Added logic to handle CORS allowed origins and aborting request for n…

…on-allowed origins
DiceDB · Dec 26, 2024 · 7ea1922 · 7ea1922
1 parent b0302d9
commit 7ea1922
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/main.go b/main.go
@@ -47,10 +47,36 @@ func main() {
 
 	// CORS middleware
 	router.Use(func(c *gin.Context) {
-		c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		origin := c.Request.Header.Get("Origin")
+		allowedOrigins := configValue.Server.AllowedOrigins
+		isAllowed := false
+
+		if len(allowedOrigins) == 0 {
+			// Allow all origins, if none are specified in config
+			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		} else {
+			for _, allowedOrigin := range allowedOrigins {
+				if origin == allowedOrigin {
+					isAllowed = true
+					break
+				}
+			}
+
+			if isAllowed {
+				c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
+			} else {
+				http.Error(c.Writer, "403 - Forbidden", http.StatusForbidden)
+				c.Abort()
+				return
+			}
+		}
 		c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+
 		if c.Request.Method == "OPTIONS" {
+			if len(allowedOrigins) == 0 || isAllowed {
+				c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
+			}
 			c.AbortWithStatus(http.StatusOK)
 			return
 		}