MyINPulse-back/src/main/java/enseirb/myinpulse/config/WebSecurityCustomConfiguration.java

@@ -1,6 +1,7 @@
 package enseirb.myinpulse.config;
 
 import enseirb.myinpulse.security.KeycloakJwtRolesConverter;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -14,37 +15,55 @@ import java.util.List;
 
 import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole;
 
+
 @Configuration
-public class WebSecurityCustomConfiguration{
+public class WebSecurityCustomConfiguration {
     // CORS configuration
-    // TODO: make sure to only accept our own domains
+
+    @Value("${VITE_APP_URL}")
+    private String frontendUrl;
+
+    /**
+     * Configure the CORS (Cross Origin Ressource Sharing -- a security feature) configuration.
+     * The only allowed website is the frontend, defined in the .env file.
+     *
+     * @return the CORS configuration used by the backend
+     */
     @Bean
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOrigins(List.of("*"));
+        configuration.setAllowedOrigins(List.of(frontendUrl));
         configuration.setAllowedMethods(Arrays.asList("GET", "OPTIONS"));
         configuration.setAllowedHeaders(
                 Arrays.asList(
                         "authorization",
                         "content-type",
-                        "x-auth-token")); // Do not remove, this fixes the CORS errors when
+                        "x-auth-token"));
-        // unauthenticated
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);
 
         return source;
     }
 
+    /**
+     * Configure the authorisation required for each path.
+     * admin endpoints are under /admin/* and entrepreneur are under /entrepreneur/*
+     * If endpoints dont require authentication, they are under /unauth/
+     *
+     * @param http automatically filled in by spring.
+     * @return a securityfilterchain, automatically used by spring.
+     * @throws Exception TODO: figure out when the exception are raised
+     */
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.authorizeHttpRequests(
                         authorize ->
                                 authorize
-                                        .requestMatchers("/random2")
+                                        .requestMatchers("/entrepreneur/**")
                                         .access(hasRole("REALM_MyINPulse-entrepreneur"))
-                                        .requestMatchers("/random")
+                                        .requestMatchers("/admin/**")
                                         .access(hasRole("REALM_MyINPulse-admin"))
-                                        .requestMatchers("/random3")
+                                        .requestMatchers("/unauth/**")
                                         .permitAll()
                                         .anyRequest()
                                         .authenticated())