#32 : Fixed more Sonar issues

gazbert · Apr 2, 2020 · 90e1710 · 90e1710
1 parent cc29fea
commit 90e1710
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/bxbot-rest-api/src/main/java/com/gazbert/bxbot/rest/api/security/config/RestCorsConfig.java b/bxbot-rest-api/src/main/java/com/gazbert/bxbot/rest/api/security/config/RestCorsConfig.java
@@ -23,6 +23,10 @@
 
 package com.gazbert.bxbot.rest.api.security.config;
 
+import javax.validation.constraints.NotNull;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
@@ -40,6 +44,12 @@
 @Configuration
 public class RestCorsConfig {
 
+  private static final Logger LOG = LogManager.getLogger();
+
+  @NotNull
+  @Value("${restapi.cors.allowed_origin}")
+  private String allowedOrigin;
+
   /**
    * Creates the CORS filter.
    *
@@ -48,14 +58,12 @@ public class RestCorsConfig {
   @Bean
   public CorsFilter corsFilter() {
 
+    LOG.info(() -> String.format("CORS Allowed Origins: %s", allowedOrigin));
+
     final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
     final CorsConfiguration config = new CorsConfiguration();
     config.setAllowCredentials(true);
-
-    // TODO: Lock down to specific host in Production
-    config.addAllowedOrigin("*");
-    // config.addAllowedOrigin("http://localhost:3000");
-
+    config.addAllowedOrigin(allowedOrigin);
     config.addAllowedHeader("*");
     config.addAllowedMethod("OPTIONS");
     config.addAllowedMethod("GET");

diff --git a/bxbot-rest-api/src/test/resources/application.properties b/bxbot-rest-api/src/test/resources/application.properties
@@ -11,6 +11,9 @@ bxbot.restapi.jwt.allowed_clock_skew=60
 bxbot.restapi.jwt.issuer=bxbot
 bxbot.restapi.jwt.audience=bxbot-ui
 
+# CORS allowed origins. For dev environment, we allow any origin.
+restapi.cors.allowed_origin=*
+
 # Max number of lines from the logfile to be returned by the REST API /runtime/logfile endpoint.
 # If the number of lines in the logfile exceeds this limit, the file content will truncated.
 bxbot.restapi.maxLogfileLines=2

diff --git a/config/application.properties b/config/application.properties
@@ -34,6 +34,11 @@ bxbot.restapi.jwt.allowed_clock_skew=60
 bxbot.restapi.jwt.issuer=bxbot
 bxbot.restapi.jwt.audience=bxbot-ui
 
+# CORS allowed origins. This MUST be locked down to specific host in Production, e.g.
+# https://some-host:3000
+# For dev environment, we allow any origin.
+restapi.cors.allowed_origin=*
+
 # Database config for storing User details
 #spring.h2.console.enabled=true
 #spring.datasource.url=jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE