BUGFIX: Refactor CORS configuration to use externalized properties

Replaced hardcoded CORS configurations with a properties-based approach using `CorsProperties`. This centralizes management of allowed origins in application configuration files and improves flexibility for different environments. Updated both development and production YAML files to reflect the new structure.
MichiBaum · Feb 2, 2025 · 9dd2219 · 9dd2219
1 parent 07ffda0
commit 9dd2219
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 23 deletions.
diff --git a/gateway-service/src/main/kotlin/com/michibaum/gatewayservice/config/CorsConfiguration.kt b/gateway-service/src/main/kotlin/com/michibaum/gatewayservice/config/CorsConfiguration.kt
@@ -1,21 +1,30 @@
 package com.michibaum.gatewayservice.config
 
+import org.springframework.boot.context.properties.ConfigurationProperties
+import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Profile
 import org.springframework.web.servlet.config.annotation.EnableWebMvc
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 
 @Configuration
 @EnableWebMvc
-@Profile("dev")
-class CorsConfiguration: WebMvcConfigurer {
+@EnableConfigurationProperties(value = [CorsProperties::class])
+class CorsConfiguration(
+    private val corsProperties: CorsProperties
+): WebMvcConfigurer {
 
     override fun addCorsMappings(registry: org.springframework.web.servlet.config.annotation.CorsRegistry) {
         registry.addMapping("/**")
             .allowedMethods("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS")
-            .allowedOrigins("http://michibaum.ch:4200", "http://michibaum.com:4200", "http://michibaum.eu:4200")
+            .allowedOriginPatterns(*corsProperties.allowedOriginPatterns.toTypedArray())
             .allowedHeaders("*")
             .allowCredentials(true)
     }
 
-}
+}
+
+@ConfigurationProperties(prefix = "cors")
+data class CorsProperties(
+    val allowedOriginPatterns: List<String>
+)
diff --git a/gateway-service/src/main/resources/application-dev.yml b/gateway-service/src/main/resources/application-dev.yml
@@ -11,4 +11,10 @@ spring:
     admin:
       client:
         username: admin_username
-        password: admin_password
+        password: admin_password
+
+cors:
+  allowed-origin-patterns:
+    - http://michibaum.ch:4200
+    - http://michibaum.com:4200
+    - http://michibaum.eu:4200
diff --git a/gateway-service/src/main/resources/application-prod.yml b/gateway-service/src/main/resources/application-prod.yml
@@ -26,23 +26,6 @@ spring:
         username: ${ADMIN_SERVICE_USERNAME}
         password: ${ADMIN_SERVICE_PASSWORD}
   cloud:
-    gateway:
-      globalcors:
-        add-to-simple-url-handler-mapping: true
-        cors-configurations:
-          '[/**]':
-            allowed-origin-patterns:
-              - https://michibaum.ch
-              - https://michibaum.com
-              - https://michibaum.eu
-            allowed-headers:
-              - "*"
-            allowed-methods:
-              - GET
-              - POST
-              - DELETE
-              - PUT
-              - OPTIONS
     discovery:
       client:
         simple:
@@ -64,4 +47,10 @@ eureka:
   instance:
     non-secure-port-enabled: false
     secure-port-enabled: true
-    secure-port: 443
+    secure-port: 443
+
+cors:
+  allowed-origin-patterns:
+    - https://michibaum.ch
+    - https://michibaum.com
+    - https://michibaum.eu