CHORE - Update version of the application to 1.0.1

Juansecu · Sep 9, 2024 · 014b78d · 014b78d
1 parent 13b8fb1
commit 014b78d
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,32 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.1]
+
+### Improved
+
+- Added environment variable `MAIL_SERVER_FROM_ACCOUNT_RELATED_EMAIL_ADDRESS`
+  to allow the configuration of the email address that will be used as the
+  sender of account-related emails
+- Leverage SSL configuration to application administrators, so they can
+  configure the application to use SSL or not
+- Reduced size of the holo-char image by converting it to a WEBP format
+
+### Security
+
+- Updated Spring starter dependencies to 3.2.9
+- Restricted access to API docs to only accounts with the following levels:
+
+    - `DEVELOPER (Level 50)`
+    - `GAME MASTER (Level 30)`
+    - `MASTER (Level 1)`
+
+- Avoid account stealing by importing correctly the value from the `JWT_SECRET`
+  environment variable when generating and validating JWT tokens
+- Added environment variable `CORS_ALLOWED_ORIGINS` to allow the configuration
+  of the allowed origins for CORS requests
+- Added `Content-Security-Policy` header to prevent XSS attacks
+
 ## [1.0.0]
 
 ### Added

diff --git a/pom.xml b/pom.xml
@@ -10,7 +10,7 @@
 	</parent>
 	<groupId>com.juansecu.openfusion</groupId>
 	<artifactId>openfusion-openapi-plugin</artifactId>
-	<version>1.0.0</version>
+	<version>1.0.1</version>
 	<name>OpenFusion OpenAPI Plugin</name>
 	<description>OpenAPI declaration plugin for server applications based on OpenFusion</description>
 	<properties>

diff --git a/src/main/java/com/juansecu/openfusion/openfusionopenapiplugin/config/SecurityConfig.java b/src/main/java/com/juansecu/openfusion/openfusionopenapiplugin/config/SecurityConfig.java
@@ -1,6 +1,9 @@
 package com.juansecu.openfusion.openfusionopenapiplugin.config;
 
-import com.juansecu.openfusion.openfusionopenapiplugin.accounts.enums.EAccountLevel;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -21,7 +24,11 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
+import com.juansecu.openfusion.openfusionopenapiplugin.accounts.enums.EAccountLevel;
 import com.juansecu.openfusion.openfusionopenapiplugin.auth.filters.JwtAuthenticationFilter;
 import com.juansecu.openfusion.openfusionopenapiplugin.auth.filters.ProtectedViewAgainstAuthenticatedUserFilter;
 import com.juansecu.openfusion.openfusionopenapiplugin.auth.filters.ProtectedViewAgainstAuthenticationFilter;
@@ -31,6 +38,8 @@
 @EnableWebSecurity
 @RequiredArgsConstructor
 public class SecurityConfig {
+    @Value("${server.cors.allowed-origins}")
+    private String allowedOrigins;
     @Value("${server.headers.content-security-policy}")
     private String contentSecurityPolicy;
 
@@ -62,11 +71,46 @@ protected AuthenticationProvider authenticationProvider() {
         return daoAuthenticationProvider;
     }
 
+    @Bean
+    protected CorsConfigurationSource corsConfigurationSource() {
+        final CorsConfiguration apiCorsConfiguration = new CorsConfiguration();
+        final Map<String, CorsConfiguration> corsConfigurations = new HashMap<>(2);
+        final CorsConfiguration uiCorsConfiguration = new CorsConfiguration();
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+
+        apiCorsConfiguration.setAllowedHeaders(List.of("*"));
+        apiCorsConfiguration.setAllowedMethods(List.of("DELETE", "GET", "OPTIONS", "POST", "PUT"));
+        apiCorsConfiguration.setAllowedOrigins(
+            List.of(this.allowedOrigins.split(","))
+        );
+
+        uiCorsConfiguration.setAllowedHeaders(List.of("*"));
+        uiCorsConfiguration.setAllowedMethods(List.of("GET", "OPTIONS", "POST"));
+        uiCorsConfiguration.setAllowedOrigins(List.of("*"));
+
+        corsConfigurations.put("/api/accounts/**", uiCorsConfiguration);
+        corsConfigurations.put("/api/auth/**", apiCorsConfiguration);
+
+        corsConfigurations.put("/accounts/**", uiCorsConfiguration);
+        corsConfigurations.put("/api/docs/**", uiCorsConfiguration);
+        corsConfigurations.put("/api/verification-tokens/**", apiCorsConfiguration);
+        corsConfigurations.put("/auth/**", uiCorsConfiguration);
+        corsConfigurations.put("/docs", uiCorsConfiguration);
+        corsConfigurations.put("/favicon.ico", uiCorsConfiguration);
+        corsConfigurations.put("/static/**", uiCorsConfiguration);
+        corsConfigurations.put("/swagger-ui/**", uiCorsConfiguration);
+
+        source.setCorsConfigurations(corsConfigurations);
+
+        return source;
+    }
+
     @Bean
     protected SecurityFilterChain securityFilterChain(
         final HttpSecurity httpSecurity
     ) throws Exception {
         httpSecurity
+            .cors(cors -> cors.configurationSource(this.corsConfigurationSource()))
             .csrf(AbstractHttpConfigurer::disable)
             .headers(headers ->
                 headers

diff --git a/src/main/java/com/juansecu/openfusion/openfusionopenapiplugin/config/WebMvcConfig.java b/src/main/java/com/juansecu/openfusion/openfusionopenapiplugin/config/WebMvcConfig.java
@@ -1,7 +1,6 @@
 package com.juansecu.openfusion.openfusionopenapiplugin.config;
 
 import lombok.RequiredArgsConstructor;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.*;
 
@@ -11,27 +10,8 @@
 @EnableWebMvc
 @RequiredArgsConstructor
 public class WebMvcConfig implements WebMvcConfigurer {
-    @Value("${server.cors.allowed-origins}")
-    private String allowedOrigins;
-
     private final VerificationTokenInterceptor verificationTokenInterceptor;
 
-    @Override
-    public void addCorsMappings(final CorsRegistry registry) {
-
-        registry
-            .addMapping("/**")
-            .allowedHeaders("*")
-            .allowedMethods(
-                "DELETE",
-                "GET",
-                "OPTIONS",
-                "POST",
-                "PUT"
-            )
-            .allowedOrigins(this.allowedOrigins.split(","));
-    }
-
     @Override
     public void addInterceptors(final InterceptorRegistry registry) {
         registry