From af3a2ff17cf4ba97ad4b6d482798250dd62aee01 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sun, 26 May 2019 19:25:51 -0700 Subject: [PATCH 01/16] More sensical CORSMethodMiddleware * Only sets Access-Control-Allow-Methods on valid preflight requests * Does not return after setting the Access-Control-Allow-Methods header * Does not append OPTIONS header to Access-Control-Allow-Methods regardless of whether there is an OPTIONS method matcher * Adds tests for the listed behavior --- middleware.go | 73 ++++++++++++++++++----------- middleware_test.go | 112 +++++++++++++++++++++++++++++++++------------ 2 files changed, 130 insertions(+), 55 deletions(-) diff --git a/middleware.go b/middleware.go index ceb812ce..3be59c9f 100644 --- a/middleware.go +++ b/middleware.go @@ -32,41 +32,60 @@ func (r *Router) useInterface(mw middleware) { r.middlewares = append(r.middlewares, mw) } -// CORSMethodMiddleware sets the Access-Control-Allow-Methods response header -// on a request, by matching routes based only on paths. It also handles -// OPTIONS requests, by settings Access-Control-Allow-Methods, and then -// returning without calling the next http handler. +// CORSMethodMiddleware automatically sets the Access-Control-Allow-Methods response header +// on preflight requests for routes that have an OPTIONS method matcher to all the method +// matchers on the route. See the example for usage. func CORSMethodMiddleware(r *Router) MiddlewareFunc { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - var allMethods []string + if isPreflight(req) { + allMethods, err := getAllMethodsForRoute(r, req) + if err == nil { + w.Header().Set("Access-Control-Allow-Methods", strings.Join(allMethods, ",")) + } + } - err := r.Walk(func(route *Route, _ *Router, _ []*Route) error { - for _, m := range route.matchers { - if _, ok := m.(*routeRegexp); ok { - if m.Match(req, &RouteMatch{}) { - methods, err := route.GetMethods() - if err != nil { - return err - } + next.ServeHTTP(w, req) + }) + } +} - allMethods = append(allMethods, methods...) - } - break - } - } - return nil - }) +// isPreflight returns true when the request is a valid preflight request according to the +// following rules from https://developer.mozilla.org/en-US/docs/Glossary/preflight_request: +// * The request method is OPTIONS +// * The request has a non-empty Access-Control-Request-Method header +// * The request has a non-empty Access-Control-Request-Headers header +// * The request has a non-empty Origin header +// and otherwise returns false. +func isPreflight(req *http.Request) bool { + requestMethod := req.Header.Get("Access-Control-Request-Method") + requestHeaders := req.Header.Get("Access-Control-Request-Headers") + origin := req.Header.Get("Origin") - if err == nil { - w.Header().Set("Access-Control-Allow-Methods", strings.Join(append(allMethods, "OPTIONS"), ",")) + return req.Method == http.MethodOptions && requestMethod != "" && requestHeaders != "" && origin != "" +} + +// getAllMethodsForRoute returns all the methods from method matchers matching a given +// request. +func getAllMethodsForRoute(r *Router, req *http.Request) ([]string, error) { + var allMethods []string + + err := r.Walk(func(route *Route, _ *Router, _ []*Route) error { + for _, m := range route.matchers { + if _, ok := m.(*routeRegexp); ok { + if m.Match(req, &RouteMatch{}) { + methods, err := route.GetMethods() + if err != nil { + return err + } - if req.Method == "OPTIONS" { - return + allMethods = append(allMethods, methods...) } + break } + } + return nil + }) - next.ServeHTTP(w, req) - }) - } + return allMethods, err } diff --git a/middleware_test.go b/middleware_test.go index 24016cbb..c8db06e8 100644 --- a/middleware_test.go +++ b/middleware_test.go @@ -3,7 +3,6 @@ package mux import ( "bytes" "net/http" - "net/http/httptest" "testing" ) @@ -337,42 +336,99 @@ func TestMiddlewareMethodMismatchSubrouter(t *testing.T) { } func TestCORSMethodMiddleware(t *testing.T) { - router := NewRouter() - - cases := []struct { - path string - response string - method string - testURL string - expectedAllowedMethods string + testCases := []struct { + name string + registerRoutes func(r *Router) + requestHeader http.Header + requestMethod string + requestPath string + expectedAccessControlAllowMethodsHeader string + expectedResponse string }{ - {"/g/{o}", "a", "POST", "/g/asdf", "POST,PUT,GET,OPTIONS"}, - {"/g/{o}", "b", "PUT", "/g/bla", "POST,PUT,GET,OPTIONS"}, - {"/g/{o}", "c", "GET", "/g/orilla", "POST,PUT,GET,OPTIONS"}, - {"/g", "d", "POST", "/g", "POST,OPTIONS"}, + { + name: "does not set without OPTIONS matcher", + registerRoutes: func(r *Router) { + r.HandleFunc("/foo", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) + }, + requestMethod: "GET", + requestPath: "/foo", + expectedAccessControlAllowMethodsHeader: "", + expectedResponse: "a", + }, + { + name: "does not set on non OPTIONS", + registerRoutes: func(r *Router) { + r.HandleFunc("/foo", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) + r.HandleFunc("/foo", stringHandler("b")).Methods(http.MethodOptions) + }, + requestMethod: "GET", + requestPath: "/foo", + expectedAccessControlAllowMethodsHeader: "", + expectedResponse: "a", + }, + { + name: "does not set without preflight headers", + registerRoutes: func(r *Router) { + r.HandleFunc("/foo", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) + r.HandleFunc("/foo", stringHandler("b")).Methods(http.MethodOptions) + }, + requestMethod: "OPTIONS", + requestPath: "/foo", + expectedAccessControlAllowMethodsHeader: "", + expectedResponse: "b", + }, + { + name: "does not set on error", + registerRoutes: func(r *Router) { + r.HandleFunc("/foo", stringHandler("a")) + }, + requestMethod: "OPTIONS", + requestPath: "/foo", + expectedAccessControlAllowMethodsHeader: "", + expectedResponse: "a", + }, + { + name: "sets header on valid preflight", + registerRoutes: func(r *Router) { + r.HandleFunc("/foo", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) + r.HandleFunc("/foo", stringHandler("b")).Methods(http.MethodOptions) + }, + requestMethod: "OPTIONS", + requestPath: "/foo", + requestHeader: http.Header{ + "Access-Control-Request-Method": []string{"GET"}, + "Access-Control-Request-Headers": []string{"Authorization"}, + "Origin": []string{"http://example.com"}, + }, + expectedAccessControlAllowMethodsHeader: "GET,PUT,PATCH,OPTIONS", + expectedResponse: "b", + }, } - for _, tt := range cases { - router.HandleFunc(tt.path, stringHandler(tt.response)).Methods(tt.method) - } + for _, tt := range testCases { + t.Run(tt.name, func(t *testing.T) { + router := NewRouter() - router.Use(CORSMethodMiddleware(router)) + tt.registerRoutes(router) - for _, tt := range cases { - rr := httptest.NewRecorder() - req := newRequest(tt.method, tt.testURL) + router.Use(CORSMethodMiddleware(router)) - router.ServeHTTP(rr, req) + rw := NewRecorder() + req := newRequest(tt.requestMethod, tt.requestPath) + req.Header = tt.requestHeader - if rr.Body.String() != tt.response { - t.Errorf("Expected body '%s', found '%s'", tt.response, rr.Body.String()) - } + router.ServeHTTP(rw, req) - allowedMethods := rr.Header().Get("Access-Control-Allow-Methods") + actualMethodsHeader := rw.Header().Get("Access-Control-Allow-Methods") + if actualMethodsHeader != tt.expectedAccessControlAllowMethodsHeader { + t.Fatalf("Expected Access-Control-Allow-Methods to equal %s but got %s", tt.expectedAccessControlAllowMethodsHeader, actualMethodsHeader) + } - if allowedMethods != tt.expectedAllowedMethods { - t.Errorf("Expected Access-Control-Allow-Methods '%s', found '%s'", tt.expectedAllowedMethods, allowedMethods) - } + actualResponse := rw.Body.String() + if actualResponse != tt.expectedResponse { + t.Fatalf("Expected response to equal %s but got %s", tt.expectedResponse, actualResponse) + } + }) } } From 26bc453c6fc6185631384857b273c67e19dfc34b Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sun, 26 May 2019 19:27:25 -0700 Subject: [PATCH 02/16] Add example for CORSMethodMiddleware --- example_cors_method_middleware_test.go | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 example_cors_method_middleware_test.go diff --git a/example_cors_method_middleware_test.go b/example_cors_method_middleware_test.go new file mode 100644 index 00000000..96272999 --- /dev/null +++ b/example_cors_method_middleware_test.go @@ -0,0 +1,37 @@ +package mux_test + +import ( + "fmt" + "net/http" + "net/http/httptest" + + "github.com/gorilla/mux" +) + +func ExampleCORSMethodMiddleware() { + r := mux.NewRouter() + + r.