From bf661686faefd6ef6b34f0d05f1108af580abeee Mon Sep 17 00:00:00 2001
From: Hoan Nguyen
Date: Mon, 29 Jul 2024 14:15:42 +0700
Subject: [PATCH] Fix Sonar issue
---
 .github/workflows/docker-build.yml | 1 +
 marketplace-build/.env | 3 ++-
 .../main/java/com/axonivy/market/config/WebConfig.java | 10 +++++++---
 .../axonivy/market/controller/FeedbackController.java | 3 ---
 .../axonivy/market/controller/OAuth2Controller.java | 3 ---
 .../src/main/resources/application.properties | 1 +
 6 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 347360989..dbdb3aaf1 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -67,6 +67,7 @@ jobs:
 sed -i "s/^MARKET_GITHUB_OAUTH_APP_CLIENT_ID=.*$/MARKET_GITHUB_OAUTH_APP_CLIENT_ID=$OAUTH_APP_CLIENT_ID/" $ENV_FILE
 sed -i "s/^MARKET_GITHUB_OAUTH_APP_CLIENT_SECRET=.*$/MARKET_GITHUB_OAUTH_APP_CLIENT_SECRET=$OAUTH_APP_CLIENT_SECRET/" $ENV_FILE
 sed -i "s/^MARKET_JWT_SECRET_KEY=.*$/MARKET_JWT_SECRET_KEY=$MARKET_JWT_SECRET_KEY/" $ENV_FILE
+ sed -i "s/^MARKET_CORS_ALLOWED_ORIGIN=.*$/MARKET_CORS_ALLOWED_ORIGIN=$MARKET_CORS_ALLOWED_ORIGIN/" $ENV_FILE
 - name: Build and bring up containers without cache
 working-directory: ./marketplace-build
diff --git a/marketplace-build/.env b/marketplace-build/.env
index c08dfe92a..a6dee6c27 100644
--- a/marketplace-build/.env
+++ b/marketplace-build/.env
@@ -8,4 +8,5 @@ MARKET_GITHUB_TOKEN=
 MARKETPLACE_INSTALLATION_URL=
 MARKET_GITHUB_OAUTH_APP_CLIENT_ID=
 MARKET_GITHUB_OAUTH_APP_CLIENT_SECRET=
-MARKET_JWT_SECRET_KEY=
\ No newline at end of file
+MARKET_JWT_SECRET_KEY=
+MARKET_CORS_ALLOWED_ORIGIN=
\ No newline at end of file
diff --git a/marketplace-service/src/main/java/com/axonivy/market/config/WebConfig.java b/marketplace-service/src/main/java/com/axonivy/market/config/WebConfig.java
index 0ff332d8c..833903bb5 100644
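Review bot: The added `sed` line in the docker-build.yml hunk uses `/` as the `s` delimiter, but the value it substitutes is a CORS origin pattern, which will normally carry a scheme such as `https://`; the slashes in the value would end the expression early, so the step would fail or write a mangled entry. A delimiter that cannot occur in an origin avoids this: `sed -i "s|^MARKET_CORS_ALLOWED_ORIGIN=.*$|MARKET_CORS_ALLOWED_ORIGIN=$MARKET_CORS_ALLOWED_ORIGIN|" $ENV_FILE`. The step's `env:` block lies outside the hunk, so it is not visible whether `MARKET_CORS_ALLOWED_ORIGIN` is exported to the shell there; if it is not, the `.env` entry is silently written empty.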
--- a/marketplace-service/src/main/java/com/axonivy/market/config/WebConfig.java
+++ b/marketplace-service/src/main/java/com/axonivy/market/config/WebConfig.java
@@ -9,13 +9,17 @@
 @Configuration
 public class WebConfig implements WebMvcConfigurer {
+ private static final String ALL_MAPPINGS = "/**";
 private static final String[] EXCLUDE_PATHS = { "/", "/swagger-ui/**", "/api-docs/**" };
 private static final String[] ALLOWED_HEADERS = { "Accept-Language", "Content-Type", "Authorization", "X-Requested-By", "x-requested-with", "X-Forwarded-Host", "x-xsrf-token" };
- private static final String[] ALLOWED_METHODS = { "GET", "OPTIONS" };
+ private static final String[] ALLOWED_METHODS = { "GET", "POST", "PUT", "DELETE", "OPTIONS" };
 private final MarketHeaderInterceptor headerInterceptor;
+ @Value("${market.cors.allowed.origin.patterns}")
+ private String marketCorsAllowedOriginPatterns;
+
 @Value("${market.cors.allowed.origin.maxAge}")
 private int marketCorsAllowedOriginMaxAge;
@@ -30,7 +34,7 @@ public void addInterceptors(InterceptorRegistry registry) {
 @Override
 public void addCorsMappings(CorsRegistry registry) {
- registry.addMapping("/**").allowedOrigins("*").allowedMethods(ALLOWED_METHODS).allowedHeaders(ALLOWED_HEADERS)
- .maxAge(marketCorsAllowedOriginMaxAge);
+ registry.addMapping(ALL_MAPPINGS).allowedOriginPatterns(marketCorsAllowedOriginPatterns)
+ .allowedMethods(ALLOWED_METHODS).allowedHeaders(ALLOWED_HEADERS).maxAge(marketCorsAllowedOriginMaxAge);
 }
 }
\ No newline at end of file
diff --git a/marketplace-service/src/main/java/com/axonivy/market/controller/FeedbackController.java b/marketplace-service/src/main/java/com/axonivy/market/controller/FeedbackController.java
index 464744bef..74ebf6d0a 100644
--- a/marketplace-service/src/main/java/com/axonivy/market/controller/FeedbackController.java
+++ b/marketplace-service/src/main/java/com/axonivy/market/controller/FeedbackController.java
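Review bot: `ALLOWED_METHODS` in the first WebConfig hunk now lets `PUT` and `DELETE` through the cross-origin preflight on every mapping, yet the only per-controller `@CrossOrigin` annotations this patch removes sit on two `@PostMapping` handlers, so nothing visible here needs the two extra verbs. Keeping the list to what the front end actually calls, for instance `{ "GET", "POST", "OPTIONS" }`, narrows which state-changing requests another origin can send; `PUT` and `DELETE` can be added once an endpoint requires them. The class body continues outside the hunk, so other consumers of the constant cannot be ruled out.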
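Review bot: In `addCorsMappings` the origin policy is now whatever `market.cors.allowed.origin.patterns` resolves to, and nothing rejects a bare `*`, which `allowedOriginPatterns` accepts; a deployment that sets it gets back the open policy this change removes, now with POST, PUT and DELETE allowed as well. A guard ahead of the registration would turn that misconfiguration into a startup failure, e.g. `if ("*".equals(marketCorsAllowedOriginPatterns.trim())) { throw new IllegalStateException("market.cors.allowed.origin.patterns must not be a bare wildcard"); }`. The new field would also benefit from a one-line comment above its `@Value` stating the expected form of the value and that it comes from `MARKET_CORS_ALLOWED_ORIGIN`.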
@@ -1,6 +1,5 @@
 package com.axonivy.market.controller;
-import static com.axonivy.market.constants.RequestMappingConstants.ALL;
 import static com.axonivy.market.constants.RequestMappingConstants.BY_ID;
 import static com.axonivy.market.constants.RequestMappingConstants.FEEDBACK;
 import static com.axonivy.market.constants.RequestMappingConstants.PRODUCT_BY_ID;
@@ -19,7 +18,6 @@
 import org.springframework.hateoas.PagedModel;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -87,7 +85,6 @@ public ResponseEntity findFeedbackByUserIdAndProductId(@RequestPa
 return ResponseEntity.ok(feedbackModelAssembler.toModel(feedback));
 }
- @CrossOrigin(ALL)
 @PostMapping
 public ResponseEntity createFeedback(@RequestBody @Valid FeedbackModel feedback, @RequestHeader(value = AUTHORIZATION) String authorizationHeader) {
diff --git a/marketplace-service/src/main/java/com/axonivy/market/controller/OAuth2Controller.java b/marketplace-service/src/main/java/com/axonivy/market/controller/OAuth2Controller.java
index 588c87bcd..968c81e2b 100644
--- a/marketplace-service/src/main/java/com/axonivy/market/controller/OAuth2Controller.java
+++ b/marketplace-service/src/main/java/com/axonivy/market/controller/OAuth2Controller.java
@@ -1,6 +1,5 @@
 package com.axonivy.market.controller;
-import static com.axonivy.market.constants.RequestMappingConstants.ALL;
 import static com.axonivy.market.constants.RequestMappingConstants.AUTH;
 import static com.axonivy.market.constants.RequestMappingConstants.GIT_HUB_LOGIN;
 import static org.apache.commons.lang3.StringUtils.EMPTY;
@@ -10,7 +9,6 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -40,7 +38,6 @@ public OAuth2Controller(GitHubService gitHubService, JwtService jwtService, GitH
 this.gitHubProperty = gitHubProperty;
 }
- @CrossOrigin(ALL)
 @PostMapping(GIT_HUB_LOGIN)
 public ResponseEntity> gitHubLogin(@RequestBody Oauth2AuthorizationCode oauth2AuthorizationCode) {
 String accessToken = EMPTY;
diff --git a/marketplace-service/src/main/resources/application.properties b/marketplace-service/src/main/resources/application.properties
index ac08945cb..6020ca4b5 100644
--- a/marketplace-service/src/main/resources/application.properties
+++ b/marketplace-service/src/main/resources/application.properties
@@ -8,6 +8,7 @@ server.forward-headers-strategy=framework
 springdoc.api-docs.path=/api-docs
 springdoc.swagger-ui.path=/swagger-ui.html
 market.cors.allowed.origin.maxAge=3600
+market.cors.allowed.origin.patterns=${MARKET_CORS_ALLOWED_ORIGIN}
 synchronized.installation.counts.path=/home/data/market-installation.json
 market.github.token=${MARKET_GITHUB_TOKEN}
 market.github.oauth2-clientId=${MARKET_GITHUB_OAUTH_APP_CLIENT_ID}
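Review bot: `market.cors.allowed.origin.patterns=${MARKET_CORS_ALLOWED_ORIGIN}` in the application.properties hunk has no default and no explanation, so an environment that does not define the variable (a local run or a test context, presumably) stops on the unresolved placeholder, and one that defines it empty, as the committed `.env` does, ends up with an empty pattern that presumably matches no origin. Both outcomes fail closed, which is reasonable for this setting, but the file should say that this is intended. A comment line above the property would do, e.g. `# Required: origin pattern(s) the UI is served from; deliberately no default`.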