From c7cf0ea9f8a9c8039505531992dea8759a6c686f Mon Sep 17 00:00:00 2001
From: Tihon
Date: Sat, 7 Mar 2026 23:33:53 +0200
Subject: [PATCH] swagger availability fix
---
 .../com/honey/honey/config/AdminSecurityConfig.java | 12 ++++++++++--
 src/main/java/com/honey/honey/config/WebConfig.java | 10 +++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/honey/honey/config/AdminSecurityConfig.java b/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
index c84fe8d..c9b9c54 100644
--- a/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
+++ b/src/main/java/com/honey/honey/config/AdminSecurityConfig.java
@@ -64,7 +64,8 @@ public class AdminSecurityConfig {
 /**
 * Swagger/OpenAPI docs: permitAll with highest precedence so the default Spring Boot chain
 * (which requires auth for /**) never handles these paths. Includes webjars and resources
- * so the UI can load CSS/JS.
+ * so the UI can load CSS/JS. Also matches /api/swagger-ui/** and /api/v3/api-docs/** so
+ * Swagger behind nginx at a secret path (e.g. /secret/swagger-ui/ -> /api/swagger-ui/) is public.
 */
 @Bean
 @Order(Ordered.HIGHEST_PRECEDENCE)
@@ -76,7 +77,14 @@ public class AdminSecurityConfig {
 new AntPathRequestMatcher("/v3/api-docs/**"),
 new AntPathRequestMatcher("/webjars/**"),
 new AntPathRequestMatcher("/swagger-resources/**"),
- new AntPathRequestMatcher("/configuration/**")
+ new AntPathRequestMatcher("/configuration/**"),
+ new AntPathRequestMatcher("/api/swagger-ui/**"),
+ new AntPathRequestMatcher("/api/swagger-ui.html"),
+ new AntPathRequestMatcher("/api/v3/api-docs"),
+ new AntPathRequestMatcher("/api/v3/api-docs/**"),
+ new AntPathRequestMatcher("/api/webjars/**"),
+ new AntPathRequestMatcher("/api/swagger-resources/**"),
+ new AntPathRequestMatcher("/api/configuration/**")
 );
 http
 .securityMatcher(swaggerMatcher)
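Review bot: The `/api/...` matchers added to `swaggerMatcher` make the Swagger UI and the OpenAPI document unauthenticated on the backend itself, so the secret nginx path named in the Javadoc hunk protects nothing unless the proxy also refuses direct requests to `/api/swagger-ui/**` and `/api/v3/api-docs/**`; that proxy rule is not visible in this patch and should be confirmed. Because the chain runs at `Ordered.HIGHEST_PRECEDENCE`, broad patterns such as `/api/configuration/**` and `/api/webjars/**` would also skip authentication for any real handler later mapped under those prefixes, and the same patterns are added to the list in WebConfig.java. I would keep only the paths the UI actually requests, and either require authentication for the docs or register this bean only when a docs flag is set (for example with `@ConditionalOnProperty`), leaving it off in production. The Javadoc should then state the assumption, e.g. `* Unauthenticated: relies on the proxy denying direct /api/swagger-ui/** and /api/v3/api-docs/**.` The bean method starts and ends outside the hunk.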
diff --git a/src/main/java/com/honey/honey/config/WebConfig.java b/src/main/java/com/honey/honey/config/WebConfig.java
index c8b32c2..28a2bd2 100644
--- a/src/main/java/com/honey/honey/config/WebConfig.java
+++ b/src/main/java/com/honey/honey/config/WebConfig.java
@@ -40,7 +40,15 @@ public class WebConfig implements WebMvcConfigurer {
 "/v3/api-docs/**",
 "/webjars/**",
 "/swagger-resources/**",
- "/configuration/**"
+ "/configuration/**",
+ // Same under /api/ when Swagger is proxied at a secret path (e.g. nginx rewrite to /api/swagger-ui/)
+ "/api/swagger-ui/**",
+ "/api/swagger-ui.html",
+ "/api/v3/api-docs",
+ "/api/v3/api-docs/**",
+ "/api/webjars/**",
+ "/api/swagger-resources/**",
+ "/api/configuration/**"
 );
 // User-based rate limiting for payment creation and payout creation (applied after auth interceptor)
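Review bot: The seven `/api/...` patterns added here are a hand-copied duplicate of the list added to `swaggerMatcher` in AdminSecurityConfig.java, so the two can drift and leave a path permitted by the security chain but still intercepted, or the reverse. A single shared constant, for example a `static final String[]` of Swagger paths that both classes read, would keep them in step and give one place to review what is exposed. The call that receives this list starts outside the hunk, so whether it is an exclusion list for the auth interceptor is an assumption to confirm; if it is, the added comment should say that these paths skip the interceptor, not only that they are proxied.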