feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

2026-04-02 11:19:50 +08:00
parent e59a77bc49
commit dcc1f186f8
298 changed files with 62603 additions and 0 deletions
--- a/internal/api/middleware/cors.go
+++ b/internal/api/middleware/cors.go
@@ -0,0 +1,67 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/user-management-system/internal/config"
+)
+
+var corsConfig = config.CORSConfig{
+	AllowedOrigins: []string{"*"},
+	AllowCredentials: true,
+}
+
+func SetCORSConfig(cfg config.CORSConfig) {
+	corsConfig = cfg
+}
+
+func CORS() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		cfg := corsConfig
+
+		origin := c.GetHeader("Origin")
+		if origin != "" {
+			allowOrigin, allowed := resolveAllowedOrigin(origin, cfg.AllowedOrigins, cfg.AllowCredentials)
+			if !allowed {
+				if c.Request.Method == http.MethodOptions {
+					c.AbortWithStatus(http.StatusForbidden)
+					return
+				}
+				c.AbortWithStatus(http.StatusForbidden)
+				return
+			}
+			c.Writer.Header().Set("Access-Control-Allow-Origin", allowOrigin)
+			if cfg.AllowCredentials {
+				c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+			}
+		}
+
+		if c.Request.Method == http.MethodOptions {
+			c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+			c.Writer.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With, X-CSRF-Token")
+			c.Writer.Header().Set("Access-Control-Max-Age", "3600")
+			c.AbortWithStatus(http.StatusNoContent)
+			return
+		}
+
+		c.Next()
+	}
+}
+
+func resolveAllowedOrigin(origin string, allowedOrigins []string, allowCredentials bool) (string, bool) {
+	for _, allowed := range allowedOrigins {
+		if allowed == "*" {
+			if allowCredentials {
+				return origin, true
+			}
+			return "*", true
+		}
+		if strings.EqualFold(origin, allowed) {
+			return origin, true
+		}
+	}
+	return "", false
+}