JadnK
diff --git a/‎src/main/java/de/jadenk/springcloud/SpringcloudApplication.java‎
Lines changed: 0 additions & 2 deletions b/‎src/main/java/de/jadenk/springcloud/SpringcloudApplication.java‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎src/main/java/de/jadenk/springcloud/config/ApiTokenFilter.java‎
Lines changed: 9 additions & 1 deletion b/‎src/main/java/de/jadenk/springcloud/config/ApiTokenFilter.java‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/main/java/de/jadenk/springcloud/config/SecurityConfig.java‎
Lines changed: 24 additions & 17 deletions b/‎src/main/java/de/jadenk/springcloud/config/SecurityConfig.java‎
Lines changed: 24 additions & 17 deletions
diff --git a/‎src/main/java/de/jadenk/springcloud/config/WebConfig.java‎
Lines changed: 17 additions & 11 deletions b/‎src/main/java/de/jadenk/springcloud/config/WebConfig.java‎
Lines changed: 17 additions & 11 deletions
@@ -12,8 +12,6 @@
 @SpringBootApplication
 public class SpringcloudApplication {
 
-	// curl -k -X GET https://localhost:8080/api/log/2 -H "X-API-TOKEN: feb58cac1cbf427ea9efe12d114cb467" -H "Accept: application/json"
-
 	public static void main(String[] args) {
 		ApplicationContext context = SpringApplication.run(SpringcloudApplication.class, args);
 		WebhookService webhookService = context.getBean(WebhookService.class);
 
@@ -19,30 +19,38 @@ public class ApiTokenFilter extends OncePerRequestFilter {
     @Autowired
     private ApiTokenRepository apiTokenRepo;
 
+    /**
+     * Filtert alle eingehenden API-Anfragen unter /api/ außer /api/s/ (Administrative Endpoints),
+     * überprüft den X-API-TOKEN Header und validiert ihn gegen die Datenbank.
+     */
+
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
             throws ServletException, IOException {
 
         String path = request.getRequestURI();
 
+        // Nur öffentliche API-Endpunkte filtern
         if (path.startsWith("/api/") && !path.startsWith("/api/s/")) {
             String token = request.getHeader("X-API-TOKEN");
 
+            // Prüfen, ob Token vorhanden ist
             if (token == null || token.isBlank()) {
                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                 response.getWriter().write("Missing API Token");
                 return;
             }
 
+            // Prüfen, ob Token gültig und aktiv ist
             Optional<ApiToken> validToken = apiTokenRepo.findByTokenAndActiveTrue(token);
-
             if (validToken.isEmpty()) {
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                 response.getWriter().write("Invalid API Token");
                 return;
             }
         }
 
+        // Token gültig oder nicht erforderlich -> Filterkette fortsetzen
         filterChain.doFilter(request, response);
     }
 }
@@ -39,37 +39,44 @@ public class SecurityConfig {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
+                // Logout-Konfiguration
                 .logout(logout -> logout
                         .logoutUrl("/logout")
                         .logoutSuccessUrl("/login?logout")
-                        //.deleteCookies("JSESSIONID", "remember-me")
-                        .permitAll())
+                        //.deleteCookies("JSESSIONID", "remember-me") // optional
+                        .permitAll()
+                )
+                // URL-Autorisierung
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(
-                                "/login",
-                                "/error",
-                                "/css/**",
-                                "/js/**",
-                                "/share/**",
-                                "/link-expired"
-                        ).permitAll()
-                        .requestMatchers("/api/**").permitAll()
-                        .anyRequest().authenticated())
+                                "/login", "/error", "/css/**", "/js/**",
+                                "/share/**", "/link-expired"
+                        ).permitAll() // öffentlich zugänglich
+                        .requestMatchers("/api/**").permitAll() // Token-Check wird über ApiTokenFilter gemacht
+                        .anyRequest().authenticated() // alles andere erfordert Login
+                )
+                // Remember-Me Cookie
                 .rememberMe(remember -> remember
                         .key("cookie_remember_me_jadenk_292929")
-                        .tokenValiditySeconds(7 * 24 * 60 * 60)
+                        .tokenValiditySeconds(7 * 24 * 60 * 60) // 7 Tage
                 )
+                // FormLogin
                 .formLogin(form -> form
                         .loginPage("/login")
                         .failureHandler(failureHandler)
                         .successHandler(successHandler)
-                        .permitAll())
+                        .permitAll()
+                )
+                // Session Management
                 .sessionManagement(session -> session
                         .invalidSessionUrl("/login")
                         .maximumSessions(10)
                         .sessionRegistry(sessionRegistry())
                 );
+
+        // API Token Filter vor UsernamePasswordAuthenticationFilter einfügen
         http.addFilterBefore(apiTokenFilter, UsernamePasswordAuthenticationFilter.class);
+
         return http.build();
     }
 
@@ -83,18 +90,18 @@ public HttpSessionEventPublisher httpSessionEventPublisher() {
         return new HttpSessionEventPublisher();
     }
 
-
     @Bean
     public AuthenticationManager authenticationManager(HttpSecurity http) throws Exception {
-        AuthenticationManagerBuilder authenticationManagerBuilder =
+        AuthenticationManagerBuilder authBuilder =
                 http.getSharedObject(AuthenticationManagerBuilder.class);
-        authenticationManagerBuilder.userDetailsService(customUserDetailsService)
+        authBuilder.userDetailsService(customUserDetailsService)
                 .passwordEncoder(passwordEncoder());
-        return authenticationManagerBuilder.build();
+        return authBuilder.build();
     }
 
     @Bean
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
     }
 }
+
@@ -14,24 +14,30 @@ public class WebConfig implements WebMvcConfigurer {
 
     @Autowired
     private BannedUserInterceptor bannedUserInterceptor;
+
     @Autowired
     private PasswordEnforcementInterceptor passwordEnforcementInterceptor;
 
     @Override
     public void addInterceptors(InterceptorRegistry registry) {
+        // Interceptor für gesperrte Benutzer
         registry.addInterceptor(bannedUserInterceptor)
-                .addPathPatterns("/**")
-                .excludePathPatterns("/banned", "/logout", "/login", "/css/**", "/js/**");
+                .addPathPatterns("/**") // alle Pfade
+                .excludePathPatterns(
+                        "/banned", "/logout", "/login", "/css/**", "/js/**"
+                ); // Ausnahmen: Login, Logout, statische Ressourcen, Banned-Seite
+
+        // Interceptor für Passwort-Policy Enforcement
         registry.addInterceptor(passwordEnforcementInterceptor);
     }
 
-//    @Override
-//    public void addCorsMappings(CorsRegistry registry) {
-//        registry.addMapping("/**")
-//                .allowedOrigins("http://127.0.0.1:8080")
-//                .allowedMethods("GET", "POST")
-//                .allowedHeaders("*")
-//                .allowCredentials(true);
-//    }
-
+    // CORS-Konfiguration (auskommentiert)
+    // @Override
+    // public void addCorsMappings(CorsRegistry registry) {
+    //     registry.addMapping("/**")
+    //             .allowedOrigins("http://127.0.0.1:8080")
+    //             .allowedMethods("GET", "POST")
+    //             .allowedHeaders("*")
+    //             .allowCredentials(true);
+    // }
 }