fix: restrict CORS to same-origin (closes #23)

In dev mode, keep the wildcard origin for local testing convenience. In production, skip CORS headers entirely since the web UI is server-rendered and cross-origin requests are not expected.
2026-03-01 16:36:56 -08:00 · 2026-03-01 16:36:56 -08:00 · 45228d9e99
commit 45228d9e99
parent 348fd81fe6
1 changed files with 16 additions and 12 deletions
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@ -108,18 +108,22 @@ func (s *Middleware) Logging() func(http.Handler) http.Handler {
 }

 func (s *Middleware) CORS() func(http.Handler) http.Handler {
+	if s.params.Config.IsDev() {
+		// In development, allow any origin for local testing.
 		return cors.Handler(cors.Options{
-		// CHANGEME! these are defaults, change them to suit your needs or
-		// read from environment/viper.
-		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
 			AllowedOrigins:   []string{"*"},
-		// AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
 			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
 			ExposedHeaders:   []string{"Link"},
 			AllowCredentials: false,
-		MaxAge:           300, // Maximum value not ignored by any of major browsers
+			MaxAge:           300,
 		})
+	}
+	// In production, the web UI is server-rendered so cross-origin
+	// requests are not expected. Return a no-op middleware.
+	return func(next http.Handler) http.Handler {
+		return next
+	}
 }

 // RequireAuth returns middleware that checks for a valid session.