从 go-swagger UI 访问 API 时 Golang 中的 CORS 问题

Posted

技术标签:

【中文标题】从 go-swagger UI 访问 API 时 Golang 中的 CORS 问题【英文标题】:CORS Issue in Golang while accessing API from go-swagger UI 【发布时间】:2021-01-28 11:03:12 【问题描述】:

我已经为我的 API 文档实现了 go-swagger,该文档在我的本地主机上的不同端口上运行,我的应用程序在端口 8888 上运行。我已经实现了 cors https://github.com/rs/cors

我实现 cors 的代码是

var Router = func() *mux.Router
    router := mux.NewRouter()
    var c = cors.New(cors.Options
        AllowedOrigins: []string"*",
        AllowCredentials: true,
        AllowedMethods :[]string"POST", "PUT","GET","DELETE","OPTIONS",
        AllowedHeaders:   []string"Accept", "Authorization", "Content-Type", "X-CSRF-Token",
        MaxAge: 300,
        // Enable Debugging for testing, consider disabling in production
        Debug: true,
    )


    RegisterHandler := http.HandlerFunc(controllers.Register)
    router.Handle("/api/register",c.Handler(middleware.RequestValidator(RegisterHandler,reflect.TypeOf(dto.UserRequest)))).Methods("POST")
    fmt.Println("var1 = ", reflect.TypeOf(router)) 
    return router

当从 Postman 发出请求时,似乎代码运行良好

邮递员响应标头

access-control-allow-credentials →true
access-control-allow-origin →*
content-length →123
content-type →application/json
date →Wed, 14 Oct 2020 04:02:37 GMT
vary →Origin 

由于我在实现 cors 中间件时启用了调试,因此打印在控制台上的日志如下

控制台日志

[cors] 2020/10/14 09:32:37 Handler: Actual request
[cors] 2020/10/14 09:32:37   Actual response added headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Origin:[*] Vary:[Origin]]

问题

当我在浏览器中从 Swagger-UI 访问相同的 API 时,我遇到了未设置“Access-Control-Allow-Origin”标头的问题

Access to fetch at 'http://localhost:8888/api/register' from origin 'http://localhost:45601' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

并且控制台上没有打印日志。

从 Swagger UI 访问 API 时,似乎无法访问 cors 中间件代码。

这是 swagger 响应的 bowser 网络调用详细信息

HTTP 方法 = 选项

一般

Request URL: http://localhost:8888/api/register
Request Method: OPTIONS
Status Code: 405 Method Not Allowed
Remote Address: [::1]:8888
Referrer Policy: strict-origin-when-cross-origin

响应头

Content-Length: 0
Date: Wed, 14 Oct 2020 04:25:23 GMT

请求标头

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en-IN;q=0.9,en;q=0.8
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:8888
Origin: http://localhost:45601
Pragma: no-cache
Referer: http://localhost:45601/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/85.0.4183.121 Safari/537.36

获取

一般

Request URL: http://localhost:8888/api/register
Referrer Policy: strict-origin-when-cross-origin

请求标头

Provisional headers are shown
accept: application/json
Content-Type: application/json
Referer: http://localhost:45601/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

谢谢!

【问题讨论】:

完整代码可以在Github上获取github.com/abhimanyu1990/go-connect 您使用隐身窗口吗?所以浏览器没有缓存您网站的旧版本? 不,我没有使用隐身模式。因为我已经多次重新启动 swagger 并且每次都在新端口上启动 您最终解决了上述问题吗?如果是这样,你能分享一下如何做的见解吗? 【参考方案1】:

你需要在路由器上允许OPTIONS方法。

https://github.com/abhimanyu1990/go-connect/blob/main/app/conf/router.configuration.go#L30

router.Handle("/api/register", c.Handler(middleware.RequestValidator(RegisterHandler, reflect.TypeOf(dto.UserRequest)))).Methods("POST", "OPTIONS")

【讨论】:

我已经尝试过了,但没有任何区别。 我认为它解决了 405 方法不允许的问题。我在我这边测试过,它有效 是的,克隆了你的仓库并在本地测试得很好【参考方案2】:

当我尝试启用 CORS 并在 Go 中写入标头时,这很烦人。 最后,我创建了一个 struct wrapping ResponseWriter 来检测 header 是否已经写入并且它工作正常。

package router

import (
    "log"
    "net/http"
)

const (
    noWritten     = -1
    defaultStatus = http.StatusOK
)

type ResponseWriter struct 
    writer http.ResponseWriter
    size   int
    status int


func (w *ResponseWriter) Writer() http.ResponseWriter 
    return w.writer


func (w *ResponseWriter) WriteHeader(code int) 
    if code > 0 && w.status != code 
        if w.Written() 
            log.Printf("[WARNING] Headers were already written. Wanted to override status code %d with %d", w.status, code)
        
        w.status = code
    


func (w *ResponseWriter) WriteHeaderNow() 
    if !w.Written() 
        w.size = 0
        w.writer.WriteHeader(w.status)
    


func (w *ResponseWriter) Write(data []byte) (n int, err error) 
    w.WriteHeaderNow()
    n, err = w.writer.Write(data)
    w.size += n
    return


func (w *ResponseWriter) Status() int 
    return w.status


func (w *ResponseWriter) Size() int 
    return w.size


func (w *ResponseWriter) Written() bool 
    return w.size != noWritten

在回应中:

func respondJSON(w *router.ResponseWriter, status int, payload interface) 
    res, err := json.Marshal(payload)
    if err != nil 
        respondError(w, internalErrorStatus.number, internalErrorStatus.description)
        return
    

    go w.WriteHeader(status)
    header := w.Writer().Header()
    header.Add("Access-Control-Allow-Origin", "*")
    header.Add("Content-Type", "application/json")
    header.Add("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE")
    header.Add("Access-Control-Allow-Headers", "*")

    w.Write([]byte(res))

【讨论】:

以上是关于从 go-swagger UI 访问 API 时 Golang 中的 CORS 问题的主要内容,如果未能解决你的问题,请参考以下文章

使用go-swagger为golang API自动生成swagger文档

golang restful 框架之 go-swagger

语言实践Go语言文档自动化之go-swagger

CORS 策略已阻止对 XMLHttpRequest 的访问:Spring API 和 Angular UI

从javascript传递到web api 2时如何隐藏或保护令牌

以编程方式加载时无法从类函数内部访问 jQuery UI