Fix CORS header configs (#555)

* add Access-Control-Allow-Credentials=true
* use real request origin instead of '*' to fill Access-Control-Allow-Origin, due to high security standards of modern browsers

Author: hadisfr

api/src/main/java/io/kafbat/ui/config/CorsGlobalConfiguration.java

@@ -22,7 +22,7 @@ public WebFilter corsFilter() {
 
       final ServerHttpResponse response = ctx.getResponse();
       final HttpHeaders headers = response.getHeaders();
-      fillCorsHeader(headers);
+      fillCorsHeader(headers, request);
 
       if (request.getMethod() == HttpMethod.OPTIONS) {
         response.setStatusCode(HttpStatus.OK);
@@ -33,8 +33,9 @@ public WebFilter corsFilter() {
     };
   }
 
-  public static void fillCorsHeader(HttpHeaders responseHeaders) {
-    responseHeaders.add("Access-Control-Allow-Origin", "*");
+  public static void fillCorsHeader(HttpHeaders responseHeaders, ServerHttpRequest request) {
+    responseHeaders.add("Access-Control-Allow-Origin", request.getHeaders().getOrigin());
+    responseHeaders.add("Access-Control-Allow-Credentials", "true");
     responseHeaders.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
     responseHeaders.add("Access-Control-Max-Age", "3600");
     responseHeaders.add("Access-Control-Allow-Headers", "Content-Type");

api/src/main/java/io/kafbat/ui/exception/GlobalErrorWebExceptionHandler.java

@@ -9,6 +9,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import org.springframework.boot.autoconfigure.web.WebProperties;
@@ -17,6 +18,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.ServerCodecConfigurer;
@@ -79,7 +81,7 @@ private Mono<ServerResponse> renderDefault(Throwable throwable, ServerRequest re
     return ServerResponse
         .status(ErrorCode.UNEXPECTED.httpStatus())
         .contentType(MediaType.APPLICATION_JSON)
-        .headers(CorsGlobalConfiguration::fillCorsHeader)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -94,7 +96,7 @@ private Mono<ServerResponse> render(CustomBaseException baseException, ServerReq
     return ServerResponse
         .status(errorCode.httpStatus())
         .contentType(MediaType.APPLICATION_JSON)
-        .headers(CorsGlobalConfiguration::fillCorsHeader)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -125,7 +127,7 @@ private Mono<ServerResponse> render(WebExchangeBindException exception, ServerRe
     return ServerResponse
         .status(HttpStatus.BAD_REQUEST)
         .contentType(MediaType.APPLICATION_JSON)
-        .headers(CorsGlobalConfiguration::fillCorsHeader)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
@@ -140,14 +142,20 @@ private Mono<ServerResponse> render(ResponseStatusException exception, ServerReq
     return ServerResponse
         .status(exception.getStatusCode())
         .contentType(MediaType.APPLICATION_JSON)
-        .headers(CorsGlobalConfiguration::fillCorsHeader)
+        .headers(headers(request))
         .bodyValue(response);
   }
 
   private String requestId(ServerRequest request) {
     return request.exchange().getRequest().getId();
   }
 
+  private Consumer<HttpHeaders> headers(ServerRequest request) {
+    return (HttpHeaders headers) -> {
+      CorsGlobalConfiguration.fillCorsHeader(headers, request.exchange().getRequest());
+    };
+  }
+
   private BigDecimal currentTimestamp() {
     return BigDecimal.valueOf(System.currentTimeMillis());
   }