Adapter: plugin

pkg/adapter/plugins/apiauth/apiauth.go

@@ -0,0 +1,94 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package apiauth provides handlers to enable apiauth support.
+//
+// Simple Usage:
+//	import(
+//		"github.com/astaxie/beego"
+//		"github.com/astaxie/beego/plugins/apiauth"
+//	)
+//
+//	func main(){
+//		// apiauth every request
+//		beego.InsertFilter("*", beego.BeforeRouter,apiauth.APIBaiscAuth("appid","appkey"))
+//		beego.Run()
+//	}
+//
+// Advanced Usage:
+//
+//	func getAppSecret(appid string) string {
+//		// get appsecret by appid
+//		// maybe store in configure, maybe in database
+//	}
+//
+//	beego.InsertFilter("*", beego.BeforeRouter,apiauth.APISecretAuth(getAppSecret, 360))
+//
+// Information:
+//
+// In the request user should include these params in the query
+//
+// 1. appid
+//
+//		 appid is assigned to the application
+//
+// 2. signature
+//
+//	get the signature use apiauth.Signature()
+//
+//	when you send to server remember use url.QueryEscape()
+//
+// 3. timestamp:
+//
+//       send the request time, the format is yyyy-mm-dd HH:ii:ss
+//
+package apiauth
+
+import (
+	"net/url"
+
+	beego "github.com/astaxie/beego/pkg/adapter"
+	"github.com/astaxie/beego/pkg/adapter/context"
+	beecontext "github.com/astaxie/beego/pkg/server/web/context"
+	"github.com/astaxie/beego/pkg/server/web/filter/apiauth"
+)
+
+// AppIDToAppSecret is used to get appsecret throw appid
+type AppIDToAppSecret apiauth.AppIDToAppSecret
+
+// APIBasicAuth use the basic appid/appkey as the AppIdToAppSecret
+func APIBasicAuth(appid, appkey string) beego.FilterFunc {
+	f := apiauth.APIBasicAuth(appid, appkey)
+	return func(c *context.Context) {
+		f((*beecontext.Context)(c))
+	}
+}
+
+// APIBaiscAuth calls APIBasicAuth for previous callers
+func APIBaiscAuth(appid, appkey string) beego.FilterFunc {
+	return APIBasicAuth(appid, appkey)
+}
+
+// APISecretAuth use AppIdToAppSecret verify and
+func APISecretAuth(f AppIDToAppSecret, timeout int) beego.FilterFunc {
+	ft := apiauth.APISecretAuth(apiauth.AppIDToAppSecret(f), timeout)
+	return func(ctx *context.Context) {
+		ft((*beecontext.Context)(ctx))
+	}
+}
+
+// Signature used to generate signature with the appsecret/method/params/RequestURI
+func Signature(appsecret, method string, params url.Values, requestURL string) string {
+	return apiauth.Signature(appsecret, method, params, requestURL)
+}

pkg/adapter/plugins/apiauth/apiauth_test.go

@@ -0,0 +1,20 @@
+package apiauth
+
+import (
+	"net/url"
+	"testing"
+)
+
+func TestSignature(t *testing.T) {
+	appsecret := "beego secret"
+	method := "GET"
+	RequestURL := "http://localhost/test/url"
+	params := make(url.Values)
+	params.Add("arg1", "hello")
+	params.Add("arg2", "beego")
+
+	signature := "mFdpvLh48ca4mDVEItE9++AKKQ/IVca7O/ZyyB8hR58="
+	if Signature(appsecret, method, params, RequestURL) != signature {
+		t.Error("Signature error")
+	}
+}

pkg/adapter/plugins/auth/basic.go

@@ -0,0 +1,81 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package auth provides handlers to enable basic auth support.
+// Simple Usage:
+//	import(
+//		"github.com/astaxie/beego"
+//		"github.com/astaxie/beego/plugins/auth"
+//	)
+//
+//	func main(){
+//		// authenticate every request
+//		beego.InsertFilter("*", beego.BeforeRouter,auth.Basic("username","secretpassword"))
+//		beego.Run()
+//	}
+//
+//
+// Advanced Usage:
+//
+//	func SecretAuth(username, password string) bool {
+//		return username == "astaxie" && password == "helloBeego"
+//	}
+//	authPlugin := auth.NewBasicAuthenticator(SecretAuth, "Authorization Required")
+//	beego.InsertFilter("*", beego.BeforeRouter,authPlugin)
+package auth
+
+import (
+	"net/http"
+
+	beego "github.com/astaxie/beego/pkg/adapter"
+	"github.com/astaxie/beego/pkg/adapter/context"
+	beecontext "github.com/astaxie/beego/pkg/server/web/context"
+	"github.com/astaxie/beego/pkg/server/web/filter/auth"
+)
+
+// Basic is the http basic auth
+func Basic(username string, password string) beego.FilterFunc {
+	return func(c *context.Context) {
+		f := auth.Basic(username, password)
+		f((*beecontext.Context)(c))
+	}
+}
+
+// NewBasicAuthenticator return the BasicAuth
+func NewBasicAuthenticator(secrets SecretProvider, realm string) beego.FilterFunc {
+	f := auth.NewBasicAuthenticator(auth.SecretProvider(secrets), realm)
+	return func(c *context.Context) {
+		f((*beecontext.Context)(c))
+	}
+}
+
+// SecretProvider is the SecretProvider function
+type SecretProvider auth.SecretProvider
+
+// BasicAuth store the SecretProvider and Realm
+type BasicAuth auth.BasicAuth
+
+// CheckAuth Checks the username/password combination from the request. Returns
+// either an empty string (authentication failed) or the name of the
+// authenticated user.
+// Supports MD5 and SHA1 password entries
+func (a *BasicAuth) CheckAuth(r *http.Request) string {
+	return (*auth.BasicAuth)(a).CheckAuth(r)
+}
+
+// RequireAuth http.Handler for BasicAuth which initiates the authentication process
+// (or requires reauthentication).
+func (a *BasicAuth) RequireAuth(w http.ResponseWriter, r *http.Request) {
+	(*auth.BasicAuth)(a).RequireAuth(w, r)
+}

pkg/adapter/plugins/authz/authz.go

@@ -0,0 +1,80 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package authz provides handlers to enable ACL, RBAC, ABAC authorization support.
+// Simple Usage:
+//	import(
+//		"github.com/astaxie/beego"
+//		"github.com/astaxie/beego/plugins/authz"
+//		"github.com/casbin/casbin"
+//	)
+//
+//	func main(){
+//		// mediate the access for every request
+//		beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
+//		beego.Run()
+//	}
+//
+//
+// Advanced Usage:
+//
+//	func main(){
+//		e := casbin.NewEnforcer("authz_model.conf", "")
+//		e.AddRoleForUser("alice", "admin")
+//		e.AddPolicy(...)
+//
+//		beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(e))
+//		beego.Run()
+//	}
+package authz
+
+import (
+	"net/http"
+
+	"github.com/casbin/casbin"
+
+	beego "github.com/astaxie/beego/pkg/adapter"
+	"github.com/astaxie/beego/pkg/adapter/context"
+	beecontext "github.com/astaxie/beego/pkg/server/web/context"
+	"github.com/astaxie/beego/pkg/server/web/filter/authz"
+)
+
+// NewAuthorizer returns the authorizer.
+// Use a casbin enforcer as input
+func NewAuthorizer(e *casbin.Enforcer) beego.FilterFunc {
+	f := authz.NewAuthorizer(e)
+	return func(context *context.Context) {
+		f((*beecontext.Context)(context))
+	}
+}
+
+// BasicAuthorizer stores the casbin handler
+type BasicAuthorizer authz.BasicAuthorizer
+
+// GetUserName gets the user name from the request.
+// Currently, only HTTP basic authentication is supported
+func (a *BasicAuthorizer) GetUserName(r *http.Request) string {
+	return (*authz.BasicAuthorizer)(a).GetUserName(r)
+}
+
+// CheckPermission checks the user/method/path combination from the request.
+// Returns true (permission granted) or false (permission forbidden)
+func (a *BasicAuthorizer) CheckPermission(r *http.Request) bool {
+	return (*authz.BasicAuthorizer)(a).CheckPermission(r)
+}
+
+// RequirePermission returns the 403 Forbidden to the client
+func (a *BasicAuthorizer) RequirePermission(w http.ResponseWriter) {
+	(*authz.BasicAuthorizer)(a).RequirePermission(w)
+}

