fix: cors headers & credentials

api-module/src/main/java/com/likelion/apimodule/security/config/SecurityConfig.java

@@ -1,9 +1,7 @@
 package com.likelion.apimodule.security.config;
 
-import com.likelion.apimodule.security.util.JwtUtil;
 import com.likelion.commonmodule.exception.jwt.JwtAccessDeniedHandler;
 import com.likelion.commonmodule.exception.jwt.JwtAuthenticationEntryPoint;
-import com.likelion.commonmodule.redis.util.RedisUtil;
 import com.likelion.commonmodule.security.config.CorsConfig;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
@@ -17,9 +15,6 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 
-import java.util.Arrays;
-import java.util.stream.Stream;
-
 @Configuration
 @EnableWebSecurity
 @RequiredArgsConstructor
@@ -42,7 +37,8 @@ public BCryptPasswordEncoder bCryptPasswordEncoder() {
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
         http
-                .cors(AbstractHttpConfigurer::disable);
+                .cors(cors -> cors
+                        .configurationSource(CorsConfig.apiConfigurationSource()));
 
         // csrf disable
         http
@@ -62,8 +58,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 //                        .requestMatchers("/swagger-ui/**").permitAll()
 //                        .requestMatchers("/api-docs").permitAll()
 //                        .requestMatchers("/v1/users/login/**").permitAll()
-                        .requestMatchers("/v1/api/**").authenticated()
-                        .anyRequest().permitAll()
+                                .requestMatchers("/v1/api/**").authenticated()
+                                .anyRequest().permitAll()
                 );
 
         // Jwt Filters

common-module/src/main/java/com/likelion/commonmodule/security/config/CorsConfig.java

@@ -2,12 +2,14 @@
 
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
+import org.springframework.http.HttpHeaders;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import java.util.ArrayList;
+import java.util.List;
 
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class CorsConfig implements WebMvcConfigurer {
@@ -22,12 +24,11 @@ public static CorsConfigurationSource apiConfigurationSource() {
         allowedOriginPatterns.add("https://localhost:3000");
         allowedOriginPatterns.add("https://syluv.link");
 
-        ArrayList<String> allowedHttpMethods = new ArrayList<>();
-        allowedHttpMethods.add("GET");
-        allowedHttpMethods.add("POST");
-
         configuration.setAllowedOrigins(allowedOriginPatterns);
-        configuration.setAllowedMethods(allowedHttpMethods);
+        configuration.setAllowedMethods(List.of("HEAD", "POST", "GET", "DELETE", "PUT", "OPTIONS", "PATCH"));
+        configuration.setAllowedHeaders(List.of("*"));
+        configuration.setAllowCredentials(true);
+        configuration.setExposedHeaders(List.of(HttpHeaders.LOCATION, HttpHeaders.SET_COOKIE));
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);