TechTorque-2025 · RandithaK · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025
diff --git a/auth-service/src/main/java/com/techtorque/auth_service/config/CorsFilter.java b/auth-service/src/main/java/com/techtorque/auth_service/config/CorsFilter.java
@@ -21,7 +21,7 @@
  * The API Gateway applies CORS headers to all responses, so backend services should not
  * add CORS headers to avoid duplication.
  */
-@Component
+// @Component - DISABLED: CORS is handled by API Gateway
 @Order(Ordered.HIGHEST_PRECEDENCE)
 public class CorsFilter implements Filter {
 
@@ -37,8 +37,27 @@ public void init(FilterConfig filterConfig) {
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
 
-        // CORS is handled by the API Gateway, so we skip CORS header injection here
-        // Just pass the request through without adding CORS headers
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+        String origin = httpRequest.getHeader("Origin");
+
+        // If origin is present and allowed, add CORS headers
+        if (origin != null && isOriginAllowed(origin)) {
+            httpResponse.setHeader("Access-Control-Allow-Origin", origin);
+            httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, PATCH");
+            httpResponse.setHeader("Access-Control-Allow-Headers", 
+                "Authorization, Content-Type, X-Requested-With, Accept, Origin, Access-Control-Request-Method, Access-Control-Request-Headers");
+            httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
+            httpResponse.setHeader("Access-Control-Max-Age", "3600");
+        }
+
+        // Handle preflight OPTIONS requests
+        if ("OPTIONS".equalsIgnoreCase(httpRequest.getMethod())) {
+            httpResponse.setStatus(HttpServletResponse.SC_OK);
+            return;
+        }
+
         chain.doFilter(request, response);
     }
 

diff --git a/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java b/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
@@ -44,9 +44,10 @@ public class UserController {
    * Get a list of all users in the system.
    */
   @GetMapping
-  public ResponseEntity<List<UserDto>> getAllUsers() {
+  public ResponseEntity<List<UserDto>> getAllUsers(@RequestParam(required = false) String role) {
     List<UserDto> users = userService.findAllUsers().stream()
             .map(this::convertToDto)
+            .filter(user -> role == null || user.getRoles().contains(role))
             .collect(Collectors.toList());
     return ResponseEntity.ok(users);
   }