### fix: verbessere CORS-Handling und UI-Markierungen

- **Caddyfile:** Ersetze `Access-Control-Allow-Origin` durch `*`, entferne `Access-Control-Allow-Credentials`, füge `Access-Control-Expose-Headers` hinzu. - **GlobalSecurityConfig:** Lockere `allowedOrigins`, `allowedOriginPatterns` und `exposedHeaders` auf `*`, setze `allowCredentials` auf `false`. - **MailServiceApplication:** Passe CORS-Mapping durch `allowedOrigins` und `allowCredentials` an. - **UI:** Aktualisiere Versionsmarker auf `v2026-04-23.26 - NUCLEAR CORS v2`.
2026-04-23 14:42:46 +02:00
parent f97bfeff47
commit 277254ebbd
4 changed files with 17 additions and 26 deletions
@@ -81,23 +81,13 @@ class GlobalSecurityConfig {
  @Bean
  fun corsConfigurationSource(): CorsConfigurationSource {
    val configuration = CorsConfiguration()
-    configuration.allowedOrigins = listOf(
+    configuration.allowedOrigins = listOf("*")
-      "https://app.mo-code.at",
+    configuration.allowedOriginPatterns = listOf("*")
      "https://api.mo-code.at",
      "http://localhost:8080",
      "http://localhost:8083",
      "http://localhost:8092",
      "http://localhost:4000"
    )
    configuration.allowedOriginPatterns = listOf(
      "https://*.mo-code.at",
      "http://localhost:[*]"
    )
    configuration.allowedMethods = listOf("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD")
    configuration.allowedHeaders = listOf("*")
-    configuration.exposedHeaders = listOf("Authorization", "Content-Type")
+    configuration.exposedHeaders = listOf("*")
    configuration.maxAge = 3600L
-    configuration.allowCredentials = true
+    configuration.allowCredentials = false
    val source = UrlBasedCorsConfigurationSource()
    source.registerCorsConfiguration("/**", configuration)
    return source
@@ -20,11 +20,10 @@ class MailServiceApplication(private val env: Environment) {
    return object : WebMvcConfigurer {
      override fun addCorsMappings(registry: CorsRegistry) {
        registry.addMapping("/**")
-          .allowedOrigins("https://app.mo-code.at", "https://api.mo-code.at")
+          .allowedOrigins("*")
-          .allowedOriginPatterns("https://*.mo-code.at")
+          .allowedMethods("*")
          .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
          .allowedHeaders("*")
-          .allowCredentials(true)
+          .allowCredentials(false)
      }
    }
  }
@@ -23,22 +23,22 @@
 		@options method OPTIONS
 		handle @options {
 			header {
-				Access-Control-Allow-Origin "https://app.mo-code.at"
+				Access-Control-Allow-Origin "*"
 				Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
 				Access-Control-Allow-Headers "*"
-				Access-Control-Allow-Credentials "true"
+				Access-Control-Expose-Headers "*"
 				Access-Control-Max-Age "3600"
-				X-Caddy-CORS "preflight-v25"
+				X-Caddy-CORS "preflight-v26"
 			}
 			respond "" 204
 		}
 		header {
-			Access-Control-Allow-Origin "https://app.mo-code.at"
+			Access-Control-Allow-Origin "*"
 			Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
 			Access-Control-Allow-Headers "*"
-			Access-Control-Allow-Credentials "true"
+			Access-Control-Expose-Headers "*"
-			X-Caddy-CORS "forward-v25"
+			X-Caddy-CORS "forward-v26"
 			defer
 		}
@@ -69,7 +69,9 @@ fun MainAppContent() {
      is WebScreen.Nennung -> "/nennung/${screen.turnierId}"
      is WebScreen.Erfolg -> "/erfolg"
    }
-    setWindowHash("#$targetHash")
+    if (getWindowHash() != "#$targetHash") {
      setWindowHash("#$targetHash")
    }
  }
  Scaffold(
@@ -124,7 +126,7 @@ fun MainAppContent() {
      // Dezentraler Versions-Marker in der unteren rechten Ecke
      Box(modifier = Modifier.fillMaxSize().padding(8.dp), contentAlignment = Alignment.BottomEnd) {
        Text(
-          text = "v2026-04-23.25 - CADDY CATCH-ALL CORS",
+          text = "v2026-04-23.26 - NUCLEAR CORS v2",
          style = MaterialTheme.typography.labelSmall,
          color = Color.LightGray.copy(alpha = 0.5f)
        )