From 4d2634466577b0aa7dff28f949c3129ff68db8c0 Mon Sep 17 00:00:00 2001 From: Marek Lesko Date: Fri, 1 Aug 2025 11:02:57 +0200 Subject: [PATCH] fix: update CORS policy and add CorsOrigins to configuration #5 --- .gitlab-ci.yml | 1 + Api/Program.cs | 16 +++++++++++----- Api/appsettings.json | 4 +++- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1086d56..aa9f8f1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -33,6 +33,7 @@ docker-build: script: - 'sed -i "s|\"apiEndpoint\": \"[^\"]*\"|\"apiEndpoint\": \"https\:\/\/""$PUBLIC_WEB_URL""\"|" Web/public/config.json' - 'sed -i "s|\"AllowedHosts\": \"[^\"]*\"|\"AllowedHosts\": \"$PUBLIC_WEB_URL\"|" Api/appsettings.json' + - 'sed -i "s|\"CorsOrigins\": \"[^\"]*\"|\"CorsOrigins\": \"https\:\/\/""$PUBLIC_WEB_URL""\"|" Api/appsettings.json' - docker build -t $CI_REGISTRY_IMAGE:latest -t $CI_REGISTRY_IMAGE:${CI_PIPELINE_IID} -f Dockerfile . - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY - docker push $CI_REGISTRY_IMAGE:latest diff --git a/Api/Program.cs b/Api/Program.cs index 1740ed1..39dcc34 100644 --- a/Api/Program.cs +++ b/Api/Program.cs @@ -24,7 +24,6 @@ namespace Api }) .AddJwtBearer(options => { - options.Authority = builder.Configuration["Authentication:PocketId:Authority"]; options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters() { @@ -35,9 +34,14 @@ namespace Api builder.Services.AddCors(options => { - options.AddPolicy("AllowAll", policy => + options.AddPolicy("Default", policy => { - policy.AllowAnyOrigin() + var allowedHostsConfiguration = builder.Configuration["CorsOrigins"]? + .ToString() + .Split(','); + + policy + .WithOrigins(allowedHostsConfiguration ?? new[] { "*" }) .AllowAnyHeader() .AllowAnyMethod(); }); 
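Review bot: The added `sed` line in `docker-build` exits successfully even when its pattern matches nothing, so a change in key spacing or a renamed key in Api/appsettings.json would ship an image that still carries the checked-in localhost origins. A follow-up step such as `- 'grep -qF "\"CorsOrigins\": \"https://$PUBLIC_WEB_URL\"" Api/appsettings.json'` would fail the job in that case. `$PUBLIC_WEB_URL` is also spliced into the replacement unescaped, so a value containing `|`, `&` or `\` changes what sed writes; checking that it is a bare host name before the substitutions run would close that off. Both points apply equally to the two existing `sed` lines above the new one.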
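Review bot: The fallback `?? new[] { "*" }` in the new `WithOrigins(...)` call fails open: when the `CorsOrigins` key is absent the policy holds the single origin `*`, which ASP.NET Core's `CorsPolicy` reports as allow-any-origin, so a missing or misspelled key silently restores the behaviour this commit removes. Falling back to no origins keeps it closed: `.WithOrigins(corsOrigins ?? Array.Empty<string>())`. The split keeps surrounding whitespace and empty entries, so a value written as `a, b` yields an origin that never matches; `.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)` handles that, and the `.ToString()` before it is redundant on a string. The local is named `allowedHostsConfiguration` although it holds CORS origins, which are unrelated to the `AllowedHosts` setting; `corsOrigins` would avoid that confusion. The `AddCors` call closes outside this hunk.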
@@ -52,6 +56,7 @@ namespace Api : builder.Configuration.GetConnectionString("DefaultConnection"); builder.Services.AddDbContext(options => options.UseSqlServer(connectionString)); + // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(); @@ -67,6 +72,7 @@ namespace Api app.UseHttpsRedirection(); } + // Angular rewrite for SPA hosting var routes = new[] { "api", "swagger" }; var rewriteString = String.Join("|", routes); var rewriteOptions = new RewriteOptions() @@ -77,7 +83,7 @@ namespace Api if (app.Environment.IsDevelopment()) { var currentDirectory = Directory.GetCurrentDirectory(); - var staticFilePath = Path.Combine(currentDirectory,"../Web/dist/Web/browser"); + var staticFilePath = Path.Combine(currentDirectory, "../Web/dist/Web/browser"); app.UseDefaultFiles(new DefaultFilesOptions { FileProvider = new Microsoft.Extensions.FileProviders.PhysicalFileProvider(staticFilePath), @@ -95,7 +101,7 @@ namespace Api app.UseStaticFiles(); } - app.UseCors("AllowAll"); + app.UseCors("Default"); app.UseAuthentication(); app.UseAuthorization(); diff --git a/Api/appsettings.json b/Api/appsettings.json index 9925c2d..67108b3 100644 --- a/Api/appsettings.json +++ b/Api/appsettings.json @@ -14,5 +14,7 @@ "Microsoft.AspNetCore": "Warning" } }, - "AllowedHosts": "*" + "AllowedHosts": "localhost", + "CorsOrigins": "https://localhost:5001,http://localhost:4200,http://localhost:5000" + } \ No newline at end of file
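Review bot: The checked-in `CorsOrigins` default puts development origins, two of them plain `http`, in the base appsettings.json, so any build that does not go through the CI substitution accepts cross-origin calls from pages served on localhost. Moving the localhost list to a Development-only settings file (ASP.NET Core loads `appsettings.{Environment}.json` on top of the base file) and leaving the base value empty, `"CorsOrigins": ""`, would presumably leave an unsubstituted build with no usable origin, and the CI `sed` pattern `[^\"]*` still matches an empty value. The key itself should stay in the base file, because Program.cs currently falls back to `*` when it is missing.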