From 6f7267f3d75e675ba154f6416a9964c370c297ba Mon Sep 17 00:00:00 2001 From: DarioGii Date: Thu, 23 Oct 2025 17:05:04 +0100 Subject: [PATCH] addressing comments --- .../common/model/ApplicationProperties.java | 1 + .../software/SPDF/config/WebMvcConfig.java | 27 ++++++++++++++----- .../src/main/resources/settings.yml.template | 1 + 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java b/app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java index f867fb37a..57fae9420 100644 --- a/app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java +++ b/app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java @@ -371,6 +371,7 @@ public class ApplicationProperties { private CustomPaths customPaths = new CustomPaths(); private String fileUploadLimit; private TempFileManagement tempFileManagement = new TempFileManagement(); + private List corsAllowedOrigins = new ArrayList<>(); public boolean isAnalyticsEnabled() { return this.getEnableAnalytics() != null && this.getEnableAnalytics(); diff --git a/app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java b/app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java index 69aa60882..cbc0be35f 100644 --- a/app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java +++ b/app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java @@ -7,11 +7,14 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import lombok.RequiredArgsConstructor; +import stirling.software.common.model.ApplicationProperties; + @Configuration @RequiredArgsConstructor public class WebMvcConfig implements WebMvcConfigurer { private final EndpointInterceptor endpointInterceptor; + private final ApplicationProperties applicationProperties; @Override public void addInterceptors(InterceptorRegistry registry) { @@ -20,13 +23,23 @@ public class WebMvcConfig implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { - // Allow frontend dev server (Vite on localhost:5173) to access backend - registry.addMapping("/**") - .allowedOrigins("http://localhost:5173", "http://127.0.0.1:5173") - .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH") - .allowedHeaders("*") - .allowCredentials(true) - .maxAge(3600); + // Only configure CORS if allowed origins are specified + if (applicationProperties.getSystem() != null + && applicationProperties.getSystem().getCorsAllowedOrigins() != null + && !applicationProperties.getSystem().getCorsAllowedOrigins().isEmpty()) { + + String[] allowedOrigins = applicationProperties.getSystem() + .getCorsAllowedOrigins() + .toArray(new String[0]); + + registry.addMapping("/**") + .allowedOrigins(allowedOrigins) + .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH") + .allowedHeaders("*") + .allowCredentials(true) + .maxAge(3600); + } + // If no origins are configured, CORS is not enabled (secure by default) } // @Override diff --git a/app/core/src/main/resources/settings.yml.template b/app/core/src/main/resources/settings.yml.template index 62e2aefd7..412b1abfc 100644 --- a/app/core/src/main/resources/settings.yml.template +++ b/app/core/src/main/resources/settings.yml.template @@ -124,6 +124,7 @@ system: enableUrlToPDF: false # Set to 'true' to enable URL to PDF, INTERNAL ONLY, known security issues, should not be used externally disableSanitize: false # set to true to disable Sanitize HTML; (can lead to injections in HTML) maxDPI: 500 # Maximum allowed DPI for PDF to image conversion + corsAllowedOrigins: [] # List of allowed origins for CORS (e.g. ['http://localhost:5173', 'https://app.example.com']). Leave empty to disable CORS. serverCertificate: enabled: true # Enable server-side certificate for "Sign with Stirling-PDF" option organizationName: Stirling-PDF # Organization name for generated certificates