pkg/adapter/plugins/authz/authz_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")

pkg/adapter/plugins/authz/authz_policy.csv

@@ -0,0 +1,7 @@
+p, alice, /dataset1/*, GET
+p, alice, /dataset1/resource1, POST
+p, bob, /dataset2/resource1, *
+p, bob, /dataset2/resource2, GET
+p, bob, /dataset2/folder1/*, POST
+p, dataset1_admin, /dataset1/*, *
+g, cathy, dataset1_admin

pkg/adapter/plugins/authz/authz_test.go

@@ -0,0 +1,108 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authz
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	beego "github.com/astaxie/beego/pkg/adapter"
+	"github.com/astaxie/beego/pkg/adapter/context"
+	"github.com/astaxie/beego/pkg/adapter/plugins/auth"
+	"github.com/casbin/casbin"
+)
+
+func testRequest(t *testing.T, handler *beego.ControllerRegister, user string, path string, method string, code int) {
+	r, _ := http.NewRequest(method, path, nil)
+	r.SetBasicAuth(user, "123")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, r)
+
+	if w.Code != code {
+		t.Errorf("%s, %s, %s: %d, supposed to be %d", user, path, method, w.Code, code)
+	}
+}
+
+func TestBasic(t *testing.T) {
+	handler := beego.NewControllerRegister()
+
+	handler.InsertFilter("*", beego.BeforeRouter, auth.Basic("alice", "123"))
+	handler.InsertFilter("*", beego.BeforeRouter, NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
+
+	handler.Any("*", func(ctx *context.Context) {
+		ctx.Output.SetStatus(200)
+	})
+
+	testRequest(t, handler, "alice", "/dataset1/resource1", "GET", 200)
+	testRequest(t, handler, "alice", "/dataset1/resource1", "POST", 200)
+	testRequest(t, handler, "alice", "/dataset1/resource2", "GET", 200)
+	testRequest(t, handler, "alice", "/dataset1/resource2", "POST", 403)
+}
+
+func TestPathWildcard(t *testing.T) {
+	handler := beego.NewControllerRegister()
+
+	handler.InsertFilter("*", beego.BeforeRouter, auth.Basic("bob", "123"))
+	handler.InsertFilter("*", beego.BeforeRouter, NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
+
+	handler.Any("*", func(ctx *context.Context) {
+		ctx.Output.SetStatus(200)
+	})
+
+	testRequest(t, handler, "bob", "/dataset2/resource1", "GET", 200)
+	testRequest(t, handler, "bob", "/dataset2/resource1", "POST", 200)
+	testRequest(t, handler, "bob", "/dataset2/resource1", "DELETE", 200)
+	testRequest(t, handler, "bob", "/dataset2/resource2", "GET", 200)
+	testRequest(t, handler, "bob", "/dataset2/resource2", "POST", 403)
+	testRequest(t, handler, "bob", "/dataset2/resource2", "DELETE", 403)
+
+	testRequest(t, handler, "bob", "/dataset2/folder1/item1", "GET", 403)
+	testRequest(t, handler, "bob", "/dataset2/folder1/item1", "POST", 200)
+	testRequest(t, handler, "bob", "/dataset2/folder1/item1", "DELETE", 403)
+	testRequest(t, handler, "bob", "/dataset2/folder1/item2", "GET", 403)
+	testRequest(t, handler, "bob", "/dataset2/folder1/item2", "POST", 200)
+	testRequest(t, handler, "bob", "/dataset2/folder1/item2", "DELETE", 403)
+}
+
+func TestRBAC(t *testing.T) {
+	handler := beego.NewControllerRegister()
+
+	handler.InsertFilter("*", beego.BeforeRouter, auth.Basic("cathy", "123"))
+	e := casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")
+	handler.InsertFilter("*", beego.BeforeRouter, NewAuthorizer(e))
+
+	handler.Any("*", func(ctx *context.Context) {
+		ctx.Output.SetStatus(200)
+	})
+
+	// cathy can access all /dataset1/* resources via all methods because it has the dataset1_admin role.
+	testRequest(t, handler, "cathy", "/dataset1/item", "GET", 200)
+	testRequest(t, handler, "cathy", "/dataset1/item", "POST", 200)
+	testRequest(t, handler, "cathy", "/dataset1/item", "DELETE", 200)
+	testRequest(t, handler, "cathy", "/dataset2/item", "GET", 403)
+	testRequest(t, handler, "cathy", "/dataset2/item", "POST", 403)
+	testRequest(t, handler, "cathy", "/dataset2/item", "DELETE", 403)
+
+	// delete all roles on user cathy, so cathy cannot access any resources now.
+	e.DeleteRolesForUser("cathy")
+
+	testRequest(t, handler, "cathy", "/dataset1/item", "GET", 403)
+	testRequest(t, handler, "cathy", "/dataset1/item", "POST", 403)
+	testRequest(t, handler, "cathy", "/dataset1/item", "DELETE", 403)
+	testRequest(t, handler, "cathy", "/dataset2/item", "GET", 403)
+	testRequest(t, handler, "cathy", "/dataset2/item", "POST", 403)
+	testRequest(t, handler, "cathy", "/dataset2/item", "DELETE", 403)
+}

