From b60339b9db8e7af49b92a115c3eb3ff38c9936f8 Mon Sep 17 00:00:00 2001
From: LivingLikeKrillin <143606756+LivingLikeKrillin@users.noreply.github.com>
Date: Sun, 15 Mar 2026 17:14:12 +0900
Subject: [PATCH] fix: allow Swagger UI and OpenAPI spec paths through security filter

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../api/common/config/security/SecurityConfig.java | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java b/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java
index a8e0528a..6a60e4be 100644
--- a/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java
+++ b/common/src/main/java/com/pfplaybackend/api/common/config/security/SecurityConfig.java
@@ -43,7 +43,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .requestMatchers("/api/v1/admin/**").permitAll() // Admin API - no auth required (temporary)
 .requestMatchers("/api/**").authenticated()
 .requestMatchers("/ws/**").permitAll()
- .requestMatchers("/spec/**").permitAll()
+ .requestMatchers("/spec/**", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
 .anyRequest().denyAll()
 )
 .oauth2ResourceServer(oauth2 -> oauth2
@@ -61,11 +61,9 @@ public CorsConfigurationSource corsConfigurationSource() {
 configuration.setAllowedOrigins(List.of(
 "https://localhost:3000",
 "http://localhost:3000",
- "http://localhost:4000",
 "http://localhost:8080",
 "http://admin.pfplay.xyz",
- "https://pfplay.xyz",
- "https://pfplay-api.app"));
+ "https://pfplay.xyz"));
 configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
 configuration.setAllowedHeaders(List.of("*"));
 configuration.setAllowCredentials(true);
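Review bot: In the `filterChain` hunk, the new matcher `.requestMatchers("/spec/**", "/swagger-ui/**", "/v3/api-docs/**").permitAll()` opens the Swagger UI and the OpenAPI document to unauthenticated callers in every environment, and nothing visible here limits it to development. That document lists every route, and the first context line of the hunk still leaves `/api/v1/admin/**` on `permitAll()` as "temporary", so the published spec would describe admin endpoints that need no credentials. If these paths are served by springdoc (the default paths suggest so), consider turning them off in the production profile with `springdoc.api-docs.enabled=false` and `springdoc.swagger-ui.enabled=false`, or putting the docs matchers behind `.authenticated()`. Also check `/swagger-ui.html`, springdoc's default entry path, which `/swagger-ui/**` does not match and which would fall through to `.anyRequest().denyAll()` unless the UI path has been customised. The body of `filterChain` starts and ends outside the hunk.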
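Review bot: In the `corsConfigurationSource` hunk, the trimmed origin list still combines `setAllowCredentials(true)` with cleartext origins, notably `http://admin.pfplay.xyz`, so credentialed cross-origin access is granted to a page that can be altered in transit. While this list is being edited, that entry should become `"https://admin.pfplay.xyz",` (assuming the admin site is served over TLS), and the `localhost` origins are better supplied from a development-profile property than compiled into the shared configuration. The commit message mentions only the Swagger paths; dropping `http://localhost:4000` and `https://pfplay-api.app` deserves a line of its own so that a client still served from either origin is not broken unnoticed. The method body continues outside the hunk.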