diff --git a/backend/Dockerfile b/backend/Dockerfile index 9b687b7..48b6dbc 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -8,12 +8,11 @@ ARG DB_URL ARG PORT ARG APP_ENV ARG CLERK_SECRET_KEY -ARG CLIENT_URL COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -o /server ./cmd/server/ - FROM alpine:latest +ENV CLIENT_URL=https://scintillating-commitment-production-2429.up.railway.app COPY --from=builder /server /server EXPOSE 8080 CMD ["/server"] diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go index 08e76e2..9e473e7 100644 --- a/backend/cmd/server/main.go +++ b/backend/cmd/server/main.go @@ -106,8 +106,9 @@ func main() { w.WriteHeader(http.StatusOK) fmt.Fprintln(w, "OK") }) - url:=requiredEnv("CLIENT_URL") - check(http.ListenAndServe(httpAddress(), corsmiddleware.CORS(mux,url))) + //url:=requiredEnv("CLIENT_URL") + check(http.ListenAndServe(httpAddress(), corsmiddleware.CORS(mux))) + } func check(err error) { diff --git a/backend/internal/middleware/cors/cors.go b/backend/internal/middleware/cors/cors.go index 0f6ce0a..60f10f8 100644 --- a/backend/internal/middleware/cors/cors.go +++ b/backend/internal/middleware/cors/cors.go @@ -1,23 +1,24 @@ package middleware -import -("net/http" - +import ( + "net/http" + "os" + "strings" + //"fmt" + ) -func CORS(next http.Handler,url string) http.Handler { - +func CORS(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Access-Control-Allow-Origin", url) + origin := r.Header.Get("Origin") - w.Header().Set("Access-Control-Allow-Credentials", "true") + w.Header().Set("Access-Control-Allow-Origin", origin) + w.Header().Set("Access-Control-Allow-Credentials", "true") w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type") - w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS") - // preflight if r.Method == http.MethodOptions { w.WriteHeader(http.StatusOK) return @@ -26,3 +27,38 @@ func CORS(next http.Handler,url string) http.Handler { next.ServeHTTP(w, r) }) } + +func allowedOriginsFromEnv() map[string]struct{} { + origins := map[string]struct{}{} + + for _, envKey := range []string{"CLIENT_URL", "CORS_ALLOWED_ORIGINS"} { + raw := strings.TrimSpace(os.Getenv(envKey)) + if raw == "" { + continue + } + + for _, candidate := range strings.Split(raw, ",") { + origin := strings.TrimSpace(strings.TrimSuffix(candidate, "/")) + if origin == "" { + continue + } + origins[origin] = struct{}{} + } + } + + if len(origins) == 0 { + origins["http://localhost:5173"] = struct{}{} + } + + return origins +} + +func isAllowedOrigin(origin string, allowed map[string]struct{}) bool { + if origin == "" { + return false + } + + normalized := strings.TrimSuffix(strings.TrimSpace(origin), "/") + _, ok := allowed[normalized] + return ok +}