- Make the value of the Access-Control-Allow-Origin response header c…

…onfigurable.

- Allow only necessary headers.

src/main/kotlin/org/motivepick/config/SecurityConfig.kt

@@ -53,9 +53,9 @@ internal class SecurityConfig {
             it.configurationSource {
                 val configuration = CorsConfiguration()
                 configuration.allowCredentials = true
-                configuration.allowedOriginPatterns = listOf("*")
+                configuration.allowedOriginPatterns = listOf(config.corsAllowedOriginPattern)
                 configuration.allowedMethods = listOf("GET", "POST", "PUT", "DELETE")
-                configuration.allowedHeaders = listOf("*")
+                configuration.allowedHeaders = listOf("Content-Type")
                 configuration
             }
         }

src/main/kotlin/org/motivepick/config/ServerConfig.kt

@@ -19,5 +19,8 @@ class ServerConfig(
         val logoutSuccessUrl: String,
 
         @Value("\${cookie.domain}")
-        val cookieDomain: String
+        val cookieDomain: String,
+
+        @Value("\${cors.allowedOriginPattern}")
+        val corsAllowedOriginPattern: String
 )

src/main/resources/application-prod.yml

@@ -20,3 +20,5 @@ cookie.domain: milestone.yaskovdev.com
 jwt.token:
   issuer: https://api.milestone.yaskovdev.com
   signing.key: ${JWT_TOKEN_SIGNING_KEY}
+
+cors.allowedOriginPattern: 'https://milestone.yaskovdev.com'

src/main/resources/application.yml

@@ -31,3 +31,6 @@ authentication.success.url.mobile: 'motive://'
 
 springdoc.packagesToScan: 'org.motivepick'
 springdoc.pathsToMatch: '/**'
+
+# This is normally the origin of the Web app or * (if not Prod)
+cors.allowedOriginPattern: '*'