infra(bixarena): develop BixArena CDK app for the dev environments (SMR-589) (Sage-Bionetworks#3650)

Author: tschaffter

apps/bixarena/api-gateway/project.json

@@ -51,6 +51,13 @@
         "command": "./gradlew :{projectName}:generateRouteConfig"
       },
       "dependsOn": ["^build"]
+    },
+    "export-image-tarball": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "docker save ghcr.io/sage-bionetworks/{projectName}:local -o /tmp/{projectName}.tar"
+      },
+      "dependsOn": ["build-image"]
     }
   },
   "tags": ["type:service", "scope:backend", "language:java", "package-manager:gradle"],

apps/bixarena/api-gateway/src/main/java/org/sagebionetworks/bixarena/api/gateway/filter/ResponseHeaderLoggingFilter.java

@@ -0,0 +1,77 @@
+package org.sagebionetworks.bixarena.api.gateway.filter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.cloud.gateway.filter.GatewayFilterChain;
+import org.springframework.cloud.gateway.filter.GlobalFilter;
+import org.springframework.core.Ordered;
+import org.springframework.http.HttpHeaders;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+/**
+ * Global filter to log response headers, particularly Set-Cookie headers.
+ *
+ * <p>This filter runs AFTER the response is received from downstream services but BEFORE it's sent
+ * to the client. It helps debug issues with cookie handling and header propagation.
+ *
+ * <p>Order: LOWEST_PRECEDENCE - 1 (runs after most filters but before final response)
+ */
+@Component
+public class ResponseHeaderLoggingFilter implements GlobalFilter, Ordered {
+
+  private static final Logger log = LoggerFactory.getLogger(ResponseHeaderLoggingFilter.class);
+
+  @Override
+  public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
+    String path = exchange.getRequest().getPath().value();
+    String method = exchange.getRequest().getMethod().name();
+
+    // Process the request and log response headers
+    return chain
+        .filter(exchange)
+        .then(
+            Mono.fromRunnable(
+                () -> {
+                  HttpHeaders responseHeaders = exchange.getResponse().getHeaders();
+                  int statusCode = exchange.getResponse().getStatusCode().value();
+
+                  // Log Set-Cookie headers for debugging
+                  if (responseHeaders.containsKey(HttpHeaders.SET_COOKIE)) {
+                    var setCookies = responseHeaders.get(HttpHeaders.SET_COOKIE);
+                    log.debug(
+                        "Response headers for {} {}: status={} Set-Cookie count={}",
+                        method,
+                        path,
+                        statusCode,
+                        setCookies != null ? setCookies.size() : 0);
+                    if (setCookies != null) {
+                      for (int i = 0; i < setCookies.size(); i++) {
+                        String cookieValue = setCookies.get(i);
+                        // Log first 100 chars of cookie for debugging (don't log full value for
+                        // security)
+                        String preview =
+                            cookieValue.length() > 100
+                                ? cookieValue.substring(0, 100) + "..."
+                                : cookieValue;
+                        log.debug("  Set-Cookie[{}]: {}", i, preview);
+                      }
+                    }
+                  } else {
+                    log.debug(
+                        "Response headers for {} {}: status={} (no Set-Cookie headers)",
+                        method,
+                        path,
+                        statusCode);
+                  }
+                }));
+  }
+
+  @Override
+  public int getOrder() {
+    // Run after most filters but before final response
+    // LOWEST_PRECEDENCE - 1 ensures this runs late in the chain
+    return Ordered.LOWEST_PRECEDENCE - 1;
+  }
+}

apps/bixarena/api-gateway/src/main/java/org/sagebionetworks/bixarena/api/gateway/filter/SessionToJwtFilter.java

@@ -89,8 +89,10 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
       return validateSession(sessionId)
         .flatMap(userInfo -> {
           var userAuth = createAuthentication(userInfo);
+          log.debug("Session validated for auth service endpoint, passing through to: {} {}", method, path);
           return chain.filter(exchange)
-            .contextWrite(ReactiveSecurityContextHolder.withAuthentication(userAuth));
+            .contextWrite(ReactiveSecurityContextHolder.withAuthentication(userAuth))
+            .doOnSuccess(v -> log.debug("Auth service response completed for: {} {}", method, path));
         })
         .onErrorResume(e -> handleAuthError(exchange, e, method, path));
     }

apps/bixarena/api/project.json

@@ -53,6 +53,13 @@
         "parallel": false
       },
       "dependsOn": ["^build"]
+    },
+    "export-image-tarball": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "docker save ghcr.io/sage-bionetworks/{projectName}:local -o /tmp/{projectName}.tar"
+      },
+      "dependsOn": ["build-image"]
     }
   },
   "tags": ["type:service", "scope:backend", "language:java", "package-manager:gradle"],

apps/bixarena/api/src/main/java/org/sagebionetworks/bixarena/api/configuration/AppProperties.java

@@ -2,7 +2,9 @@
 
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
+import java.util.List;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.validation.annotation.Validated;
 
