fix: check allowed origins for websocket subscription

fixes #941

Author: oliemansm

gradle.properties

@@ -16,7 +16,7 @@
 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 # FROM, OUT OF OR IN CONNECTION WITH THE  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-version=15.0.1-SNAPSHOT
+version=15.1.0-SNAPSHOT
 ### Project Metadata
 group=com.graphql-java-kickstart
 PROJECT_NAME=graphql-spring-boot
@@ -32,7 +32,7 @@ TARGET_COMPATIBILITY=17
 LIB_GRAPHQL_JAVA_VER=20.1
 LIB_EXTENDED_SCALARS_VER=19.1
 LIB_SPRING_BOOT_VER=3.0.5
-LIB_GRAPHQL_SERVLET_VER=15.0.0
+LIB_GRAPHQL_SERVLET_VER=15.1.0-SNAPSHOT
 LIB_GRAPHQL_JAVA_TOOLS_VER=13.0.3
 LIB_GRAPHQL_ANNOTATIONS_VER=9.1
 LIB_REFLECTIONS_VER=0.10.2

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLSubscriptionWebsocketProperties.java

@@ -1,5 +1,8 @@
 package graphql.kickstart.autoconfigure.web.servlet;
 
+import static java.util.Collections.emptyList;
+
+import java.util.List;
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
@@ -8,4 +11,5 @@
 class GraphQLSubscriptionWebsocketProperties {
 
   private String path = "/subscriptions";
+  private List<String> allowedOrigins = emptyList();
 }

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWebsocketAutoConfiguration.java

@@ -35,7 +35,6 @@
 @ConditionalOnWebApplication(type = Type.SERVLET)
 @ConditionalOnClass({DispatcherServlet.class, ServerEndpointRegistration.class})
 @Conditional(OnSchemaOrSchemaProviderBean.class)
-@SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
 @ConditionalOnProperty(
     value = "graphql.servlet.websocket.enabled",
     havingValue = "true",
@@ -63,7 +62,11 @@ public GraphQLWebsocketServlet graphQLWebsocketServlet(
     }
     keepAliveListener().ifPresent(listeners::add);
     return new GraphQLWebsocketServlet(
-        graphQLInvoker, invocationInputFactory, graphQLObjectMapper, listeners);
+        graphQLInvoker,
+        invocationInputFactory,
+        graphQLObjectMapper,
+        listeners,
+        websocketProperties.getAllowedOrigins());
   }
 
   private Optional<SubscriptionConnectionListener> keepAliveListener() {

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWsServerEndpointRegistration.java

@@ -18,6 +18,11 @@ public GraphQLWsServerEndpointRegistration(String path, GraphQLWebsocketServlet
     this.servlet = servlet;
   }
 
+  @Override
+  public boolean checkOrigin(String originHeaderValue) {
+    return servlet.checkOrigin(originHeaderValue);
+  }
+
   @Override
   public void modifyHandshake(
       ServerEndpointConfig sec, HandshakeRequest request, HandshakeResponse response) {