bff/src/main/java/se/su/dsv/studentportalen/bff/Studentportalen.java

@@ -5,64 +5,13 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
-import org.springframework.context.annotation.Bean;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.util.matcher.RequestMatcher;
-import org.springframework.security.web.util.matcher.RequestMatchers;
-import org.springframework.web.cors.CorsConfiguration;
-import se.su.dsv.studentportalen.bff.login.BFFAuthenticationEntryPoint;
-
-import java.util.List;
-
-import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
 
 @SpringBootApplication
 @EnableConfigurationProperties
 @ConfigurationPropertiesScan
 public class Studentportalen extends SpringBootServletInitializer {
 
-    private static final RequestMatcher DOCUMENTATION_MATCHER = RequestMatchers.anyOf(
-            antMatcher("/swagger"),
-            antMatcher("/swagger-ui/**"),
-            antMatcher("/v3/api-docs/**"));
-
     public static void main(String[] args) {
         SpringApplication.run(Studentportalen.class, args);
     }
-
-    @Bean
-    public SecurityFilterChain securityFilterChain(
-            HttpSecurity http,
-            FrontendConfiguration frontendConfiguration)
-            throws Exception
-    {
-        http.exceptionHandling(exception -> exception
-                .authenticationEntryPoint(new BFFAuthenticationEntryPoint()));
-        http.oauth2Login(login -> login
-                .defaultSuccessUrl(frontendConfiguration.url(), true));
-        http.authorizeHttpRequests(authorize -> authorize
-                .requestMatchers(DOCUMENTATION_MATCHER).permitAll()
-                .anyRequest().authenticated());
-        http.cors(cors -> cors
-                .configurationSource(_ -> frontendOnlyCors(frontendConfiguration)));
-        return http.build();
-    }
-
-    private static CorsConfiguration frontendOnlyCors(FrontendConfiguration frontendConfiguration) {
-        var corsConfiguration = new CorsConfiguration();
-        corsConfiguration.setAllowedOrigins(List.of(frontendConfiguration.url()));
-        corsConfiguration.setAllowedMethods(List.of("GET", "POST"));
-
-        // Allow the frontend to see the X-Authorization-Url header
-        corsConfiguration.setExposedHeaders(List.of("X-Authorization-Url"));
-
-        // To allow the session cookie to be included
-        corsConfiguration.setAllowCredentials(true);
-
-        // Content-Type is allowed by default but with a restriction on the value
-        // The restriction does not allow "application/json" so we add it as an allowed header
-        corsConfiguration.setAllowedHeaders(List.of("Content-Type"));
-        return corsConfiguration;
-    }
 }

bff/src/main/java/se/su/dsv/studentportalen/bff/config/SecurityConfiguration.java

@@ -0,0 +1,51 @@
+package se.su.dsv.studentportalen.bff.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import se.su.dsv.studentportalen.bff.login.BFFAuthenticationEntryPoint;
+
+import java.util.List;
+
+@Configuration
+public class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(
+            HttpSecurity http,
+            FrontendConfiguration frontendConfiguration)
+            throws Exception
+    {
+        http.exceptionHandling(exception -> exception
+                .authenticationEntryPoint(new BFFAuthenticationEntryPoint()));
+        http.oauth2Login(login -> login
+                .defaultSuccessUrl(frontendConfiguration.url(), true));
+        http.authorizeHttpRequests(authorize -> authorize
+                .requestMatchers("/swagger", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
+                .anyRequest().authenticated());
+        http.cors(cors -> cors
+                .configurationSource(_ -> frontendOnlyCors(frontendConfiguration)));
+        http.csrf(csrf -> csrf.spa());
+        return http.build();
+    }
+
+    private static CorsConfiguration frontendOnlyCors(FrontendConfiguration frontendConfiguration) {
+        var corsConfiguration = new CorsConfiguration();
+        corsConfiguration.setAllowedOrigins(List.of(frontendConfiguration.url()));
+        corsConfiguration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
+
+        // Allow the frontend to see the X-Authorization-Url header
+        corsConfiguration.setExposedHeaders(List.of("X-Authorization-Url"));
+
+        // To allow the session cookie to be included
+        corsConfiguration.setAllowCredentials(true);
+
+        // Content-Type is allowed by default but with a restriction on the value
+        // The restriction does not allow "application/json" so we add it as an allowed header
+        // X-XSRF-TOKEN is needed for CSRF protection
+        corsConfiguration.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
+        return corsConfiguration;
+    }
+}