feat: CORS组件支持使用配置文件更灵活的配置处理跨域的逻辑;

2021-12-10 22:56:18 +08:00
parent f899b927cf
commit 8bcd7a7a2c
6 changed files with 99 additions and 4 deletions
--- a/server/middleware/cors.go
+++ b/server/middleware/cors.go
@@ -1,11 +1,13 @@
 package middleware

 import (
+	"github.com/flipped-aurora/gin-vue-admin/server/config"
+	"github.com/flipped-aurora/gin-vue-admin/server/global"
 	"github.com/gin-gonic/gin"
 	"net/http"
 )

-// 处理跨域请求,支持options访问
+// Cors 直接放行所有跨域请求并放行所有 OPTIONS 方法
 func Cors() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		method := c.Request.Method
@@ -24,3 +26,48 @@ func Cors() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+// CorsByRules 按照配置处理跨域请求
+func CorsByRules() gin.HandlerFunc {
+	// 放行全部
+	if global.GVA_CONFIG.Cors.Mode == "allow-all" {
+		return Cors()
+	}
+	return func(c *gin.Context) {
+		whitelist := checkCors(c.GetHeader("origin"))
+
+		// 通过检查, 添加请求头
+		if whitelist != nil {
+			c.Header("Access-Control-Allow-Origin", whitelist.AllowOrigin)
+			c.Header("Access-Control-Allow-Headers", whitelist.AllowHeaders)
+			c.Header("Access-Control-Allow-Methods", whitelist.AllowMethods)
+			c.Header("Access-Control-Expose-Headers", whitelist.ExposeHeaders)
+			if whitelist.AllowCredentials {
+				c.Header("Access-Control-Allow-Credentials", "true")
+			}
+		}
+
+		// 严格白名单模式且未通过检查，直接拒绝处理请求
+		if whitelist == nil && global.GVA_CONFIG.Cors.Mode == "strict-whitelist" {
+			c.AbortWithStatus(http.StatusForbidden)
+		} else {
+			// 非严格白名单模式，无论是否通过检查均放行所有 OPTIONS 方法
+			if c.Request.Method == "OPTIONS" {
+				c.AbortWithStatus(http.StatusNoContent)
+			}
+		}
+
+		// 处理请求
+		c.Next()
+	}
+}
+
+func checkCors(currentOrigin string) *config.CORSWhitelist {
+	for _, whitelist := range global.GVA_CONFIG.Cors.Whitelist {
+		// 遍历配置中的跨域头，寻找匹配项
+		if currentOrigin == whitelist.AllowOrigin {
+			return &whitelist
+		}
+	}
+	return nil
+}