From 251d865ddce4ed70c49a633c46d68ae9e50290be Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 15 Mar 2026 14:13:36 +0100
Subject: [PATCH] fix: permit OpenAPI/Swagger endpoints in dev profile

Spring Security was blocking /v3/api-docs with 401, preventing npm run generate:api from fetching the spec. The springdoc paths are now whitelisted only when the dev Spring profile is active.

Co-Authored-By: Claude Sonnet 4.6
---
 .../familienarchiv/config/SecurityConfig.java | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
index 65608e11..c7fa7cca 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
@@ -5,6 +5,7 @@ import lombok.RequiredArgsConstructor;
 import org.raddatz.familienarchiv.service.CustomUserDetailsService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -19,6 +20,7 @@ import org.springframework.security.web.SecurityFilterChain;
 public class SecurityConfig {
     private final CustomUserDetailsService userDetailsService;
+    private final Environment environment;
     @Bean
     public PasswordEncoder passwordEncoder() {
@@ -43,11 +45,17 @@ public class SecurityConfig {
             // cookie-based sessions, CSRF protection must be re-enabled.
             .csrf(csrf -> csrf.disable())
-            .authorizeHttpRequests(auth -> auth
-                // Wir sperren jetzt ALLES. Nur eingeloggte User dürfen irgendwas.
-                .anyRequest().authenticated()
-
-            )
+            .authorizeHttpRequests(auth -> {
+                // In dev, allow unauthenticated access to the OpenAPI spec and Swagger UI
+                if (environment.matchesProfiles("dev")) {
+                    auth.requestMatchers(
+                        "/v3/api-docs/**",
+                        "/swagger-ui/**",
+                        "/swagger-ui.html"
+                    ).permitAll();
+                }
+                auth.anyRequest().authenticated();
+            })
             // erlaubt pdf im Iframe
             .headers(headers -> headers
                 .frameOptions(frameOptions -> frameOptions.sameOrigin()))
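Review bot: The `permitAll()` for the springdoc paths is decided once, when the `SecurityFilterChain` bean is built, from whichever profiles are active at startup, so any deployment that happens to run with `dev` active (for example through `SPRING_PROFILES_ACTIVE`) serves the full API description and Swagger UI without authentication; that should be stated next to the `if`, and it is worth pairing the check with `springdoc.api-docs.enabled=false` and `springdoc.swagger-ui.enabled=false` outside the dev profile so that this single branch is not the only thing deciding exposure. Note also that `/v3/api-docs/**` does not match `/v3/api-docs.yaml`, which springdoc serves alongside the JSON variant by default — harmless if `npm run generate:api` fetches JSON, but the comment could name which variant is intended. `Environment.matchesProfiles` requires Spring Framework 6.1 or newer; on an older version `environment.acceptsProfiles(Profiles.of("dev"))` is the equivalent, though the build file is not visible here to confirm. Suggested comment above the `if`: `// Evaluated once at startup: these paths are public whenever the "dev" profile is active when this bean is created.`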