fix: update CORS policy and add CorsOrigins to configuration #5

2025-08-01 11:02:57 +02:00
parent f8c555bc84
commit 4d26344665
3 changed files with 15 additions and 6 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -33,6 +33,7 @@ docker-build:
  script:
    - 'sed -i "s|\"apiEndpoint\": \"[^\"]*\"|\"apiEndpoint\": \"https\:\/\/""$PUBLIC_WEB_URL""\"|" Web/public/config.json'
    - 'sed -i "s|\"AllowedHosts\": \"[^\"]*\"|\"AllowedHosts\": \"$PUBLIC_WEB_URL\"|" Api/appsettings.json'
+    - 'sed -i "s|\"CorsOrigins\": \"[^\"]*\"|\"CorsOrigins\": \"https\:\/\/""$PUBLIC_WEB_URL""\"|" Api/appsettings.json'
    - docker build -t $CI_REGISTRY_IMAGE:latest -t $CI_REGISTRY_IMAGE:${CI_PIPELINE_IID} -f Dockerfile .
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
    - docker push $CI_REGISTRY_IMAGE:latest
--- a/Api/Program.cs
+++ b/Api/Program.cs
@@ -24,7 +24,6 @@ namespace Api
            })
            .AddJwtBearer(options =>
            {
-       
                options.Authority = builder.Configuration["Authentication:PocketId:Authority"];
                options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
                {
@@ -35,9 +34,14 @@ namespace Api

            builder.Services.AddCors(options =>
            {
-                options.AddPolicy("AllowAll", policy =>
+                options.AddPolicy("Default", policy =>
                {
-                    policy.AllowAnyOrigin()
+                    var allowedHostsConfiguration = builder.Configuration["CorsOrigins"]?
+                        .ToString()
+                        .Split(',');
+
+                    policy
+                        .WithOrigins(allowedHostsConfiguration ?? new[] { "*" })
                        .AllowAnyHeader()
                        .AllowAnyMethod();
                });
@@ -52,6 +56,7 @@ namespace Api
                : builder.Configuration.GetConnectionString("DefaultConnection");
            builder.Services.AddDbContext<AppDbContext>(options =>
                options.UseSqlServer(connectionString));
+
            // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
            builder.Services.AddEndpointsApiExplorer();
            builder.Services.AddSwaggerGen();
@@ -67,6 +72,7 @@ namespace Api
                app.UseHttpsRedirection();
            }

+            // Angular rewrite for SPA hosting
            var routes = new[] { "api", "swagger" };
            var rewriteString = String.Join("|", routes);
            var rewriteOptions = new RewriteOptions()
@@ -77,7 +83,7 @@ namespace Api
            if (app.Environment.IsDevelopment())
            {
                var currentDirectory = Directory.GetCurrentDirectory();
-                var staticFilePath = Path.Combine(currentDirectory,"../Web/dist/Web/browser");
+                var staticFilePath = Path.Combine(currentDirectory, "../Web/dist/Web/browser");
                app.UseDefaultFiles(new DefaultFilesOptions
                {
                    FileProvider = new Microsoft.Extensions.FileProviders.PhysicalFileProvider(staticFilePath),
@@ -95,7 +101,7 @@ namespace Api
                app.UseStaticFiles();
            }

-            app.UseCors("AllowAll");
+            app.UseCors("Default");
            app.UseAuthentication();
            app.UseAuthorization();

--- a/Api/appsettings.json
+++ b/Api/appsettings.json
@@ -14,5 +14,7 @@
      "Microsoft.AspNetCore": "Warning"
    }
  },
-  "AllowedHosts": "*"
+  "AllowedHosts": "localhost",
+  "CorsOrigins": "https://localhost:5001,http://localhost:4200,http://localhost:5000"
+    
 }