pkg/adapter/plugins/cors/cors.go

@@ -0,0 +1,71 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cors provides handlers to enable CORS support.
+// Usage
+//	import (
+// 		"github.com/astaxie/beego"
+//		"github.com/astaxie/beego/plugins/cors"
+// )
+//
+//	func main() {
+//		// CORS for https://foo.* origins, allowing:
+//		// - PUT and PATCH methods
+//		// - Origin header
+//		// - Credentials share
+//		beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
+//			AllowOrigins:     []string{"https://*.foo.com"},
+//			AllowMethods:     []string{"PUT", "PATCH"},
+//			AllowHeaders:     []string{"Origin"},
+//			ExposeHeaders:    []string{"Content-Length"},
+//			AllowCredentials: true,
+//		}))
+//		beego.Run()
+//	}
+package cors
+
+import (
+	beego "github.com/astaxie/beego/pkg/adapter"
+	beecontext "github.com/astaxie/beego/pkg/server/web/context"
+	"github.com/astaxie/beego/pkg/server/web/filter/cors"
+
+	"github.com/astaxie/beego/pkg/adapter/context"
+)
+
+// Options represents Access Control options.
+type Options cors.Options
+
+// Header converts options into CORS headers.
+func (o *Options) Header(origin string) (headers map[string]string) {
+	return (*cors.Options)(o).Header(origin)
+}
+
+// PreflightHeader converts options into CORS headers for a preflight response.
+func (o *Options) PreflightHeader(origin, rMethod, rHeaders string) (headers map[string]string) {
+	return (*cors.Options)(o).PreflightHeader(origin, rMethod, rHeaders)
+}
+
+// IsOriginAllowed looks up if the origin matches one of the patterns
+// generated from Options.AllowOrigins patterns.
+func (o *Options) IsOriginAllowed(origin string) bool {
+	return (*cors.Options)(o).IsOriginAllowed(origin)
+}
+
+// Allow enables CORS for requests those match the provided options.
+func Allow(opts *Options) beego.FilterFunc {
+	f := cors.Allow((*cors.Options)(opts))
+	return func(c *context.Context) {
+		f((*beecontext.Context)(c))
+	}
+}