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) { + // Do something here + }).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) + r.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Access-Control-Allow-Origin", "http://example.com") + w.Header().Set("Access-Control-Max-Age", "86400") + }).Methods(http.MethodOptions) + + r.Use(mux.CORSMethodMiddleware(r)) + + rw := httptest.NewRecorder() + req, _ := http.NewRequest("OPTIONS", "/foo", nil) // needs to be OPTIONS + req.Header.Set("Access-Control-Request-Method", "POST") // needs to be non-empty + req.Header.Set("Access-Control-Request-Headers", "Authorization") // needs to be non-empty + req.Header.Set("Origin", "http://example.com") // needs to be non-empty + + r.ServeHTTP(rw, req) + + fmt.Println(rw.Header().Get("Access-Control-Allow-Methods")) + fmt.Println(rw.Header().Get("Access-Control-Allow-Origin")) + // Output: + // GET,PUT,PATCH,OPTIONS + // http://example.com +} From 3148d8356ef14cb1bbacde2703bd9d0c7ca2c9ce Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sun, 26 May 2019 20:26:06 -0700 Subject: [PATCH 03/16] Do not check for preflight and add documentation to the README --- README.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++ middleware.go | 29 +++++++----------------- middleware_test.go | 8 +++---- 3 files changed, 68 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 08f63a10..6731fdfc 100644 --- a/README.md +++ b/README.md @@ -492,6 +492,62 @@ r.Use(amw.Middleware) Note: The handler chain will be stopped if your middleware doesn't call `next.ServeHTTP()` with the corresponding parameters. This can be used to abort a request if the middleware writer wants to. Middlewares _should_ write to `ResponseWriter` if they _are_ going to terminate the request, and they _should not_ write to `ResponseWriter` if they _are not_ going to terminate it. +### CORSMethodMiddleware + +`CORSMethodMiddleware` intends to make it easier to strictly set the `Access-Control-Allow-Methods` response header. You will still need to use your own CORS handler to set the other CORS headers such as `Access-Control-Allow-Origin`. + +`CORSMethodMiddleware` will set the `Access-Control-Allow-Methods` header to all the method matchers (e.g. `r.Methods(http.MethodGet, http.MethodPut, http.MethodOptions)` -> `Access-Control-Allow-Methods: GET,PUT,OPTIONS`) on a route. Note that there must be an `OPTIONS` method matcher for the middleware to set the headers. + +Here is an example of using `CORSMethodMiddleware` along with a custom `OPTIONS` handler to set all the required CORS headers: + +```go +package main + +import ( + "net/http" + "github.com/gorilla/mux" +) + +func main() { + r := mux.NewRouter() + r.HandleFunc("/foo", fooHandler).Methods(http.MethodGet, http.MethodPut, http.MethodPatch, http.MethodOptions) + r.Use(mux.CORSMethodMiddleware(r)) + + http.ListenAndServe(":8080", r) +} + +func fooHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Access-Control-Allow-Origin", "*") + if r.Method == http.MethodOptions { + return + } + + w.Write([]byte("foo")) +} +``` + +And an `OPTIONS` request to `/foo` would look like: + +```bash +* Trying ::1... +* TCP_NODELAY set +* Connected to localhost (::1) port 8080 (#0) +> GET /foo HTTP/1.1 +> Host: localhost:8080 +> User-Agent: curl/7.64.0 +> Accept: */* +> +< HTTP/1.1 200 OK +< Access-Control-Allow-Methods: GET,PUT,PATCH,OPTIONS +< Access-Control-Allow-Origin: * +< Date: Mon, 27 May 2019 03:25:07 GMT +< Content-Length: 3 +< Content-Type: text/plain; charset=utf-8 +< +* Connection #0 to host localhost left intact +foo +``` + ### Testing Handlers Testing handlers in a Go web application