kafbat / kafka-ui

Open-Source Web UI for managing Apache Kafka clusters
http://ui.docs.kafbat.io
Apache License 2.0
625 stars, 81 forks

Allow configuring Access-Control-Allow-Origin header #535

Open PhilGrayson-flutterint opened 2 months ago

PhilGrayson-flutterint commented 2 months ago


Is your proposal related to a problem?

No response

Describe the feature you're interested in

I'd like to be able to define a custom Access-Control-Allow-Origin header value, in order to restrict other websites from accessing my deployment of Kafka-UI APIs.

The header value is currently hardcoded to * in CorsGlobalConfiguration.java.

It'll be nice if this was configurable via spring properties.

Describe alternatives you've considered

I considered mutating the header at the load balancer level. Unfortunately, I'm using an AWS ALB load balancer and I don't think this feature is supported. At least, not via the Kubernetes ALB ingress controller.

Kafka-UI with oauth2 does prevent cross-origin requests because;

But as a defense-in-depth approach, it would still be good to control the value of Access-Control-Allow-Origin header.

Version you're running

8c70126

Additional context

No response

github-actions[bot] commented 2 months ago

Hi PhilGrayson-flutterint! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

aditya-baldwa commented 1 month ago

Hey @Haarolean! I went through the problem statement, and I believe it's an important enhancement for controlling access via CORS. I'm really interested in contributing a solution here. Instead of hardcoding the value of Access-Control-Allow-Origin, we could use the @Value annotation to dynamically fetch the value from a configuration property, making it more flexible. I'm new to contributing to open source; any guidance will be helpful here!

Haarolean commented 1 month ago

@aditya-baldwa sure, please. Instead of using a bunch of @Value annotations, let's introduce a new configuration class with the @ConfigurationProperties annotation which will hold all CORS-related properties.

aditya-baldwa commented 1 month ago

@Haarolean Thank you for the feedback! I'll implement the solution using a new configuration class with @ConfigurationProperties to manage the CORS-related settings. I'll make sure the CORS properties are dynamic and configurable through the application properties file.

I'll proceed with this approach and submit a PR soon. Any other guidance or details you'd like me to keep in mind would be appreciated!
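The following is an added illustration of the approach discussed above (a `@ConfigurationProperties` class holding the CORS settings, consumed by a WebFlux `WebFilter`); it is not kafka-ui's own code and not the PR under review. The property prefix `kafka-ui.cors`, the class and field names, and the sample `application.yml` values are assumptions. Two points a reviewer would look for: the default grants no cross-origin access at all (so nothing is opened up until an operator lists an origin), and because `Access-Control-Allow-Origin` can carry only one origin or `*`, a multi-origin allowlist is handled by echoing the single matching request origin and adding `Vary: Origin` so caches do not serve one origin's response to another. Note that this header only governs what browsers let other sites read; it does not stop non-browser clients, which is why the existing authentication remains the primary control.

```java
// Added example, not kafka-ui's own code. Assumed property prefix "kafka-ui.cors";
// class and field names are assumptions. Sample application.yml (constructed):
//
//   kafka-ui:
//     cors:
//       allowed-origins:
//         - https://ops.example.com      # exact scheme://host[:port]
//       allowed-methods: [GET, PUT, POST, DELETE, OPTIONS]
//       allowed-headers: [Content-Type]
//       max-age: 3600
package example.cors;

import java.util.List;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
@EnableConfigurationProperties(CorsGlobalConfiguration.CorsProperties.class)
public class CorsGlobalConfiguration {

  // All CORS-related settings live in one bound class instead of scattered @Value fields.
  @ConfigurationProperties(prefix = "kafka-ui.cors")
  public static class CorsProperties {
    // Default: empty list, i.e. no origin is granted cross-origin access until configured.
    private List<String> allowedOrigins = List.of();
    private List<String> allowedMethods = List.of("GET", "PUT", "POST", "DELETE", "OPTIONS");
    private List<String> allowedHeaders = List.of("Content-Type");
    private long maxAge = 3600;

    public List<String> getAllowedOrigins() { return allowedOrigins; }
    public void setAllowedOrigins(List<String> v) { allowedOrigins = v; }
    public List<String> getAllowedMethods() { return allowedMethods; }
    public void setAllowedMethods(List<String> v) { allowedMethods = v; }
    public List<String> getAllowedHeaders() { return allowedHeaders; }
    public void setAllowedHeaders(List<String> v) { allowedHeaders = v; }
    public long getMaxAge() { return maxAge; }
    public void setMaxAge(long v) { maxAge = v; }
  }

  @Bean
  public WebFilter corsFilter(CorsProperties props) {
    return (exchange, chain) -> {
      ServerHttpRequest request = exchange.getRequest();
      ServerHttpResponse response = exchange.getResponse();
      String origin = request.getHeaders().getOrigin();

      // Same-origin and non-browser requests carry no Origin header: nothing to add.
      if (origin != null) {
        String allowed = null;
        if (props.getAllowedOrigins().contains(origin)) {
          allowed = origin;               // echo the one matching origin
        } else if (props.getAllowedOrigins().contains("*")) {
          allowed = "*";                  // wildcard only when an operator opts in explicitly
        }
        if (allowed != null) {
          HttpHeaders headers = response.getHeaders();
          headers.set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, allowed);
          headers.set(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS,
              String.join(", ", props.getAllowedMethods()));
          headers.set(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS,
              String.join(", ", props.getAllowedHeaders()));
          headers.set(HttpHeaders.ACCESS_CONTROL_MAX_AGE, Long.toString(props.getMaxAge()));
          // The response now depends on the request Origin; tell caches so.
          headers.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
        }
      }

      // Answer preflight requests directly. A preflight from an origin that is not
      // allowed gets a 200 without CORS headers, which the browser treats as a failure.
      boolean preflight = request.getMethod() == HttpMethod.OPTIONS
          && request.getHeaders().getAccessControlRequestMethod() != null;
      if (preflight) {
        response.setStatusCode(HttpStatus.OK);
        return Mono.empty();
      }
      return chain.filter(exchange);
    };
  }
}
```

With the empty default, a deployment that never sets `kafka-ui.cors.allowed-origins` behaves as if CORS were disabled, which is the safer starting point compared with the hardcoded `*` the issue describes; operators who actually need cross-origin API access list their origins explicitly.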

aditya-baldwa commented 1 day ago

Hey @Haarolean, a friendly follow-up here. How are we progressing with the review of the PR?