fix: cors error removed in all api (#60)

Author: vishwab1

src/main/environment/common_ci.properties

@@ -25,3 +25,5 @@ logging.file.name=@env.SCHEDULER_API_LOGGING_FILE_NAME@
 springdoc.api-docs.enabled=@env.SWAGGER_DOC_ENABLED@
 springdoc.swagger-ui.enabled=@env.SWAGGER_DOC_ENABLED@
 
+cors.allowed-origins=@env.CORS_ALLOWED_ORIGINS@
+

src/main/environment/common_example.properties

@@ -22,3 +22,5 @@ jwt.secret=my-32-character-ultra-secure-and-ultra-long-secret
 logging.path=logs/
 logging.file.name=logs/scheduler-api.log
 
+cors.allowed-origins=http://localhost:*
+

src/main/java/com/iemr/tm/controller/schedule/SchedulingController.java

@@ -26,7 +26,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.CrossOrigin;
+
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -43,7 +43,6 @@
 
 import io.swagger.v3.oas.annotations.Operation;
 
-
 @RestController
 @RequestMapping(value = "/schedule", headers = "Authorization")
 public class SchedulingController {
@@ -52,7 +51,6 @@ public class SchedulingController {
 	@Autowired
 	private SchedulingService schedulingService;
 
-	@CrossOrigin()
 	@Operation(summary = "Mark availability of specialist")
 	@RequestMapping(value = "markavailability", method = RequestMethod.POST)
 	public String markavailability(@RequestBody String specialistInput1) {
@@ -72,7 +70,6 @@ public String markavailability(@RequestBody String specialistInput1) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Mark unavailability of specialist")
 	@RequestMapping(value = "unmarkavailability", method = RequestMethod.POST)
 	public String unmarkavailability(@RequestBody String specialistInput1) {
@@ -91,7 +88,6 @@ public String unmarkavailability(@RequestBody String specialistInput1) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Get available slots of specialist for a particular day")
 	@RequestMapping(value = "getavailableSlot", method = RequestMethod.POST)
 	public String getavailableSlot(@RequestBody String specialistInput1) {
@@ -109,7 +105,6 @@ public String getavailableSlot(@RequestBody String specialistInput1) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Get available slots of specialist for a particular month")
 	@RequestMapping(value = { "/monthview/{year}", "/monthview/{year}/{month}",
 			"/monthview/{year}/{month}/{day}" }, method = RequestMethod.POST)
@@ -131,7 +126,6 @@ public String view(@RequestBody String specialistInput1, @PathVariable("year") I
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Book available slots of specialist of a particular day")
 	@RequestMapping(value = "bookSlot", method = RequestMethod.POST)
 	public String bookSlot(@RequestBody String specialistInput1) {
@@ -149,7 +143,6 @@ public String bookSlot(@RequestBody String specialistInput1) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Cancel booked slots of specialist of a particular day")
 	@RequestMapping(value = "cancelBookedSlot", method = RequestMethod.POST)
 	public String cancelBookedSlot(@RequestBody String specialistInput1) {
@@ -167,7 +160,6 @@ public String cancelBookedSlot(@RequestBody String specialistInput1) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Get day view of particular specialization")
 	@RequestMapping(value = "getdayview", method = RequestMethod.POST)
 	public String getdayview(@RequestBody String specialistInput1) {

src/main/java/com/iemr/tm/controller/specialist/SpecialistController.java

@@ -26,7 +26,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.CrossOrigin;
+
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -41,7 +41,6 @@
 
 import io.swagger.v3.oas.annotations.Operation;
 
-
 @RestController
 @RequestMapping(value = "/specialist", headers = "Authorization")
 public class SpecialistController {
@@ -50,7 +49,6 @@ public class SpecialistController {
 	@Autowired
 	private SpecialistService specialistService;
 
-	@CrossOrigin()
 	@Operation(summary = "Fetch master specialization")
 	@RequestMapping(value = "masterspecialization", method = RequestMethod.POST)
 	public String markavailability() {
@@ -66,7 +64,6 @@ public String markavailability() {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Fetch list of specialists")
 	@RequestMapping(value = "getSpecialist", method = RequestMethod.POST)
 	public String getSpecialist(@RequestBody Specialist specialist) {
@@ -83,7 +80,6 @@ public String getSpecialist(@RequestBody Specialist specialist) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Fetch user specialist")
 	@RequestMapping(value = "info/{userID}", method = RequestMethod.GET)
 	public String info(@PathVariable("userID") Long userID) {
@@ -101,7 +97,6 @@ public String info(@PathVariable("userID") Long userID) {
 		return response.toString();
 	}
 
-	@CrossOrigin()
 	@Operation(summary = "Fetch all specialists")
 	@RequestMapping(value = "getSpecialistAll", method = RequestMethod.POST)
 	public String getSpecialistAll(@RequestBody Specialist specialist) {

src/main/java/com/iemr/tm/controller/van/VanController.java

@@ -24,7 +24,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.CrossOrigin;
+
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -36,8 +36,6 @@
 
 import io.swagger.v3.oas.annotations.Operation;
 
