feat: improve check origin functionality

Author: oliemansm

.github/workflows/pull-request.yml

@@ -44,16 +44,16 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
-#      - name: Cache Gradle
-#        uses: actions/cache@v3
-#        env:
-#          java-version: ${{ matrix.java }}
-#        with:
-#          path: |
-#            ~/.gradle/caches
-#            ~/.gradle/wrapper
-#          key: ${{ runner.os }}-${{ env.java-version }}-gradle-${{ hashFiles('**/*.gradle*') }}
-#          restore-keys: ${{ runner.os }}-${{ env.java-version }}-gradle-
+      - name: Cache Gradle
+        uses: actions/cache@v3
+        env:
+          java-version: ${{ matrix.java }}
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-${{ env.java-version }}-gradle-${{ hashFiles('**/*.gradle*') }}
+          restore-keys: ${{ runner.os }}-${{ env.java-version }}-gradle-
       - name: Make gradlew executable (non-Windows only)
         if: matrix.os != 'windows-latest'
         run: chmod +x ./gradlew
@@ -94,13 +94,13 @@ jobs:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
-#      - name: Cache Gradle packages
-#        if: env.SONAR_TOKEN != null
-#        uses: actions/cache@v3
-#        with:
-#          path: ~/.gradle/caches
-#          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
-#          restore-keys: ${{ runner.os }}-gradle
+      - name: Cache Gradle packages
+        if: env.SONAR_TOKEN != null
+        uses: actions/cache@v3
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
+          restore-keys: ${{ runner.os }}-gradle
       - name: Build and analyze
         if: env.SONAR_TOKEN != null
         env:

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWebsocketAutoConfiguration.java

@@ -66,8 +66,7 @@ public GraphQLWebsocketServlet graphQLWebsocketServlet(
         graphQLInvoker,
         invocationInputFactory,
         graphQLObjectMapper,
-        listeners,
-        websocketProperties.getAllowedOrigins());
+        listeners);
   }
 
   private Optional<SubscriptionConnectionListener> keepAliveListener() {

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWsServerEndpointRegistration.java

@@ -1,6 +1,8 @@
 package graphql.kickstart.autoconfigure.web.servlet;
 
 import graphql.kickstart.servlet.GraphQLWebsocketServlet;
+import java.util.ArrayList;
+import java.util.List;
 import jakarta.websocket.HandshakeResponse;
 import jakarta.websocket.server.HandshakeRequest;
 import jakarta.websocket.server.ServerEndpointConfig;
@@ -13,19 +15,38 @@
 public class GraphQLWsServerEndpointRegistration extends ServerEndpointRegistration
     implements Lifecycle {
 
+  private static final String ALL = "*";
   private final GraphQLWebsocketServlet servlet;
   private final WsCsrfFilter csrfFilter;
 
   public GraphQLWsServerEndpointRegistration(
-      String path, GraphQLWebsocketServlet servlet, WsCsrfFilter csrfFilter) {
+      String path, GraphQLWebsocketServlet servlet, WsCsrfFilter csrfFilter, List<String> allowedOrigins) {
     super(path, servlet);
     this.servlet = servlet;
+    if (allowedOrigins == null || allowedOrigins.isEmpty()) {
+      this.allowedOrigins = List.of(ALL);
+    } else {
+      this.allowedOrigins = new ArrayList<>(allowedOrigins);
+    }
     this.csrfFilter = csrfFilter;
   }
 
   @Override
   public boolean checkOrigin(String originHeaderValue) {
-    return servlet.checkOrigin(originHeaderValue);
+    if (originHeaderValue == null || originHeaderValue.isBlank()) {
+      return allowedOrigins.contains(ALL);
+    }
+    if (allowedOrigins.contains(ALL)) {
+      return true;
+    }
+    String originToCheck = trimTrailingSlash(originHeaderValue);
+    return allowedOrigins.stream()
+        .map(this::trimTrailingSlash)
+        .anyMatch(originToCheck::equalsIgnoreCase);
+  }
+
+  private String trimTrailingSlash(String origin) {
+    return (origin.endsWith("/") ? origin.substring(0, origin.length() - 1) : origin);
   }
 
   @Override

graphql-spring-boot-autoconfigure/src/test/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWsServerEndpointRegistrationTest.java

@@ -0,0 +1,45 @@
+package graphql.kickstart.autoconfigure.web.servlet;
+
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
+
+import graphql.kickstart.servlet.GraphQLWebsocketServlet;
+import java.util.List;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+@ExtendWith(MockitoExtension.class)
+class GraphQLWsServerEndpointRegistrationTest {
+
+  private static final String PATH = "/subscriptions";
+
+  @Mock private GraphQLWebsocketServlet servlet;
+
+  @ParameterizedTest
+  @CsvSource(value = {"https://trusted.com", "NULL", "' '"}, nullValues = {"NULL"})
+  void givenDefaultAllowedOrigins_whenCheckOrigin_thenReturnTrue(String origin) {
+    var registration = createRegistration();
+    var allowed = registration.checkOrigin("null".equals(origin) ? null : origin);
+    assertThat(allowed).isTrue();
+  }
+
+  private GraphQLWsServerEndpointRegistration createRegistration(String... allowedOrigins) {
+    return new GraphQLWsServerEndpointRegistration(PATH, servlet, List.of(allowedOrigins));
+  }
+
+  @ParameterizedTest(name = "{index} => allowedOrigin=''{0}'', originToCheck=''{1}''")
+  @CsvSource(delimiterString = "|", textBlock = """
+    *                    | https://trusted.com
+    https://trusted.com  | https://trusted.com
+    https://trusted.com/ | https://trusted.com
+    https://trusted.com/ | https://trusted.com/
+    https://trusted.com  | https://trusted.com/
+""")
+  void givenAllowedOrigins_whenCheckOrigin_thenReturnTrue(String allowedOrigin, String originToCheck) {
+    var registration = createRegistration(allowedOrigin);
+    var allowed = registration.checkOrigin(originToCheck);
+    assertThat(allowed).isTrue();
+  }
+}

graphql-spring-boot-test/build.gradle

@@ -17,13 +17,13 @@
  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 dependencies {
-    implementation("org.springframework:spring-web")
-    implementation("org.springframework.boot:spring-boot-starter-test")
-    implementation("com.fasterxml.jackson.core:jackson-databind")
-    implementation("com.jayway.jsonpath:json-path")
+    implementation "org.springframework:spring-web"
+    implementation "org.springframework.boot:spring-boot-starter-test"
+    implementation "com.fasterxml.jackson.core:jackson-databind"
+    implementation "com.jayway.jsonpath:json-path"
     implementation "org.awaitility:awaitility:$LIB_AWAITILITY_VER"
-    compileOnly("com.graphql-java-kickstart:graphql-java-servlet:$LIB_GRAPHQL_SERVLET_VER")
-    testImplementation("org.springframework.boot:spring-boot-starter-web")
+    compileOnly "com.graphql-java-kickstart:graphql-java-servlet:$LIB_GRAPHQL_SERVLET_VER"
+    testImplementation "org.springframework.boot:spring-boot-starter-web"
     testImplementation "org.springframework.boot:spring-boot-starter-websocket"
     testImplementation project(":graphql-spring-boot-starter")
     testImplementation "io.reactivex.rxjava2:rxjava:2.2.21"