Added csrf protection matcher to exclude bearer token calls from csfr

2025-10-30 17:04:33 +01:00 · 2025-10-30 17:04:33 +01:00 · 9bf148a09f
commit 9bf148a09f
parent 98e69164ed
1 changed files with 10 additions and 1 deletions
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@ -91,9 +91,18 @@ public class SecurityConfig {
                )
                .csrf(csrf -> csrf
                        .ignoringRequestMatchers("/oauth2/token") // CSRF für OAuth deaktivieren
+                        .ignoringRequestMatchers("/login/oauth2/code/**")
+                        .requireCsrfProtectionMatcher(request -> {
+
+                            String authHeader = request.getHeader("Authorization");
+                            if (authHeader != null && authHeader.startsWith("Bearer ")) {
+                                return false;
+                            }
+
+                            return true;
+                        })
                        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                        .csrfTokenRequestHandler(new LccCsrfTokenRequestHandler())
-                        .ignoringRequestMatchers("/login/oauth2/code/**")
                )
                .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
                .addFilterBefore(