From 00ebb0da0fb16f187c1e562c2a6a7202d5c8e7c4 Mon Sep 17 00:00:00 2001
From: "H@di" <hadi@hadisafari.ir>
Date: Mon, 6 Jan 2025 15:18:18 +0330
Subject: [PATCH] BE: Chore: CORS config on error handling (#555)

Co-authored-by: Roman Zabaluev <gpg@haarolean.dev>
---
 .../kafbat/ui/config/CorsGlobalConfiguration.java   | 12 ++++++++----
 .../io/kafbat/ui/config/ReadOnlyModeFilter.java     |  3 ++-
 .../exception/GlobalErrorWebExceptionHandler.java   | 13 +++++++++++++
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java b/api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java
index 4713dfd37..d39fda91d 100644
--- a/api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java
+++ b/api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java
@@ -22,10 +22,7 @@ public WebFilter corsFilter() {
 
       final ServerHttpResponse response = ctx.getResponse();
       final HttpHeaders headers = response.getHeaders();
-      headers.add("Access-Control-Allow-Origin", "*");
-      headers.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
-      headers.add("Access-Control-Max-Age", "3600");
-      headers.add("Access-Control-Allow-Headers", "Content-Type");
+      fillCorsHeader(headers, request);
 
       if (request.getMethod() == HttpMethod.OPTIONS) {
         response.setStatusCode(HttpStatus.OK);
@@ -36,4 +33,11 @@ public WebFilter corsFilter() {
     };
   }
 
+  public static void fillCorsHeader(HttpHeaders responseHeaders, ServerHttpRequest request) {
+    responseHeaders.add("Access-Control-Allow-Origin", request.getHeaders().getOrigin());
+    responseHeaders.add("Access-Control-Allow-Credentials", "true");
+    responseHeaders.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
+    responseHeaders.add("Access-Control-Max-Age", "3600");
+    responseHeaders.add("Access-Control-Allow-Headers", "Content-Type");
+  }
 }
diff --git a/api/src/main/java/io/kafbat/ui/config/ReadOnlyModeFilter.java b/api/src/main/java/io/kafbat/ui/config/ReadOnlyModeFilter.java
index ac7c6747f..acfe1929c 100644
--- a/api/src/main/java/io/kafbat/ui/config/ReadOnlyModeFilter.java
+++ b/api/src/main/java/io/kafbat/ui/config/ReadOnlyModeFilter.java
@@ -33,7 +33,8 @@ public class ReadOnlyModeFilter implements WebFilter {
   @NotNull
   @Override
   public Mono<Void> filter(ServerWebExchange exchange, @NotNull WebFilterChain chain) {
-    var isSafeMethod = exchange.getRequest().getMethod() == HttpMethod.GET;
+    var isSafeMethod =
+        exchange.getRequest().getMethod() == HttpMethod.GET || exchange.getRequest().getMethod() == HttpMethod.OPTIONS;
     if (isSafeMethod) {
       return chain.filter(exchange);
     }
diff --git a/api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java b/api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java
index b4c978ac2..61236f801 100644
--- a/api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java
+++ b/api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java
@@ -2,12 +2,14 @@
 
 import com.google.common.base.Throwables;
 import com.google.common.collect.Sets;
+import io.kafbat.ui.config.CorsGlobalConfiguration;
 import io.kafbat.ui.model.ErrorResponseDTO;
 import java.math.BigDecimal;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import org.springframework.boot.autoconfigure.web.WebProperties;
@@ -16,6 +18,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.ServerCodecConfigurer;
@@ -78,6 +81,7 @@ private Mono<ServerResponse> renderDefault(Throwable throwable, ServerRequest re
     return ServerResponse
         .status(ErrorCode.UNEXPECTED.httpStatus())
         .contentType(MediaType.APPLICATION_JSON)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -92,6 +96,7 @@ private Mono<ServerResponse> render(CustomBaseException baseException, ServerReq
     return ServerResponse
         .status(errorCode.httpStatus())
         .contentType(MediaType.APPLICATION_JSON)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -122,6 +127,7 @@ private Mono<ServerResponse> render(WebExchangeBindException exception, ServerRe
     return ServerResponse
         .status(HttpStatus.BAD_REQUEST)
         .contentType(MediaType.APPLICATION_JSON)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -136,6 +142,7 @@ private Mono<ServerResponse> render(ResponseStatusException exception, ServerReq
     return ServerResponse
         .status(exception.getStatusCode())
         .contentType(MediaType.APPLICATION_JSON)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -143,6 +150,12 @@ private String requestId(ServerRequest request) {
     return request.exchange().getRequest().getId();
   }
 
+  private Consumer<HttpHeaders> headers(ServerRequest request) {
+    return (HttpHeaders headers) -> {
+      CorsGlobalConfiguration.fillCorsHeader(headers, request.exchange().getRequest());
+    };
+  }
+
   private BigDecimal currentTimestamp() {
     return BigDecimal.valueOf(System.currentTimeMillis());
   }