-
-
 @RestController
 @RequestMapping(value = "/van", headers = "Authorization")
 public class VanController {
@@ -46,7 +44,6 @@ public class VanController {
 	@Autowired
 	private VanService vanService;
 
-	@CrossOrigin()
 	@Operation(summary = "Fetch specialization by van id")
 	@RequestMapping(value = "getvan/{vanid}", method = RequestMethod.GET)
 	public String markavailability(@PathVariable("vanid") Integer vanid) {

src/main/java/com/iemr/tm/utils/FilterConfig.java

@@ -3,17 +3,26 @@
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.beans.factory.annotation.Value;
 
 @Configuration
 public class FilterConfig {
 
+	@Value("${cors.allowed-origins}")
+	private String allowedOrigins;
+
 	@Bean
 	public FilterRegistrationBean<JwtUserIdValidationFilter> jwtUserIdValidationFilter(
 			JwtAuthenticationUtil jwtAuthenticationUtil) {
 		FilterRegistrationBean<JwtUserIdValidationFilter> registrationBean = new FilterRegistrationBean<>();
-		registrationBean.setFilter(new JwtUserIdValidationFilter(jwtAuthenticationUtil));
+
+		// Pass allowedOrigins explicitly to the filter constructor
+		JwtUserIdValidationFilter filter = new JwtUserIdValidationFilter(jwtAuthenticationUtil, allowedOrigins);
+
+		registrationBean.setFilter(filter);
+		registrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
 		registrationBean.addUrlPatterns("/*"); // Apply filter to all API endpoints
 		return registrationBean;
 	}
-
 }

src/main/java/com/iemr/tm/utils/JwtUserIdValidationFilter.java

@@ -1,6 +1,7 @@
 package com.iemr.tm.utils;
 
 import java.io.IOException;
+import java.util.Arrays;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -17,14 +18,16 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
-@Component
 public class JwtUserIdValidationFilter implements Filter {
 
 	private final JwtAuthenticationUtil jwtAuthenticationUtil;
 	private final Logger logger = LoggerFactory.getLogger(this.getClass().getName());
+	private final String allowedOrigins;
 
-	public JwtUserIdValidationFilter(JwtAuthenticationUtil jwtAuthenticationUtil) {
+	public JwtUserIdValidationFilter(JwtAuthenticationUtil jwtAuthenticationUtil,
+			String allowedOrigins) {
 		this.jwtAuthenticationUtil = jwtAuthenticationUtil;
+		this.allowedOrigins = allowedOrigins;
 	}
 
 	@Override
@@ -33,6 +36,27 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 		HttpServletRequest request = (HttpServletRequest) servletRequest;
 		HttpServletResponse response = (HttpServletResponse) servletResponse;
 
+		String origin = request.getHeader("Origin");
+
+		logger.debug("Incoming Origin: {}", origin);
+		logger.debug("Allowed Origins Configured: {}", allowedOrigins);
+
+		if (origin != null && isOriginAllowed(origin)) {
+			response.setHeader("Access-Control-Allow-Origin", origin);
+			response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+			response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept, Jwttoken");
+			response.setHeader("Vary", "Origin");
+			response.setHeader("Access-Control-Allow-Credentials", "true");
+		} else {
+			logger.warn("Origin [{}] is NOT allowed. CORS headers NOT added.", origin);
+		}
+
+		if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
+			logger.info("OPTIONS request - skipping JWT validation");
+			response.setStatus(HttpServletResponse.SC_OK);
+			return;
+		}
+
 		String path = request.getRequestURI();
 		String contextPath = request.getContextPath();
 		logger.info("JwtUserIdValidationFilter invoked for path: " + path);
@@ -110,12 +134,33 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 			response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization error: " + e.getMessage());
 		}
 	}
+
+	private boolean isOriginAllowed(String origin) {
+		if (origin == null || allowedOrigins == null || allowedOrigins.trim().isEmpty()) {
+			logger.warn("No allowed origins configured or origin is null");
+			return false;
+		}
+
+		return Arrays.stream(allowedOrigins.split(","))
+				.map(String::trim)
+				.anyMatch(pattern -> {
+					String regex = pattern
+							.replace(".", "\\.")
+							.replace("*", ".*")
+							.replace("http://localhost:.*", "http://localhost:\\d+"); // special case for wildcard port
+
+					boolean matched = origin.matches(regex);
+					return matched;
+				});
+	}
+
 	private boolean isMobileClient(String userAgent) {
 		if (userAgent == null)
 			return false;
 		userAgent = userAgent.toLowerCase();
 		return userAgent.contains("okhttp");
 	}
+
 	private String getJwtTokenFromCookies(HttpServletRequest request) {
 		Cookie[] cookies = request.getCookies();
 		if (cookies != null) {