SamuelDouay
diff --git a/‎.idea/dataSources.xml‎
Lines changed: 12 additions & 0 deletions b/‎.idea/dataSources.xml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.idea/data_source_mapping.xml‎
Lines changed: 6 additions & 0 deletions b/‎.idea/data_source_mapping.xml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/main/java/fr/github/vera/filters/CorsFilter.java‎
Lines changed: 95 additions & 18 deletions b/‎src/main/java/fr/github/vera/filters/CorsFilter.java‎
Lines changed: 95 additions & 18 deletions
diff --git a/‎src/main/resources/setting/app.properties‎
Lines changed: 2 additions & 1 deletion b/‎src/main/resources/setting/app.properties‎
Lines changed: 2 additions & 1 deletion
@@ -1,41 +1,118 @@
 package fr.github.vera.filters;
 
+import fr.github.vera.config.ConfigProperties;
 import jakarta.ws.rs.container.*;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.ext.Provider;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 
 @Provider
 @PreMatching
 public class CorsFilter implements ContainerRequestFilter, ContainerResponseFilter {
+    private boolean isPublicEndpoint(ContainerRequestContext requestContext) {
+        try {
+            // Récupérer la méthode de la ressource depuis le contexte
+            Object resourceMethodInvoker = requestContext
+                    .getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
+
+            if (resourceMethodInvoker != null) {
+                // Utiliser la réflexion pour accéder à la méthode
+                Method getMethod = resourceMethodInvoker.getClass().getMethod("getMethod");
+                Method resourceMethod = (Method) getMethod.invoke(resourceMethodInvoker);
+
+                // Vérifier si la méthode ou sa classe a l'annotation @Public
+                return resourceMethod.isAnnotationPresent(Public.class) ||
+                        resourceMethod.getDeclaringClass().isAnnotationPresent(Public.class);
+            }
+        } catch (Exception e) {
+            return false;
+        }
+        return false;
+    }
+    
 
     @Override
     public void filter(ContainerRequestContext requestContext,
                        ContainerResponseContext responseContext) {
-        // Accepter toutes les origines
-        responseContext.getHeaders().add("Access-Control-Allow-Origin", "*");
-        responseContext.getHeaders().add("Access-Control-Allow-Headers",
-                "origin, content-type, accept, authorization, x-requested-with");
-        // NE PAS mettre credentials à true quand origin est "*"
-        responseContext.getHeaders().add("Access-Control-Allow-Methods",
-                "GET, POST, PUT, DELETE, OPTIONS, HEAD");
-        responseContext.getHeaders().add("Access-Control-Max-Age", "3600");
+
+        String origin = requestContext.getHeaderString("Origin");
+        boolean isPublic = isPublicEndpoint(requestContext);
+
+        setCorsHeaders(responseContext, origin, isPublic);
     }
 
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
-        // Gérer les requêtes OPTIONS (preflight)
+
         if ("OPTIONS".equals(requestContext.getMethod())) {
-            Response response = Response.ok()
-                    .header("Access-Control-Allow-Origin", "*")
-                    .header("Access-Control-Allow-Headers",
-                            "origin, content-type, accept, authorization, x-requested-with")
-                    .header("Access-Control-Allow-Methods",
-                            "GET, POST, PUT, DELETE, OPTIONS, HEAD")
-                    .header("Access-Control-Max-Age", "3600")
-                    .build();
-            requestContext.abortWith(response);
+            // Pour les requêtes preflight, on doit déterminer si le chemin est public
+            boolean isPublic = isPublicEndpoint(requestContext);
+            String origin = requestContext.getHeaderString("Origin");
+
+            Response.ResponseBuilder responseBuilder = Response.ok();
+            setCorsHeaders(responseBuilder, origin, isPublic);
+            requestContext.abortWith(responseBuilder.build());
+        }
+    }
+
+    private void setCorsHeaders(ContainerResponseContext responseContext,
+                                String origin, boolean isPublic) {
+
+        if (isPublic) {
+            // Endpoint public : toutes origines autorisées
+            responseContext.getHeaders().add("Access-Control-Allow-Origin", "*");
+        } else {
+            // Endpoint protégé : seulement les domaines autorisés
+            if (origin != null && isOriginAllowed(origin)) {
+                responseContext.getHeaders().add("Access-Control-Allow-Origin", origin);
+                responseContext.getHeaders().add("Access-Control-Allow-Credentials", "true");
+            }
+        }
+
+        // Headers communs
+        responseContext.getHeaders().add("Access-Control-Allow-Headers",
+                "origin, content-type, accept, authorization, x-requested-with, x-csrf-token");
+        responseContext.getHeaders().add("Access-Control-Allow-Methods",
+                "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH");
+        responseContext.getHeaders().add("Access-Control-Max-Age", "3600");
+        responseContext.getHeaders().add("Access-Control-Expose-Headers",
+                "x-csrf-token, authorization");
+    }
+
+    private void setCorsHeaders(Response.ResponseBuilder responseBuilder,
+                                String origin, boolean isPublic) {
+
+        if (isPublic) {
+            responseBuilder.header("Access-Control-Allow-Origin", "*");
+        } else if (origin != null && isOriginAllowed(origin)) {
+            responseBuilder.header("Access-Control-Allow-Origin", origin);
+            responseBuilder.header("Access-Control-Allow-Credentials", "true");
+        }
+
+        // Headers communs
+        responseBuilder.header("Access-Control-Allow-Headers",
+                "origin, content-type, accept, authorization, x-requested-with, x-csrf-token");
+        responseBuilder.header("Access-Control-Allow-Methods",
+                "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH");
+        responseBuilder.header("Access-Control-Max-Age", "3600");
+    }
+
+    private boolean isOriginAllowed(String origin) {
+        // Support multiple domains
+        String allowedDomain = ConfigProperties.getInstance().getProperty("cors.allowed-domain");
+        String[] domains = allowedDomain.split(",");
+        for (String domain : domains) {
+            String trimmed = domain.trim();
+            if (origin.equals(trimmed)) {
+                return true;
+            }
+            // Support pour localhost avec différents ports
+            if (trimmed.startsWith("http://localhost") && origin.startsWith("http://localhost")) {
+                return true;
+            }
         }
+        return false;
     }
 }
@@ -1 +1,2 @@
-secret=${SECRET;Vahgtjj8PN2cFjtEfxkm6QvIid4acyrGPB+N60dG6Wo5l9Rd7Wjnc+OnIokMoyoWh++YJZKzg1CsE2fabQ+Hlc1JEB09FBua}
+secret=${SECRET;Vahgtjj8PN2cFjtEfxkm6QvIid4acyrGPB+N60dG6Wo5l9Rd7Wjnc+OnIokMoyoWh++YJZKzg1CsE2fabQ+Hlc1JEB09FBua}
+cors.allowed-domain=${CORS_ALLOWED_DOMAIN;http://localhost}
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-secret=${SECRET;Vahgtjj8PN2cFjtEfxkm6QvIid4acyrGPB+N60dG6Wo5l9Rd7Wjnc+OnIokMoyoWh++YJZKzg1CsE2fabQ+Hlc1JEB09FBua}`
	`1`	`+secret=${SECRET;Vahgtjj8PN2cFjtEfxkm6QvIid4acyrGPB+N60dG6Wo5l9Rd7Wjnc+OnIokMoyoWh++YJZKzg1CsE2fabQ+Hlc1JEB09FBua}`
	`2`	`+cors.allowed-domain=${CORS_ALLOWED_DOMAIN;http://localhost}`