Improve CORS origin handling; extend invoice repo/service and payments dispatch; rate limit and nginx config updates

Made-with: Love
2026-04-29 05:44:59 +00:00
parent 2cb17df4c5
commit a01797e9b2
12 changed files with 224 additions and 35 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -60,6 +60,11 @@ type Config struct {
 	LogLevel          string
 	RateLimitPerMin   int
 	ReservedUsernames []string
+
+	// CORS: exact origin list = FRONTEND_URL ∪ CORS_ORIGINS; loopback hosts if CORS_ALLOW_LOCALHOST.
+	CORSExtraOrigins     []string
+	CORSAllowLocalhost   bool
+	CORSAllowCredentials bool
 }

 func Load() (*Config, error) {
@@ -104,6 +109,9 @@ func Load() (*Config, error) {
 		LogLevel:          env("LOG_LEVEL", "info"),
 		RateLimitPerMin:   envInt("RATE_LIMIT_PER_MIN", 30),
 		ReservedUsernames: csv(env("RESERVED_USERNAMES", "")),
+		CORSExtraOrigins:  csv(env("CORS_ORIGINS", "")),
+		CORSAllowLocalhost:   envBool("CORS_ALLOW_LOCALHOST", true),
+		CORSAllowCredentials: envBool("CORS_ALLOW_CREDENTIALS", false),
 	}

 	if err := Validate(c); err != nil {
@@ -169,3 +177,22 @@ func csvInt(v string) []int {
 }

 func (c *Config) Addr() string { return fmt.Sprintf(":%d", c.Port) }
+
+// CORSExactOrigins lists allowed browser Origins for exact match (before loopback wildcard).
+func (c *Config) CORSExactOrigins() []string {
+	seen := make(map[string]bool)
+	out := make([]string, 0, 4+len(c.CORSExtraOrigins))
+	add := func(s string) {
+		s = strings.TrimSpace(s)
+		if s == "" || seen[s] {
+			return
+		}
+		seen[s] = true
+		out = append(out, s)
+	}
+	add(c.FrontendURL)
+	for _, o := range c.CORSExtraOrigins {
+		add(o)
+	}
+	return out
+}