Set default cors headers if missing fix #498

oliemansm · oliemansm · commit e4bb1480f3ed · 2020-12-28T16:07:42.000+01:00
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/spring/web/boot/GraphQLInstrumentationAutoConfiguration.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/spring/web/boot/GraphQLInstrumentationAutoConfiguration.java
@@ -17,7 +17,6 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
@@ -30,7 +29,6 @@
 @AutoConfigureAfter({MetricsAutoConfiguration.class, SimpleMetricsExportAutoConfiguration.class,
     GraphQLWebsocketAutoConfiguration.class})
 @ConditionalOnProperty(value = "graphql.servlet.enabled", havingValue = "true", matchIfMissing = true)
-@EnableConfigurationProperties({GraphQLServletProperties.class})
 public class GraphQLInstrumentationAutoConfiguration {
 
   private final GraphQLServletProperties graphqlServletProperties;
diff --git a/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/spring/web/boot/GraphQLWebAutoConfiguration.java b/graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/spring/web/boot/GraphQLWebAutoConfiguration.java
@@ -56,6 +56,7 @@
 import graphql.kickstart.spring.web.boot.metrics.MetricsInstrumentation;
 import graphql.kickstart.tools.boot.GraphQLJavaToolsAutoConfiguration;
 import graphql.schema.GraphQLSchema;
+import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -78,6 +79,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
@@ -126,6 +128,10 @@ public CorsConfiguration corsConfiguration() {
   @ConditionalOnProperty(value = "graphql.servlet.corsEnabled", havingValue = "true", matchIfMissing = true)
   public CorsFilter corsConfigurer(CorsConfiguration corsConfiguration) {
     Map<String, CorsConfiguration> corsConfigurations = new LinkedHashMap<>(1);
+    if (corsConfiguration.getAllowedMethods() == null) {
+      corsConfiguration.setAllowedMethods(
+          Arrays.asList(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name()));
+    }
     corsConfigurations.put(graphQLServletProperties.getCorsMapping(), corsConfiguration);
 
     UrlBasedCorsConfigurationSource configurationSource = new UrlBasedCorsConfigurationSource();
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/spring/web/boot/CorsTest.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/spring/web/boot/CorsTest.java
@@ -0,0 +1,75 @@
+package graphql.kickstart.spring.web.boot;
+
+import static graphql.Scalars.GraphQLString;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import graphql.schema.GraphQLFieldDefinition;
+import graphql.schema.GraphQLObjectType;
+import graphql.schema.GraphQLSchema;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
+import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+
+@ExtendWith(SpringExtension.class)
+@AutoConfigureMockMvc
+@ImportAutoConfiguration({JacksonAutoConfiguration.class, GraphQLWebAutoConfiguration.class})
+@SpringBootTest(properties = {"debug=true", "graphql.servlet.mapping=/graphql", "graphql.servlet.cors.allowed-origins=https://trusted.com", "graphql.servlet.cors.allowed-methods=GET,HEAD,POST"})
+class CorsTest {
+
+  @Autowired
+  private MockMvc mockMvc;
+
+  @Test
+  void evilDomain_shouldNotBeAllowed() throws Exception {
+    ResultActions resultActions = performCorsPreflight("https://evil.com");
+    resultActions
+        .andExpect(status().isForbidden())
+        .andExpect(content().string("Invalid CORS request"));
+  }
+
+  private ResultActions performCorsPreflight(String origin) throws Exception {
+    return mockMvc.perform(
+        options("/graphql")
+            .contentType(MediaType.APPLICATION_JSON)
+            .header("Access-Control-Request-Method", "POST")
+            .header("Origin", origin)
+    );
+  }
+
+  @Test
+  void trustedDomain_shouldBeAllowed() throws Exception {
+    ResultActions resultActions = performCorsPreflight("https://trusted.com");
+    resultActions
+        .andExpect(status().isOk())
+        .andExpect(header().string("Access-Control-Allow-Origin", "https://trusted.com"))
+        .andExpect(header().string("Access-Control-Allow-Methods", "GET,HEAD,POST"));
+  }
+
+  @TestConfiguration
+  static class MyTestConfiguration {
+
+    @Bean
+    public GraphQLSchema graphQLSchema() {
+      return GraphQLSchema.newSchema()
+          .query(GraphQLObjectType.newObject().name("Query").field(
+              GraphQLFieldDefinition.newFieldDefinition()
+                  .name("echo")
+                  .type(GraphQLString)
+                  .build()).build()).build();
+    }
+  }
+
+}
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/spring/web/boot/GraphQLServletPropertiesTest.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/spring/web/boot/GraphQLServletPropertiesTest.java
@@ -15,6 +15,7 @@
     "graphql.servlet.contextSetting=PER_REQUEST_WITH_INSTRUMENTATION"})
 class GraphQLServletPropertiesTest {
 
+  @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
   @Autowired
   private GraphQLServletProperties properties;
 
diff --git a/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/spring/web/boot/TestAutoConfiguration.java b/graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/spring/web/boot/TestAutoConfiguration.java
@@ -1,12 +1,8 @@
 package graphql.kickstart.spring.web.boot;
 
 import org.springframework.boot.SpringBootConfiguration;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.context.annotation.Import;
 
 @SpringBootConfiguration
-@Import(GraphQLServletProperties.class)
-@EnableConfigurationProperties
 public class TestAutoConfiguration {
 
 
