refactor(api): extract cors origin classification into internal/api/cors leaf (ADR-0011)#454
Merged
Merged
Conversation
…ors leaf (ADR-0011) Move the Origin-header classification used by the CORS policy out of the flat internal/api namespace into the internal/api/cors leaf package (ADR-0011, fourth slice). The leaf exposes IsLocalhostOrigin, IsSameOrigin, and IsRFC1918Origin — with the strict complete-IP-structure validation that rejects bypass tricks like "localhost.evil.com" and "192.168.1.1.evil.com" — and depends only on stdlib (net/url, strings). The api-cors-isolated depguard rule statically forbids any upward import of the transport layer. The HTTP middleware that consumes the classifiers (corsMiddleware), the opt-in env read (corsAllowPrivateEnabled), and the response-header wiring stay in internal/api. server.go drops from 1007 to 870 lines. The security-sensitive origin logic is now unit-tested directly against the leaf: the existing cors_internal_test.go and four classifier tests that were embedded in server_internal_test.go are relocated to internal/api/cors (exported-API tests external, unexported-helper tests internal). No behaviour change: CORS allow/deny decisions and response headers are identical.
Contributor
License Compliance ReportAll dependencies pass license compliance checksGo Dependencies
npm DependenciesSee full report in workflow artifacts Allowed Licenses: MIT, Apache-2.0, BSD-*, ISC, CC0-1.0, MPL-2.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extracts the CORS Origin-header classification out of the flat
internal/apinamespace into theinternal/api/corsleaf package —the fourth slice of the ADR-0011
internal/apisub-package decomposition(after
ratelimit#451,sse#452,tlsutil#453).The leaf exposes
IsLocalhostOrigin,IsSameOrigin, andIsRFC1918Origin, with the strict complete-IP-structure validation thatrejects CORS-bypass tricks like
localhost.evil.comand192.168.1.1.evil.com. It depends only on stdlib (net/url,strings).The new
api-cors-isolateddepguard rule statically forbids any upwardimport of the transport layer.
The HTTP plumbing stays in
internal/api: thecorsMiddlewaremiddleware,the opt-in env read
corsAllowPrivateEnabled(which logs thecredentialed-LAN-origin warning), and the response-header wiring. As a
side effect
server.goshrinks from 1007 → 870 lines (god-filereduction).
The security-sensitive origin logic is now unit-tested directly against
the leaf: the old
cors_internal_test.goand four classifier tests thatwere embedded in the 2900-line
server_internal_test.goare relocated tointernal/api/cors(exported-API tests external, unexported-helper testsinternal). The
corsMiddlewareintegration tests stay ininternal/api.No behaviour change: CORS allow/deny decisions and response headers are
identical.
Linked Issue
Related to #450
Testing Evidence
Gated from a clean worktree off
origin/main(go 1.26.4,golangci-lint v2.12.2):
Security and Release Checklist
decisions and response headers are byte-identical.
boundary) is preserved exactly and now has dedicated unit coverage in
the leaf; the
corsMiddlewareintegration tests still pass unchanged.api-cors-isolateddepguardrule); golangci-lint clean.
gating, output encoding invariants untouched.