
Allow configuring Access-Control-Allow-Origin header #535

Open
2 tasks done
PhilGrayson-flutterint opened this issue Sep 2, 2024 · 5 comments · May be fixed by #574
Assignees: none

Labels:
  • area/auth (App authentication related issues)
  • good first issue (Up for grabs)
  • hacktoberfest (Issues good for hacktoberfest goal)
  • scope/backend (Related to backend changes)
  • status/triage/completed (Automatic triage completed)
  • type/enhancement (An enhancement/improvement to an already existing feature)

Comments


PhilGrayson-flutterint commented Sep 2, 2024

Issue submitter TODO list

  • I've searched for already existing issues here
  • I'm running a supported version of the application, which is listed here, and the feature is not present there

Is your proposal related to a problem?

No response

Describe the feature you're interested in

I'd like to be able to define a custom Access-Control-Allow-Origin header value, in order to restrict other websites from accessing my deployment of the Kafka-UI APIs.

The header value is currently hardcoded to * in CorsGlobalConfiguration.java.

It would be nice if this were configurable via Spring properties.

Describe alternatives you've considered

I considered mutating the header at the load balancer level. Unfortunately, I'm using an AWS ALB load balancer and I don't think this feature is supported. At least, not via the Kubernetes ALB ingress controller.

Kafka-UI with oauth2 does prevent cross-origin requests because:

  • Kafka-UI redirects unauthenticated requests to the oauth2 auth provider, and
  • browsers do not send authentication details cross-origin because the Access-Control-Allow-Credentials header is not set.

But as a defense-in-depth approach, it would still be good to control the value of Access-Control-Allow-Origin header.

Version you're running

8c70126

Additional context

No response

@PhilGrayson-flutterint PhilGrayson-flutterint added status/triage Issues pending maintainers triage type/feature A brand new feature labels Sep 2, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Sep 2, 2024

github-actions bot commented Sep 2, 2024

Hi PhilGrayson-flutterint! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues (see the sponsorship link).

If you plan to raise a PR for this issue, please take a look at our contributing guide.

@Haarolean Haarolean added good first issue Up for grabs type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes area/auth App authentication related issues and removed type/feature A brand new feature status/triage/manual Manual triage in progress labels Sep 3, 2024
@Haarolean Haarolean moved this to Todo in Up for grabs Sep 3, 2024

aditya-baldwa commented Sep 28, 2024

Hey @Haarolean! I went through the problem statement, and I believe it's an important enhancement for controlling access via CORS. I'm really interested in contributing a solution here. Instead of hardcoding the value of Access-Control-Allow-Origin, we could use the @Value annotation to dynamically fetch the value from a configuration property, making it more flexible. I'm new to contributing to open source; any guidance would be helpful here!

Haarolean (Member) commented

@aditya-baldwa sure, please. Instead of using a bunch of @Value annotations, let's introduce a new configuration class with the @ConfigurationProperties annotation which will hold all CORS-related properties.

@Haarolean Haarolean moved this from Todo to In Development in Up for grabs Sep 29, 2024
aditya-baldwa commented

@Haarolean Thank you for the feedback! I'll implement the solution using a new configuration class with @ConfigurationProperties to manage the CORS-related settings. I'll make sure the CORS properties are dynamic and configurable through the application properties file.

I'll proceed with this approach and submit a PR soon. Any other guidance or details you'd like me to keep in mind would be appreciated!
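For readers who want to see what the approach agreed in this thread looks like end to end (a @ConfigurationProperties class holding every CORS setting, replacing the hardcoded `*` from the original request), here is an added example. It is not Kafka-UI's code and not the linked PR; the property prefix `cors`, the class and field names, and the WebFlux `WebFilter` shape are assumptions for illustration. The security-relevant points it demonstrates: the deployment is closed by default (no origins configured means no CORS headers), an unlisted `Origin` is never echoed back, `*` and `Access-Control-Allow-Credentials: true` cannot be combined, and `Vary: Origin` is set so shared caches do not serve one origin's headers to another.

```java
package example.cors; // hypothetical package, not Kafka-UI's

import java.util.List;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
@EnableConfigurationProperties(ConfigurableCorsConfiguration.CorsProperties.class)
public class ConfigurableCorsConfiguration {

  /**
   * All CORS settings in one place, bound from the assumed "cors" prefix, e.g. in application.yml:
   *   cors.allowed-origins: https://kafka-ui.example.com,https://ops.example.com
   *   cors.allow-credentials: false
   * Closed by default: with no origins configured, no CORS headers are emitted at all.
   */
  @ConfigurationProperties(prefix = "cors")
  public static class CorsProperties {
    private List<String> allowedOrigins = List.of();
    private List<String> allowedMethods = List.of("GET", "PUT", "POST", "DELETE", "OPTIONS");
    private List<String> allowedHeaders = List.of("Content-Type");
    private boolean allowCredentials = false;
    private long maxAge = 3600;

    public List<String> getAllowedOrigins() { return allowedOrigins; }
    public void setAllowedOrigins(List<String> v) { allowedOrigins = v; }
    public List<String> getAllowedMethods() { return allowedMethods; }
    public void setAllowedMethods(List<String> v) { allowedMethods = v; }
    public List<String> getAllowedHeaders() { return allowedHeaders; }
    public void setAllowedHeaders(List<String> v) { allowedHeaders = v; }
    public boolean isAllowCredentials() { return allowCredentials; }
    public void setAllowCredentials(boolean v) { allowCredentials = v; }
    public long getMaxAge() { return maxAge; }
    public void setMaxAge(long v) { maxAge = v; }
  }

  /** Value to send in Access-Control-Allow-Origin for a request Origin, or null if the origin is not allowed. */
  static String resolveAllowedOrigin(String origin, CorsProperties props) {
    if (origin == null) return null;                          // no Origin header: not a CORS request
    if (props.getAllowedOrigins().contains("*")) return "*";  // explicit wildcard, valid only without credentials
    // Exact, case-sensitive match on the serialized origin (scheme://host[:port]).
    // Never echo an unlisted Origin back: reflecting arbitrary origins is the classic CORS misconfiguration.
    return props.getAllowedOrigins().contains(origin) ? origin : null;
  }

  @Bean
  public WebFilter corsFilter(CorsProperties props) {
    // Browsers reject "*" combined with credentials anyway; fail loudly at startup instead of silently.
    if (props.isAllowCredentials() && props.getAllowedOrigins().contains("*")) {
      throw new IllegalStateException("cors.allowed-origins=* cannot be combined with cors.allow-credentials=true");
    }
    List<HttpMethod> methods = props.getAllowedMethods().stream().map(HttpMethod::valueOf).toList();

    return (exchange, chain) -> {
      ServerHttpRequest request = exchange.getRequest();
      ServerHttpResponse response = exchange.getResponse();
      HttpHeaders headers = response.getHeaders();
      String origin = request.getHeaders().getOrigin();
      boolean preflight = request.getMethod() == HttpMethod.OPTIONS
          && request.getHeaders().getAccessControlRequestMethod() != null;

      String allowed = resolveAllowedOrigin(origin, props);
      if (allowed != null) {
        headers.setAccessControlAllowOrigin(allowed);
        headers.setAccessControlAllowMethods(methods);
        headers.setAccessControlAllowHeaders(props.getAllowedHeaders());
        headers.setAccessControlMaxAge(props.getMaxAge());
        if (props.isAllowCredentials()) headers.setAccessControlAllowCredentials(true);
      }
      if (origin != null) {
        headers.add(HttpHeaders.VARY, HttpHeaders.ORIGIN); // the response depends on Origin; tell caches so
      }
      if (preflight) {
        // Answer preflights here. Allowed origins got the headers above; others get only a status, no CORS headers,
        // so the browser refuses the actual request.
        response.setStatusCode(allowed != null ? HttpStatus.NO_CONTENT : HttpStatus.FORBIDDEN);
        return Mono.empty();
      }
      return chain.filter(exchange);
    };
  }
}
```

Two deployment notes follow from the thread itself. First, the current `*` behaviour is still reachable by setting `cors.allowed-origins=*`, so an upgrade does not have to break existing cross-origin users, but the default is now closed. Second, the oauth2 argument in the original report holds only as long as `allow-credentials` stays false; once an operator turns it on for a listed origin, the browser will attach the session cookie to cross-origin requests from that origin, so the allow-list must then contain only origins the operator fully trusts.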

@Haarolean Haarolean added the hacktoberfest Issues good for hacktoberfest goal label Oct 4, 2024
aditya-baldwa added a commit to aditya-baldwa/kafka-ui that referenced this issue Oct 5, 2024
@Haarolean Haarolean linked a pull request (13 tasks) Oct 9, 2024 that will close this issue
@Haarolean Haarolean moved this from In Development to In Review in Up for grabs Oct 9, 2024
aditya-baldwa commented

Hey @Haarolean, a friendly follow-up here. How are we progressing with the review of the PR?

Project status: In Review
3 participants