From 38c800cd960532a4ebf2664b8c21619dd0a8ee4d Mon Sep 17 00:00:00 2001
From: Mehara Rothila Ranawaka
Date: Mon, 10 Nov 2025 19:48:16 +0530
Subject: [PATCH 1/3] Update CORS configuration for enhanced security

---
 .../auth_service/config/CorsFilter.java | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/auth-service/src/main/java/com/techtorque/auth_service/config/CorsFilter.java b/auth-service/src/main/java/com/techtorque/auth_service/config/CorsFilter.java
index 3a4328e..a629ef0 100644
--- a/auth-service/src/main/java/com/techtorque/auth_service/config/CorsFilter.java
+++ b/auth-service/src/main/java/com/techtorque/auth_service/config/CorsFilter.java
@@ -21,7 +21,7 @@
 * The API Gateway applies CORS headers to all responses, so backend services should not
 * add CORS headers to avoid duplication.
 */
-@Component
+// @Component - DISABLED: CORS is handled by API Gateway
 @Order(Ordered.HIGHEST_PRECEDENCE)
 public class CorsFilter implements Filter {
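Review bot: Commenting out `@Component` instead of deleting it leaves the registration decision as dead text, and it contradicts the next hunk in the same file, where doFilter is given a full CORS implementation while the class Javadoc in this hunk's context lines still says backend services must not add CORS headers. If the annotation is ever restored, the gateway and this service would both emit Access-Control-Allow-Origin on the same response, and browsers reject a duplicated value for that header, so the two hunks should agree on which component owns CORS. Either remove the annotation line outright and keep the Javadoc statement that the gateway owns CORS, or register the filter and update the Javadoc; a commented-out annotation with a `DISABLED` note does neither.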
@@ -37,8 +37,27 @@ public void init(FilterConfig filterConfig) {
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
 throws IOException, ServletException {
- // CORS is handled by the API Gateway, so we skip CORS header injection here
- // Just pass the request through without adding CORS headers
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+ String origin = httpRequest.getHeader("Origin");
+
+ // If origin is present and allowed, add CORS headers
+ if (origin != null && isOriginAllowed(origin)) {
+ httpResponse.setHeader("Access-Control-Allow-Origin", origin);
+ httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, PATCH");
+ httpResponse.setHeader("Access-Control-Allow-Headers",
+ "Authorization, Content-Type, X-Requested-With, Accept, Origin, Access-Control-Request-Method, Access-Control-Request-Headers");
+ httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
+ httpResponse.setHeader("Access-Control-Max-Age", "3600");
+ }
+
+ // Handle preflight OPTIONS requests
+ if ("OPTIONS".equalsIgnoreCase(httpRequest.getMethod())) {
+ httpResponse.setStatus(HttpServletResponse.SC_OK);
+ return;
+ }
+
 chain.doFilter(request, response);
 }

From 8a7f5cd4304e250b73b5bacd39bd52390b8057ce Mon Sep 17 00:00:00 2001
From: Mehara Rothila Ranawaka
Date: Mon, 10 Nov 2025 19:48:25 +0530
Subject: [PATCH 2/3] Add username lookup endpoint to user controller

---
 .../com/techtorque/auth_service/controller/UserController.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java b/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
index 83beb54..b1dbc8e 100644
--- a/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
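Review bot: The allowed-origin branch reflects the request's Origin into Access-Control-Allow-Origin but never sets `Vary: Origin`, so a shared cache may serve the headers computed for one origin to a request from another; add `httpResponse.addHeader("Vary", "Origin");` inside that block. The OPTIONS branch below it also answers 200 and stops the chain for every OPTIONS request, including ones with no Origin or a disallowed one, and non-CORS OPTIONS requests that the downstream handlers might own; narrowing it to real preflights, `if ("OPTIONS".equalsIgnoreCase(httpRequest.getMethod()) && origin != null && httpRequest.getHeader("Access-Control-Request-Method") != null) {`, keeps the short-circuit to the case the comment describes. `isOriginAllowed` is not in this hunk, so I cannot confirm how it matches; because Access-Control-Allow-Credentials is set to true here, it needs to be an exact match against a fixed allowlist rather than a prefix or substring check. The unconditional casts to HttpServletRequest/HttpServletResponse are fine under a servlet container but would throw on a non-HTTP request, which is worth a one-line comment if that assumption is intentional.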
+++ b/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
@@ -44,9 +44,10 @@ public class UserController {
 * Get a list of all users in the system.
 */
 @GetMapping
- public ResponseEntity> getAllUsers() {
+ public ResponseEntity> getAllUsers(@RequestParam(required = false) String role) {
 List users = userService.findAllUsers().stream()
 .map(this::convertToDto)
+ .filter(user -> role == null || user.getRoles().contains(role))
 .collect(Collectors.toList());
 return ResponseEntity.ok(users);
 }

From e46bec4da57c2bbe30f84d26bf2d940a70116ea5 Mon Sep 17 00:00:00 2001
From: Mehara Rothila Ranawaka
Date: Mon, 10 Nov 2025 19:48:32 +0530
Subject: [PATCH 3/3] Improve user authentication flow
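Review bot: The Javadoc in this hunk's context lines still reads "Get a list of all users in the system." while the method now takes an optional `role` filter; add `@param role optional role name; when present, only users whose roles contain it are returned` to it. The filter runs after `.map(this::convertToDto)`, so every user is loaded and converted before being discarded, and if the entity exposes its roles the `.filter` should precede the map (or the role filter should move into the service/repository query). The semantics of `contains(role)` depend on what `getRoles()` returns, which is not visible here: for a collection it is an exact element match, but if it is a delimited String it becomes a substring match, and an empty `?role=` query passes the `role == null` guard, so `role == null || role.isBlank()` is the safer guard either way. The commit subject mentions a username lookup endpoint, which does not describe this change.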