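package com.guams.review.configuration;

import com.guams.review.service.AuthorService;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.List;

/**
 * Spring Security wiring for the review API: one JWT-authenticated, stateless filter chain,
 * a CORS policy limited to an explicit list of front-end origins, BCrypt password hashing,
 * and the {@link AuthenticationManager} backed by {@link AuthorService}.
 */
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SpringSecurityConfig {

    /** Read-only endpoints reachable without a token; the exemption is for GET only. */
    private static final String[] PUBLIC_GET_PATHS = {
        "/api/authors",
        "/api/authors/{id}",
        "/api/authors/{id}/avatar",
        "/api/authors/{id}/posts",
        "/api/posts",
        "/api/posts/{id}",
        "/api/comments/{id}",
        "/api/comments/posts/{id}",
        "/api/comments"
    };

    /** Credential issuance and sign-up: open to any method, since no token exists yet. */
    private static final String[] PUBLIC_AUTH_PATHS = {"/api/authors/login", "/api/authors/register"};

    /**
     * Browser origins allowed to call the API with credentials. The two plain-http entries are
     * local-development origins; consider moving them behind a dev profile so they do not ship
     * to production alongside the public HTTPS origin.
     */
    private static final List<String> ALLOWED_ORIGINS = List.of(
        "https://abonentendeur.guams.fr",
        "http://192.168.1.35:4200",
        "http://localhost:4200");

    private static final List<String> ALLOWED_METHODS = List.of("GET", "POST", "PUT", "DELETE");

    private static final List<String> ALLOWED_HEADERS = List.of("Authorization", "Content-Type");

    /** How long, in seconds, browsers may cache a CORS pre-flight response. */
    private static final long CORS_MAX_AGE_SECONDS = 3600L;

    /** User store for the authentication manager; injected through Lombok's constructor. */
    private final AuthorService authorService;

    /**
     * Builds the API's filter chain.
     *
     * <p>CSRF protection is disabled on the premise that clients authenticate with a bearer
     * token, not a session cookie. To keep that premise true, session creation is set to
     * {@link SessionCreationPolicy#STATELESS}: Spring Security will neither create an HTTP
     * session nor store the authenticated context in one, so authentication never outlives
     * the request it came in on. The JWT filter is placed ahead of the username/password
     * filter so that (presumably) it can populate the security context before authorization
     * rules are evaluated.
     *
     * @param http                    builder supplied by Spring Security
     * @param jwtAuthenticationFilter the project's bearer-token filter
     * @return the configured chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   JwtAuthenticationFilter jwtAuthenticationFilter)
            throws Exception {
        return http
                .csrf(AbstractHttpConfigurer::disable)
                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                .sessionManagement(session ->
                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(HttpMethod.GET, PUBLIC_GET_PATHS).permitAll()
                        .requestMatchers(PUBLIC_AUTH_PATHS).permitAll()
                        .anyRequest().authenticated())
                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                .build();
    }

    /**
     * CORS policy registered for every path ({@code /**}).
     *
     * <p>Origins are an explicit allow-list with no wildcard, which is what makes
     * {@code setAllowCredentials(true)} acceptable: credentials are only reflected back to the
     * listed origins. Allowed headers are limited to the two the API actually needs.
     *
     * @return the URL-based configuration source used by the filter chain
     */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration policy = new CorsConfiguration();
        policy.setAllowedOrigins(ALLOWED_ORIGINS);
        policy.setAllowedMethods(ALLOWED_METHODS);
        policy.setAllowedHeaders(ALLOWED_HEADERS);
        policy.setAllowCredentials(true);
        policy.setMaxAge(CORS_MAX_AGE_SECONDS);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", policy);
        return source;
    }

    /**
     * Password hashing for stored credentials: BCrypt at the library's default cost factor.
     *
     * @return the encoder shared by registration and authentication
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Exposes the {@link AuthenticationManager} that Spring Security assembles for this chain,
     * with {@link AuthorService} as the user store and the BCrypt encoder above for password
     * verification.
     *
     * @param http            builder whose shared {@link AuthenticationManagerBuilder} is used
     * @param passwordEncoder the encoder bean declared in this class
     * @return the built manager
     * @throws Exception propagated from {@link AuthenticationManagerBuilder#build()}
     */
    @Bean
    public AuthenticationManager authenticationManager(HttpSecurity http, PasswordEncoder passwordEncoder)
            throws Exception {
        AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class);
        builder.userDetailsService(authorService).passwordEncoder(passwordEncoder);
        return builder.build();
    }
}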