Fix CORS configuration error - wildcard origins with credentials

Dang · Dang · commit 359f79b50d70 · 2025-10-19T14:05:47.000+07:00
Fixed InvalidOperationException: CORS protocol does not allow wildcard origins with credentials
- Updated CORS policy to handle wildcard vs specific origins properly
- Wildcard origins: AllowAnyOrigin() without credentials
- Specific origins: WithOrigins() with credentials enabled
- Added logging to show which CORS policy is being used
- Updated Docker and Production configs with specific origins
- Application should now start successfully in Docker containers
diff --git a/VehicleShowroomManagement/src/WebAPI/Program.cs b/VehicleShowroomManagement/src/WebAPI/Program.cs
@@ -178,10 +178,27 @@
 {
     options.AddPolicy("AllowFE", policy =>
     {
-        policy.WithOrigins(builder.Configuration["Cors:Origins"]?.Split(';', StringSplitOptions.RemoveEmptyEntries) ?? ["http://localhost:3000"])
-              .AllowAnyMethod()
-              .AllowAnyHeader()
-              .AllowCredentials();
+        var origins = builder.Configuration["Cors:Origins"]?.Split(';', StringSplitOptions.RemoveEmptyEntries) ?? ["http://localhost:3000"];
+        
+        Log.Information("CORS Origins configured: {Origins}", string.Join(", ", origins));
+        
+        if (origins.Contains("*"))
+        {
+            // For wildcard origins, don't allow credentials
+            Log.Information("Using wildcard CORS policy (no credentials)");
+            policy.AllowAnyOrigin()
+                  .AllowAnyMethod()
+                  .AllowAnyHeader();
+        }
+        else
+        {
+            // For specific origins, allow credentials
+            Log.Information("Using specific origins CORS policy (with credentials)");
+            policy.WithOrigins(origins)
+                  .AllowAnyMethod()
+                  .AllowAnyHeader()
+                  .AllowCredentials();
+        }
     });
 });
 
diff --git a/VehicleShowroomManagement/src/WebAPI/appsettings.Docker.json b/VehicleShowroomManagement/src/WebAPI/appsettings.Docker.json
@@ -16,7 +16,7 @@
     }
   },
   "Cors": {
-    "Origins": "*"
+    "Origins": "http://localhost:3000;http://localhost:3001;http://localhost:8080;http://localhost:8081"
   },
   "Kestrel": {
     "Endpoints": {
diff --git a/VehicleShowroomManagement/src/WebAPI/appsettings.Production.json b/VehicleShowroomManagement/src/WebAPI/appsettings.Production.json
@@ -15,6 +15,6 @@
     }
   },
   "Cors": {
-    "Origins": "*"
+    "Origins": "https://yourdomain.com;https://www.yourdomain.com"
   }
 }
diff --git a/VehicleShowroomManagement/src/WebAPI/obj/Debug/net8.0/apphost.exe b/VehicleShowroomManagement/src/WebAPI/obj/Debug/net8.0/apphost.exe

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`}`
`17`	`17`	`},`
`18`	`18`	`"Cors": {`
`19`		`- "Origins": "*"`
	`19`	`+ "Origins": "http://localhost:3000;http://localhost:3001;http://localhost:8080;http://localhost:8081"`
`20`	`20`	`},`
`21`	`21`	`"Kestrel": {`
`22`	`22`	`"Endpoints": {`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,6 @@`
`15`	`15`	`}`
`16`	`16`	`},`
`17`	`17`	`"Cors": {`
`18`		`- "Origins": "*"`
	`18`	`+ "Origins": "https://yourdomain.com;https://www.yourdomain.com"`
`19`	`19`	`}`
`20`	`20`	`}`