From 3eed3d251f51d0735b244a320597ac498288d396 Mon Sep 17 00:00:00 2001
From: Vincent Guillet
Date: Fri, 5 Dec 2025 15:14:16 +0100
Subject: [PATCH] Refactor CORS configuration to use allowed origins and enhance header handling

---
 .../api/config/SecurityConfig.java | 27 ++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/api/src/main/java/fr/gameovergne/api/config/SecurityConfig.java b/api/src/main/java/fr/gameovergne/api/config/SecurityConfig.java
index ba09b27..9a577de 100644
--- a/api/src/main/java/fr/gameovergne/api/config/SecurityConfig.java
+++ b/api/src/main/java/fr/gameovergne/api/config/SecurityConfig.java
@@ -61,17 +61,26 @@ public class SecurityConfig {
     @Bean
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration config = new CorsConfiguration();
-        config.setAllowedOriginPatterns(Arrays.asList(
-            "http://localhost:4200",
-            "http://127.0.0.1:4200",
-            "https://dev.vincent-guillet.fr",
-            "https://projets.vincent-guillet.fr"
-        ));
-        config.setAllowedMethods(Arrays.asList("GET","POST","PUT","DELETE","OPTIONS"));
-        config.setAllowedHeaders(Arrays.asList("Authorization","Content-Type","Accept"));
-        config.setExposedHeaders(Arrays.asList("Authorization"));
+
+        // IMPORTANT : origins explicites, sans path
+        config.setAllowedOrigins(Arrays.asList(
+            "http://localhost:4200",
+            "http://127.0.0.1:4200",
+            "https://dev.vincent-guillet.fr",
+            "https://projets.vincent-guillet.fr"
+        ));
+        config.setAllowCredentials(true);
+        // Autoriser tous les headers côté requête (plus robuste)
+        config.setAllowedHeaders(Arrays.asList("*"));
+
+        // Autoriser les méthodes classiques
+        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+
+        // Headers que le client *voit* dans la réponse
+        config.setExposedHeaders(Arrays.asList("Authorization", "Content-Type"));
+
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", config);
         return source;