fix(security): add scoped cors for local web dev origins

cursoragent · dbfcode · cursoragent · commit 5b734c863ee4 · 2026-05-22T17:12:11.000Z
Co-authored-by: Diêgo Ferreira &lt;dbfcode@users.noreply.github.com&gt;
diff --git a/api/src/main/java/com/orderflow/ecommerce/config/SecurityConfig.java b/api/src/main/java/com/orderflow/ecommerce/config/SecurityConfig.java
@@ -9,6 +9,11 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
 
 @Configuration
 @EnableWebSecurity
@@ -18,15 +23,38 @@ public class SecurityConfig {
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
                 .csrf(AbstractHttpConfigurer::disable) // Desabilita CSRF (comum em APIs REST)
+                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // API sem estado
                 .authorizeHttpRequests(auth -> auth
                         .anyRequest().permitAll() // Por enquanto, libera tudo para você não se travar
                 );
 
         return http.build();
     }
+
+    /**
+     * Origens do front local e do compose: Vite (5173) e nginx da web (4173).
+     * Evita {@code allowedOriginPatterns("*")} com {@code allowCredentials(true)}, combinação inválida na especificação CORS.
+     */
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedOrigins(List.of(
+                "http://localhost:5173",
+                "http://127.0.0.1:5173",
+                "http://localhost:4173",
+                "http://127.0.0.1:4173"
+        ));
+        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
+        configuration.setAllowedHeaders(List.of("*"));
+        configuration.setAllowCredentials(false);
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
+
     @Bean
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
     }
-}
+}