@@ -15,7 +17,8 @@
 public record AppProperties(
   @NotBlank(message = "Welcome message must not be blank") String welcomeMessage,
   @Valid @NotNull AuthService authService,
-  @Valid @NotNull Jwt jwt
+  @Valid @NotNull Jwt jwt,
+  @Valid @NotNull Cors cors
 ) {
   @Validated
   public record AuthService(
@@ -27,4 +30,12 @@ public record Jwt(
     @NotBlank(message = "Expected issuer must not be blank") String expectedIssuer,
     @NotBlank(message = "Expected audience must not be blank") String expectedAudience
   ) {}
+
+  @Validated
+  public record Cors(
+    @NotEmpty(message = "Allowed origins must not be empty") List<String> allowedOrigins,
+    @NotEmpty(message = "Allowed methods must not be empty") List<String> allowedMethods,
+    @NotEmpty(message = "Allowed headers must not be empty") List<String> allowedHeaders,
+    @NotNull(message = "Allow credentials must not be null") Boolean allowCredentials
+  ) {}
 }

apps/bixarena/api/src/main/java/org/sagebionetworks/bixarena/api/configuration/SecurityConfiguration.java

@@ -1,6 +1,5 @@
 package org.sagebionetworks.bixarena.api.configuration;
 
-import java.util.List;
 import org.sagebionetworks.bixarena.api.security.JwtAuthenticationConverter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -109,17 +108,10 @@ public JwtDecoder jwtDecoder() {
   @Bean
   public CorsConfigurationSource corsConfigurationSource() {
     CorsConfiguration config = new CorsConfiguration();
-    config.setAllowCredentials(true);
-    config.setAllowedOrigins(
-      List.of(
-        "http://localhost:8100",
-        "http://127.0.0.1:8100",
-        "http://localhost:7860",
-        "http://127.0.0.1:7860"
-      )
-    );
-    config.setAllowedMethods(List.of("GET", "POST", "PATCH", "OPTIONS"));
-    config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
+    config.setAllowCredentials(appProperties.cors().allowCredentials());
+    config.setAllowedOrigins(appProperties.cors().allowedOrigins());
+    config.setAllowedMethods(appProperties.cors().allowedMethods());
+    config.setAllowedHeaders(appProperties.cors().allowedHeaders());
     UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
     source.registerCorsConfiguration("/**", config);
     return source;

apps/bixarena/api/src/main/resources/application.yml

@@ -90,3 +90,20 @@ app:
     expected-issuer: urn:bixarena:auth
     # Expected audience claim value
     expected-audience: urn:bixarena:api
+  cors:
+    # CORS configuration for browser requests (localhost defaults)
+    # Can be overridden via env vars (e.g., APP_CORS_ALLOWED_ORIGINS=http://example.com,https://example.com)
+    allowed-origins:
+      - http://localhost:8100
+      - http://127.0.0.1:8100
+      - http://localhost:7860
+      - http://127.0.0.1:7860
+    allowed-methods:
+      - GET
+      - POST
+      - PATCH
+      - OPTIONS
+    allowed-headers:
+      - Authorization
+      - Content-Type
+    allow-credentials: true

apps/bixarena/app/project.json

@@ -48,6 +48,13 @@
         "bundleLocalDependencies": true
       },
       "cache": true
+    },
+    "export-image-tarball": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "docker save ghcr.io/sage-bionetworks/{projectName}:local -o /tmp/{projectName}.tar"
+      },
+      "dependsOn": ["build-image"]
     }
   },
   "tags": ["type:app", "scope:backend", "language:python", "package-manager:uv"]

apps/bixarena/auth-service/project.json

@@ -53,6 +53,13 @@
         "parallel": false
       },
       "dependsOn": ["^build"]
+    },
+    "export-image-tarball": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "docker save ghcr.io/sage-bionetworks/{projectName}:local -o /tmp/{projectName}.tar"
+      },
+      "dependsOn": ["build-image"]
     }
   },
   "tags": ["type:service", "scope:backend", "language:java", "package-manager:gradle"],

apps/bixarena/auth-service/src/main/java/org/sagebionetworks/bixarena/auth/service/configuration/AppProperties.java

@@ -2,8 +2,10 @@
 
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
 import java.net.URI;
+import java.util.List;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.validation.annotation.Validated;
 
@@ -18,7 +20,8 @@ public record AppProperties(
   /** Base URL of UI (Gradio) used for post-login redirect */
   @NotBlank(message = "UI base URL must not be blank") String uiBaseUrl,
   @Valid @NotNull Auth auth,
-  @Valid @NotNull SessionCookie sessionCookie
+  @Valid @NotNull SessionCookie sessionCookie,
+  @Valid @NotNull Cors cors
 ) {
   @Validated
   public record Auth(
@@ -43,4 +46,12 @@ public record SessionCookie(
     @NotNull(message = "Secure flag must not be null") Boolean secure,
     @NotNull(message = "HttpOnly flag must not be null") Boolean httpOnly
   ) {}
+
+  @Validated
+  public record Cors(
+    @NotEmpty(message = "Allowed origins must not be empty") List<String> allowedOrigins,
+    @NotEmpty(message = "Allowed methods must not be empty") List<String> allowedMethods,
+    @NotEmpty(message = "Allowed headers must not be empty") List<String> allowedHeaders,
+    @NotNull(message = "Allow credentials must not be null") Boolean allowCredentials
+  ) {}
 }