is straightforward, and _mux_ doesn't complicate this any further. Given two files: `endpoints.go` and `endpoints_test.go`, here's how we'd test an application using _mux_. diff --git a/middleware.go b/middleware.go index 3be59c9f..c5125370 100644 --- a/middleware.go +++ b/middleware.go @@ -33,15 +33,17 @@ func (r *Router) useInterface(mw middleware) { } // CORSMethodMiddleware automatically sets the Access-Control-Allow-Methods response header -// on preflight requests for routes that have an OPTIONS method matcher to all the method -// matchers on the route. See the example for usage. +// on requests for routes that have an OPTIONS method matcher to all the method matchers on +// the route. See the example for usage. func CORSMethodMiddleware(r *Router) MiddlewareFunc { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - if isPreflight(req) { - allMethods, err := getAllMethodsForRoute(r, req) - if err == nil { - w.Header().Set("Access-Control-Allow-Methods", strings.Join(allMethods, ",")) + allMethods, err := getAllMethodsForRoute(r, req) + if err == nil { + for _, v := range allMethods { + if v == "OPTIONS" { + w.Header().Set("Access-Control-Allow-Methods", strings.Join(allMethods, ",")) + } } } @@ -50,21 +52,6 @@ func CORSMethodMiddleware(r *Router) MiddlewareFunc { } } -// isPreflight returns true when the request is a valid preflight request according to the -// following rules from https://developer.mozilla.org/en-US/docs/Glossary/preflight_request: -// * The request method is OPTIONS -// * The request has a non-empty Access-Control-Request-Method header -// * The request has a non-empty Access-Control-Request-Headers header -// * The request has a non-empty Origin header -// and otherwise returns false. -func isPreflight(req *http.Request) bool { - requestMethod := req.Header.Get("Access-Control-Request-Method") - requestHeaders := req.Header.Get("Access-Control-Request-Headers") - origin := req.Header.Get("Origin") - - return req.Method == http.MethodOptions && requestMethod != "" && requestHeaders != "" && origin != "" -} - // getAllMethodsForRoute returns all the methods from method matchers matching a given // request. func getAllMethodsForRoute(r *Router, req *http.Request) ([]string, error) { diff --git a/middleware_test.go b/middleware_test.go index c8db06e8..de29d6e6 100644 --- a/middleware_test.go +++ b/middleware_test.go @@ -356,25 +356,25 @@ func TestCORSMethodMiddleware(t *testing.T) { expectedResponse: "a", }, { - name: "does not set on non OPTIONS", + name: "sets on non OPTIONS", registerRoutes: func(r *Router) { r.HandleFunc("/foo", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) r.HandleFunc("/foo", stringHandler("b")).Methods(http.MethodOptions) }, requestMethod: "GET", requestPath: "/foo", - expectedAccessControlAllowMethodsHeader: "", + expectedAccessControlAllowMethodsHeader: "GET,PUT,PATCH,OPTIONS", expectedResponse: "a", }, { - name: "does not set without preflight headers", + name: "sets without preflight headers", registerRoutes: func(r *Router) { r.HandleFunc("/foo", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) r.HandleFunc("/foo", stringHandler("b")).Methods(http.MethodOptions) }, requestMethod: "OPTIONS", requestPath: "/foo", - expectedAccessControlAllowMethodsHeader: "", + expectedAccessControlAllowMethodsHeader: "GET,PUT,PATCH,OPTIONS", expectedResponse: "b", }, { From b6e908d1e5fdc34e979e33d9f458406404972f12 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sun, 26 May 2019 20:33:41 -0700 Subject: [PATCH 04/16] Use http.MethodOptions instead of "OPTIONS" --- middleware.