From 540714d44fc8d6db4d6f3e6a69abae0042d6c66d Mon Sep 17 00:00:00 2001
From: Michael Simon <simon@kit.edu>
Date: Tue, 16 Mar 2021 13:46:59 +0100
Subject: [PATCH] Add CORS Headers for PKCE SPA OIDC Code flow apps

---
 .../edu/kit/scc/webreg/service/oidc/OidcOpLoginImpl.java | 9 ++++++++-
 .../edu/kit/scc/webreg/oauth/OidcCertsController.java    | 2 ++
 .../kit/scc/webreg/oauth/OidcWellknownController.java    | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/bwreg-service/src/main/java/edu/kit/scc/webreg/service/oidc/OidcOpLoginImpl.java b/bwreg-service/src/main/java/edu/kit/scc/webreg/service/oidc/OidcOpLoginImpl.java
index e1124f22b..eaae4256a 100644
--- a/bwreg-service/src/main/java/edu/kit/scc/webreg/service/oidc/OidcOpLoginImpl.java
+++ b/bwreg-service/src/main/java/edu/kit/scc/webreg/service/oidc/OidcOpLoginImpl.java
@@ -326,7 +326,14 @@ public class OidcOpLoginImpl implements OidcOpLogin {
 				throw new OidcAuthenticationException("cannot create hash at the moment. This is bad.");
 			}
 		}
-	
+
+		if (clientConfig.getGenericStore().containsKey("cors_allow_regex")) {
+			String origin = request.getHeader("Origin");
+			if (origin.matches(clientConfig.getGenericStore().get("cors_allow_regex"))) {
+				response.setHeader("Access-Control-Allow-Origin", origin);
+			}
+		}
+			
 		IdentityEntity identity = flowState.getIdentity();
 
 		if (identity == null) {
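Review bot: `request.getHeader("Origin")` can return null, so `origin.matches(...)` throws a NullPointerException whenever a client with `cors_allow_regex` configured sends a request without an Origin header (a top-level navigation or a non-browser client), which turns a configuration option into a crash path; guard it with `if (origin != null && origin.matches(clientConfig.getGenericStore().get("cors_allow_regex")))`. Because the allowed origin is reflected rather than a fixed value, the response should also carry `response.addHeader("Vary", "Origin");` so a shared cache does not hand one origin's `Access-Control-Allow-Origin` to another. `String.matches` is a full match, so the admin-supplied regex is effectively anchored, but a permissive pattern such as `.*` would reflect any origin, and that is worth a one-line comment next to the lookup. The enclosing method starts and ends outside this hunk, so I cannot tell whether this is the token-response path that a PKCE SPA actually calls cross-origin; if it is, a preflight (OPTIONS) handler is presumably also needed, which this change does not add.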
diff --git a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcCertsController.java b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcCertsController.java
index 7a9589c8a..ded0ca9e1 100644
--- a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcCertsController.java
+++ b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcCertsController.java
@@ -51,6 +51,8 @@ public class OidcCertsController {
 	@Produces(MediaType.APPLICATION_JSON)
 	public String auth(@PathParam("realm") String realm, @Context HttpServletRequest request, @Context HttpServletResponse response)
 			throws IOException, OidcAuthenticationException {
+	
+		response.setHeader("Access-Control-Allow-Origin", "*");
 		
 		try {
 			logger.debug("certs called for {}", realm);
diff --git a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcWellknownController.java b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcWellknownController.java
index 83e9e24ab..046434246 100644
--- a/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcWellknownController.java
+++ b/bwreg-webapp/src/main/java/edu/kit/scc/webreg/oauth/OidcWellknownController.java
@@ -47,6 +47,8 @@ public class OidcWellknownController {
 	public JSONObject wellknown(@PathParam("realm") String realm, @Context HttpServletRequest request, @Context HttpServletResponse response)
 			throws ServletException {
 
+		response.setHeader("Access-Control-Allow-Origin", "*");
+		
 		OidcOpConfigurationEntity opConfig = opService.findByRealmAndHost(realm, request.getServerName());
 		
 		if (opConfig == null) {
-- 
GitLab