hs.hsadmin.ng/doc/PR/2026-12-16-PR#212-cors-config-using-spring-props-and-adding-tests.md

PR#212: CORS-config using spring-props and adding tests

The Problems

• CORS handling was configured via System.getenv("ALLOWED_ORIGINS") in HsadminNgApplication, which made configuration and testing harder.
• Spring Security had CORS disabled, so CORS behavior was not aligned with the security filter chain. /api/pong only supported GET, which limited testing and client integration scenarios for CORS-enabled protected endpoints.

In total, with this PR we want the CORS configuration to work properly and to be configurable for:

• prod env
• dev env
• local env
• JUnit-based tests

The Solution

• Introduced a WebMvcConfigurer bean that reads hsadminng.cors.allowed-origins and applies origin and method rules for /api/**.
• Kept /api/ping explicitly open for GET from any origin to preserve its public health-check style behavior.
• Added CORS integration tests for preflight and actual requests, including allowed and denied origins and unauthorized token scenarios.
• Added POST /api/pong to the OpenAPI definition and implemented pongPost() in PingController using the same response logic as pong().
• Added REST and acceptance tests for POST /api/pong to verify translated responses and authenticated behavior.

Additional Changes

• Moved CORS configuration into BaseWebSecurityConfig, thus it's closer to related configurations.
• Included cleanup changes from rebasing and cyclic reference fixes while keeping the final behavior covered by tests.

Attachments

None.