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/middleware.go b/middleware.go index c5125370..05064609 100644 --- a/middleware.go +++ b/middleware.go @@ -41,7 +41,7 @@ func CORSMethodMiddleware(r *Router) MiddlewareFunc { allMethods, err := getAllMethodsForRoute(r, req) if err == nil { for _, v := range allMethods { - if v == "OPTIONS" { + if v == http.MethodOptions { w.Header().Set("Access-Control-Allow-Methods", strings.Join(allMethods, ",")) } } From 4675152f2f719d36150d023646fc53fab1b70bd5 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sun, 26 May 2019 21:00:57 -0700 Subject: [PATCH 05/16] Add link to CORSMethodMiddleware section to readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6731fdfc..107bb775 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ The name mux stands for "HTTP request multiplexer". Like the standard `http.Serv * [Walking Routes](#walking-routes) * [Graceful Shutdown](#graceful-shutdown) * [Middleware](#middleware) +* [CORS Method Middleware](#corsmethodmiddleware) * [Testing Handlers](#testing-handlers) * [Full Example](#full-example) From 80c843e7753bd266b217bc547392e484682c0e03 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Mon, 27 May 2019 10:07:01 -0700 Subject: [PATCH 06/16] Add test for unmatching route methods --- middleware_test.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/middleware_test.go b/middleware_test.go index de29d6e6..478fe5e8 100644 --- a/middleware_test.go +++ b/middleware_test.go @@ -403,6 +403,23 @@ func TestCORSMethodMiddleware(t *testing.T) { expectedAccessControlAllowMethodsHeader: "GET,PUT,PATCH,OPTIONS", expectedResponse: "b", }, + { + name: "does not set methods from unmatching routes", + registerRoutes: func(r *Router) { + r.HandleFunc("/foo", stringHandler("c")).Methods(http.MethodDelete) + r.HandleFunc("/foo/bar", stringHandler("a")).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) + r.HandleFunc("/foo/bar", stringHandler("b")).Methods(http.MethodOptions) + }, + requestMethod: "OPTIONS", + requestPath: "/foo/bar", + requestHeader: http.Header{ + "Access-Control-Request-Method": []string{"GET"}, + "Access-Control-Request-Headers": []string{"Authorization"}, + "Origin": []string{"http://example.com"}, + }, + expectedAccessControlAllowMethodsHeader: "GET,PUT,PATCH,OPTIONS", + expectedResponse: "b", + }, } for _, tt := range testCases { From 5f61438fd02339ce578050565c9c513d86cc1f9b Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 12:58:51 -0700 Subject: [PATCH 07/16] Rename CORS Method Middleware to Handling CORS Requests in README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 107bb775..31d91881 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ The name mux stands for "HTTP request multiplexer". Like the standard `http.Serv * [Walking Routes](#walking-routes) * [Graceful Shutdown](#graceful-shutdown) * [Middleware](#middleware) -* [CORS Method Middleware](#corsmethodmiddleware) +* [Handling CORS Requests](#handling-cors-requests) * [Testing Handlers](#testing-handlers) * [Full Example](#full-example) @@ -493,7 +493,7 @@ r.Use(amw.Middleware) Note: The handler chain will be stopped if your middleware doesn't call `next.ServeHTTP()` with the corresponding parameters. This can be used to abort a request if the middleware writer wants to. Middlewares _should_ write to `ResponseWriter` if they _are_ going to terminate the request, and they _should not_ write to `ResponseWriter` if they _are not_ going to terminate it. -### CORSMethodMiddleware +### Handling CORS Requests `CORSMethodMiddleware` intends to make it easier to strictly set the `Access-Control-Allow-Methods` response header. You will still need to use your own CORS handler to set the other CORS headers such as `Access-Control-Allow-Origin`. From 6eb5e65408e96899214c689d568d572d79693f56 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 12:59:46 -0700 Subject: [PATCH 08/16] Link CORSMethodMiddleware in README to godoc --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 31d91881..ff31f9b9 100644 --- a/README.md +++ b/README.md @@ -495,7 +495,7 @@ Note: The handler chain will be stopped if your middleware doesn't call `next.Se ### Handling CORS Requests -`CORSMethodMiddleware` intends to make it easier to strictly set the `Access-Control-Allow-Methods` response header. You will still need to use your own CORS handler to set the other CORS headers such as `Access-Control-Allow-Origin`. +[CORSMethodMiddleware](https://godoc.org/github.com/gorilla/mux#CORSMethodMiddleware) intends to