fix: OAuth2 callback, CORS, and WebSocket connection issues

src/main/java/shi/raibu/shi/endpoint/CorsConfigurer.java

@@ -9,7 +9,7 @@
 @Configuration
 public class CorsConfigurer implements WebMvcConfigurer {
 
-  @Value("${cors.allowed-origins:http://localhost:3000,https://raibu.app}")
+  @Value("${cors.allowed-origins:http://localhost:5173,http://localhost:3000,https://raibu.app}")
   private String allowedOrigins;
 
   @Override

src/main/java/shi/raibu/shi/security/SecurityConfig.java

@@ -1,11 +1,17 @@
 package shi.raibu.shi.security;
 
+import java.util.Arrays;
+import java.util.List;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 @Configuration
 @EnableWebSecurity
@@ -14,21 +20,42 @@ public class SecurityConfig {
 
   private final CustomOidcUserService customOidcUserService;
 
+  @Value("${app.frontend-url:http://localhost:5173}")
+  private String frontendUrl;
+
+  @Value("${cors.allowed-origins:http://localhost:5173,http://localhost:3000,https://raibu.app}")
+  private String allowedOrigins;
+
   @Bean
   public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-    http.csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**"))
+    http.cors(cors -> cors.configurationSource(corsConfigurationSource()))
+        .csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**"))
         .authorizeHttpRequests(
             auth ->
-                auth.requestMatchers("/ping", "/actuator/**")
+                auth.requestMatchers("/ping", "/actuator/**", "/ws/**")
                     .permitAll()
                     .anyRequest()
                     .authenticated())
         .oauth2Login(
             oauth2 ->
                 oauth2.userInfoEndpoint(
-                    userInfo -> userInfo.oidcUserService(customOidcUserService)))
-        .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/"));
+                        userInfo -> userInfo.oidcUserService(customOidcUserService))
+                    .defaultSuccessUrl(frontendUrl + "/home", true))
+        .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl(frontendUrl + "/login"));
 
     return http.build();
   }
+
+  @Bean
+  public CorsConfigurationSource corsConfigurationSource() {
+    CorsConfiguration configuration = new CorsConfiguration();
+    configuration.setAllowedOrigins(
+        Arrays.stream(allowedOrigins.split(",")).map(String::trim).toList());
+    configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+    configuration.setAllowedHeaders(List.of("*"));
+    configuration.setAllowCredentials(true);
+    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+    source.registerCorsConfiguration("/**", configuration);
+    return source;
+  }
 }

src/main/resources/application.yml

@@ -41,4 +41,4 @@ server:
 
 # for WebSocket
 cors:
-  allowed-origins: ${ALLOWED_ORIGINS:http://localhost:3000,https://raibu.app}
+  allowed-origins: ${ALLOWED_ORIGINS:http://localhost:5173,http://localhost:3000,https://raibu.app}