fxies

2026-03-05 15:10:04 +02:00
parent abd18f5692
commit 6269e248bc
2 changed files with 30 additions and 8 deletions
--- a/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
+++ b/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
@@ -5,6 +5,7 @@ import com.honey.honey.security.admin.JwtAuthenticationFilter;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
@@ -12,13 +13,14 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -54,16 +56,28 @@ public class AdminSecurityConfig {
    }

    /**
-     * Ignore Swagger/OpenAPI paths so they bypass Spring Security entirely (no 401).
-     * Using WebSecurityCustomizer is more reliable than a separate SecurityFilterChain on some environments (e.g. Railway).
+     * Swagger/OpenAPI docs: permitAll with highest precedence so the default Spring Boot chain
+     * (which requires auth for /**) never handles these paths. Includes webjars and resources
+     * so the UI can load CSS/JS.
     */
    @Bean
-    public WebSecurityCustomizer webSecurityCustomizer() {
-        return web -> web.ignoring().requestMatchers(
+    @Order(Ordered.HIGHEST_PRECEDENCE)
+    public SecurityFilterChain swaggerSecurityFilterChain(HttpSecurity http) throws Exception {
+        RequestMatcher swaggerMatcher = new OrRequestMatcher(
                new AntPathRequestMatcher("/swagger-ui/**"),
+                new AntPathRequestMatcher("/swagger-ui.html"),
                new AntPathRequestMatcher("/v3/api-docs"),
-                new AntPathRequestMatcher("/v3/api-docs/**")
+                new AntPathRequestMatcher("/v3/api-docs/**"),
+                new AntPathRequestMatcher("/webjars/**"),
+                new AntPathRequestMatcher("/swagger-resources/**"),
+                new AntPathRequestMatcher("/configuration/**")
        );
+        http
+                .securityMatcher(swaggerMatcher)
+                .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
+                .csrf(csrf -> csrf.disable())
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
+        return http.build();
    }

    @Bean
--- a/src/main/java/com/honey/honey/config/WebConfig.java
+++ b/src/main/java/com/honey/honey/config/WebConfig.java
@@ -24,7 +24,7 @@ public class WebConfig implements WebMvcConfigurer {
        // User session interceptor for all other authenticated endpoints
        registry.addInterceptor(authInterceptor)
                .excludePathPatterns(
-                    "/ping", 
+                    "/ping",
                    "/actuator/**",
                    "/api/auth/tma/session", // Session creation endpoint doesn't require auth
                    "/api/telegram/webhook/**", // Telegram webhook (token in path, validated in controller)
@@ -32,7 +32,15 @@ public class WebConfig implements WebMvcConfigurer {
                    "/api/check_user/**", // User check endpoint for external applications (open endpoint)
                    "/api/deposit_webhook/**", // 3rd party deposit completion webhook (token in path, no auth)
                    "/api/notify_broadcast/**", // Notify broadcast start/stop (token in path, no auth)
-                    "/api/admin/**" // Admin endpoints are handled by Spring Security
+                    "/api/admin/**", // Admin endpoints are handled by Spring Security
+                    // Swagger / OpenAPI docs (no auth required for documentation)
+                    "/swagger-ui/**",
+                    "/swagger-ui.html",
+                    "/v3/api-docs",
+                    "/v3/api-docs/**",
+                    "/webjars/**",
+                    "/swagger-resources/**",
+                    "/configuration/**"
                );
        
        // User-based rate limiting for payment creation and payout creation (applied after auth interceptor)