swagger availability fix

2026-03-07 23:33:53 +02:00
parent 15498c8337
commit c7cf0ea9f8
2 changed files with 19 additions and 3 deletions
--- a/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
+++ b/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
@@ -64,7 +64,8 @@ public class AdminSecurityConfig {
    /**
     * Swagger/OpenAPI docs: permitAll with highest precedence so the default Spring Boot chain
     * (which requires auth for /**) never handles these paths. Includes webjars and resources
-     * so the UI can load CSS/JS.
+     * so the UI can load CSS/JS. Also matches /api/swagger-ui/** and /api/v3/api-docs/** so
+     * Swagger behind nginx at a secret path (e.g. /secret/swagger-ui/ -> /api/swagger-ui/) is public.
     */
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
@@ -76,7 +77,14 @@ public class AdminSecurityConfig {
                new AntPathRequestMatcher("/v3/api-docs/**"),
                new AntPathRequestMatcher("/webjars/**"),
                new AntPathRequestMatcher("/swagger-resources/**"),
-                new AntPathRequestMatcher("/configuration/**")
+                new AntPathRequestMatcher("/configuration/**"),
+                new AntPathRequestMatcher("/api/swagger-ui/**"),
+                new AntPathRequestMatcher("/api/swagger-ui.html"),
+                new AntPathRequestMatcher("/api/v3/api-docs"),
+                new AntPathRequestMatcher("/api/v3/api-docs/**"),
+                new AntPathRequestMatcher("/api/webjars/**"),
+                new AntPathRequestMatcher("/api/swagger-resources/**"),
+                new AntPathRequestMatcher("/api/configuration/**")
        );
        http
                .securityMatcher(swaggerMatcher)
--- a/src/main/java/com/honey/honey/config/WebConfig.java
+++ b/src/main/java/com/honey/honey/config/WebConfig.java
@@ -40,7 +40,15 @@ public class WebConfig implements WebMvcConfigurer {
                    "/v3/api-docs/**",
                    "/webjars/**",
                    "/swagger-resources/**",
-                    "/configuration/**"
+                    "/configuration/**",
+                    // Same under /api/ when Swagger is proxied at a secret path (e.g. nginx rewrite to /api/swagger-ui/)
+                    "/api/swagger-ui/**",
+                    "/api/swagger-ui.html",
+                    "/api/v3/api-docs",
+                    "/api/v3/api-docs/**",
+                    "/api/webjars/**",
+                    "/api/swagger-resources/**",
+                    "/api/configuration/**"
                );
        
        // User-based rate limiting for payment creation and payout creation (applied after auth interceptor)