feat: rbac迁移完成，并已部署至dev服务器

app/zero-gateway/internal/middleware/cors.go

@@ -0,0 +1,57 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+)
+
+// CorsMiddleware 跨域中间件
+type CorsMiddleware struct {
+	allowOrigins []string
+	allowMethods []string
+	allowHeaders []string
+}
+
+func NewCorsMiddleware(origins, methods, headers []string) *CorsMiddleware {
+	return &CorsMiddleware{
+		allowOrigins: origins,
+		allowMethods: methods,
+		allowHeaders: headers,
+	}
+}
+
+func (m *CorsMiddleware) Handle(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		origin := r.Header.Get("Origin")
+
+		allowed := false
+		for _, o := range m.allowOrigins {
+			if o == "*" || o == origin {
+				allowed = true
+				break
+			}
+		}
+
+		if allowed {
+			allowOrigin := origin
+			if len(m.allowOrigins) == 1 && m.allowOrigins[0] == "*" {
+				allowOrigin = "*"
+			}
+			w.Header().Set("Access-Control-Allow-Origin", allowOrigin)
+			w.Header().Set("Access-Control-Allow-Methods", strings.Join(m.allowMethods, ", "))
+			w.Header().Set("Access-Control-Allow-Headers", strings.Join(m.allowHeaders, ", "))
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+			w.Header().Set("Access-Control-Max-Age", "3600")
+			// 允许前端 JS 读取自定义响应头（默认跨域只能读 6 个安全头）
+			w.Header().Set("Access-Control-Expose-Headers", "X-Refresh-Token")
+		}
+
+		// 预检请求直接返回 204
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		next(w, r)
+	}
+}