(next http.Handler)
| 326 | } |
| 327 | |
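// corsMiddleware wraps next with CORS response headers for cross-origin
// browser requests.
//
// If the request has an Origin header that s.isAllowedOrigin accepts, that
// origin is echoed in Access-Control-Allow-Origin together with
// Access-Control-Allow-Credentials: true and the fixed method and header
// lists. An OPTIONS request from such an origin is answered here with
// 204 No Content and never reaches next. Every other request is forwarded to
// next without CORS headers; a rejected origin is also passed to
// s.logCORSRejection.
//
// Security notes:
//   - The origin is reflected alongside Allow-Credentials: true, so the
//     whole policy rests on isAllowedOrigin.
//     NOTE(review): isAllowedOrigin is not visible here. Confirm it compares
//     the full scheme://host[:port] against an allow-list (no prefix, suffix
//     or substring matching) and does not accept the literal "null".
//   - Vary: Origin is set on every response, not only the allowed branch.
//     The response headers depend on Origin in all cases, so a shared cache
//     must never reuse a response produced for one origin for another.
//   - This is not access control. Requests from rejected origins are still
//     handled by next; CORS only limits what the calling page may read.
//     State-changing endpoints need their own authentication/CSRF checks.
func (s *Server) corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := w.Header()
		// Added before any branch: the presence or absence of the CORS
		// headers below is itself a function of the Origin request header.
		hdr.Add("Vary", "Origin")

		origin := strings.TrimSpace(r.Header.Get("Origin"))
		if origin == "" {
			// Not a cross-origin browser request; nothing to negotiate.
			next.ServeHTTP(w, r)
			return
		}

		if !s.isAllowedOrigin(r, origin) {
			// No CORS headers are emitted, so the browser withholds the
			// response from the calling page. The request itself still runs.
			s.logCORSRejection(origin)
			next.ServeHTTP(w, r)
			return
		}

		hdr.Set("Access-Control-Allow-Origin", origin)
		hdr.Set("Access-Control-Allow-Credentials", "true")
		hdr.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
		hdr.Set("Access-Control-Allow-Headers", "Content-Type, Authorization, If-Match")

		if r.Method == http.MethodOptions {
			// Preflight from an allowed origin: answer here, skip next.
			w.WriteHeader(http.StatusNoContent)
			return
		}

		next.ServeHTTP(w, r)
	})
}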
| 349 | |
| 350 | // logCORSRejection emits one log line per unique origin so a |
| 351 | // misconfigured ZENNOTES_ALLOWED_ORIGINS surfaces in operator logs |