befly 3.4.14 → 3.4.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/config/env.ts +12 -12
  2. package/lib/middleware.ts +38 -6
  3. package/package.json +2 -2
  4. package/router/api.ts +1 -0
package/config/env.ts CHANGED
@@ -87,17 +87,17 @@ export interface EnvConfig {
87
87
 
88
88
  // ========== CORS 配置 ==========
89
89
  /** 允许的来源 */
90
- ALLOWED_ORIGIN: string;
90
+ CORS_ALLOWED_ORIGIN: string;
91
91
  /** 允许的方法 */
92
- ALLOWED_METHODS: string;
92
+ CORS_ALLOWED_METHODS: string;
93
93
  /** 允许的头部 */
94
- ALLOWED_HEADERS: string;
94
+ CORS_ALLOWED_HEADERS: string;
95
95
  /** 暴露的头部 */
96
- EXPOSE_HEADERS: string;
96
+ CORS_EXPOSE_HEADERS: string;
97
97
  /** 预检请求缓存时间(秒) */
98
- MAX_AGE: number;
98
+ CORS_MAX_AGE: number;
99
99
  /** 是否允许凭证 */
100
- ALLOW_CREDENTIALS: string;
100
+ CORS_ALLOW_CREDENTIALS: string;
101
101
 
102
102
  // ========== 邮件配置 ==========
103
103
  /** 邮件服务器主机 */
@@ -183,12 +183,12 @@ export const Env: EnvConfig = {
183
183
  JWT_ALGORITHM: getEnv('JWT_ALGORITHM', 'HS256'),
184
184
 
185
185
  // ========== CORS 配置 ==========
186
- ALLOWED_ORIGIN: getEnv('ALLOWED_ORIGIN', '*'),
187
- ALLOWED_METHODS: getEnv('ALLOWED_METHODS', 'GET, POST, PUT, DELETE, OPTIONS'),
188
- ALLOWED_HEADERS: getEnv('ALLOWED_HEADERS', 'Content-Type, Authorization, authorization, token'),
189
- EXPOSE_HEADERS: getEnv('EXPOSE_HEADERS', 'Content-Range, X-Content-Range, Authorization, authorization, token'),
190
- MAX_AGE: getEnvNumber('MAX_AGE', 86400),
191
- ALLOW_CREDENTIALS: getEnv('ALLOW_CREDENTIALS', 'true'),
186
+ CORS_ALLOWED_ORIGIN: getEnv('CORS_ALLOWED_ORIGIN', '*'),
187
+ CORS_ALLOWED_METHODS: getEnv('CORS_ALLOWED_METHODS', 'GET, POST, PUT, DELETE, OPTIONS'),
188
+ CORS_ALLOWED_HEADERS: getEnv('CORS_ALLOWED_HEADERS', 'Content-Type, Authorization, authorization, token'),
189
+ CORS_EXPOSE_HEADERS: getEnv('CORS_EXPOSE_HEADERS', 'Content-Range, X-Content-Range, Authorization, authorization, token'),
190
+ CORS_MAX_AGE: getEnvNumber('CORS_MAX_AGE', 86400),
191
+ CORS_ALLOW_CREDENTIALS: getEnv('CORS_ALLOW_CREDENTIALS', 'true'),
192
192
 
