From 582a74c00095daa7121bccce4e685e6961edd046 Mon Sep 17 00:00:00 2001
From: Anthony Accioly <1591739+aaccioly@users.noreply.github.com>
Date: Tue, 5 Nov 2024 18:37:12 +0000
Subject: [PATCH] refactor: apply CORS rules on relay

---
 blossom/server.go | 32 +++++++-------------------------
 handlers.go       | 20 +++++++++++++++++---
 2 files changed, 24 insertions(+), 28 deletions(-)

diff --git a/blossom/server.go b/blossom/server.go
index 5b9fcff..4aed5ac 100644
--- a/blossom/server.go
+++ b/blossom/server.go
@@ -3,11 +3,9 @@ package blossom
 import (
 	"context"
 	"io"
-	"net/http"
 
 	"github.com/fiatjaf/khatru"
 	"github.com/nbd-wtf/go-nostr"
-	"github.com/rs/cors"
 )
 
 type BlossomServer struct {
@@ -29,30 +27,14 @@ func New(rl *khatru.Relay, serviceURL string) *BlossomServer {
 		ServiceURL: serviceURL,
 	}
 
-	base := rl.Router()
+	mux := rl.Router()
 
-	blossomApi := http.NewServeMux()
-	blossomApi.HandleFunc("PUT /upload", bs.handleUpload)
-	blossomApi.HandleFunc("HEAD /upload", bs.handleUploadCheck)
-	blossomApi.HandleFunc("GET /list/{pubkey}", bs.handleList)
-	blossomApi.HandleFunc("HEAD /{sha256}", bs.handleHasBlob)
-	blossomApi.HandleFunc("GET /{sha256}", bs.handleGetBlob)
-	blossomApi.HandleFunc("DELETE /{sha256}", bs.handleDelete)
-	blossomApi.Handle("/", base) // forwards to relay
-
-	bud01CorsMux := cors.New(cors.Options{
-		AllowedOrigins: []string{"*"},
-		AllowedMethods: []string{"GET", "PUT", "DELETE"},
-		AllowedHeaders: []string{"Authorization", "*"},
-		MaxAge:         86400,
-	})
-
-	wrappedBlossomApi := bud01CorsMux.Handler(blossomApi)
-
-	combinedMux := http.NewServeMux()
-	combinedMux.Handle("/", wrappedBlossomApi)
-
-	rl.SetRouter(combinedMux)
+	mux.HandleFunc("PUT /upload", bs.handleUpload)
+	mux.HandleFunc("HEAD /upload", bs.handleUploadCheck)
+	mux.HandleFunc("GET /list/{pubkey}", bs.handleList)
+	mux.HandleFunc("HEAD /{sha256}", bs.handleHasBlob)
+	mux.HandleFunc("GET /{sha256}", bs.handleGetBlob)
+	mux.HandleFunc("DELETE /{sha256}", bs.handleDelete)
 
 	return bs
 }
diff --git a/handlers.go b/handlers.go
index 914f74a..aaf3d03 100644
--- a/handlers.go
+++ b/handlers.go
@@ -26,14 +26,28 @@ func (rl *Relay) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		rl.ServiceURL = getServiceBaseURL(r)
 	}
 
+	corsMiddleware := cors.New(cors.Options{
+		AllowedOrigins: []string{"*"},
+		AllowedMethods: []string{
+			http.MethodHead,
+			http.MethodGet,
+			http.MethodPost,
+			http.MethodPut,
+			http.MethodPatch,
+			http.MethodDelete,
+		},
+		AllowedHeaders: []string{"Authorization", "*"},
+		MaxAge:         86400,
+	})
+
 	if r.Header.Get("Upgrade") == "websocket" {
 		rl.HandleWebsocket(w, r)
 	} else if r.Header.Get("Accept") == "application/nostr+json" {
-		cors.AllowAll().Handler(http.HandlerFunc(rl.HandleNIP11)).ServeHTTP(w, r)
+		corsMiddleware.Handler(http.HandlerFunc(rl.HandleNIP11)).ServeHTTP(w, r)
 	} else if r.Header.Get("Content-Type") == "application/nostr+json+rpc" {
-		cors.AllowAll().Handler(http.HandlerFunc(rl.HandleNIP86)).ServeHTTP(w, r)
+		corsMiddleware.Handler(http.HandlerFunc(rl.HandleNIP86)).ServeHTTP(w, r)
 	} else {
-		rl.serveMux.ServeHTTP(w, r)
+		corsMiddleware.Handler(rl.serveMux).ServeHTTP(w, r)
 	}
 }