make it easier to strictly set the `Access-Control-Allow-Methods` response header. You will still need to use your own CORS handler to set the other CORS headers such as `Access-Control-Allow-Origin`. `CORSMethodMiddleware` will set the `Access-Control-Allow-Methods` header to all the method matchers (e.g. `r.Methods(http.MethodGet, http.MethodPut, http.MethodOptions)` -> `Access-Control-Allow-Methods: GET,PUT,OPTIONS`) on a route. Note that there must be an `OPTIONS` method matcher for the middleware to set the headers. From 091bfb2e0fa8a1b9c20609186cbeacdf022d12be Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 13:02:17 -0700 Subject: [PATCH 09/16] Break CORSMethodMiddleware doc into bullets for readability --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ff31f9b9..a4cc1c2c 100644 --- a/README.md +++ b/README.md @@ -495,9 +495,12 @@ Note: The handler chain will be stopped if your middleware doesn't call `next.Se ### Handling CORS Requests -[CORSMethodMiddleware](https://godoc.org/github.com/gorilla/mux#CORSMethodMiddleware) intends to make it easier to strictly set the `Access-Control-Allow-Methods` response header. You will still need to use your own CORS handler to set the other CORS headers such as `Access-Control-Allow-Origin`. +[CORSMethodMiddleware](https://godoc.org/github.com/gorilla/mux#CORSMethodMiddleware) intends to make it easier to strictly set the `Access-Control-Allow-Methods` response header. -`CORSMethodMiddleware` will set the `Access-Control-Allow-Methods` header to all the method matchers (e.g. `r.Methods(http.MethodGet, http.MethodPut, http.MethodOptions)` -> `Access-Control-Allow-Methods: GET,PUT,OPTIONS`) on a route. Note that there must be an `OPTIONS` method matcher for the middleware to set the headers. +* You will still need to use your own CORS handler to set the other CORS headers such as `Access-Control-Allow-Origin` +* The middleware will set the `Access-Control-Allow-Methods` header to all the method matchers (e.g. `r.Methods(http.MethodGet, http.MethodPut, http.MethodOptions)` -> `Access-Control-Allow-Methods: GET,PUT,OPTIONS`) on a route +* If you do not specify any methods, then: +> _Important_: there must be an `OPTIONS` method matcher for the middleware to set the headers. Here is an example of using `CORSMethodMiddleware` along with a custom `OPTIONS` handler to set all the required CORS headers: From 1f56cdaacd4637b72108c23396291aa77033696a Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 13:03:41 -0700 Subject: [PATCH 10/16] Add comment about specifying OPTIONS to example in README for CORSMethodMiddleware --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a4cc1c2c..6920c158 100644 --- a/README.md +++ b/README.md @@ -514,6 +514,8 @@ import ( func main() { r := mux.NewRouter() + + // IMPORTANT: you must specify an OPTIONS method matcher for the middleware to set CORS headers r.HandleFunc("/foo", fooHandler).Methods(http.MethodGet, http.MethodPut, http.MethodPatch, http.MethodOptions) r.Use(mux.CORSMethodMiddleware(r)) From 1e92c8aa32b4f4c5de8cfbb39fd4a2dd32435001 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 13:14:47 -0700 Subject: [PATCH 11/16] Document cURL command used for testing CORS Method Middleware --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6920c158..92e422ee 100644 --- a/README.md +++ b/README.md @@ -532,7 +532,13 @@ func fooHandler(w http.ResponseWriter, r *http.Request) { } ``` -And an `OPTIONS` request to `/foo` would look like: +And an request to `/foo` using something like: + +```bash +curl localhost:8080/foo -v +``` + +Would look like: ```bash * Trying ::1... @@ -540,13 +546,13 @@ And an `OPTIONS` request to `/foo` would look like: * Connected to localhost (::1) port 8080 (#0) > GET /foo HTTP/1.1 > Host: localhost:8080 -> User-Agent: curl/7.64.0 +> User-Agent: curl/7.59.0 > Accept: */* > < HTTP/1.1 200 OK < Access-Control-Allow-Methods: GET,PUT,PATCH,OPTIONS < Access-Control-Allow-Origin: * -< Date: Mon, 27 May 2019 03:25:07 GMT +< Date: Fri, 28 Jun 2019 20:13:30 GMT < Content-Length: 3 < Content-Type: text/plain; charset=utf-8 < From 10c79f3317c3df322f008baf1cc88d4ee86c4c2a Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 13:16:21 -0700 Subject: [PATCH 12/16] Update comment in example to "Handle the request" --- example_cors_method_middleware_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example_cors_method_middleware_test.go b/example_cors_method_middleware_test.go index 96272999..00929fce 100644 --- a/example_cors_method_middleware_test.go +++ b/example_cors_method_middleware_test.go @@ -12,7 +12,7 @@ func ExampleCORSMethodMiddleware() { r := mux.NewRouter() r.