193
193
  // ========== 邮件配置 ==========
194
194
  MAIL_HOST: getEnv('MAIL_HOST', ''),
package/lib/middleware.ts CHANGED
@@ -50,18 +50,50 @@ export interface CorsResult {
50
50
  /**
51
51
  * 设置 CORS 选项
52
52
  * 根据环境变量或请求头动态设置跨域配置
53
+ *
54
+ * 注意:Access-Control-Allow-Origin 只能返回单个源,不能用逗号分隔多个源
55
+ * 如果配置了多个允许的源,需要根据请求的 Origin 动态返回匹配的源
56
+ *
53
57
  * @param req - 请求对象
54
58
  * @returns CORS 配置对象
55
59
  */
56
60
  export const setCorsOptions = (req: Request): CorsResult => {
61
+ const requestOrigin = req.headers.get('origin');
62
+ let allowedOrigin = '*';
63
+
64
+ // 如果配置了 CORS_ALLOWED_ORIGIN
65
+ if (Env.CORS_ALLOWED_ORIGIN) {
66
+ // 如果配置为 *,使用请求的 origin(而不是返回 *)
67
+ if (Env.CORS_ALLOWED_ORIGIN === '*') {
68
+ allowedOrigin = requestOrigin || '*';
69
+ } else {
70
+ // 支持多个源,用逗号分隔
71
+ const allowedOrigins = Env.CORS_ALLOWED_ORIGIN.split(',').map((origin) => origin.trim());
72
+
73
+ // 如果请求的 origin 在允许列表中,返回该 origin
74
+ if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
75
+ allowedOrigin = requestOrigin;
76
+ } else if (allowedOrigins.length === 1) {
77
+ // 如果只配置了一个源,直接使用
78
+ allowedOrigin = allowedOrigins[0];
79
+ } else {
80
+ // 多个源但请求源不在列表中,不允许跨域
81
+ allowedOrigin = 'null';
82
+ }
83
+ }
84
+ } else if (requestOrigin) {
85
+ // 没有配置 CORS_ALLOWED_ORIGIN,使用请求的 origin
86
+ allowedOrigin = requestOrigin;
87
+ }
88
+
57
89
  return {
58
90
  headers: {
59
- 'Access-Control-Allow-Origin': Env.ALLOWED_ORIGIN || req.headers.get('origin') || '*',
60
- 'Access-Control-Allow-Methods': Env.ALLOWED_METHODS || 'GET, POST, PUT, DELETE, OPTIONS',
61
- 'Access-Control-Allow-Headers': Env.ALLOWED_HEADERS || 'Content-Type, Authorization, authorization, token',
62
- 'Access-Control-Expose-Headers': Env.EXPOSE_HEADERS || 'Content-Range, X-Content-Range, Authorization, authorization, token',
63
- 'Access-Control-Max-Age': Env.MAX_AGE || 86400,
64
- 'Access-Control-Allow-Credentials': Env.ALLOW_CREDENTIALS || 'true'
91
+ 'Access-Control-Allow-Origin': allowedOrigin,
92
+ 'Access-Control-Allow-Methods': Env.CORS_ALLOWED_METHODS || 'GET, POST, PUT, DELETE, OPTIONS',
93
+ 'Access-Control-Allow-Headers': Env.CORS_ALLOWED_HEADERS || 'Content-Type, Authorization, authorization, token',
94
+ 'Access-Control-Expose-Headers': Env.CORS_EXPOSE_HEADERS || 'Content-Range, X-Content-Range, Authorization, authorization, token',
95
+ 'Access-Control-Max-Age': Env.CORS_MAX_AGE || 86400,
96
+ 'Access-Control-Allow-Credentials': Env.CORS_ALLOW_CREDENTIALS || 'true'
65
97
  }
66
98
  };
67
99
  };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "befly",
3
- "version": "3.4.14",
3
+ "version": "3.4.16",
4
4
  "description": "Befly - 为 Bun 专属打造的 TypeScript API 接口框架核心引擎",
5
5
  "type": "module",
6
6
  "private": false,
@@ -81,5 +81,5 @@
81
81
  "ora": "^9.0.0",
82
82
  "pathe": "^2.0.3"
83
83
  },
84
- "gitHead": "8ced9f183b280460e8136eb00985c0fb83e63bc1"
84
+ "gitHead": "e1533f0a123ef756790fad4fc34dd9690a30f72e"
85
85
  }
package/router/api.ts CHANGED
@@ -21,6 +21,7 @@ import type { BeflyContext } from '../types/befly.js';
21
21
  export function apiHandler(apiRoutes: Map<string, ApiRoute>, pluginLists: Plugin[], appContext: BeflyContext) {
22
22
  return async (req: Request): Promise<Response> => {
23
23
  const corsOptions = setCorsOptions(req);
24
+ console.log('🔥[ corsOptions ]-24', corsOptions);
24
25
  let ctx: RequestContext | null = null;
25
26
  let api: ApiRoute | undefined;
26
27
  let apiPath = '';