CORS: Support multiple allowed origins (dynamic Access-Control-Allow-Origin)

[akshat-kumar-singhal]

Problem

The current CORS middleware (pkg/gofr/http/middleware/cors.go) sets Access-Control-Allow-Origin as a static value from middlewareConfigs. The HTTP spec only allows a single origin or * in this header.

When an application serves multiple frontends (e.g., https://app.example.com and https://admin.example.com), there is no way to configure GoFr to respond with the correct origin dynamically. The only options are:

• * (insecure, does not work with credentials: include)
• A single origin (breaks the other frontends)

Current behavior

// cors.go — always sets a static value
defaultHeaders := map[string]string{
    "Access-Control-Allow-Origin": "*",
}
// Overridden by ACCESS_CONTROL_ALLOW_ORIGIN env var, but still static

Proposed solution

Support a comma-separated list of allowed origins in ACCESS_CONTROL_ALLOW_ORIGIN. The middleware would:

1. Parse the config into a set of allowed origins
2. On each request, check the Origin header against the allowed set
3. If matched, respond with that specific origin (not *)
4. Set Vary: Origin header for correct caching

func CORS(middlewareConfigs map[string]string, routes *[]string) func(inner http.Handler) http.Handler {
    allowedOrigins := parseOrigins(middlewareConfigs["Access-Control-Allow-Origin"])

    return func(inner http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            origin := r.Header.Get("Origin")
            if allowedOrigins["*"] {
                w.Header().Set("Access-Control-Allow-Origin", "*")
            } else if allowedOrigins[origin] {
                w.Header().Set("Access-Control-Allow-Origin", origin)
                w.Header().Set("Vary", "Origin")
            }
            // ... rest of CORS logic
        })
    }
}

Configuration

# Current (single origin or wildcard)
ACCESS_CONTROL_ALLOW_ORIGIN=https://app.example.com

# Proposed (comma-separated list)
ACCESS_CONTROL_ALLOW_ORIGIN=https://app.example.com,https://admin.example.com

This is backward-compatible — a single origin or * works exactly as before. Only when commas are present does the dynamic matching activate.

Use case

Multi-tenant SaaS with separate customer and admin frontends deployed to different domains, both calling the same API. Currently requires workarounds like custom middleware or using *.

[aryanmehrotra]

Yes it should be supported