mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-07 13:00:59 +08:00
fix: toFloat handles json.Number, CORS credentials+wildcard bug, strategy config error handling
- agent/agent.go: toFloat() now handles json.Number and int32 types to prevent silent data loss - api/server.go: CORS fix — echo specific origin instead of '*' when credentials are enabled (browsers reject Allow-Credentials with wildcard) - api/strategy.go: all 4 json.Unmarshal calls now check errors and return 'config_error' field instead of silently serving zero-value configs - store/decision.go: explicitly mark best-effort unmarshal with _ = assignment for clarity
This commit is contained in:
@@ -98,7 +98,14 @@ func corsMiddleware() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
origin := c.Request.Header.Get("Origin")
|
||||
if allowAll {
|
||||
c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
if origin != "" {
|
||||
// When credentials are needed, we must echo the specific origin
|
||||
// instead of "*" (browsers reject Allow-Credentials with wildcard).
|
||||
c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
|
||||
c.Writer.Header().Set("Vary", "Origin")
|
||||
} else {
|
||||
c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
}
|
||||
} else if origin != "" && allowed[origin] {
|
||||
c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
|
||||
c.Writer.Header().Set("Vary", "Origin")
|
||||
|
||||
Reference in New Issue
Block a user