Merge pull request #778 from SE-TINF22B6/cors-fix

Fix CORS issues

src/main/java/de/tinf22b6/dhbwhub/config/WebConfig.java

@@ -13,7 +13,7 @@ public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/**")
                 .allowedOrigins("http://localhost:3000", "https://www.dhbwhub.de")
                 .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
-                //.allowedHeaders("Content-Type", "Authorization", "Access-Control-Allow-Origin", "Accept")
+                .allowedHeaders("Content-Type", "Authorization", "Accept")
                 .allowCredentials(true);
     }
 }

src/main/java/de/tinf22b6/dhbwhub/controller/AccountController.java

@@ -10,7 +10,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/account")
 public class AccountController {
     private final AccountService service;

src/main/java/de/tinf22b6/dhbwhub/controller/AdministratorController.java

@@ -10,7 +10,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/administrator")
 public class AdministratorController {
     private final AdministratorService service;

src/main/java/de/tinf22b6/dhbwhub/controller/AuthController.java

@@ -31,7 +31,6 @@
 import java.util.stream.Collectors;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping("/api/auth")
 @RequiredArgsConstructor
 public class AuthController {

src/main/java/de/tinf22b6/dhbwhub/controller/CommentController.java

@@ -14,7 +14,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/comment")
 public class CommentController {
     private final CommentService service;

src/main/java/de/tinf22b6/dhbwhub/controller/CourseController.java

@@ -10,7 +10,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/course")
 public class CourseController {
     private final CourseService service;

src/main/java/de/tinf22b6/dhbwhub/controller/EventController.java

@@ -9,7 +9,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/event")
 public class EventController {
     private final EventService service;

src/main/java/de/tinf22b6/dhbwhub/controller/FacultyController.java

@@ -10,7 +10,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/faculty")
 public class FacultyController {
     private final FacultyService service;

src/main/java/de/tinf22b6/dhbwhub/controller/FriendshipController.java

@@ -10,7 +10,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/friendship")
 public class FriendshipController {
     private final FriendshipService service;

src/main/java/de/tinf22b6/dhbwhub/controller/NotificationController.java

@@ -9,7 +9,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/notification")
 public class NotificationController {
     private final NotificationService service;

src/main/java/de/tinf22b6/dhbwhub/controller/PictureController.java

@@ -10,7 +10,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/picture")
 public class PictureController {
     private final PictureService service;

src/main/java/de/tinf22b6/dhbwhub/controller/PostController.java

@@ -11,7 +11,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/post")
 public class PostController {
     private final PostService service;

src/main/java/de/tinf22b6/dhbwhub/controller/SavedPostController.java

@@ -11,7 +11,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/saved-post")
 public class SavedPostController {
     private final SavedPostService service;

src/main/java/de/tinf22b6/dhbwhub/controller/UserController.java

@@ -11,7 +11,6 @@
 import java.util.List;
 
 @RestController
-@CrossOrigin(origins = {"https://www.dhbwhub.de", "http://localhost:3000"})
 @RequestMapping(value = "/user")
 public class UserController {
     private final UserService service;

src/main/java/de/tinf22b6/dhbwhub/security/WebSecurityConfig.java

@@ -7,6 +7,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -71,15 +72,15 @@ public PasswordEncoder passwordEncoder() {
 
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-        http.csrf(AbstractHttpConfigurer::disable) // TODO: CodeQL doesn't like that
+        http.csrf(AbstractHttpConfigurer::disable)
+            // CSRF protection is disabled as this is a stateless API. The application uses token-based authentication, making CSRF less relevant.
             .authorizeHttpRequests(authorizeRequests ->
                 authorizeRequests.requestMatchers(PUBLIC_ENDPOINTS).permitAll()
                     .anyRequest().authenticated()
             ).exceptionHandling(exceptionHandling -> exceptionHandling.authenticationEntryPoint(unauthorizedHandler))
-            .addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
+            .addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class)
+            .cors(Customizer.withDefaults());
 
         return http.build();
     }
-
 }
-

src/main/web/src/config/config.ts

@@ -3,10 +3,9 @@ const config = {
   apiUrl: 'https://56e66ce8-2ac2-4635-982a-f19f20896303.ka.bw-cloud-instance.org:8443/',
   googleClientId: '973066251162-r60h517iddja3k756d2f6n8sng5nn24q.apps.googleusercontent.com',
   tooltipMessage: "Please sign up or log in to use this feature",
-  adsOn: true,
+  adsOn: false,
   headers: {
     'Content-Type': 'application/json',
-    'Access-Control-Allow-Origin': '*',
     'Accept': 'application/json'
   }
 };

src/main/web/src/services/LikeService.tsx

@@ -24,7 +24,7 @@ const handleLike = async (
       localStorage.setItem(`liked_${postId}`, 'true');
 
       await fetch(config.apiUrl + `post/increase-likes`, {
-        method: 'POST',
+        method: 'PUT',
         headers: headersWithJwt,
         body: JSON.stringify({
           userId: userId,
@@ -38,7 +38,7 @@ const handleLike = async (
       localStorage.removeItem(`liked_${postId}`);
 
       await fetch(config.apiUrl + `post/decrease-likes`, {
-        method: 'POST',
+        method: 'PUT',
         headers: headersWithJwt,
         body: JSON.stringify({
           userId: userId,