From 6b1abb404fc823be1bd0e2eeb21faaec25d03c99 Mon Sep 17 00:00:00 2001
From: Elias Nahum
Date: Wed, 2 Mar 2016 21:24:40 -0300
Subject: Set CORS Headers when needed if CORS is enabled

- Enable CORS with and without RateLimiter
---
 api/context.go | 59 ++++++++++++++++++++++++----------------------------------
 1 file changed, 24 insertions(+), 35 deletions(-)

(limited to 'api/context.go')

diff --git a/api/context.go b/api/context.go
index 918ba3557..edcdcbfef 100644
--- a/api/context.go
+++ b/api/context.go
@@ -21,6 +21,15 @@ import (
 
 var sessionCache *utils.Cache = utils.NewLru(model.SESSION_CACHE_SIZE)
 
+var allowedMethods []string = []string{
+ "POST",
+ "GET",
+ "OPTIONS",
+ "PUT",
+ "PATCH",
+ "DELETE",
+}
+
 type Context struct {
 Session model.Session
 RequestId string
@@ -166,10 +175,6 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // All api response bodies will be JSON formatted by default
 w.Header().Set("Content-Type", "application/json")
 
- if len(*utils.Cfg.ServiceSettings.AllowCorsFrom) > 0 {
- w.Header().Set("Access-Control-Allow-Origin", *utils.Cfg.ServiceSettings.AllowCorsFrom)
- }
-
 if r.Method == "GET" {
 w.Header().Set("Expires", "0")
 }
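Review bot: The new package-level `allowedMethods` in the first hunk carries a redundant explicit type and has no doc comment; `var allowedMethods = []string{` is the idiomatic form, and a comment such as `// allowedMethods is the Access-Control-Allow-Methods value advertised on CORS preflight responses.` would tell a reader why it now lives at package scope. Since the slice is only ever joined into a header value (in the CorsWrapper hunk further down), it could equally be kept as a single pre-joined string constant, which also avoids a mutable package-level slice. Both are style points and imply no behaviour change.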
@@ -238,38 +243,22 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 }
 
-func (cw *CorsWrapper) ServeHTTP(
- w http.ResponseWriter,
- r *http.Request) {
- allowedMethods := []string{
- "POST",
- "GET",
- "OPTIONS",
- "PUT",
- "PATCH",
- "DELETE",
- }
-
- allowedHeaders := []string{
- "Accept",
- "Content-Type",
- "Content-Length",
- "Accept-Encoding",
- "Authorization",
- "X-CSRF-Token",
- "X-Auth-Token",
- }
-
+func (cw *CorsWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 if len(*utils.Cfg.ServiceSettings.AllowCorsFrom) > 0 {
- w.Header().Set("Access-Control-Allow-Origin", *utils.Cfg.ServiceSettings.AllowCorsFrom)
-
- w.Header().Set(
- "Access-Control-Allow-Methods",
- strings.Join(allowedMethods, ", "))
-
- w.Header().Set(
- "Access-Control-Allow-Headers",
- strings.Join(allowedHeaders, ", "))
+ origin := r.Header.Get("Origin")
+ if *utils.Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(*utils.Cfg.ServiceSettings.AllowCorsFrom, origin) {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+
+ if r.Method == "OPTIONS" {
+ w.Header().Set(
+ "Access-Control-Allow-Methods",
+ strings.Join(allowedMethods, ", "))
+
+ w.Header().Set(
+ "Access-Control-Allow-Headers",
+ r.Header.Get("Access-Control-Request-Headers"))
+ }
+ }
 }
 
 if r.Method == "OPTIONS" {
-- 
cgit v1.2.3-1-g7c22
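Review bot: The origin check on the new `if` line uses `strings.Contains(allowFrom, origin)`, which is a substring test rather than an origin comparison: any `Origin` value that happens to be a substring of the configured setting is accepted and echoed back in `Access-Control-Allow-Origin`, and because `strings.Contains(s, "")` is always true a request with no `Origin` header passes as well. The check should compare the request origin for equality against the configured value, or against each entry if the setting is meant to hold several origins (the page does not show its format), and skip the header entirely when `origin` is empty. Because the allowed origin is now echoed rather than fixed, the response should also carry `Vary: Origin` so a shared cache does not serve one origin's `Access-Control-Allow-Origin` to another. Separately, `Access-Control-Allow-Headers` now reflects `Access-Control-Request-Headers` verbatim, which permits every header the client asks for; if that is intended it deserves a comment, otherwise the previous fixed list was the narrower default. CorsWrapper.ServeHTTP continues past the end of the hunk.
```go
// originAllowed reports whether origin exactly equals one of the
// whitespace-separated entries in allowFrom. Assumes the setting lists
// origins separated by spaces; adjust the split if it uses commas.
func originAllowed(allowFrom, origin string) bool {
	for _, allowed := range strings.Fields(allowFrom) {
		if allowed == origin {
			return true
		}
	}
	return false
}

func (cw *CorsWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	allowFrom := *utils.Cfg.ServiceSettings.AllowCorsFrom
	if len(allowFrom) > 0 {
		origin := r.Header.Get("Origin")
		// Exact match only; a substring test would accept unrelated origins
		// and the empty Origin of a non-browser request.
		if origin != "" && (allowFrom == "*" || originAllowed(allowFrom, origin)) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			// … unchanged: preflight Allow-Methods / Allow-Headers block …
		}
	}
	// … unchanged: OPTIONS short-circuit …
```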