fix(cors): allow origins from environment variable

.env.example

@@ -1,6 +1,7 @@
 SPRING_PROFILES_ACTIVE=dev
 
 APP_ENCRYPTION_SECRET=123456789
+APP_ALLOWED_ORIGINS=http://localhost:8080
 
 DB_NAME=EXAMPLE_DB
 DB_USER=EXAMPLE

bootstrap/src/main/resources/application.yml

@@ -5,6 +5,8 @@ info:
 app:
   encryption:
     secret:  ${APP_ENCRYPTION_SECRET}
+  cors:
+    allowed-origins: ${APP_ALLOWED_ORIGINS:http://localhost:8080}
 
 server:
   port: 8080

docker-compose.yml

@@ -14,6 +14,7 @@ services:
       DB_USER: ${DB_USER}
       DB_PASSWORD: ${DB_PASSWORD}
       APP_ENCRYPTION_SECRET: ${APP_ENCRYPTION_SECRET}
+      APP_ALLOWED_ORIGINS: ${APP_ALLOWED_ORIGINS}
       GMAIL_OAUTH_CLIENT_ID: ${GMAIL_OAUTH_CLIENT_ID}
       GMAIL_OAUTH_CLIENT_SECRET: ${GMAIL_OAUTH_CLIENT_SECRET}
     networks:

infrastructure/pom.xml

@@ -49,6 +49,11 @@
             <artifactId>spring-boot-starter-validation</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        
         <dependency>
             <groupId>org.reflections</groupId>
             <artifactId>reflections</artifactId>

infrastructure/src/main/java/com/pablotj/restemailbridge/infrastructure/config/CorsConfig.java

@@ -0,0 +1,35 @@
+package com.pablotj.restemailbridge.infrastructure.config;
+
+import java.util.Arrays;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
+
+@Configuration
+public class CorsConfig {
+
+    @Value("${app.cors.allowed-origins}")
+    private String allowedOriginsString;
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration config = new CorsConfiguration();
+
+        List<String> allowedOrigins = Arrays.asList(allowedOriginsString.split(","));
+        config.setAllowedOriginPatterns(allowedOrigins);
+
+        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+        config.setAllowedHeaders(List.of("*"));
+        config.setAllowCredentials(true);
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", config);
+
+        return source;
+    }
+}

infrastructure/src/main/java/com/pablotj/restemailbridge/infrastructure/config/SecurityConfig.java

@@ -0,0 +1,31 @@
+package com.pablotj.restemailbridge.infrastructure.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfigurationSource;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    private final CorsConfigurationSource corsConfigurationSource;
+
+    public SecurityConfig(CorsConfigurationSource corsConfigurationSource) {
+        this.corsConfigurationSource = corsConfigurationSource;
+    }
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+                .cors(cors -> cors.configurationSource(corsConfigurationSource))
+                .authorizeHttpRequests(auth -> auth
+                        .anyRequest().permitAll()
+                );
+        return http.build();
+    }
+}