gotosocial/internal/middleware/cors.go
Daenney 5e2bf0bdca
[chore] Improve copyright header handling (#1608)
* [chore] Remove years from all license headers

Years or year ranges aren't required in license headers. Many projects
have removed them in recent years and it avoids a bit of yearly toil.

In many cases our copyright claim was also a bit dodgy since we added
the 2021-2023 header to files created after 2021 but you can't claim
copyright into the past that way.

* [chore] Add license header check

This ensures a license header is always added to any new file. This
avoids maintainers/reviewers needing to remember to check for and ask
for it in case a contribution doesn't include it.

* [chore] Add missing license headers

* [chore] Further updates to license header

* Use the more common // indentend comment format
* Remove the hack we had for the linter now that we use the // format
* Add SPDX license identifier
2023-03-12 16:00:57 +01:00

85 lines
2.2 KiB
Go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package middleware
import (
"time"
"github.com/gin-contrib/cors"
"github.com/gin-gonic/gin"
)
// CORS returns a new gin middleware which allows CORS requests to be processed.
// This is necessary in order for web/browser-based clients like Pinafore to work.
func CORS() gin.HandlerFunc {
cfg := cors.Config{
// todo: use config to customize this
AllowAllOrigins: true,
// adds the following:
// "chrome-extension://"
// "safari-extension://"
// "moz-extension://"
// "ms-browser-extension://"
AllowBrowserExtensions: true,
AllowMethods: []string{
"POST",
"PUT",
"DELETE",
"GET",
"PATCH",
"OPTIONS",
},
AllowHeaders: []string{
// basic cors stuff
"Origin",
"Content-Length",
"Content-Type",
// needed to pass oauth bearer tokens
"Authorization",
// needed for websocket upgrade requests
"Upgrade",
"Sec-WebSocket-Extensions",
"Sec-WebSocket-Key",
"Sec-WebSocket-Protocol",
"Sec-WebSocket-Version",
"Connection",
},
AllowWebSockets: true,
ExposeHeaders: []string{
// needed for accessing next/prev links when making GET timeline requests
"Link",
// needed so clients can handle rate limits
"X-RateLimit-Reset",
"X-RateLimit-Limit",
"X-RateLimit-Remaining",
"X-Request-Id",
// websocket stuff
"Connection",
"Sec-WebSocket-Accept",
"Upgrade",
},
MaxAge: 2 * time.Minute,
}
return cors.New(cfg)
}