fix: 跨域失效 (#394)

2025-12-26 01:33:05 +00:00 · 2024-05-08 18:46:58 +08:00 · 2024-05-08 18:46:58 +08:00 · 3fb6192021
parent 69e39f5ee5
commit 3fb6192021
1 changed files with 11 additions and 15 deletions
--- a/apps/common/middleware/cross_domain_middleware.py
+++ b/apps/common/middleware/cross_domain_middleware.py
@ -17,27 +17,23 @@ class CrossDomainMiddleware(MiddlewareMixin):

    def process_request(self, request):
        if request.method == 'OPTIONS':
-            auth = request.META.get('HTTP_AUTHORIZATION')
-            if auth is not None and str(auth).startswith("application-"):
-                application_api_key = QuerySet(ApplicationApiKey).filter(secret_key=auth).first()
-                if application_api_key.allow_cross_domain:
-                    return HttpResponse(status=200,
-                                        headers={
-                                            "Access-Control-Allow-Origin": "*" if application_api_key.cross_domain_list is None or len(
-                                                application_api_key.cross_domain_list) == 0 else ",".join(
-                                                application_api_key.cross_domain_list),
-                                            "Access-Control-Allow-Methods": "GET,POST,DELETE,PUT",
-                                            "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"})
+            return HttpResponse(status=200,
+                                headers={
+                                    "Access-Control-Allow-Origin": "*",
+                                    "Access-Control-Allow-Methods": "GET,POST,DELETE,PUT",
+                                    "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"})

    def process_response(self, request, response):
        auth = request.META.get('HTTP_AUTHORIZATION')
-        if auth is not None and str(auth).startswith("application-"):
+        origin = request.META.get('HTTP_ORIGIN')
+        if auth is not None and str(auth).startswith("application-") and origin is not None:
            application_api_key = QuerySet(ApplicationApiKey).filter(secret_key=auth).first()
            if application_api_key.allow_cross_domain:
-                response['Access-Control-Allow-Origin'] = "*" if application_api_key.cross_domain_list is None or len(
-                    application_api_key.cross_domain_list) == 0 else ",".join(
-                    application_api_key.cross_domain_list)
                response['Access-Control-Allow-Methods'] = 'GET,POST,DELETE,PUT'
                response[
                    'Access-Control-Allow-Headers'] = "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"
+                if application_api_key.cross_domain_list is None or len(application_api_key.cross_domain_list) == 0:
+                    response['Access-Control-Allow-Origin'] = "*"
+                elif application_api_key.cross_domain_list.__contains__(origin):
+                    response['Access-Control-Allow-Origin'] = origin
        return response