fix: permit OpenAPI/Swagger endpoints in dev profile

Spring Security was blocking /v3/api-docs with 401, preventing npm run generate:api from fetching the spec. The springdoc paths are now whitelisted only when the dev Spring profile is active. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 14:13:36 +01:00
parent 0cb8812692
commit 251d865ddc
1 changed files with 13 additions and 5 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
@@ -5,6 +5,7 @@ import lombok.RequiredArgsConstructor;
 import org.raddatz.familienarchiv.service.CustomUserDetailsService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -19,6 +20,7 @@ import org.springframework.security.web.SecurityFilterChain;
 public class SecurityConfig {

    private final CustomUserDetailsService userDetailsService;
+    private final Environment environment;

    @Bean
    public PasswordEncoder passwordEncoder() {
@@ -43,11 +45,17 @@ public class SecurityConfig {
                // cookie-based sessions, CSRF protection must be re-enabled.
                .csrf(csrf -> csrf.disable())

-                .authorizeHttpRequests(auth -> auth
-                        // Wir sperren jetzt ALLES. Nur eingeloggte User dürfen irgendwas.
-                        .anyRequest().authenticated()
-
-                )
+                .authorizeHttpRequests(auth -> {
+                    // In dev, allow unauthenticated access to the OpenAPI spec and Swagger UI
+                    if (environment.matchesProfiles("dev")) {
+                        auth.requestMatchers(
+                            "/v3/api-docs/**",
+                            "/swagger-ui/**",
+                            "/swagger-ui.html"
+                        ).permitAll();
+                    }
+                    auth.anyRequest().authenticated();
+                })
                // erlaubt pdf im Iframe
                .headers(headers -> headers
                        .frameOptions(frameOptions -> frameOptions.sameOrigin()))