Closes #535, allowing to configure cors through spring properties

Author: aditya-baldwa

api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java

@@ -1,5 +1,6 @@
 package io.kafbat.ui.config;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpHeaders;
@@ -15,14 +16,17 @@
 @Configuration
 public class CorsGlobalConfiguration {
 
+  @Autowired
+  private static CorsProperties corsProperties;
+
   @Bean
   public WebFilter corsFilter() {
     return (final ServerWebExchange ctx, final WebFilterChain chain) -> {
       final ServerHttpRequest request = ctx.getRequest();
 
       final ServerHttpResponse response = ctx.getResponse();
       final HttpHeaders headers = response.getHeaders();
-      fillCorsHeader(headers, request);
+      fillCorsHeader(headers);
 
       if (request.getMethod() == HttpMethod.OPTIONS) {
         response.setStatusCode(HttpStatus.OK);
@@ -33,11 +37,11 @@ public WebFilter corsFilter() {
     };
   }
 
-  public static void fillCorsHeader(HttpHeaders responseHeaders, ServerHttpRequest request) {
-    responseHeaders.add("Access-Control-Allow-Origin", request.getHeaders().getOrigin());
-    responseHeaders.add("Access-Control-Allow-Credentials", "true");
-    responseHeaders.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
-    responseHeaders.add("Access-Control-Max-Age", "3600");
-    responseHeaders.add("Access-Control-Allow-Headers", "Content-Type");
+  public static void fillCorsHeader(HttpHeaders responseHeaders) {
+    responseHeaders.add("Access-Control-Allow-Origin", corsProperties.getAllowedOrigins());
+    responseHeaders.add("Access-Control-Allow-Credentials", corsProperties.getAllowCredentials());
+    responseHeaders.add("Access-Control-Allow-Methods", corsProperties.getAllowedMethods());
+    responseHeaders.add("Access-Control-Max-Age", corsProperties.getMaxAge());
+    responseHeaders.add("Access-Control-Allow-Headers", corsProperties.getAllowedHeaders());
   }
 }

api/src/main/java/io/kafbat/ui/config/CorsProperties.java

@@ -0,0 +1,18 @@
+package io.kafbat.ui.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+import lombok.Data;
+
+@Component
+@ConfigurationProperties(prefix = "cors")
+@Data
+public class CorsProperties {
+
+  private String allowedOrigins;
+  private String allowedMethods;
+  private String allowedHeaders;
+  private String allowCredentials;
+  private String maxAge;
+
+}

api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java

@@ -151,9 +151,7 @@ private String requestId(ServerRequest request) {
   }
 
   private Consumer<HttpHeaders> headers(ServerRequest request) {
-    return (HttpHeaders headers) -> {
-      CorsGlobalConfiguration.fillCorsHeader(headers, request.exchange().getRequest());
-    };
+    return CorsGlobalConfiguration::fillCorsHeader;
   }
 
   private BigDecimal currentTimestamp() {

api/src/main/resources/application.yml

@@ -19,3 +19,10 @@ logging:
     reactor.netty.http.server.AccessLog: INFO
     org.hibernate.validator: WARN
 
+cors:
+  allowed-origins: "*"
+  allowed-methods: "GET, PUT, POST, DELETE, OPTIONS"
+  allowed-headers: "Content-Type"
+  allow-credentials: "true"
+  max-age: "3600"
+

contract/src/main/resources/swagger/kafbat-ui-api.yaml

@@ -4391,3 +4391,42 @@ components:
                             type: object
                             additionalProperties:
                               type: string
+            cors:
+              type: object
+              properties:
+                allowedOrigins:
+                  type: array
+                  items:
+                    type: string
+                  description: >-
+                    List of allowed origins for CORS.
+                    If not provided, defaults to allowing all origins (`*`)
+                  default: ["*"]
+                allowedMethods:
+                  type: array
+                  items:
+                    type: string
+                  description: >-
+                    List of allowed HTTP methods for CORS
+                    If not provided, defaults to `GET, POST, PUT, DELETE, OPTIONS`.
+                  default: ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
+                allowedHeaders:
+                  type: array
+                  items:
+                    type: string
+                  description: >-
+                    List of allowed HTTP headers for CORS.
+                    If not provided, defaults to allowing all headers (`*`).
+                  default: ["*"]
+                allowCredentials:
+                  type: boolean
+                  description: >-
+                    Whether to allow credentials in CORS requests.
+                    If not provided, defaults to `true`
+                  default: true
+                maxAge:
+                  type: integer
+                  description: >-
+                    Maximum age (in seconds) for CORS preflight requests.
+                    If not provided, defaults to `3600` seconds.
+                  default: 3600