From ef28bcb28fbea95e5618215ead78ea14035671d9 Mon Sep 17 00:00:00 2001
From: Andrea Spacca <andrea.spacca@gmail.com>
Date: Sat, 4 Apr 2020 14:29:33 +0200
Subject: [PATCH] ISSUE-296 add CORS

---
 README.md        |  1 +
 cmd/cmd.go       |  9 +++++++++
 go.mod           |  1 +
 go.sum           |  2 ++
 server/server.go | 24 +++++++++++++++++++++++-
 5 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 112d30a..4370578 100644
--- a/README.md
+++ b/README.md
@@ -106,6 +106,7 @@ gdrive-local-config-path | path to store local transfer.sh config cache for gdri
 gdrive-chunk-size | chunk size for gdrive upload in megabytes, must be lower than available memory (8 MB) | |
 lets-encrypt-hosts | hosts to use for lets encrypt certificates (comma seperated) | |
 log | path to log file| |
+cors-domains | comma separated list of domains for CORS, setting it enable CORS | |
 
 If you want to use TLS using lets encrypt certificates, set lets-encrypt-hosts to your domain, set tls-listener to :443 and enable force-https.
 
diff --git a/cmd/cmd.go b/cmd/cmd.go
index 6507025..efebca9 100644
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -207,6 +207,11 @@ var globalFlags = []cli.Flag{
 		Usage: "comma separated list of ips not allowed to connect to the service",
 		Value: "",
 	},
+	cli.StringFlag{
+		Name:  "cors-domains",
+		Usage: "comma separated list of domains allowed for CORS requests",
+		Value: "",
+	},
 }
 
 type Cmd struct {
@@ -245,6 +250,10 @@ func New() *Cmd {
 			options = append(options, server.Listener(v))
 		}
 
+		if v := c.String("cors-domains"); v != "" {
+			options = append(options, server.CorsDomains(v))
+		}
+
 		if v := c.String("tls-listener"); v == "" {
 		} else if c.Bool("tls-listener-only") {
 			options = append(options, server.TLSListener(v, true))
diff --git a/go.mod b/go.mod
index 8f9b3fe..9f6634c 100644
--- a/go.mod
+++ b/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/garyburd/redigo v1.6.0 // indirect
 	github.com/golang/gddo v0.0.0-20200310004957-95ce5a452273
 	github.com/golang/protobuf v1.3.5 // indirect
+	github.com/gorilla/handlers v1.4.2
 	github.com/gorilla/mux v1.7.4
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
diff --git a/go.sum b/go.sum
index 6a9f1b0..3af19ae 100644
--- a/go.sum
+++ b/go.sum
@@ -127,6 +127,8 @@ github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/gorilla/handlers v1.4.2 h1:0QniY0USkHQ1RGCLfKxeNHK9bkDHGRYGNDFBCS+YARg=
+github.com/gorilla/handlers v1.4.2/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
diff --git a/server/server.go b/server/server.go
index 16c3197..5a7168a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -26,6 +26,7 @@ package server
 
 import (
 	"errors"
+	gorillaHandlers "github.com/gorilla/handlers"
 	"log"
 	"math/rand"
 	"mime"
@@ -85,6 +86,13 @@ func Listener(s string) OptionFn {
 
 }
 
+func CorsDomains(s string) OptionFn {
+	return func(srvr *Server) {
+		srvr.CorsDomains = s
+	}
+
+}
+
 func GoogleAnalytics(gaKey string) OptionFn {
 	return func(srvr *Server) {
 		srvr.gaKey = gaKey
@@ -275,6 +283,7 @@ type Server struct {
 
 	TLSListenerOnly bool
 
+	CorsDomains           string
 	ListenerString        string
 	TLSListenerString     string
 	ProfileListenerString string
@@ -413,11 +422,24 @@ func (s *Server) Run() {
 
 	s.logger.Printf("Transfer.sh server started.\nusing temp folder: %s\nusing storage provider: %s", s.tempPath, s.storage.Type())
 
+	var cors func(http.Handler) http.Handler
+	if len(s.CorsDomains) > 0 {
+		cors = gorillaHandlers.CORS(
+			gorillaHandlers.AllowedHeaders([]string{"*"}),
+			gorillaHandlers.AllowedOrigins(strings.Split(s.CorsDomains, ",")),
+			gorillaHandlers.AllowedMethods([]string{"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}),
+		)
+	} else {
+		cors = func(h http.Handler) http.Handler {
+			return h
+		}
+	}
+
 	h := handlers.PanicHandler(
 		IPFilterHandler(
 			handlers.LogHandler(
 				LoveHandler(
-					s.RedirectHandler(r)),
+					s.RedirectHandler(cors(r))),
 				handlers.NewLogOptions(s.logger.Printf, "_default_"),
 			),
 			s.ipFilterOptions,