feat: add list api

pkg/cors/cors.go

@@ -19,9 +19,9 @@ type Config struct {
 func DefaultConfig() Config {
 	return Config{
 		AllowOrigins:     []string{"*"},
-		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowHeaders:     []string{"Origin", "Content-Type", "Accept"},
-		ExposeHeaders:    []string{"Content-Length"},
+		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"},
+		AllowHeaders:     []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Requested-With"},
+		ExposeHeaders:    []string{"Content-Length", "Content-Type"},
 		AllowCredentials: true,
 		MaxAge:           86400, // 24 hours
 	}
@@ -30,16 +30,30 @@ func DefaultConfig() Config {
 func Cors(config Config) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		origin := c.Request.Header.Get("Origin")
+		if origin == "" {
+			c.Next()
+			return
+		}
 
 		// 检查是否允许该来源
-		allowOrigin := "*"
+		allowOrigin := ""
 		for _, o := range config.AllowOrigins {
+			if o == "*" {
+				// 通配符时，回显实际 origin（兼容 credentials）
+				allowOrigin = origin
+				break
+			}
 			if o == origin {
 				allowOrigin = origin
 				break
 			}
 		}
 
+		if allowOrigin == "" {
+			c.Next()
+			return
+		}
+
 		c.Header("Access-Control-Allow-Origin", allowOrigin)
 		c.Header("Access-Control-Allow-Methods", strings.Join(config.AllowMethods, ","))
 		c.Header("Access-Control-Allow-Headers", strings.Join(config.AllowHeaders, ","))