Merge branch 'main' into api_limiting_http_request_filter

ORCID · Oct 30, 2024 · 848e8e1 · 848e8e1
2 parents afd46e7 + 32f3b3b
commit 848e8e1
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 28 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## v2.67.2 - 2024-10-30
+
+[Full Changelog](https://github.com/ORCID/ORCID-Source/compare/v2.67.1...v2.67.2)
+
 ## v2.67.1 - 2024-10-29
 
 [Full Changelog](https://github.com/ORCID/ORCID-Source/compare/v2.67.0...v2.67.1)

diff --git a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
@@ -16,45 +16,29 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
- * 
  * @author Robert Peters (rcpeters)
- * 
  */
 
 public class CorsFilterWeb extends OncePerRequestFilter {
 
     @Resource
     CrossDomainWebManger crossDomainWebManger;
-
-    private static final String LOCALHOST_BASE_URI= "https://localhost";
-    private static final String LOCALHOST_ORCID_WEB_BASE_URI = "https://localhost:8443/orcid-web";
-
+
     @Value("${org.orcid.core.baseUri}")
     private String baseUri;
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        Pattern p = Pattern.compile("^/userStatus\\.json|^/oauth/userinfo|^/oauth/jwks|^/\\.well-known/openid-configuration");
-        Matcher m = p.matcher(OrcidUrlManager.getPathWithoutContextPath(request));
-        // Allow CORS for all paths from Angular frontend only if we are in local dev env
-        // All other envs allow CORS only if request path matches one of:
-        // userStatus.json 
-        // /oauth/userinfo
-        // /oauth/jwks
-        // /.well-known/openid-configuration
-        if (baseUri.equals(LOCALHOST_BASE_URI) || baseUri.equals(LOCALHOST_ORCID_WEB_BASE_URI) || m.matches()) {
-            if (crossDomainWebManger.allowed(request)) {
-                String origin = request.getHeader("origin");
-                response.addHeader("Access-Control-Allow-Origin", origin);
-                response.addHeader("Access-Control-Allow-Credentials", "true");
-
-                if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
-                    // CORS "pre-flight" request
-                    response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-                    response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
-                }
+        if (crossDomainWebManger.allowed(request)) {
+            String origin = request.getHeader("origin");
+            response.addHeader("Access-Control-Allow-Origin", origin);
+            response.addHeader("Access-Control-Allow-Credentials", "true");
+
+            if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
+                // CORS "pre-flight" request
+                response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
+                response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
             }
-
         }
 
         filterChain.doFilter(request, response);

diff --git a/properties/development.properties b/properties/development.properties
@@ -99,7 +99,7 @@ org.orcid.core.node = 1
 org.orcid.core.numberOfNodes = 1
 
 # CORS allowed domains
-org.orcid.security.cors.allowed_domains=localhost
+org.orcid.security.cors.allowed_domains=dev.orcid.org
 
 # Messaging
 # Replace with tcp://domain.com:61616 in live to point at ActiveMQ location
@@ -260,9 +260,10 @@ org.orcid.core.autospam.webhookUrl=
 
 #org.orcid.persistence.liquibase.enabled=false
 org.orcid.persistence.solr.read.only.url=http://localhost:8983/solr
-
 org.orcid.persistence.panoply.cleanup.production=false
+#api_limiting_http_request_filter
 org.orcid.persistence.panoply.papiExceededRate.production=false
+
 # Panoply redshift database 
 org.orcid.core.utils.panoply.driver=com.amazon.redshift.jdbc.Driver
 org.orcid.core.utils.panoply.maxPoolSize=20