hot fix #5 dev day #70

Tomas Dvorak
2025-10-24 23:21:57 +02:00
parent b8839fc1ff
commit 81389c108f
13 changed files with 45 additions and 37 deletions
+14
@@ -120,12 +120,26 @@ func main() {
// CORS: reflect the Origin only if it is allowed. In development, also allow localhost/127.0.0.1 any port.
origin := c.Request.Header.Get("Origin")
allowed := false
// 1) Explicit exact-origin allow list
for _, ao := range config.AppConfig.AllowedOrigins {
if ao == origin {
allowed = true
break
}
}
// 2) Wildcard support: ALLOWED_ORIGINS="*" means reflect any non-empty Origin
if !allowed {
for _, ao := range config.AppConfig.AllowedOrigins {
if ao == "*" && origin != "" {
allowed = true
break
}
}
}
// 3) If no ALLOWED_ORIGINS provided at all, reflect any non-empty Origin (useful for per-instance unknown domains)
if !allowed && len(config.AppConfig.AllowedOrigins) == 0 && origin != "" {
allowed = true
}
if !allowed && origin != "" && config.AppConfig.AppEnv != "production" {
// Relaxed rule for local dev
if strings.HasPrefix(origin, "http://localhost:") || strings.HasPrefix(origin, "http://127.0.0.1:") || strings.HasPrefix(origin, "https://localhost:") || strings.HasPrefix(origin, "https://127.0.0.1:") {
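Review bot: Step 3 makes the CORS check fail open: when ALLOWED_ORIGINS is unset, `allowed = true` for any non-empty Origin regardless of `AppEnv`, so a production deployment that forgets the variable reflects every origin. The wildcard branch in step 2 has the same effect, and because the origin is reflected rather than answered with a literal `*`, a browser will accept it together with `Access-Control-Allow-Credentials: true` if the header code after this hunk sets that (not visible here). I would limit the empty-list fallback to non-production, e.g. `if !allowed && len(config.AppConfig.AllowedOrigins) == 0 && origin != "" && config.AppConfig.AppEnv != "production" {`, and log a startup warning when production runs with an empty or `*` list. The enclosing block in `main` starts before and continues past the hunk, so the credential behaviour should be confirmed against the full handler.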