fix(api): allow unauthorized access to health endpoint

Closes: #992
This commit is contained in:
Gauthier Roebroeck 2022-10-26 10:18:43 +08:00
parent d749285d6a
commit 751d347231


@ -5,6 +5,7 @@ import org.gotson.komga.domain.model.ROLE_ADMIN
import org.gotson.komga.domain.model.ROLE_USER
import org.gotson.komga.infrastructure.configuration.KomgaProperties
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.boot.actuate.health.HealthEndpoint
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.builders.WebSecurity
@ -45,9 +46,13 @@ class SecurityConfiguration(
.cors {}
.csrf { it.disable() }
.authorizeRequests {
// restrict all actuator endpoints to ADMIN only
// allow unauthorized access to actuator health endpoint
// this will only show limited details as `management.endpoint.health.show-details` is set to `when-authorized`
it.requestMatchers(EndpointRequest.to(HealthEndpoint::class.java)).permitAll()
// restrict all other actuator endpoints to ADMIN only
it.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole(ROLE_ADMIN)
// claim is unprotected
it.mvcMatchers(
"/api/v1/claim",