pkg/adapter/plugins/cors/cors_test.go

@@ -0,0 +1,253 @@
+// Copyright 2014 beego Author. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cors
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/astaxie/beego"
+	"github.com/astaxie/beego/context"
+)
+
+// HTTPHeaderGuardRecorder is httptest.ResponseRecorder with own http.Header
+type HTTPHeaderGuardRecorder struct {
+	*httptest.ResponseRecorder
+	savedHeaderMap http.Header
+}
+
+// NewRecorder return HttpHeaderGuardRecorder
+func NewRecorder() *HTTPHeaderGuardRecorder {
+	return &HTTPHeaderGuardRecorder{httptest.NewRecorder(), nil}
+}
+
+func (gr *HTTPHeaderGuardRecorder) WriteHeader(code int) {
+	gr.ResponseRecorder.WriteHeader(code)
+	gr.savedHeaderMap = gr.ResponseRecorder.Header()
+}
+
+func (gr *HTTPHeaderGuardRecorder) Header() http.Header {
+	if gr.savedHeaderMap != nil {
+		// headers were written. clone so we don't get updates
+		clone := make(http.Header)
+		for k, v := range gr.savedHeaderMap {
+			clone[k] = v
+		}
+		return clone
+	}
+	return gr.ResponseRecorder.Header()
+}
+
+func Test_AllowAll(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins: true,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	handler.ServeHTTP(recorder, r)
+
+	if recorder.HeaderMap.Get(headerAllowOrigin) != "*" {
+		t.Errorf("Allow-Origin header should be *")
+	}
+}
+
+func Test_AllowRegexMatch(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowOrigins: []string{"https://aaa.com", "https://*.foo.com"},
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	origin := "https://bar.foo.com"
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	r.Header.Add("Origin", origin)
+	handler.ServeHTTP(recorder, r)
+
+	headerValue := recorder.HeaderMap.Get(headerAllowOrigin)
+	if headerValue != origin {
+		t.Errorf("Allow-Origin header should be %v, found %v", origin, headerValue)
+	}
+}
+
+func Test_AllowRegexNoMatch(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowOrigins: []string{"https://*.foo.com"},
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	origin := "https://ww.foo.com.evil.com"
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	r.Header.Add("Origin", origin)
+	handler.ServeHTTP(recorder, r)
+
+	headerValue := recorder.HeaderMap.Get(headerAllowOrigin)
+	if headerValue != "" {
+		t.Errorf("Allow-Origin header should not exist, found %v", headerValue)
+	}
+}
+
+func Test_OtherHeaders(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins:  true,
+		AllowCredentials: true,
+		AllowMethods:     []string{"PATCH", "GET"},
+		AllowHeaders:     []string{"Origin", "X-whatever"},
+		ExposeHeaders:    []string{"Content-Length", "Hello"},
+		MaxAge:           5 * time.Minute,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	handler.ServeHTTP(recorder, r)
+
+	credentialsVal := recorder.HeaderMap.Get(headerAllowCredentials)
+	methodsVal := recorder.HeaderMap.Get(headerAllowMethods)
+	headersVal := recorder.HeaderMap.Get(headerAllowHeaders)
+	exposedHeadersVal := recorder.HeaderMap.Get(headerExposeHeaders)
+	maxAgeVal := recorder.HeaderMap.Get(headerMaxAge)
+
+	if credentialsVal != "true" {
+		t.Errorf("Allow-Credentials is expected to be true, found %v", credentialsVal)
+	}
+
+	if methodsVal != "PATCH,GET" {
+		t.Errorf("Allow-Methods is expected to be PATCH,GET; found %v", methodsVal)
+	}
+
+	if headersVal != "Origin,X-whatever" {
+		t.Errorf("Allow-Headers is expected to be Origin,X-whatever; found %v", headersVal)
+	}
+
