feat: comments and security comfiguration improved.

2025-02-12 12:04:59 +01:00 · 2025-02-12 12:04:59 +01:00 · 07f66f65ed
commit 07f66f65ed
parent 6e5651c527
1 changed files with 27 additions and 8 deletions
--- a/MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java
+++ b/MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java
@ -1,6 +1,7 @@
 package enseirb.myinpulse.config;

 import enseirb.myinpulse.security.KeycloakJwtRolesConverter;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@ -14,37 +15,55 @@ import java.util.List;

 import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole;

+
@Configuration
 public class WebSecurityCustomConfiguration {
    // CORS configuration
-    // TODO: make sure to only accept our own domains
+
+    @Value("${VITE_APP_URL}")
+    private String frontendUrl;
+
+    /**
+     * Configure the CORS (Cross Origin Ressource Sharing -- a security feature) configuration.
+     * The only allowed website is the frontend, defined in the .env file.
+     *
+     * @return the CORS configuration used by the backend
+     */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOrigins(List.of("*"));
+        configuration.setAllowedOrigins(List.of(frontendUrl));
        configuration.setAllowedMethods(Arrays.asList("GET", "OPTIONS"));
        configuration.setAllowedHeaders(
                Arrays.asList(
                        "authorization",
                        "content-type",
-                        "x-auth-token")); // Do not remove, this fixes the CORS errors when
-        // unauthenticated
+                        "x-auth-token"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);

        return source;
    }

+    /**
+     * Configure the authorisation required for each path.
+     * admin endpoints are under /admin/* and entrepreneur are under /entrepreneur/*
+     * If endpoints dont require authentication, they are under /unauth/
+     *
+     * @param http automatically filled in by spring.
+     * @return a securityfilterchain, automatically used by spring.
+     * @throws Exception TODO: figure out when the exception are raised
+     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(
                        authorize ->
                                authorize
-                                        .requestMatchers("/random2")
+                                        .requestMatchers("/entrepreneur/**")
                                        .access(hasRole("REALM_MyINPulse-entrepreneur"))
-                                        .requestMatchers("/random")
+                                        .requestMatchers("/admin/**")
                                        .access(hasRole("REALM_MyINPulse-admin"))
-                                        .requestMatchers("/random3")
+                                        .requestMatchers("/unauth/**")
                                        .permitAll()
                                        .anyRequest()
                                        .authenticated())