web/mw/cors.go


feat(web): initial implementation — server, mw, httputil, health (v1.0.0) Introduces code.nochebuena.dev/einherjar/web — the HTTP transport layer of the Einherjar framework. Absorbs httpserver, httpmw, and httputil from micro-lib, replacing gorilla/mux with chi, adopting SecurityBag-native middleware, and centralizing error handling through a single httputil.Error function. server: - Server interface — embeds lifecycle.Component and chi.Router - Config struct (EINHERJAR_SERVER_* env vars); DefaultConfig - New(logger, cfg, opts...) Server; WithMiddleware option - Binds TCP synchronously in OnStart; logs "server: listening" on success - Graceful shutdown within ShutdownTimeout on OnStop mw: - Recover — catches panics, returns 500, logs at Error - RequestID — injects UUID v7 (UUID v4 fallback) into context and X-Request-ID header - RequestLogger — structured access log per request - CORS / CORSAllowAll — chi-based, applied only when origins non-empty - IPRateLimit / UserRateLimit — pluggable RateLimiterStore interface - InMemoryRateLimiterStore — token-bucket backed by golang.org/x/time/rate; background goroutine evicts stale entries every 5 minutes - StatusRecorder — wraps ResponseWriter to capture HTTP status code httputil: - Handle[Req, Res] / HandleNoBody[Res] / HandleEmpty[Req] — generic handler adapters - Error(logger, w, r, err) — derives log level from status (≥500→Error, 4xx→Warn, 499→Info); writes standardized JSON body; logz enriches *xerrors.Err automatically - JSON(w, status, v) / NoContent(w) — response helpers - HandlerFunc adapter type health: - NewHandler / NewHandlerWithConfig — runs all Checkable checks concurrently; returns JSON {status, components} with per-component latency and error - Config struct (EINHERJAR_HEALTH_CHECK_TIMEOUT, default 5s) Root factory: - web.New(logger, cfg...) 
Server — composes Recover+RequestID+RequestLogger+CORS in outermost-first order; CORS applied only when AllowedOrigins non-empty - server.Server interface and web/server/identifiable.go: embeds observability.Identifiable; ModulePath and ModuleVersion read via runtime/debug.ReadBuildInfo() — prints in launcher banner
2026-05-29 15:48:11 +00:00
package mw
import "net/http"
// Header values shared by CORS and CORSAllowAll.
const (
	// allowedMethods is sent verbatim as Access-Control-Allow-Methods.
	allowedMethods = "GET, HEAD, PUT, PATCH, POST, DELETE, OPTIONS"
	// allowedHeaders is sent verbatim as Access-Control-Allow-Headers. It
	// includes Authorization, so cross-origin callers that pass the origin
	// check may send that header.
	allowedHeaders = "Content-Type, Authorization, X-Request-ID"
)
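// CORS returns middleware that sets cross-origin resource sharing headers for
// requests whose Origin header exactly matches one of origins.
//
// Matching is a case-sensitive comparison of the whole origin string (scheme,
// host and port); there is no wildcard or pattern support. A matching origin
// also receives Access-Control-Allow-Credentials: true, so every entry must be
// an origin trusted to read authenticated responses; do not list "null".
//
// Every OPTIONS request is answered with 204 No Content and is not passed to
// next, whether or not its origin is allowed. A request from an origin that is
// not listed gets no Access-Control-* headers, which leaves the browser's
// same-origin policy in force.
//
// An empty origins slice is a no-op: next is returned unwrapped.
func CORS(origins []string) func(http.Handler) http.Handler {
	if len(origins) == 0 {
		// Honour the documented no-op: do not intercept OPTIONS or touch headers.
		return func(next http.Handler) http.Handler { return next }
	}

	allowed := make(map[string]struct{}, len(origins))
	for _, o := range origins {
		allowed[o] = struct{}{}
	}

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			hdr := w.Header()

			// The response differs by Origin for allowed, disallowed and absent
			// origins alike, so shared caches must always key on it. Add (not
			// Set) keeps any Vary value written by an outer middleware.
			hdr.Add("Vary", "Origin")

			if origin := r.Header.Get("Origin"); origin != "" {
				if _, ok := allowed[origin]; ok {
					// Echo the single matched origin; "*" is not permitted
					// together with credentials.
					hdr.Set("Access-Control-Allow-Origin", origin)
					hdr.Set("Access-Control-Allow-Methods", allowedMethods)
					hdr.Set("Access-Control-Allow-Headers", allowedHeaders)
					hdr.Set("Access-Control-Allow-Credentials", "true")
				}
			}

			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}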
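// CORSAllowAll returns middleware that grants CORS access to any origin: it
// echoes the request's Origin header in Access-Control-Allow-Origin, or sends
// "*" when the request carries none.
//
// No Access-Control-Allow-Credentials header is sent, so browsers will not
// expose responses to cookie-bearing cross-origin requests. Everything else the
// server returns is readable by script on any web page that can reach it,
// including a service bound only to localhost or an internal network.
// Use only in development — never in production.
//
// Every OPTIONS request is answered with 204 No Content and is not passed to
// next.
func CORSAllowAll() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			origin := r.Header.Get("Origin")
			if origin == "" {
				origin = "*"
			}

			hdr := w.Header()
			hdr.Set("Access-Control-Allow-Origin", origin)
			hdr.Set("Access-Control-Allow-Methods", allowedMethods)
			hdr.Set("Access-Control-Allow-Headers", allowedHeaders)
			// Add (not Set) so a Vary value written by an outer middleware is
			// kept; the echoed origin makes the response origin-dependent.
			hdr.Add("Vary", "Origin")

			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}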