Allow requests only from the frontend endpoint

src/main/java/br/com/arnar/openforms/api/authentication/SecurityConfiguration.java

@@ -18,28 +18,35 @@
 package br.com.arnar.openforms.api.authentication;
 
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import java.util.List;
 
 @Configuration
 @EnableWebSecurity
 @RequiredArgsConstructor
 public class SecurityConfiguration {
     private final JwtTokenProvider jwtTokenProvider;
 
+    @Value("${openforms.http.allowedEndpoint}")
+    private String allowedEndpoint;
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf(AbstractHttpConfigurer::disable);
 
-        http.cors(Customizer.withDefaults());
+        http.securityMatcher("/**").cors((cors) -> cors.configurationSource(apiConfigurationSource()));
 
         http.sessionManagement(management -> management
                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
@@ -62,4 +69,29 @@ public AuthenticationManager authenticationManager(AuthenticationConfiguration a
             throws Exception {
         return authenticationConfiguration.getAuthenticationManager();
     }
+
+    private CorsConfigurationSource apiConfigurationSource() {
+        CorsConfiguration cors = new CorsConfiguration();
+
+        cors.setAllowedOrigins(List.of(allowedEndpoint));
+        cors.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+        cors.setAllowedHeaders(List.of("Authorization", "Content-Type"));
+        cors.setAllowCredentials(true);
+        cors.setMaxAge(3600L);
+
+        CorsConfiguration openFormCors = new CorsConfiguration();
+        openFormCors.addAllowedOriginPattern("*"); // Allow all origins
+        openFormCors.setAllowedMethods(List.of("POST", "OPTIONS"));
+        openFormCors.setAllowedHeaders(List.of("Authorization", "Content-Type"));
+        openFormCors.setAllowCredentials(false); // safer for public endpoints
+        openFormCors.setMaxAge(3600L);
+
+        // Register CORS config for all endpoints
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+
+        source.registerCorsConfiguration("/api/v1/form/", openFormCors);
+        source.registerCorsConfiguration("/**", cors);
+
+        return source;
+    }
 }

src/main/resources/application-development.properties

@@ -1,4 +1,5 @@
 spring.application.name=OpenForms (Development)
+openforms.http.allowedEndpoint=http://localhost:5173/
 
 spring.datasource.url=jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1
 spring.datasource.driverClassName=org.h2.Driver

src/main/resources/application-production.properties

@@ -1,4 +1,5 @@
 spring.application.name=OpenForms
+openforms.http.allowedEndpoint=https://forms.arnar.com.br/
 
 spring.datasource.url=jdbc:postgresql://localhost:5432/openforms
 spring.datasource.username=