skip if no Origin header is present (same-origin request)
+			if origin == "" {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Check if the origin is allowed
+			var allowedOrigin string
+			if allowAllOrigins {
+				allowedOrigin = origin
+			} else if allowedOriginsMap[origin] {
+				allowedOrigin = origin
+			}
+
+			// Preflight OPTIONS request
+			if r.Method == http.MethodOptions {
+				// Set allowed methods
+				w.Header().Set("Access-Control-Allow-Methods", allowedMethodsValue)
+
+				// Set allowed headers
+				if len(allowedHeadersValue) > 0 {
+					w.Header().Set("Access-Control-Allow-Headers", allowedHeadersValue)
+				}
+
+				// Set max age for preflight request caching
+				if maxAgeValue != "" {
+					w.Header().Set("Access-Control-Max-Age", maxAgeValue)
+				}
+			}
+
+			// Set allowed origin
+			if allowedOrigin != "" {
+				w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
+			}
+
+			// Set exposed headers
+			if len(exposedHeadersValue) > 0 {
+				w.Header().Set("Access-Control-Expose-Headers", exposedHeadersValue)
+			}
+
+			// Set allow credentials
+			if config.AllowCredentials {
+				w.Header().Set("Access-Control-Allow-Credentials", "true")
+			}
+
+			// If it's a preflight request, we're done
+			if r.Method == http.MethodOptions {
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+
+			// Process the actual request
+			next.ServeHTTP(w, r)
+		})
+	}
+}