Address code review: trim CORS origins, validate sort fields, add JWT logging, explain CSRF disablement

Copilot · vitorhugo-java · web-flow · commit 2051f771cccc · 2026-04-13T14:46:09.000Z
Agent-Logs-Url: https://github.com/vitorhugo-java/SpringBoot-JobApplyTracker/sessions/d4ef3360-4360-4e5e-8c1d-ad3f70c38ed2 Co-authored-by: vitorhugo-java <65777252+vitorhugo-java@users.noreply.github.com>
diff --git a/backend/src/main/java/com/jobtracker/config/CorsConfig.java b/backend/src/main/java/com/jobtracker/config/CorsConfig.java
@@ -7,6 +7,7 @@
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
+import java.util.Arrays;
 import java.util.List;
 
 @Configuration
@@ -18,7 +19,10 @@ public class CorsConfig {
     @Bean
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOriginPatterns(List.of(allowedOrigins.split(",")));
+        List<String> origins = Arrays.stream(allowedOrigins.split(","))
+                .map(String::trim)
+                .toList();
+        configuration.setAllowedOriginPatterns(origins);
         configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
         configuration.setAllowedHeaders(List.of("*"));
         configuration.setAllowCredentials(true);
diff --git a/backend/src/main/java/com/jobtracker/config/JwtAuthenticationFilter.java b/backend/src/main/java/com/jobtracker/config/JwtAuthenticationFilter.java
@@ -5,6 +5,8 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -17,6 +19,8 @@
 @Component
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
+    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
+
     private final JwtService jwtService;
     private final UserRepository userRepository;
 
@@ -52,7 +56,8 @@ protected void doFilterInternal(HttpServletRequest request,
                 }
             }
         } catch (Exception e) {
-            // Invalid JWT token, continue without authentication
+            // Log invalid JWT token at debug level and continue without authentication
+            log.debug("JWT authentication failed: {}", e.getMessage());
         }
 
         filterChain.doFilter(request, response);
diff --git a/backend/src/main/java/com/jobtracker/config/SecurityConfig.java b/backend/src/main/java/com/jobtracker/config/SecurityConfig.java
@@ -28,7 +28,7 @@ public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter, CorsConfi
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
                 .cors(cors -> cors.configurationSource(corsConfig.corsConfigurationSource()))
-                .csrf(AbstractHttpConfigurer::disable)
+                .csrf(AbstractHttpConfigurer::disable) // CSRF protection disabled for stateless JWT REST API
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
diff --git a/backend/src/main/java/com/jobtracker/service/ApplicationService.java b/backend/src/main/java/com/jobtracker/service/ApplicationService.java
@@ -21,10 +21,16 @@
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 
 @Service
 public class ApplicationService {
 
+    private static final Set<String> ALLOWED_SORT_FIELDS = Set.of(
+            "createdAt", "updatedAt", "applicationDate", "status",
+            "vacancyName", "recruiterName", "nextStepDateTime"
+    );
+
     private final ApplicationRepository applicationRepository;
     private final ApplicationMapper applicationMapper;
     private final SecurityUtils securityUtils;
@@ -156,6 +162,10 @@ private Sort buildSort(String sort) {
         }
         String[] parts = sort.split(",");
         String field = parts[0].trim();
+        if (!ALLOWED_SORT_FIELDS.contains(field)) {
+            throw new BadRequestException("Invalid sort field: " + field +
+                    ". Allowed fields: " + ALLOWED_SORT_FIELDS);
+        }
         Sort.Direction direction = parts.length > 1 && parts[1].trim().equalsIgnoreCase("asc")
                 ? Sort.Direction.ASC : Sort.Direction.DESC;
         return Sort.by(direction, field);
