Make allowed origins more flexible

Author: Isti01

backend/src/main/kotlin/hu/bme/sch/cmsch/component/app/ApplicationApiController.kt

@@ -11,7 +11,6 @@ import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpStatusCode
 import org.springframework.http.ResponseEntity
 import org.springframework.security.core.Authentication
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
@@ -20,7 +19,6 @@ import java.util.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 class ApplicationApiController(
     private val menuService: MenuService,
     private val applicationComponent: ApplicationComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/app/ManifestApiController.kt

@@ -1,7 +1,6 @@
 package hu.bme.sch.cmsch.component.app
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
@@ -10,7 +9,6 @@ const val IMAGE_PNG = "image/png"
 
 @RestController
 @RequestMapping("/manifest")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(ApplicationComponent::class)
 class ManifestApiController(
     private val manifestComponent: ManifestComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/app/SettingsApiController.kt

@@ -7,7 +7,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/admin/api/settings")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 class SettingsApiController(
     private val adminMenuService: AdminMenuService
 ) {

backend/src/main/kotlin/hu/bme/sch/cmsch/component/app/WarningApiController.kt

@@ -3,14 +3,12 @@ package hu.bme.sch.cmsch.component.app
 import com.fasterxml.jackson.annotation.JsonView
 import hu.bme.sch.cmsch.dto.Preview
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(ApplicationComponent::class)
 class WarningApiController(
     private val applicationComponent: ApplicationComponent

backend/src/main/kotlin/hu/bme/sch/cmsch/component/communities/CommunitiesApiController.kt

@@ -8,7 +8,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(CommunitiesComponent::class)
 class CommunitiesApiController(
     private val organizationService: OrganizationService

backend/src/main/kotlin/hu/bme/sch/cmsch/component/debt/DebtApiController.kt

@@ -5,14 +5,12 @@ import hu.bme.sch.cmsch.dto.FullDetails
 import hu.bme.sch.cmsch.util.getUser
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
 import org.springframework.security.core.Authentication
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(DebtComponent::class)
 class DebtApiController(
     private val debtsRepository: SoldProductRepository

backend/src/main/kotlin/hu/bme/sch/cmsch/component/event/EventApiController.kt

@@ -16,7 +16,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(EventComponent::class)
 class EventApiController(
     private val eventComponent: EventComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/form/FormApiController.kt

@@ -12,7 +12,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(FormComponent::class)
 class FormApiController(
     private val formService: FormService

backend/src/main/kotlin/hu/bme/sch/cmsch/component/gallery/GalleryApiController.kt

@@ -11,14 +11,12 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
 import org.springframework.security.core.Authentication
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(GalleryComponent::class)
 class GalleryApiController(
     private val galleryComponent: GalleryComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/groupselection/GroupSelectionApiController.kt

@@ -9,7 +9,6 @@ import java.util.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(GroupSelectionComponent::class)
 class GroupSelectionApiController(
     private val groupSelectionService: GroupSelectionService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/home/HomeApiController.kt

@@ -7,15 +7,13 @@ import hu.bme.sch.cmsch.dto.Preview
 import hu.bme.sch.cmsch.util.getUserOrNull
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
 import org.springframework.security.core.Authentication
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import java.util.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(HomeComponent::class)
 class HomeApiController(
     private val newsService: Optional<NewsService>,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/key/AccessKeyApiController.kt

@@ -10,7 +10,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(AccessKeyComponent::class)
 class AccessKeyApiController(
     private val accessKeyComponent: AccessKeyComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/leaderboard/LeaderBoardApiController.kt

@@ -9,14 +9,12 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
 import org.springframework.security.core.Authentication
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(LeaderBoardComponent::class)
 class LeaderBoardApiController(
     private val leaderBoardService: LeaderBoardService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/location/LocationApiController.kt

@@ -21,7 +21,6 @@ class LocationApiController(
         return locationService.pushLocation(payload)
     }
 
-    @CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
     @GetMapping("/track-my-group")
     fun trackMyGroup(auth: Authentication?): List<MapMarker> {
         val user = auth?.getUserOrNull() ?: return listOf()

backend/src/main/kotlin/hu/bme/sch/cmsch/component/login/AuthschLoginController.kt

@@ -13,7 +13,6 @@ import org.springframework.http.ResponseEntity
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.stereotype.Controller
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.ResponseBody
@@ -88,7 +87,6 @@ class AuthschLoginController(
     }
 
     @ResponseBody
-    @CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
     @PostMapping("/api/control/refresh")
     fun refreshToken(auth: Authentication?): ResponseEntity<String> {
         if (auth == null)

backend/src/main/kotlin/hu/bme/sch/cmsch/component/news/NewsApiController.kt

@@ -16,7 +16,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(NewsComponent::class)
 class NewsApiController(
     private val newsService: NewsService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/profile/ProfileApiController.kt

@@ -14,7 +14,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(ProfileComponent::class)
 class ProfileApiController(
     private val profileService: ProfileService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/PushNotificationApiController.kt

@@ -9,15 +9,13 @@ import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
 import org.springframework.security.core.Authentication
 import org.springframework.stereotype.Controller
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestBody
 import org.springframework.web.bind.annotation.RequestMapping
 
 @Controller
 @ConditionalOnBean(PushNotificationComponent::class)
 @RequestMapping("/api/pushnotification/")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 class PushNotificationApiController(
     private val notificationService: PushNotificationService,
     private val notificationComponent: PushNotificationComponent

backend/src/main/kotlin/hu/bme/sch/cmsch/component/qrfight/QrFightApiController.kt

@@ -12,7 +12,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(QrFightComponent::class)
 class QrFightApiController(
     private val qrFightComponent: QrFightComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/race/RaceApiController.kt

