feat(core): migrate to allowedOriginPatterns for credentialed CORS #46

Closed
OmarAitBenaissa wants to merge 2 commits into main from feat/Update-cors-configuration-to-allowedPatterns-origins

@OmarAitBenaissa
Collaborator

PR Description

This pull request updates the application's CORS configuration to use allowed-origin-patterns and allowed-origins, aligning with more flexible and modern Spring CORS configuration practices. The change ensures that origin matching can use patterns (such as wildcards), which is more robust for various deployment scenarios.

What this PR Provides

CORS Configuration Updates:

  • Changed the CorsProperties record to use allowedOriginPatterns and allowedOrigins, and updated the null check accordingly (CorsProperties.java).
  • Updated the corsConfigurationSource bean to call setAllowedOriginPatterns instead of setAllowedOrigins (SecurityConfiguration.java).

Configuration File Adjustments:

  • Modified application.yml to use the allowed-origin-patterns property and its corresponding environment variable, replacing allowed-origins (application.yml).… prevent wildcard + credentials conflicts and allows controlled subdomain matching.

Review

The reviewer must double-check these points:

  • The reviewer has tested the feature
  • The reviewer has reviewed the implementation of the feature
  • The documentation has been updated
  • The feature implementation respects the Technical Doc / ADR previously produced
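
The behaviour this change relies on, as an added example that is not code from this pull request: Spring's `CorsConfiguration` rejects a `*` entry in `allowedOrigins` once credentials are enabled, while `allowedOriginPatterns` accepts a scoped pattern and matches only origins under it. The class name and the `example.com` / `.test` origins are assumptions made for illustration; it needs `spring-web` 5.3 or later on the classpath.

```java
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

// Hypothetical stand-alone check, not part of the project under review.
public class CredentialedCorsCheck {

    // Credentialed policy whose origins are given as patterns.
    static CorsConfiguration patternPolicy(List<String> patterns) {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOriginPatterns(patterns);
        config.setAllowCredentials(true);
        return config;
    }

    // True when Spring refuses the allowedOrigins/credentials combination.
    static boolean rejectedByValidation(CorsConfiguration config) {
        try {
            config.validateAllowCredentials();
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Before: literal wildcard in allowedOrigins together with credentials.
        CorsConfiguration wildcard = new CorsConfiguration();
        wildcard.setAllowedOrigins(List.of("*"));
        wildcard.setAllowCredentials(true);
        System.out.println("wildcard + credentials rejected: " + rejectedByValidation(wildcard));

        // After: one parent domain, HTTPS only (constructed sample pattern).
        CorsConfiguration scoped = patternPolicy(List.of("https://*.example.com"));
        System.out.println("scoped pattern rejected: " + rejectedByValidation(scoped));

        // checkOrigin returns the value for Access-Control-Allow-Origin, or null.
        List<String> probes = List.of(
                "https://app.example.com",        // subdomain over HTTPS
                "http://app.example.com",         // same host, wrong scheme
                "https://example.com",            // bare parent domain
                "https://example.com.other.test"); // look-alike suffix
        for (String origin : probes) {
            System.out.println(origin + " -> " + scoped.checkOrigin(origin));
        }

        // Review caveat: the pattern "*" passes validation with credentials
        // and echoes every origin back, so patterns must stay scoped.
        System.out.println(patternPolicy(List.of("*")).checkOrigin("https://unrelated.test"));
    }
}
```

When reviewing the `allowed-origin-patterns` value supplied through the environment variable, the last case is the one to check for: a bare `*` pattern is accepted by Spring and allows credentialed requests from any origin.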

@CLAassistant

CLAassistant commented Apr 27, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@OmarAitBenaissa OmarAitBenaissa force-pushed the feat/Update-cors-configuration-to-allowedPatterns-origins branch from a46247f to 1b30789 Compare May 11, 2026 12:10
Comment thread src/main/resources/application.yml Outdated
… prevent wildcard + credentials conflicts and allows controlled subdomain matching.

Signed-off-by: OmarAitBenaissa <omar.aitbenaissa.partner@decathlon.com>
…enhance security with allowedOriginPatterns

Signed-off-by: OmarAitBenaissa <omar.aitbenaissa.partner@decathlon.com>
@OmarAitBenaissa OmarAitBenaissa force-pushed the feat/Update-cors-configuration-to-allowedPatterns-origins branch from 491c969 to a94ce8a Compare May 12, 2026 15:12
@sonarqubecloud

@OmarAitBenaissa OmarAitBenaissa deleted the feat/Update-cors-configuration-to-allowedPatterns-origins branch May 13, 2026 15:01