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) { - // Do something here + // Handle the request }).Methods(http.MethodGet, http.MethodPut, http.MethodPatch) r.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Access-Control-Allow-Origin", "http://example.com") From 794440e8095e2a2faa729eda73127cf26d81c6bb Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Fri, 28 Jun 2019 13:17:54 -0700 Subject: [PATCH 13/16] Add explicit comment about OPTIONS matchers to CORSMethodMiddleware doc --- middleware.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/middleware.go b/middleware.go index 05064609..cf2b26dc 100644 --- a/middleware.go +++ b/middleware.go @@ -34,7 +34,8 @@ func (r *Router) useInterface(mw middleware) { // CORSMethodMiddleware automatically sets the Access-Control-Allow-Methods response header // on requests for routes that have an OPTIONS method matcher to all the method matchers on -// the route. See the example for usage. +// the route. Routes that do not explicitly handle OPTIONS requests will not be processed +// by the middleware. See examples for usage. func CORSMethodMiddleware(r *Router) MiddlewareFunc { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { From 593185387262df8b6329143c25bbf71e05a5cbe8 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sat, 29 Jun 2019 00:28:21 -0700 Subject: [PATCH 14/16] Update circleci config to only check gofmt diff on latest go version --- .circleci/config.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c0fb9de3..20501fce 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,8 +11,11 @@ jobs: - checkout - run: go version - run: go get -t -v ./... - - run: diff -u <(echo -n) <(gofmt -d .) - - run: if [[ "$LATEST" = true ]]; then go vet -v .; fi + - run: > + if [[ "$LATEST" = true ]]; then + diff -u <(echo -n) <(gofmt -d .) + go vet -v . + fi - run: go test -v -race ./... "latest": From 65ad3ea907c379bd9d64634bdabd44003402278a Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sat, 29 Jun 2019 12:16:02 -0700 Subject: [PATCH 15/16] Break up gofmt and go vet checks into separate steps. --- .circleci/config.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 20501fce..cb6110b5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,11 +11,8 @@ jobs: - checkout - run: go version - run: go get -t -v ./... - - run: > - if [[ "$LATEST" = true ]]; then - diff -u <(echo -n) <(gofmt -d .) - go vet -v . - fi + - run: if [[ "$LATEST" = true ]]; then diff -u <(echo -n) <(gofmt -d .); fi + - run: if [[ "$LATEST" = true ]]; then go vet -v .; fi - run: go test -v -race ./... "latest": From f5356bb94ad0e6dba8b0f9ca42ad32c670189ee3 Mon Sep 17 00:00:00 2001 From: Franklin Harding Date: Sat, 29 Jun 2019 12:33:23 -0700 Subject: [PATCH 16/16] Use canonical circleci config --- .circleci/config.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cb6110b5..d7d96d14 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,8 +11,20 @@ jobs: - checkout - run: go version - run: go get -t -v ./... - - run: if [[ "$LATEST" = true ]]; then diff -u <(echo -n) <(gofmt -d .); fi - - run: if [[ "$LATEST" = true ]]; then go vet -v .; fi + # Only run gofmt, vet & lint against the latest Go version + - run: > + if [[ "$LATEST" = true ]]; then + go get -u golang.org/x/lint/golint + golint ./... + fi + - run: > + if [[ "$LATEST" = true ]]; then + diff -u <(echo -n) <(gofmt -d .) + fi + - run: > + if [[ "$LATEST" = true ]]; then + go vet -v . + fi - run: go test -v -race ./... "latest":