marcel/familienarchiv
1
0
Fork 0
Code Issues 103 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: permit OpenAPI/Swagger endpoints in dev profile

Browse Source 
Spring Security was blocking /v3/api-docs with 401, preventing
npm run generate:api from fetching the spec. The springdoc paths are
now whitelisted only when the dev Spring profile is active.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-03-15 14:13:36 +01:00
parent 0cb8812692
commit 251d865ddc
1 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
View File

@@ -5,6 +5,7 @@ import lombok.RequiredArgsConstructor;
import org.raddatz.familienarchiv.service.CustomUserDetailsService; import org.raddatz.familienarchiv.service.CustomUserDetailsService;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer; import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -19,6 +20,7 @@ import org.springframework.security.web.SecurityFilterChain;
public class SecurityConfig { public class SecurityConfig {
private final CustomUserDetailsService userDetailsService; private final CustomUserDetailsService userDetailsService;
private final Environment environment;
@Bean @Bean
public PasswordEncoder passwordEncoder() { public PasswordEncoder passwordEncoder() {
@@ -43,11 +45,17 @@ public class SecurityConfig {
// cookie-based sessions, CSRF protection must be re-enabled. // cookie-based sessions, CSRF protection must be re-enabled.
.csrf(csrf -> csrf.disable()) .csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth .authorizeHttpRequests(auth -> {
// Wir sperren jetzt ALLES. Nur eingeloggte User dürfen irgendwas. // In dev, allow unauthenticated access to the OpenAPI spec and Swagger UI
.anyRequest().authenticated() if (environment.matchesProfiles("dev")) {
auth.requestMatchers(
) "/v3/api-docs/**",
"/swagger-ui/**",
"/swagger-ui.html"
).permitAll();
}
auth.anyRequest().authenticated();
})
// erlaubt pdf im Iframe // erlaubt pdf im Iframe
.headers(headers -> headers .headers(headers -> headers
.frameOptions(frameOptions -> frameOptions.sameOrigin())) .frameOptions(frameOptions -> frameOptions.sameOrigin()))