Auto CORS Preflight Handle wih Gorilla/Mux and Go


These days huge backend options usually appear to be a set of microservices interacting with one another and with a number of frontend (usually browser) functions.
These providers may very well be distributed throughout a number of digital or bodily machines and because of this each software (means server that hosts software) would get a completely different area identify / ip handle.
A frontend software usually makes use of Javascript or Typescript to work together with the backend, but when a request goes to a distinct (from the frontend server) server a browser may assume that it poses a possible threat to safety and block it. To unravel this difficulty the backend API ought to present headers with a legitimate origin (a website identify or ip the place the frontend software is situated). In the present day we gonna learn to correctly setup Gorilla/mux Internet API to eternally neglect about CORS.

What we must always present from backend

Take into account the next REST useful resource i.e. consumer:

  • GET /api/consumer/ – for getting all customers
  • GET /api/consumer/{id}/ – for getting single consumer by id
  • POST /api/consumer/ – for creating new consumer
  • PUT /api/consumer/{id}/ – for replace current consumer
  • DELETE /api/consumer/{id}/ – for delete current consumer

Mainly, we have now to implement the next issues:

  1. Add response to OPTIONS to endpoints: OPTIONS /api/consumer/ and
    OPTIONS /api/consumer/{id}/ with the next headers:

    • Entry-Management-Permit-Origin – area identify/ip or * for any
    • Entry-Management-Permit-Headers – right here we may merely set *
    • Entry-Management-Permit-Strategies – we may merely record all
      strategies, however i believe it’s higher to ship OPTIONS,
      GET, POST
      as a worth for /api/consumer/ and OPTIONS, GET,
      for /api/consumer/{id}/;
  2. Add non-compulsory origin examine on server aspect (if neccessary).

In the present day’s article is concerning the first one, yow will discover the second github.comgorillahandlers. it It has a middleware that restricts entry solely to particular origins. Maybe you seen that your backend shouldn’t be at all times required to answer OPTIONS request as a result of OPTIONS request shouldn’t be being despatched by browsers for simple requests. However within the above instance we have now to do that. When your api is kind of huge you need to continually add preflight handlers (see instance beneath) and each every now and then you may neglect to do this particularly when you have got simply completed designing some difficult endpoints. Utilizing our (Wissance LLC) resolution (open source github package) you possibly can neglect about including preflight handlers as a result of our package does this routinely. Please give us a star when you discover our bundle helpful for you (it’s essential to us).

The way to make all these works simply

We carried out our personal HandlerFunc that has a signature just like mux.Router.HandlerFunc however with some minor variations:

  1. We’re passing a pointer to mux.Router as a primary parameter. We did this as a result of we have now a requirement to work with subrouters too, check out this unit test you should utilize a reference.
  2. We’re passing handler strategies parameters as a final variardic parameter as a substitute of calling .Strategies() when assigning route handler, we expect this additionally makes issues easier.

Mainly for auto preflight dealing with we have to create WebApiHandler occasion and go the required origin worth to it as its second argument (Entry-Management-Permit-Origin header helps solely single worth) and use our HandlerFunc as a substitute of gorilla/mux, see instance:

        handler := NewWebApiHandler(true, AnyOrigin)
    // Get solely technique
        baseUrl := ""
    configResource := baseUrl + "/api/config/"
    handler.HandleFunc(handler.Router, configResource, 
    // full crud
    functionResourceRoot := baseUrl + "/api/operate/"
    handler.HandleFunc(handler.Router, functionResourceRoot, 
                           webApi.GetAllFunctions, "GET")
    handler.HandleFunc(handler.Router, functionResourceRoot, 
                           webApi.CreateFunction, "POST")
    functionResourceById := baseUrl + "/api/operate/{id:[0-9]+}/"
    handler.HandleFunc(handler.Router, functionResourceById, 
                           webApi.GetFunctionById, "GET")
    handler.HandleFunc(handler.Router, functionResourceById, 
                           webApi.UpdateFunction, "PUT")
    handler.HandleFunc(handler.Router, functionResourceById, 
                           webApi.DeleteFunction, "DELETE")
Enter fullscreen mode

Exit fullscreen mode

For the snippet above we have now so as to add 3 further preflight Handlers:


Earlier than we created our bundle we at all times have been writing handlers like this:


        func (webApi *WebApiContext) PreflightRoot(respWriter http.ResponseWriter, request *http.Request) {
            respWriter.Header().Set("Entry-Management-Permit-Strategies", "POST, GET, OPTIONS")

        func (webApi *WebApiContext) PreflightByID(respWriter http.ResponseWriter, request *http.Request) {
            respWriter.Header().Set("Entry-Management-Permit-Strategies", "GET, PUT, DELETE, OPTIONS")
Enter fullscreen mode

Exit fullscreen mode

We additionally ought to present what the webApi object is and the way a few of its request handler features look:

sort WebApiContext struct {
    Db     *gorm.DB // passing gorm to Context
    Config *config.AppConfig
        // different fields

func (webApi *WebApiContext) GetAllFunctions(respWriter http.ResponseWriter, request *http.Request) {
         // return right here array of features, physique omitted

func (webApi *WebApiContext) GetFunctionById(respWriter http.ResponseWriter, request *http.Request) {
         // return operate by id, physique omitted
Enter fullscreen mode

Exit fullscreen mode

Let’s examine how our code modified after we added the library:

        webApi := relaxation.WebApiContext{Db: appContext.ModelContext.Context, Config: appContext.Config, WebApiHandler: gr.NewWebApiHandler(true, gr.AnyOrigin)}

        webApi.WebApiHandler.Router.Use( keycloakAuthService.KeycloakAuthMiddleware)
    router := webApiContext.WebApiHandler.Router

    // operate useful resource
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/", webApi.GetAllFunctions, "GET")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/discover/", webApi.FindFunctions, "GET").Queries("question", "{question}")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/identify/", webApi.GetFunctionsNames, "GET")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/{id:[0-9]+}/", webApi.GetFunctionById, "GET")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/{id:[0-9]+}/physique/", webApi.GetFunctionWithBodyById, "GET")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/", webApi.CreateFunction, "POST")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/{id:[0-9]+}/", webApi.UpdateFunction, "PUT")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/{id:[0-9]+}/", webApi.DeleteFunction, "DELETE")
    webApi.WebApiHandler.HandleFunc(router, baseUri+"/operate/filter/", webApi.FilterFunctions, "GET")
Enter fullscreen mode

Exit fullscreen mode


We made this bundle not as a result of we have now lots of spare time on our palms, however as a result of we have been compelled to do this due to an enormous quantity of CORS-related errors we have been getting each time we labored on one thing huge. Now that we have now this resolution CORS is not an issue.

Add a Comment

Your email address will not be published. Required fields are marked *