ZDDC
9ef90800b1
Three improvements bundled because they all ship as zddc-server v0.0.2: * /.admin/ debug dashboard with /whoami, /config, /logs sub-routes. Authorization via a top-level `admins:` glob list in <ZDDC_ROOT>/.zddc (root-only — subdir entries deliberately ignored to prevent privilege escalation via subtree write access). Non-admin requests get 404 so the page is invisible. Recent logs surface via a 500-entry slog ring buffer teed off the existing TextHandler. Lets operators debug without kubectl exec. * Default ZDDC_EMAIL_HEADER changes from `X-Email` to `X-Auth-Request-Email` — the oauth2-proxy / nginx auth-request convention that the TND helm chart already sets explicitly. Operators who set the env var explicitly are unaffected; deployments relying on the previous default need to set ZDDC_EMAIL_HEADER=X-Email or update their proxy. * dispatch() rejects any URL whose segments contain a dot prefix other than the recognized virtual prefixes (.admin, cfg.IndexPath / .archive). Matches the existing listing-pipeline filter so hidden subtrees on the served PVC (e.g. /srv/.devshell — used by the in-cluster dev-shell for persistent home-dir state) become unreachable via direct HTTP fetch, not just hidden in listings. Refreshes the X-Email reference in website/index.html accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
54 lines
1.9 KiB
Go
54 lines
1.9 KiB
Go
package handler
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
)
|
|
|
|
// CORSMiddleware applies a per-origin CORS policy keyed off cfg.CORSOrigins.
|
|
//
|
|
// On any request whose Origin header exactly matches an entry in the
|
|
// allowlist, the middleware echoes that origin in Access-Control-Allow-Origin
|
|
// and sets Access-Control-Allow-Credentials: true (we use credentials so the
|
|
// reverse-proxy-set email header / cookies cross the boundary). Vary: Origin
|
|
// is always set when the allowlist is non-empty so caches do not collapse
|
|
// per-origin responses.
|
|
//
|
|
// OPTIONS preflight requests are answered directly with 204 + the appropriate
|
|
// allow-methods/headers, bypassing later middleware (so preflight does not
|
|
// require auth). Non-OPTIONS requests pass through to the next handler.
|
|
//
|
|
// Requests with no Origin header, or an Origin that does not match the
|
|
// allowlist, get no CORS response headers — the browser blocks them
|
|
// naturally. An empty allowlist disables CORS entirely.
|
|
func CORSMiddleware(cfg config.Config, next http.Handler) http.Handler {
|
|
if len(cfg.CORSOrigins) == 0 {
|
|
return next
|
|
}
|
|
allow := make(map[string]struct{}, len(cfg.CORSOrigins))
|
|
for _, o := range cfg.CORSOrigins {
|
|
allow[o] = struct{}{}
|
|
}
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
origin := r.Header.Get("Origin")
|
|
if origin != "" {
|
|
if _, ok := allow[origin]; ok {
|
|
h := w.Header()
|
|
h.Set("Access-Control-Allow-Origin", origin)
|
|
h.Set("Access-Control-Allow-Credentials", "true")
|
|
h.Add("Vary", "Origin")
|
|
if r.Method == http.MethodOptions {
|
|
if reqHeaders := r.Header.Get("Access-Control-Request-Headers"); reqHeaders != "" {
|
|
h.Set("Access-Control-Allow-Headers", reqHeaders)
|
|
}
|
|
h.Set("Access-Control-Allow-Methods", "GET, OPTIONS")
|
|
h.Set("Access-Control-Max-Age", "600")
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|