use Spring-Props for CORS-config, move CORS-config to BaseWebSecurityConfig and add tests (#212)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/212 Reviewed-by: Marc Sandlus <hsh-marcsandlus@noreply.dev.hostsharing.net>
2026-03-21 13:55:43 +01:00
parent 3a24e1c726
commit 28eebbc95a
9 changed files with 273 additions and 35 deletions
@@ -0,0 +1,30 @@
+# PR#212: CORS-config using spring-props and adding tests
+
+## The Problems
+
+- CORS handling was configured via `System.getenv("ALLOWED_ORIGINS")` in `HsadminNgApplication`, which made configuration and testing harder.
+- Spring Security had CORS disabled, so CORS behavior was not aligned with the security filter chain.
+`/api/pong` only supported `GET`, which limited testing and client integration scenarios for CORS-enabled protected endpoints.
+
+In total, with this PR we want the CORS configuration to work properly and to be configurable for:
+- prod env
+- dev env
+- local env
+- JUnit-based tests 
+
+## The Solution
+
+- Introduced a `WebMvcConfigurer` bean that reads `hsadminng.cors.allowed-origins` and applies origin and method rules for `/api/**`.
+- Kept `/api/ping` explicitly open for `GET` from any origin to preserve its public health-check style behavior.
+- Added CORS integration tests for preflight and actual requests, including allowed and denied origins and unauthorized token scenarios.
+- Added `POST /api/pong` to the OpenAPI definition and implemented `pongPost()` in `PingController` using the same response logic as `pong()`.
+- Added REST and acceptance tests for `POST /api/pong` to verify translated responses and authenticated behavior.
+
+## Additional Changes
+
+- Moved CORS configuration into `BaseWebSecurityConfig`, thus it's closer to related configurations.
+- Included cleanup changes from rebasing and cyclic reference fixes while keeping the final behavior covered by tests.
+
+## Attachments
+
+None.