From 62b48cb5e89b0e5fc7d7beef5f85d30e715e0978 Mon Sep 17 00:00:00 2001
From: Mathieu-bot
Date: Sat, 4 Apr 2026 11:49:12 +0300
Subject: [PATCH 1/3] fix(security): add CORS config, allow /ws/**, and redirect OAuth2 to frontend
- Configure CORS directly in SecurityFilterChain with credentials support
- Allow /ws/** endpoints for WebSocket handshake
- Add defaultSuccessUrl redirect to frontend after OAuth2 login
- Add logoutSuccessUrl redirect to frontend login page
---
.../raibu/shi/security/SecurityConfig.java | 35 ++++++++++++++++---
1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/main/java/shi/raibu/shi/security/SecurityConfig.java b/src/main/java/shi/raibu/shi/security/SecurityConfig.java
index 4658ec6..cb3e5dc 100644
--- a/src/main/java/shi/raibu/shi/security/SecurityConfig.java
+++ b/src/main/java/shi/raibu/shi/security/SecurityConfig.java
@@ -1,11 +1,17 @@
 package shi.raibu.shi.security;
+import java.util.Arrays;
+import java.util.List;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 @Configuration
 @EnableWebSecurity
@@ -14,21 +20,42 @@ public class SecurityConfig {
 private final CustomOidcUserService customOidcUserService;
+ @Value("${app.frontend-url:http://localhost:5173}")
+ private String frontendUrl;
+
+ @Value("${cors.allowed-origins:http://localhost:5173,http://localhost:3000,https://raibu.app}")
+ private String allowedOrigins;
+
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- http.csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**"))
+ http.cors(cors -> cors.configurationSource(corsConfigurationSource()))
+ .csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**"))
 .authorizeHttpRequests(
 auth ->
- auth.requestMatchers("/ping", "/actuator/**")
+ auth.requestMatchers("/ping", "/actuator/**", "/ws/**")
 .permitAll()
 .anyRequest()
 .authenticated())
 .oauth2Login(
 oauth2 ->
 oauth2.userInfoEndpoint(
- userInfo -> userInfo.oidcUserService(customOidcUserService)))
- .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/"));
+ userInfo -> userInfo.oidcUserService(customOidcUserService))
+ .defaultSuccessUrl(frontendUrl + "/home", true))
+ .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl(frontendUrl + "/login"));
 return http.build();
 }
+
+ @Bean
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+ configuration.setAllowedOrigins(
+ Arrays.stream(allowedOrigins.split(",")).map(String::trim).toList());
+ configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+ configuration.setAllowedHeaders(List.of("*"));
+ configuration.setAllowCredentials(true);
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+ return source;
+ }
 }
From 1666df6ae63e318c6a4e334b8957745177012c0a Mon Sep 17 00:00:00 2001
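Review bot: The `/ws/**` matcher added to `permitAll()` sits next to the CSRF exemption for the same path that the old code already had, and nothing in this hunk checks the `Origin` of the handshake; browsers do not apply CORS to WebSocket upgrades, so the `corsConfigurationSource()` bean below does not cover that path, and a page on any origin can open a socket that rides on the user's session cookie (cross-site WebSocket hijacking). The origin restriction has to be applied where the WebSocket endpoint is registered — presumably a `setAllowedOrigins(...)` on the handler or STOMP registry fed from the same `cors.allowed-origins` list this bean parses — and anonymous handshakes should be rejected there if the socket layer expects an authenticated principal; that configuration is not in this patch, so please confirm. Two smaller points: `frontendUrl + "/home"` and `frontendUrl + "/login"` yield `//home` and `//login` when the property carries a trailing slash, which a field comment such as `// app.frontend-url must not end with '/': paths are appended verbatim` would document, and this bean now duplicates the `CorsConfigurer` `WebMvcConfigurer` that reads the same property (patch 3/3), so one of the two should be dropped to avoid the two lists drifting apart.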
From: Mathieu-bot
Date: Sat, 4 Apr 2026 11:49:15 +0300
Subject: [PATCH 2/3] fix(config): add localhost:5173 to default CORS allowed origins
---
src/main/resources/application.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index ae316aa..685a739 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -41,4 +41,4 @@ server:
 # for WebSocket
 cors:
- allowed-origins: ${ALLOWED_ORIGINS:http://localhost:3000,https://raibu.app}
+ allowed-origins: ${ALLOWED_ORIGINS:http://localhost:5173,http://localhost:3000,https://raibu.app}
From ad7b7842a6086579bcd5eedf1101d0ad4b1df597 Mon Sep 17 00:00:00 2001
From: Mathieu-bot
Date: Sat, 4 Apr 2026 11:49:31 +0300
Subject: [PATCH 3/3] fix(cors): update CorsConfigurer default allowed origins to include localhost:5173
---
src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java b/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java
index 762649a..f4165f0 100644
--- a/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java
+++ b/src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java
@@ -9,7 +9,7 @@
 @Configuration
 public class CorsConfigurer implements WebMvcConfigurer {
- @Value("${cors.allowed-origins:http://localhost:3000,https://raibu.app}")
+ @Value("${cors.allowed-origins:http://localhost:5173,http://localhost:3000,https://raibu.app}")
 private String allowedOrigins;
 @Override
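Review bot: The fallback for `ALLOWED_ORIGINS` on the changed `allowed-origins` line now ships two plain-HTTP localhost origins alongside the production one, and the security chain in patch 1/3 pairs that list with `allowCredentials(true)`; a production deployment that forgets to set the variable will therefore honour credentialed cross-origin requests from `http://localhost:5173`, i.e. from any process on the user's machine that can bind that port. Consider making the value mandatory in production (`allowed-origins: ${ALLOWED_ORIGINS}` with no inline default, or a dev-only profile that adds the localhost entries) and keeping at most `https://raibu.app` as the default. The `# for WebSocket` comment above the key suggests the same list is meant to feed the WebSocket origin check; if so, the comment should say what the list actually governs, e.g. `# origins allowed for CORS and for the WebSocket handshake (comma-separated, no trailing slash)`.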
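Review bot: The inline default on the changed `@Value` line is now the third verbatim copy of the origin list — the same string appears in `SecurityConfig` (patch 1/3) and in `application.yml` (patch 2/3) — and the three separate patches suggest the copies had already drifted once; since the yml already supplies a default, reading `@Value("${cors.allowed-origins}")` here with no inline fallback would leave a single source of truth. This `WebMvcConfigurer` also looks redundant now that `SecurityConfig` registers a `CorsConfigurationSource` for `/**` from the same property; if both are intended to stay, a class-level comment stating which one is authoritative (the security filter runs before MVC's CORS handling) would save the next reader from wondering. The `addCorsMappings` body lies outside this hunk, so I cannot confirm that the two configurations agree on methods, headers and the credentials flag.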