fix(join): permit /v1/invites/** (not just /*) + match panel color to login

- SecurityConfig: /** covers /v1/invites/{code}/accept (two path segments); /* only matched one segment so the accept endpoint was returning 401 - HouseholdIdentityPanel + page: use --green-dark bg (matching BrandPanel on login) instead of --green-tint; text updated to white/--green-light Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 22:00:47 +02:00
parent c5ec3396b2
commit 6aed303627
4 changed files with 23 additions and 13 deletions
--- a/backend/src/main/java/com/recipeapp/auth/SecurityConfig.java
+++ b/backend/src/main/java/com/recipeapp/auth/SecurityConfig.java
@@ -24,7 +24,7 @@ public class SecurityConfig {
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/v1/auth/signup", "/v1/auth/login").permitAll()
                        .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
-                        .requestMatchers("/v1/invites/*").permitAll()
+                        .requestMatchers("/v1/invites/**").permitAll()
                        .requestMatchers("/v1/admin/**").hasAuthority("ROLE_ADMIN")
                        .anyRequest().authenticated())
                .exceptionHandling(ex -> ex
--- a/backend/src/test/java/com/recipeapp/auth/SecurityConfigTest.java
+++ b/backend/src/test/java/com/recipeapp/auth/SecurityConfigTest.java
@@ -10,6 +10,7 @@ import org.springframework.web.context.WebApplicationContext;

 import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

 class SecurityConfigTest extends AbstractIntegrationTest {
@@ -33,6 +34,15 @@ class SecurityConfigTest extends AbstractIntegrationTest {
                .andExpect(status().isNotFound());
    }

+    @Test
+    void inviteAcceptEndpointIsAccessibleWithoutAuthentication() throws Exception {
+        // 400 = validation error (empty body), but NOT 401 — proves the path is permitted
+        mockMvc.perform(post("/v1/invites/ANYCODE/accept")
+                        .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+                        .content("{}"))
+                .andExpect(status().isBadRequest());
+    }
+
    @Test
    void protectedEndpointRequiresAuthentication() throws Exception {
        mockMvc.perform(get("/v1/households/mine"))