Add CORS management to admin frontend

gameyfin/src/main/frontend/components/administration/SystemManagement.tsx

@@ -1,11 +1,26 @@
-import React from "react";
+import React, {useEffect} from "react";
 import {SystemEndpoint} from "Frontend/generated/endpoints";
 import withConfigPage from "Frontend/components/administration/withConfigPage";
 import {Button} from "@heroui/react";
+import ConfigFormField from "Frontend/components/administration/ConfigFormField";
+import Section from "Frontend/components/general/Section";
+
+function SystemManagementLayout({getConfig, formik, setSaveMessage}: any) {
+
+    useEffect(() => {
+        if (formik.dirty && (formik.initialValues.system.cors["allowed-origins"] !== formik.values.system.cors["allowed-origins"])) {
+            setSaveMessage("Gameyfin must be restarted for the changes to take effect");
+        } else {
+            setSaveMessage(null);
+        }
+    }, [formik.dirty]);
 
-function SystemManagementLayout() {
     return (
         <div className="flex flex-col mt-4">
+            <Section title="Security configuration"/>
+            <ConfigFormField configElement={getConfig("system.cors.allowed-origins")}/>
+
+            <Section title="Restart Gameyfin"/>
             <Button onPress={() => SystemEndpoint.restart()}>Restart</Button>
         </div>
     );

gameyfin/src/main/kotlin/de/grimsi/gameyfin/config/ConfigProperties.kt

@@ -242,6 +242,18 @@ sealed class ConfigProperties<T : Serializable>(
             )
         }
     }
+
+    /** System */
+    sealed class System {
+        sealed class Cors {
+            data object AllowedOrigins : ConfigProperties<Array<String>>(
+                Array<String>::class,
+                "system.cors.allowed-origins",
+                "List of allowed CORS origins",
+                emptyArray()
+            )
+        }
+    }
 }
 
 enum class MatchUsersBy {

gameyfin/src/main/kotlin/de/grimsi/gameyfin/core/security/SecurityConfig.kt

@@ -19,6 +19,8 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository
 import org.springframework.security.oauth2.core.AuthorizationGrantType
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler
+import org.springframework.web.cors.CorsConfiguration
+
 
 @Configuration
 @EnableWebSecurity
@@ -33,6 +35,7 @@ class SecurityConfig(
 
     @Throws(Exception::class)
     override fun configure(http: HttpSecurity) {
+
         // Configure your static resources with public access before calling super.configure(HttpSecurity) as it adds final anyRequest matcher
         http.authorizeHttpRequests { auth: AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry ->
             auth.requestMatchers("/setup").permitAll()
@@ -49,6 +52,14 @@ class SecurityConfig(
                 .sessionRegistry(sessionRegistry)
         }
 
+        http.cors { cors ->
+            cors.configurationSource { request ->
+                val configuration = CorsConfiguration()
+                configuration.allowedOrigins = config.get(ConfigProperties.System.Cors.AllowedOrigins)?.toList()
+                configuration
+            }
+        }
+
         super.configure(http)
 
         if (config.get(ConfigProperties.SSO.OIDC.Enabled) == true) {