feat: CORS组件支持使用配置文件更灵活的配置处理跨域的逻辑;

3e1c04c3 · ShadowWalker · f3a7c67e · 3e1c04c3 · 3e1c04c3 · 3e1c04c3
6 changed file
--- a/server/config.docker.yaml
+++ b/server/config.docker.yaml
@@ -135,3 +135,19 @@ Timer:
    { tableName: "sys_operation_records" , compareField: "created_at", interval: "2160h" },
    #{ tableName: "log2" , compareField: "created_at", interval: "2160h" }
  ]
+
+# 跨域配置
+# 需要配合 server/initialize/router.go#L32 使用
+cors:
+  mode: whitelist # 放行模式: allow-all, 放行全部; whitelist, 白名单模式, 来自白名单内域名的请求添加 cors 头; strict-whitelist 严格白名单模式, 白名单外的请求一律拒绝
+  whitelist:
+    - allow-origin: example1.com
+      allow-headers: content-type
+      allow-methods: GET, POST
+      expose-headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
+      allow-credentials: true # 布尔值
+    - allow-origin: example2.com
+      allow-headers: content-type
+      allow-methods: GET, POST
+      expose-headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
+      allow-credentials: true # 布尔值
--- a/server/config.yaml
+++ b/server/config.yaml
@@ -179,4 +179,18 @@ Timer:
    #{ tableName: "log2" , compareField: "created_at", interval: "2160h" }
  ]

-
+# 跨域配置
+# 需要配合 server/initialize/router.go#L32 使用
+cors:
+  mode: whitelist # 放行模式: allow-all, 放行全部; whitelist, 白名单模式, 来自白名单内域名的请求添加 cors 头; strict-whitelist 严格白名单模式, 白名单外的请求一律拒绝
+  whitelist:
+    - allow-origin: example1.com
+      allow-headers: content-type
+      allow-methods: GET, POST
+      expose-headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
+      allow-credentials: true # 布尔值
+    - allow-origin: example2.com
+      allow-headers: content-type
+      allow-methods: GET, POST
+      expose-headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
+      allow-credentials: true # 布尔值
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -23,4 +23,7 @@ type Server struct {

 	Excel Excel `mapstructure:"excel" json:"excel" yaml:"excel"`
 	Timer Timer `mapstructure:"timer" json:"timer" yaml:"timer"`
+
+	// 跨域配置
+	Cors CORS `mapstructure:"cors" json:"cors" yaml:"cors"`
 }
--- a/server/config/cors.go
+++ b/server/config/cors.go
+package config
+
+type CORS struct {
+	Mode      string          `mapstructure:"mode" json:"mode" yaml:"mode"`
+	Whitelist []CORSWhitelist `mapstructure:"whitelist" json:"whitelist" yaml:"whitelist"`
+}
+
+type CORSWhitelist struct {
+	AllowOrigin      string `mapstructure:"allow-origin" json:"allow-origin" yaml:"allow-origin"`
+	AllowMethods     string `mapstructure:"allow-methods" json:"allow-methods" yaml:"allow-methods"`
+	AllowHeaders     string `mapstructure:"allow-headers" json:"allow-headers" yaml:"allow-headers"`
+	ExposeHeaders    string `mapstructure:"expose-headers" json:"expose-headers" yaml:"expose-headers"`
+	AllowCredentials bool   `mapstructure:"allow-credentials" json:"allow-credentials" yaml:"allow-credentials"`
+}
--- a/server/initialize/router.go
+++ b/server/initialize/router.go
@@ -29,8 +29,9 @@ func Routers() *gin.Engine {
 	Router.StaticFS(global.GVA_CONFIG.Local.Path, http.Dir(global.GVA_CONFIG.Local.Path)) // 为用户头像和文件提供静态地址
 	// Router.Use(middleware.LoadTls())  // 打开就能玩https了
 	global.GVA_LOG.Info("use middleware logger")
-	// 跨域
-	//Router.Use(middleware.Cors()) // 如需跨域可以打开
+	// 跨域，如需跨域可以打开下面的注释
+	// Router.Use(middleware.Cors()) // 直接放行全部跨域请求
+	//Router.Use(middleware.CorsByRules()) // 按照配置的规则放行跨域请求
 	global.GVA_LOG.Info("use middleware cors")
 	Router.GET("/swagger/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))
 	global.GVA_LOG.Info("register swagger handler")

--- a/server/middleware/cors.go
+++ b/server/middleware/cors.go
 package middleware

 import (
+	"github.com/flipped-aurora/gin-vue-admin/server/config"
+	"github.com/flipped-aurora/gin-vue-admin/server/global"
 	"github.com/gin-gonic/gin"
 	"net/http"
 )

-// 处理跨域请求,支持options访问
+// Cors 直接放行所有跨域请求并放行所有 OPTIONS 方法
 func Cors() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		method := c.Request.Method
@@ -24,3 +26,48 @@ func Cors() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+// CorsByRules 按照配置处理跨域请求
+func CorsByRules() gin.HandlerFunc {
+	// 放行全部
+	if global.GVA_CONFIG.Cors.Mode == "allow-all" {
+		return Cors()
+	}
+	return func(c *gin.Context) {
+		whitelist := checkCors(c.GetHeader("origin"))
+
+		// 通过检查, 添加请求头
+		if whitelist != nil {
+			c.Header("Access-Control-Allow-Origin", whitelist.AllowOrigin)
+			c.Header("Access-Control-Allow-Headers", whitelist.AllowHeaders)
+			c.Header("Access-Control-Allow-Methods", whitelist.AllowMethods)
+			c.Header("Access-Control-Expose-Headers", whitelist.ExposeHeaders)
+			if whitelist.AllowCredentials {
+				c.Header("Access-Control-Allow-Credentials", "true")
+			}
+		}
+
+		// 严格白名单模式且未通过检查，直接拒绝处理请求
+		if whitelist == nil && global.GVA_CONFIG.Cors.Mode == "strict-whitelist" {
+			c.AbortWithStatus(http.StatusForbidden)
+		} else {
+			// 非严格白名单模式，无论是否通过检查均放行所有 OPTIONS 方法
+			if c.Request.Method == "OPTIONS" {
+				c.AbortWithStatus(http.StatusNoContent)
+			}
+		}
+
+		// 处理请求
+		c.Next()
+	}
+}
+
+func checkCors(currentOrigin string) *config.CORSWhitelist {
+	for _, whitelist := range global.GVA_CONFIG.Cors.Whitelist {
+		// 遍历配置中的跨域头，寻找匹配项
+		if currentOrigin == whitelist.AllowOrigin {
+			return &whitelist
+		}
+	}
+	return nil
+}