+	if exposedHeadersVal != "Content-Length,Hello" {
+		t.Errorf("Expose-Headers are expected to be Content-Length,Hello. Found %v", exposedHeadersVal)
+	}
+
+	if maxAgeVal != "300" {
+		t.Errorf("Max-Age is expected to be 300, found %v", maxAgeVal)
+	}
+}
+
+func Test_DefaultAllowHeaders(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins: true,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	handler.ServeHTTP(recorder, r)
+
+	headersVal := recorder.HeaderMap.Get(headerAllowHeaders)
+	if headersVal != "Origin,Accept,Content-Type,Authorization" {
+		t.Errorf("Allow-Headers is expected to be Origin,Accept,Content-Type,Authorization; found %v", headersVal)
+	}
+}
+
+func Test_Preflight(t *testing.T) {
+	recorder := NewRecorder()
+	handler := beego.NewControllerRegister()
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins: true,
+		AllowMethods:    []string{"PUT", "PATCH"},
+		AllowHeaders:    []string{"Origin", "X-whatever", "X-CaseSensitive"},
+	}))
+
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(200)
+	})
+
+	r, _ := http.NewRequest("OPTIONS", "/foo", nil)
+	r.Header.Add(headerRequestMethod, "PUT")
+	r.Header.Add(headerRequestHeaders, "X-whatever, x-casesensitive")
+	handler.ServeHTTP(recorder, r)
+
+	headers := recorder.Header()
+	methodsVal := headers.Get(headerAllowMethods)
+	headersVal := headers.Get(headerAllowHeaders)
+	originVal := headers.Get(headerAllowOrigin)
+
+	if methodsVal != "PUT,PATCH" {
+		t.Errorf("Allow-Methods is expected to be PUT,PATCH, found %v", methodsVal)
+	}
+
+	if !strings.Contains(headersVal, "X-whatever") {
+		t.Errorf("Allow-Headers is expected to contain X-whatever, found %v", headersVal)
+	}
+
+	if !strings.Contains(headersVal, "x-casesensitive") {
+		t.Errorf("Allow-Headers is expected to contain x-casesensitive, found %v", headersVal)
+	}
+
+	if originVal != "*" {
+		t.Errorf("Allow-Origin is expected to be *, found %v", originVal)
+	}
+
+	if recorder.Code != http.StatusOK {
+		t.Errorf("Status code is expected to be 200, found %d", recorder.Code)
+	}
+}
+
+func Benchmark_WithoutCORS(b *testing.B) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	beego.BConfig.RunMode = beego.PROD
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	b.ResetTimer()
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	for i := 0; i < b.N; i++ {
+		handler.ServeHTTP(recorder, r)
+	}
+}
+
+func Benchmark_WithCORS(b *testing.B) {
+	recorder := httptest.NewRecorder()
+	handler := beego.NewControllerRegister()
+	beego.BConfig.RunMode = beego.PROD
+	handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
+		AllowAllOrigins:  true,
+		AllowCredentials: true,
+		AllowMethods:     []string{"PATCH", "GET"},
+		AllowHeaders:     []string{"Origin", "X-whatever"},
+		MaxAge:           5 * time.Minute,
+	}))
+	handler.Any("/foo", func(ctx *context.Context) {
+		ctx.Output.SetStatus(500)
+	})
+	b.ResetTimer()
+	r, _ := http.NewRequest("PUT", "/foo", nil)
+	for i := 0; i < b.N; i++ {
+		handler.ServeHTTP(recorder, r)
+	}
+}

pkg/server/web/filter/apiauth/apiauth.go

@@ -83,11 +83,6 @@ func APIBasicAuth(appid, appkey string) web.FilterFunc {
 	return APISecretAuth(ft, 300)
 }
 
-// APIBasicAuth calls APIBasicAuth for previous callers
-func APIBaiscAuth(appid, appkey string) web.FilterFunc {
-	return APIBasicAuth(appid, appkey)
-}
-
 // APISecretAuth uses AppIdToAppSecret verify and
 func APISecretAuth(f AppIDToAppSecret, timeout int) web.FilterFunc {
 	return func(ctx *context.Context) {