@@ -14,7 +14,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(RaceComponent::class)
 class RaceApiController(
     private val raceService: RaceService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/riddle/RiddleApiController.kt

@@ -14,7 +14,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(RiddleComponent::class)
 class RiddleApiController(
     private val riddleService: ConcurrentRiddleService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/staticpage/StaticPageApiController.kt

@@ -15,7 +15,6 @@ import org.springframework.web.bind.annotation.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(StaticPageComponent::class)
 class StaticPageApiController(
     private val staticPageService: StaticPageService,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/task/TaskApiController.kt

@@ -17,7 +17,6 @@ import java.util.*
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(TaskComponent::class)
 class TaskApiController(
     private val leaderBoardService: Optional<LeaderBoardService>,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/team/TeamApiController.kt

@@ -12,7 +12,6 @@ import org.springframework.web.multipart.MultipartFile
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(TeamComponent::class)
 class TeamApiController(
     private val teamComponent: TeamComponent,

backend/src/main/kotlin/hu/bme/sch/cmsch/component/token/TokenApiController.kt

@@ -21,7 +21,6 @@ const val SESSION_TOKEN_COLLECTOR_ATTRIBUTE = "TOKEN_COLLECTOR_ATTRIBUTE"
 
 @Controller
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 @ConditionalOnBean(TokenComponent::class)
 class TokenApiController(
     private val tokens: TokenCollectorService,

backend/src/main/kotlin/hu/bme/sch/cmsch/config/WebMvcConfig.kt

@@ -11,19 +11,23 @@ import java.time.Duration
 @Configuration
 class WebMvcConfig(
     private val startupPropertyConfig: StartupPropertyConfig,
-    @Value("\${cmsch.frontend.production-url:*}") private val productionUrl: String
+    @Value("\${cmsch.frontend.production-url:*}") private val productionUrl: String,
+    @Value("\${cmsch.backend.allowed-origin-patterns:*}") private val allowedOrigins: List<String>
 ) : WebMvcConfigurer {
 
     override fun addResourceHandlers(registry: ResourceHandlerRegistry) {
         val handler = registry.addResourceHandler("/cdn/**")
-                .addResourceLocations("file:${startupPropertyConfig.external}")
+            .addResourceLocations("file:${startupPropertyConfig.external}")
         if (startupPropertyConfig.cdnCacheMaxAge > 0) {
             handler.setCacheControl(CacheControl.maxAge(Duration.ofSeconds(startupPropertyConfig.cdnCacheMaxAge)))
         }
     }
 
     override fun addCorsMappings(registry: CorsRegistry) {
-        registry.addMapping("/cdn/**")
-            .allowedOrigins(productionUrl)
+        arrayOf("/api/**", "/manifest/**", "/cdn/**").forEach {
+            registry.addMapping(it)
+                .allowedOrigins(productionUrl)
+                .allowedOriginPatterns(*allowedOrigins.toTypedArray())
+        }
     }
 }

backend/src/main/kotlin/hu/bme/sch/cmsch/controller/MainApiController.kt

@@ -10,7 +10,6 @@ val UNKNOWN_USER = UserEntity(0, fullName = "Feature Not Available")
 
 @RestController
 @RequestMapping("/api")
-@CrossOrigin(origins = ["\${cmsch.frontend.production-url}"], allowedHeaders = ["*"])
 class MainApiController(
     private val clock: TimeService
 ) {

backend/src/main/resources/config/application-docker.properties

@@ -20,6 +20,7 @@ hu.bme.sch.cmsch.startup.mailgun-token=${MAILGUN_TOKEN}
 hu.bme.sch.cmsch.startup.sysadmins=${SYSADMINS:6af3c8b0-592c-6864-8dd9-5f354edfc0be}
 hu.bme.sch.cmsch.login.googleAdminAddresses=${GOOGLE_ADMIN_ADDRESSES:}
 cmsch.frontend.production-url=${FRONTEND_URL}
+cmsch.backend.allowed-origin-patterns=${ALLOWED_ORIGIN_PATTERNS:}
 hu.bme.sch.cmsch.app.siteUrl=${FRONTEND_URL}/
 hu.bme.sch.cmsch.app.adminSiteUrl=${BACKEND_URL:http://127.0.0.1:8080/}
 spring.security.oauth2.client.registration.google.redirect-uri=${BACKEND_URL:http://127.0.0.1:8080/}login/oauth2/code/google

backend/src/main/resources/config/application.properties

@@ -26,7 +26,7 @@ server.error.path=/error
 
 # Env vars - used mainly on frontend
 cmsch.frontend.production-url=http://127.0.0.1:3000
-cmsch.backend.production-url=https://gkorte.sch.bme.hu
+cmsch.backend.allowed-origin-patterns=http://127.0.0.1:3000,http://localhost:3000
 cmsch.frontend.kirdev-url=https://kir-dev.sch.bme.hu
 cmsch.frontend.bugreport-url=https://kir-dev.sch.bme.hu/about#contact
 

frontend/.env.example

@@ -1,4 +1,4 @@
-VITE_API_BASE_URL=http://127.0.0.1:8080
+VITE_API_BASE_URL=http://localhost:8080
 VITE_BUGREPORT_URL='https://kir-dev.hu/about/contact'
 VITE_NAME="CMSch Web"
 VITE_DESCRIPTION="CMSch Web"

frontend/vite.config.ts

@@ -6,7 +6,7 @@ export default defineConfig({
   plugins: [react()],
   server: {
     host: '0.0.0.0',
-    open: 'http://127.0.0.1:3000',
+    open: true,
     port: 3000
   },
   preview: {