feat(api): add model delete, pagination, and cors config

cmd/server/main.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
@@ -54,6 +55,21 @@ func fatal(logger *slog.Logger, msg string, args ...any) {
 	os.Exit(1)
 }
 
+func isOriginAllowed(allowed []string, origin string) bool {
+	if len(allowed) == 0 {
+		return false
+	}
+	for _, item := range allowed {
+		if item == "*" {
+			return true
+		}
+		if strings.EqualFold(strings.TrimSpace(item), strings.TrimSpace(origin)) {
+			return true
+		}
+	}
+	return false
+}
+
 func main() {
 	logger, _ := logging.New(logging.Options{Service: "ez-api"})
 
@@ -184,9 +200,18 @@ func main() {
 	r := gin.Default()
 	r.Use(middleware.RequestID())
 
+	allowedOrigins := cfg.CORS.AllowOrigins
+	allowAllOrigins := isOriginAllowed(allowedOrigins, "*")
+
 	// CORS Middleware
 	r.Use(func(c *gin.Context) {
-		c.Writer.Header().Set("Access-Control-Allow-Origin", "*") // TODO: Restrict this in production
+		origin := c.Request.Header.Get("Origin")
+		if allowAllOrigins {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		} else if origin != "" && isOriginAllowed(allowedOrigins, origin) {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
+			c.Writer.Header().Add("Vary", "Origin")
+		}
 		c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
 		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With")
 		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT, DELETE")
@@ -257,6 +282,7 @@ func main() {
 		adminGroup.POST("/models", handler.CreateModel)
 		adminGroup.GET("/models", handler.ListModels)
 		adminGroup.PUT("/models/:id", handler.UpdateModel)
+		adminGroup.DELETE("/models/:id", handler.DeleteModel)
 		adminGroup.GET("/logs", handler.ListLogs)
 		adminGroup.DELETE("/logs", handler.DeleteLogs)
 		adminGroup.GET("/logs/stats", handler.LogStats)