OpenNHP · jerry-0824 · Oct 22, 2024
diff --git a/server/config.go b/server/config.go
@@ -41,6 +41,7 @@ type HttpConfig struct {
 	HttpListenIp string
 	TLSCertFile  string
 	TLSKeyFile   string
+	AccessControlAllowOrigin string
 }
 
 type Peers struct {

diff --git a/server/httpserver.go b/server/httpserver.go
@@ -28,6 +28,8 @@ type HttpServer struct {
 	ginEngine  *gin.Engine
 	listenAddr *net.TCPAddr
 
+	accessControlAllowOrigin string
+
 	wg      sync.WaitGroup
 	running atomic.Bool
 
@@ -67,7 +69,7 @@ func (hs *HttpServer) Start(us *UdpServer, hc *HttpConfig) error {
 
 	gin.SetMode(gin.ReleaseMode)
 	hs.ginEngine = gin.New()
-	hs.ginEngine.Use(corsMiddleware())
+	hs.ginEngine.Use(corsMiddleware(hc.AccessControlAllowOrigin))
 	hs.ginEngine.Use(gin.LoggerWithWriter(us.log.Writer()))
 	hs.ginEngine.Use(gin.Recovery())
 
@@ -282,10 +284,10 @@ func (hs *HttpServer) initRouter() {
 // corsMiddleware is a middleware function that adds CORS headers to the HTTP response.
 // It allows cross-origin resource sharing, specifies allowed methods, exposes headers, and sets maximum age.
 // If the request method is OPTIONS, PUT, or DELETE, it aborts the request with a 204 status code.
-func corsMiddleware() gin.HandlerFunc {
+func corsMiddleware(originResource string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// HTTP headers for CORS
-		c.Writer.Header().Set("Access-Control-Allow-Origin", "*")                   // allow cross-origin resource sharing
+		c.Writer.Header().Set("Access-Control-Allow-Origin", originResource) // allow cross-origin resource sharing
 		c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS, POST") // methods
 		c.Writer.Header().Set("Access-Control-Expose-Headers", "Content-Type, Content-Length, Set-Cookie")
 		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Authorization, X-NHP-Ver, Cookie")

diff --git a/server/main/etc/http.toml b/server/main/etc/http.toml
@@ -4,9 +4,11 @@
 # EnableTLS: whether to use TLS certificates for hosting https server.
 # TLSCertFile: certificate file path.
 # TLSKeyFile: key file path.
+# AccessControlAllowOrigin: the response header indicates whether the response can be shared with requesting code from the given origin.
 # to update http changes, you need to restart the http server by changing "EnableHttp" to "false" and then switch it back to "true".
 EnableHttp = true
 EnableTLS = true
 HttpListenIp = "0.0.0.0"    # empty for ipv4 + ipv6, "0.0.0.0" for ipv4 only, "127.0.0.1" for local ipv4 access only
 TLSCertFile = "cert/cert.pem"
 TLSKeyFile = "cert/cert.key"
+AccessControlAllowOrigin = "https://demologin.opennhp.cn"
diff --git a/server/plugins/example/templates/example_login.html b/server/plugins/example/templates/example_login.html
@@ -289,7 +289,9 @@ <h2 id="authSuccessMessage"></h2>
             "&password=" + encodeURIComponent(password);
             console.log(nhpValidUrl);
 
-            fetch(nhpValidUrl)
+            fetch(nhpValidUrl,{
+                credentials: "include"
+            })
             .then(response => response.json())
             .then(result => {
                 console.log(result);