Backend:
- Fix migrations 037-041 to use UUID v7 (uuid_generate_v7)
- Fix CORS defaults to include localhost:8963
- Fix FRONTEND_URL default to localhost:8963
- Update superadmin password hash with pepper
- Add PASSWORD_PEPPER environment variable

Frontend:
- Replace mockJobs with real API calls in home page
- Replace mockNotifications with notificationsApi in context
- Replace mockApplications with applicationsApi in dashboard
- Fix register/user page to call real registerCandidate API
- Fix hardcoded values in backoffice and messages pages

Auth:
- Support both HTTPOnly cookie and Bearer token authentication
- Login returns token + sets HTTPOnly cookie
- Logout clears HTTPOnly cookie
- Token valid for 24h
package middleware
import (
"net/http"
"os"
"strings"
)
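// CORSMiddleware handles Cross-Origin Resource Sharing for the wrapped handler.
//
// The allow-list is the CORS_ORIGINS environment variable, a comma-separated
// list of origins (whitespace around each entry is ignored). It is read on
// every request so it picks up whatever is in the environment at that time;
// when it is empty, plain-HTTP localhost development origins are used.
//
// IMPORTANT: Configure CORS_ORIGINS env var in production — the defaults are
// development-only.
//
// Because Access-Control-Allow-Credentials is "true", the request's Origin is
// never reflected blindly: Access-Control-Allow-Origin (and the other CORS
// headers) are emitted only when Origin exactly matches an allow-listed entry.
// Every response carries "Vary: Origin" so a shared cache does not hand a
// response tailored to one origin to a different one.
//
// OPTIONS requests are answered here with 200 and do not reach next.
func CORSMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origins := os.Getenv("CORS_ORIGINS")
		if origins == "" {
			origins = "http://localhost:3000,http://localhost:8963,http://localhost:3001"
		}

		// The headers set below depend on the request's Origin; any cache in
		// front of this handler must therefore key on it.
		w.Header().Add("Vary", "Origin")

		origin := r.Header.Get("Origin")
		allowed := false
		if origin != "" {
			for _, o := range strings.Split(origins, ",") {
				if strings.TrimSpace(o) == origin {
					allowed = true
					break
				}
			}
		}

		if allowed {
			// Exact match only: with credentials enabled, "*" or an echoed
			// arbitrary Origin would let any site make authenticated requests.
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-CSRF-Token")
		}

		// Preflight (and any other OPTIONS) is terminated here; a disallowed
		// origin gets 200 without Allow-Origin, which the browser rejects.
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusOK)
			return
		}

		next.ServeHTTP(w, r)
	})
}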