package middleware
import (
"authentication/helper"
"net/http"
"os"
"strings"
)
// defaultFrontendOrigin is the single origin admitted when FRONTEND_ORIGINS is
// unset or blank. It is a plain-HTTP localhost address, presumably a local dev
// server; deployed environments should set FRONTEND_ORIGINS explicitly so this
// fallback never becomes the effective allowlist.
const defaultFrontendOrigin = "http://localhost:5173"

// allowedFrontendOrigins returns the set of origins read from the
// comma-separated FRONTEND_ORIGINS environment variable, falling back to
// defaultFrontendOrigin when the variable is empty or whitespace only.
//
// Each entry is trimmed of surrounding whitespace and stored verbatim; empty
// entries are dropped. No other normalisation happens: case, a trailing slash,
// an explicit default port or a wildcard are all kept as literal text, so an
// entry must be written exactly as the value it is meant to match.
//
// The environment is re-read and a fresh map is built on every call.
func allowedFrontendOrigins() map[string]struct{} {
	configured := os.Getenv("FRONTEND_ORIGINS")
	if strings.TrimSpace(configured) == "" {
		configured = defaultFrontendOrigin
	}

	set := map[string]struct{}{}
	for _, entry := range strings.Split(configured, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			// Skip blanks produced by stray or trailing commas.
			continue
		}
		set[entry] = struct{}{}
	}

	return set
}
// FrontendOriginWhitelist wraps next with a check on the request's Origin
// header. A request with no Origin (or a whitespace-only one) is answered with
// 400 "missing origin header"; a request whose trimmed Origin is not an exact
// key in allowedFrontendOrigins() is answered with 403 "forbidden origin".
// Only requests that pass both checks reach next.
//
// The match is an exact, case-sensitive string lookup against the configured
// entries. The allowlist is rebuilt from the environment on each request that
// carries an Origin header.
//
// NOTE(review): Origin is a client-supplied header. Browsers set it themselves,
// which makes this useful for restricting cross-site browser requests, but a
// non-browser client can send any value. Treat this middleware as a
// complement to authentication and authorization, not a replacement for them.
//
// NOTE(review): browsers do not attach Origin to every request (for example,
// plain navigations), so routes behind this middleware will reject those with
// 400. Confirm that is intended for each route it is mounted on.
func FrontendOriginWhitelist(next http.Handler) http.Handler {
	guard := func(w http.ResponseWriter, r *http.Request) {
		requestOrigin := strings.TrimSpace(r.Header.Get("Origin"))
		if requestOrigin == "" {
			helper.RespondWithError(w, http.StatusBadRequest, "missing origin header")
			return
		}

		// The allowlist is consulted only once an Origin is present.
		_, permitted := allowedFrontendOrigins()[requestOrigin]
		if !permitted {
			helper.RespondWithError(w, http.StatusForbidden, "forbidden origin")
			return
		}

		next.ServeHTTP(w, r)
	}

	return http.HandlerFunc(guard)
}