feat: 优化web

internal/server/cors.go

@@ -0,0 +1,32 @@
+package server
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// corsLocalDev 允许本机前端（localhost / 127.0.0.1 任意端口）跨域访问 API 与 OAuth；生产同域部署时可关闭或改为配置白名单。
+func corsLocalDev() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		o := c.GetHeader("Origin")
+		if o != "" && isLocalDevOrigin(o) {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", o)
+			c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+			c.Writer.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Tenant-ID, X-User-ID, X-Grantor-User-ID")
+			c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+		}
+		if c.Request.Method == http.MethodOptions {
+			c.AbortWithStatus(http.StatusNoContent)
+			return
+		}
+		c.Next()
+	}
+}
+
+func isLocalDevOrigin(o string) bool {
+	return strings.HasPrefix(o, "http://localhost:") ||
+		strings.HasPrefix(o, "http://127.0.0.1:") ||
+		strings.HasPrefix(o, "http://[::1]:")
+}