Merge pull request #27 from YAPP-Github/feat/PRODUCT-106

[Feat] CORS 설정

Author: leegwichan

src/main/java/timeeat/config/CorsConfig.java

@@ -0,0 +1,45 @@
+package timeeat.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class CorsConfig implements WebMvcConfigurer {
+
+    private final String[] corsOrigin;
+
+    public CorsConfig(@Value("${cors.origin}") String[] corsOrigin) {
+        validate(corsOrigin);
+        this.corsOrigin = corsOrigin;
+    }
+
+    private void validate(String[] corsOrigin) {
+        if (corsOrigin == null || corsOrigin.length == 0) {
+            // TODO Initialize error 논의
+            throw new RuntimeException("Initialization Error: CORS origin cannot be empty.");
+        }
+        for (String origin : corsOrigin) {
+            if (origin == null || origin.isBlank()) {
+                throw new RuntimeException("Initialization Error: CORS origin string cannot be blank.");
+            }
+        }
+    }
+
+    @Override
+    public void addCorsMappings(CorsRegistry registry) {
+        registry.addMapping("/**")
+                .allowedOriginPatterns(corsOrigin)
+                .allowedMethods(
+                        HttpMethod.GET.name(),
+                        HttpMethod.POST.name(),
+                        HttpMethod.PUT.name(),
+                        HttpMethod.PATCH.name(),
+                        HttpMethod.DELETE.name()
+                )
+                .allowCredentials(true)
+                .allowedHeaders("*");
+    }
+}

src/test/java/timeeat/controller/CorsTest.java

@@ -0,0 +1,43 @@
+package timeeat.controller;
+
+import static org.hamcrest.Matchers.containsString;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.springframework.beans.factory.annotation.Value;
+
+public class CorsTest extends BaseControllerTest {
+
+    @Value("${cors.origin}")
+    private String corsOrigin;
+
+    @Nested
+    class PreflightTest {
+
+        @ParameterizedTest
+        @ValueSource(strings = {"GET", "POST", "PUT", "PATCH", "DELETE"})
+        void CORS_preflight에서_허용된_origin의_요청을_정상적으로_처리할_수_있다(String method) {
+            given()
+                    .header("Origin", corsOrigin)
+                    .header("Access-Control-Request-Method", method)
+                    .when().options("/")
+                    .then().statusCode(200)
+                    .headers("Access-Control-Allow-Origin", corsOrigin)
+                    .header("Access-Control-Allow-Methods", containsString(method));
+        }
+
+        @Test
+        void CORS_preflight에서_허용되지_않은_origin의_요청을_막을_수_있다() {
+            String notAllowedOrigin = "https://not-allowed-origin.com";
+            String allowedMethod = "GET";
+
+            given()
+                    .header("Origin", notAllowedOrigin)
+                    .header("Access-Control-Request-Method", allowedMethod)
+                    .when().options("/")
+                    .then().statusCode(403);
+        }
+    }
+}

src/test/resources/application.yml

@@ -23,3 +23,6 @@ spring:
     defer-datasource-initialization: true
   flyway:
     enabled: false
+
+cors:
+  origin: "https://example.eat-da.com"