Merge branch 'V2' into codex/analyze-frontend-tools-for-backend-dependency

2026-03-13 02:18:16 +01:00 · 2025-10-24 14:09:20 +01:00
parent 81e43b7eb9 848ff9688b
commit a32047c1fb
65 changed files with 3991 additions and 288 deletions
--- a/app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java
+++ b/app/core/src/main/java/stirling/software/SPDF/config/WebMvcConfig.java
@@ -1,22 +1,49 @@
 package stirling.software.SPDF.config;

 import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

 import lombok.RequiredArgsConstructor;

+import stirling.software.common.model.ApplicationProperties;
+
@Configuration
@RequiredArgsConstructor
 public class WebMvcConfig implements WebMvcConfigurer {

    private final EndpointInterceptor endpointInterceptor;
+    private final ApplicationProperties applicationProperties;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(endpointInterceptor);
    }

+    @Override
+    public void addCorsMappings(CorsRegistry registry) {
+        // Only configure CORS if allowed origins are specified
+        if (applicationProperties.getSystem() != null
+                && applicationProperties.getSystem().getCorsAllowedOrigins() != null
+                && !applicationProperties.getSystem().getCorsAllowedOrigins().isEmpty()) {
+
+            String[] allowedOrigins =
+                    applicationProperties
+                            .getSystem()
+                            .getCorsAllowedOrigins()
+                            .toArray(new String[0]);
+
+            registry.addMapping("/**")
+                    .allowedOrigins(allowedOrigins)
+                    .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH")
+                    .allowedHeaders("*")
+                    .allowCredentials(true)
+                    .maxAge(3600);
+        }
+        // If no origins are configured, CORS is not enabled (secure by default)
+    }
+
    // @Override
    // public void addResourceHandlers(ResourceHandlerRegistry registry) {
    //     // Handler for external static resources - DISABLED in backend-only mode
--- a/app/core/src/main/resources/application.properties
+++ b/app/core/src/main/resources/application.properties
@@ -2,7 +2,7 @@ multipart.enabled=true
 logging.level.org.springframework=WARN
 logging.level.org.hibernate=WARN
 logging.level.org.eclipse.jetty=WARN
-#logging.level.org.springframework.security.saml2=TRACE
+#logging.level.org.springframework.security.oauth2=DEBUG
 #logging.level.org.springframework.security=DEBUG
 #logging.level.org.opensaml=DEBUG
 #logging.level.stirling.software.proprietary.security=DEBUG
@@ -35,12 +35,12 @@ spring.datasource.username=sa
 spring.datasource.password=
 spring.h2.console.enabled=false
 spring.jpa.hibernate.ddl-auto=update
-# Defer datasource initialization to ensure that the database is fully set up 
-# before Hibernate attempts to access it. This is particularly useful when 
+# Defer datasource initialization to ensure that the database is fully set up
+# before Hibernate attempts to access it. This is particularly useful when
 # using database initialization scripts or tools.
 spring.jpa.defer-datasource-initialization=true

-# Disable SQL logging to avoid cluttering the logs in production. Enable this 
+# Disable SQL logging to avoid cluttering the logs in production. Enable this
 # property during development if you need to debug SQL queries.
 spring.jpa.show-sql=false
 server.servlet.session.timeout:30m
@@ -60,4 +60,4 @@ spring.main.allow-bean-definition-overriding=true
 java.io.tmpdir=${stirling.tempfiles.directory:${java.io.tmpdir}/stirling-pdf}

 # V2 features
-v2=false
+v2=true
--- a/app/core/src/main/resources/settings.yml.template
+++ b/app/core/src/main/resources/settings.yml.template
@@ -64,7 +64,6 @@ security:
    enableKeyRotation: true # Set to 'true' to enable key pair rotation
    enableKeyCleanup: true # Set to 'true' to enable key pair cleanup
    keyRetentionDays: 7 # Number of days to retain old keys. The default is 7 days.
-    secureCookie: false # Set to 'true' to use secure cookies for JWTs
  validation: # PDF signature validation settings
    trust:
      serverAsAnchor: true # Trust server certificate as anchor for PDF signatures (if configured and self-signed or CA)
@@ -125,6 +124,7 @@ system:
  enableUrlToPDF: false # Set to 'true' to enable URL to PDF, INTERNAL ONLY, known security issues, should not be used externally
  disableSanitize: false # set to true to disable Sanitize HTML; (can lead to injections in HTML)
  maxDPI: 500 # Maximum allowed DPI for PDF to image conversion
+  corsAllowedOrigins: [] # List of allowed origins for CORS (e.g. ['http://localhost:5173', 'https://app.example.com']). Leave empty to disable CORS.
  serverCertificate:
    enabled: true # Enable server-side certificate for "Sign with Stirling-PDF" option
    organizationName: Stirling-PDF # Organization name for generated certificates