From 7ed38529b5c6a9b9e87de7a168d15594d1db08f5 Mon Sep 17 00:00:00 2001
From: Lucas Aguiar
Date: Fri, 2 Jan 2026 10:34:19 -0300
Subject: [PATCH] refactor(security): centralize CORS configuration

- Move CORS config from controllers to SecurityConfig
- Add corsConfigurationSource bean with global settings
- Remove @CrossOrigin annotations from all controllers
- Configure maxAge for preflight caching optimization
---
 .../adapter/controller/MailController.java | 2 --
 .../controller/auth/AuthController.java | 1 -
 .../controller/comment/CommentController.java | 1 -
 .../controller/flame/FlameController.java | 1 -
 .../controller/note/NoteController.java | 1 -
 .../notification/NotificationController.java | 6 +++--
 .../controller/payment/PaymentController.java | 1 -
 .../controller/reply/ReplyController.java | 1 -
 .../controller/user/UserController.java | 1 -
 .../infra/security/SecurityConfig.java | 22 ++++++++++++++++++-
 10 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/main/java/br/com/notehub/adapter/controller/MailController.java b/src/main/java/br/com/notehub/adapter/controller/MailController.java
index a246c9f..c7f0ae6 100644
--- a/src/main/java/br/com/notehub/adapter/controller/MailController.java
+++ b/src/main/java/br/com/notehub/adapter/controller/MailController.java
@@ -9,7 +9,6 @@
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -17,7 +16,6 @@
 import java.util.Objects;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @Hidden
 @RequestMapping("/api/v1/mail")
 @RequiredArgsConstructor
diff --git a/src/main/java/br/com/notehub/application/controller/auth/AuthController.java b/src/main/java/br/com/notehub/application/controller/auth/AuthController.java
index 94868c8..1a01298 100644
--- a/src/main/java/br/com/notehub/application/controller/auth/AuthController.java
+++ b/src/main/java/br/com/notehub/application/controller/auth/AuthController.java
@@ -25,7 +25,6 @@
 import org.springframework.web.bind.annotation.*;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/auth")
 @Tag(name = "Auth Controller", description = "Endpoints for authentication and authorization")
 @RequiredArgsConstructor
diff --git a/src/main/java/br/com/notehub/application/controller/comment/CommentController.java b/src/main/java/br/com/notehub/application/controller/comment/CommentController.java
index cd2fc95..e96dec4 100644
--- a/src/main/java/br/com/notehub/application/controller/comment/CommentController.java
+++ b/src/main/java/br/com/notehub/application/controller/comment/CommentController.java
@@ -26,7 +26,6 @@
 import java.util.UUID;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/notes")
 @SecurityRequirement(name = "bearer-key")
 @Tag(name = "Comment Controller", description = "Endpoints for managing comments")
diff --git a/src/main/java/br/com/notehub/application/controller/flame/FlameController.java b/src/main/java/br/com/notehub/application/controller/flame/FlameController.java
index 4b8ae82..ec7c08b 100644
--- a/src/main/java/br/com/notehub/application/controller/flame/FlameController.java
+++ b/src/main/java/br/com/notehub/application/controller/flame/FlameController.java
@@ -23,7 +23,6 @@
 import java.util.UUID;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/flames")
 @SecurityRequirement(name = "bearer-key")
 @Tag(name = "Flame Controller", description = "Endpoints for managing user flames")
diff --git a/src/main/java/br/com/notehub/application/controller/note/NoteController.java b/src/main/java/br/com/notehub/application/controller/note/NoteController.java
index dc860df..020e876 100644
--- a/src/main/java/br/com/notehub/application/controller/note/NoteController.java
+++ b/src/main/java/br/com/notehub/application/controller/note/NoteController.java
@@ -28,7 +28,6 @@
 import java.util.UUID;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/notes")
 @SecurityRequirement(name = "bearer-key")
 @Tag(name = "Note Controller", description = "Endpoints for managing notes")
diff --git a/src/main/java/br/com/notehub/application/controller/notification/NotificationController.java b/src/main/java/br/com/notehub/application/controller/notification/NotificationController.java
index d9b07d4..1c0ffc3 100644
--- a/src/main/java/br/com/notehub/application/controller/notification/NotificationController.java
+++ b/src/main/java/br/com/notehub/application/controller/notification/NotificationController.java
@@ -18,12 +18,14 @@
 import org.springframework.data.web.PageableDefault;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 import java.util.UUID;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/notifications")
 @SecurityRequirement(name = "bearer-key")
 @Tag(name = "Notification Controller", description = "Endpoints for managing user notifications, including retrieving and marking notifications as read.")
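Review bot: Narrowing the wildcard import to exactly `GetMapping`, `RequestHeader`, `RequestMapping` and `RestController` only compiles if no other `org.springframework.web.bind.annotation` type is used in the class body, and the `@Tag` description on the last line says this controller also marks notifications as read, which would ordinarily use something like `@PatchMapping`/`@PutMapping` and `@PathVariable` that are not imported here. The class body lies outside this hunk, so this is an inference rather than a visible defect; it is worth confirming the file builds rather than assuming the explicit list is complete. Explicit imports are the better style either way, and the `@CrossOrigin` removal matches the other controllers in this commit.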
diff --git a/src/main/java/br/com/notehub/application/controller/payment/PaymentController.java b/src/main/java/br/com/notehub/application/controller/payment/PaymentController.java
index d1c00ed..da5e77d 100644
--- a/src/main/java/br/com/notehub/application/controller/payment/PaymentController.java
+++ b/src/main/java/br/com/notehub/application/controller/payment/PaymentController.java
@@ -23,7 +23,6 @@
 import org.springframework.web.bind.annotation.*;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/payment")
 @Tag(name = "Payment Controller", description = "Endpoints for managing payments")
 @RequiredArgsConstructor
diff --git a/src/main/java/br/com/notehub/application/controller/reply/ReplyController.java b/src/main/java/br/com/notehub/application/controller/reply/ReplyController.java
index 77ba507..3efc43d 100644
--- a/src/main/java/br/com/notehub/application/controller/reply/ReplyController.java
+++ b/src/main/java/br/com/notehub/application/controller/reply/ReplyController.java
@@ -26,7 +26,6 @@
 import java.util.UUID;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/notes/comments")
 @SecurityRequirement(name = "bearer-key")
 @Tag(name = "Reply Controller", description = "Endpoints for managing replies")
diff --git a/src/main/java/br/com/notehub/application/controller/user/UserController.java b/src/main/java/br/com/notehub/application/controller/user/UserController.java
index 17aefd5..c9c0524 100644
--- a/src/main/java/br/com/notehub/application/controller/user/UserController.java
+++ b/src/main/java/br/com/notehub/application/controller/user/UserController.java
@@ -38,7 +38,6 @@
 import java.util.UUID;
 
 @RestController
-@CrossOrigin(origins = {"https://notehub.com.br"})
 @RequestMapping("/api/v1/users")
 @SecurityRequirement(name = "bearer-key")
 @Tag(name = "User Controller", description = "Endpoints for managing users")
diff --git a/src/main/java/br/com/notehub/infra/security/SecurityConfig.java b/src/main/java/br/com/notehub/infra/security/SecurityConfig.java
index f4f4f75..22eb26e 100644
--- a/src/main/java/br/com/notehub/infra/security/SecurityConfig.java
+++ b/src/main/java/br/com/notehub/infra/security/SecurityConfig.java
@@ -13,6 +13,11 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.Arrays;
 
 @Configuration
 @EnableWebSecurity
@@ -53,7 +58,9 @@ public class SecurityConfig {
 
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- return http.csrf(csrf -> csrf.disable())
+ return http
+ .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+ .csrf(csrf -> csrf.disable())
 .headers(httpSecurityHeadersConfigurer -> httpSecurityHeadersConfigurer.frameOptions(frameOptionsConfig -> frameOptionsConfig.disable()))
 .sessionManagement((sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)))
 .authorizeHttpRequests(req -> {
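Review bot: `.cors(cors -> cors.configurationSource(corsConfigurationSource()))` calls the `@Bean` method directly, which only yields the container-managed singleton because `@Configuration` proxies bean methods by default; if `proxyBeanMethods = false` is ever set on this class it silently becomes a second, unmanaged `CorsConfigurationSource`. `.cors(Customizer.withDefaults())` resolves the bean from the context instead and makes the dependency explicit (one added import, `org.springframework.security.config.Customizer`). Since `csrf.disable()` now sits directly after a CORS policy that, in this same commit, sends `Access-Control-Allow-Credentials: true`, the line deserves a comment recording the assumption that keeps that pairing safe, e.g. `// CSRF disabled: stateless API, bearer token in the Authorization header, no cookie-based auth` — worded as a fact only if the front end really sends no cookies. `securityFilterChain()` continues past the end of this hunk, so the `authorizeHttpRequests` rules were not reviewed here.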
@@ -78,4 +85,17 @@ public PasswordEncoder passwordEncoder() {
 return new BCryptPasswordEncoder();
 }
 
+ @Bean
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration config = new CorsConfiguration();
+ config.setAllowedOrigins(Arrays.asList("https://notehub.com.br"));
+ config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
+ config.setAllowedHeaders(Arrays.asList("*"));
+ config.setAllowCredentials(true);
+ config.setMaxAge(3600L);
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", config);
+ return source;
+ }
+
 }
\ No newline at end of file
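Review bot: `config.setAllowCredentials(true)` is a behaviour change the commit message does not mention: the removed `@CrossOrigin` annotations left `allowCredentials` unset, which Spring treats as "credentials not supported", so the API now answers cross-origin requests with `Access-Control-Allow-Credentials: true` for the first time. The chain is `STATELESS` and the controllers declare `@SecurityRequirement(name = "bearer-key")`, so the token presumably travels in the `Authorization` header and needs no credentialed CORS; the flag only matters if the front end sends cookies, and with `csrf.disable()` in the same class that combination should be a deliberate, commented decision rather than a default. Paired with `setAllowedHeaders(Arrays.asList("*"))` Spring reflects whatever headers the preflight asks for instead of a fixed allow-list; naming `Authorization` and `Content-Type` (plus any custom header the client actually uses) is tighter and just as convenient. The origin is also hard-coded while `MailController` already injects settings via `@Value`; a property with the production origin as default keeps dev/staging origins out of source and out of production. The sketch below keeps the flag as-is but documents it and tightens the rest; `maxAge` and the `UrlBasedCorsConfigurationSource` registration are unchanged.
```java
    @Bean
    public CorsConfigurationSource corsConfigurationSource(
            @Value("${app.cors.allowed-origins:https://notehub.com.br}") List<String> allowedOrigins) {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origins only — never "*" while allowCredentials is true.
        config.setAllowedOrigins(allowedOrigins);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        // Fixed allow-list instead of "*": with credentials enabled Spring would
        // otherwise echo whatever headers the preflight requests.
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        // NOTE(review): credentialed CORS was not enabled by the old @CrossOrigin
        // annotations. Keep true only if the front end sends cookies; a bearer token in
        // Authorization does not need it, and CSRF protection is disabled in this class.
        config.setAllowCredentials(true);
        // … unchanged: maxAge, UrlBasedCorsConfigurationSource registration, return …
```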