fix: add CORS config and cross-origin API URL for production deployment

emmanuelknafo · emmanuelknafo · commit 4024e6b843f6 · 2026-02-22T10:13:07.000-05:00
- add CorsConfig.java backend bean to allow frontend App Service origin
- update programService.ts to use VITE_API_BASE_URL env var
- set VITE_API_BASE_URL to backend URL and APP_CORS_ALLOWED_ORIGIN in cd.yml
- update application-azuresql.yml to read CORS origin from env var

🔧 - Generated by Copilot
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -80,7 +80,7 @@ jobs:
       - name: Build for production
         run: npm run build
         env:
-          VITE_API_BASE_URL: /api
+          VITE_API_BASE_URL: https://${{ env.BACKEND_APP_NAME }}.azurewebsites.net/api
 
       - name: Upload frontend artifact
         uses: actions/upload-artifact@v4
@@ -126,6 +126,7 @@ jobs:
             --settings \
               SPRING_PROFILES_ACTIVE=azuresql \
               SPRING_DATASOURCE_URL="jdbc:sqlserver://${{ env.SQL_SERVER_NAME }}.database.windows.net:1433;database=${{ env.SQL_DATABASE_NAME }};encrypt=true;trustServerCertificate=true;hostNameInCertificate=*.database.windows.net;loginTimeout=60;authentication=ActiveDirectoryManagedIdentity;msiClientId=${{ vars.SQL_IDENTITY_CLIENT_ID }};connectRetryCount=3;connectRetryInterval=10;" \
+              APP_CORS_ALLOWED_ORIGIN="https://${{ env.FRONTEND_APP_NAME }}.azurewebsites.net" \
             --only-show-errors
 
       - name: Restart App Service
diff --git a/backend/src/main/java/com/ontario/program/config/CorsConfig.java b/backend/src/main/java/com/ontario/program/config/CorsConfig.java
@@ -0,0 +1,33 @@
+package com.ontario.program.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+/**
+ * CORS configuration — allows the frontend origin to call the API
+ * when frontend and backend are on different App Service instances.
+ */
+@Configuration
+public class CorsConfig {
+
+    @Value("${app.cors.allowed-origin:http://localhost:3000}")
+    private String allowedOrigin;
+
+    @Bean
+    public CorsFilter corsFilter() {
+        final CorsConfiguration config = new CorsConfiguration();
+        config.addAllowedOrigin(allowedOrigin);
+        config.addAllowedHeader("*");
+        config.addAllowedMethod("*");
+        config.setAllowCredentials(true);
+        config.setMaxAge(3600L);
+
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/api/**", config);
+        return new CorsFilter(source);
+    }
+}
diff --git a/backend/src/main/resources/application-azuresql.yml b/backend/src/main/resources/application-azuresql.yml
@@ -46,7 +46,7 @@ server:
 
 app:
   cors:
-    allowed-origin: http://localhost:3000
+    allowed-origin: ${APP_CORS_ALLOWED_ORIGIN:http://localhost:3000}
 
 logging:
   level:
diff --git a/frontend/src/services/programService.ts b/frontend/src/services/programService.ts
@@ -1,7 +1,7 @@
 import axios from 'axios';
 
 const api = axios.create({
-  baseURL: '/api',
+  baseURL: import.meta.env.VITE_API_BASE_URL || '/api',
   headers: {
     'Content-Type': 'application/json',
   },
