[#1097] Fix CORS issue introduced by PR #1350

backend/sources/chat-plugin/src/main/java/co/airy/core/chat_plugin/config/AuthConfig.java

@@ -1,11 +1,11 @@
 package co.airy.core.chat_plugin.config;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -24,27 +24,25 @@
 )
 public class AuthConfig extends WebSecurityConfigurerAdapter {
     private final Jwt jwt;
+    private final String systemToken;
 
-    public AuthConfig(Jwt jwt) {
+    public AuthConfig(Jwt jwt, @Value("${system_token:#{null}}") String systemToken) {
         this.jwt = jwt;
+        this.systemToken = systemToken;
     }
 
     @Override
     protected void configure(final HttpSecurity http) throws Exception {
         http.cors().and().csrf().disable()
                 // Don't let Spring create its own session
                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
-                .addFilter(new JwtAuthenticationFilter(authenticationManager(), jwt))
+                .addFilter(new JwtAuthenticationFilter(authenticationManager(), jwt, systemToken))
                 .authorizeRequests()
+                .antMatchers("/actuator/**", "/ws.chatplugin").permitAll()
+                .mvcMatchers("/chatplugin.authenticate", "/chatplugin.resumeToken").permitAll()
                 .anyRequest().authenticated();
     }
 
-    @Override
-    public void configure(WebSecurity web) {
-        web.ignoring()
-                .antMatchers("/actuator/**", "/ws.chatplugin")
-                .mvcMatchers("/chatplugin.authenticate", "/chatplugin.resumeToken");
-    }
 
     @Bean
     CorsConfigurationSource corsConfigurationSource(final Environment environment) {

backend/sources/chat-plugin/src/main/java/co/airy/core/chat_plugin/config/JwtAuthenticationFilter.java

@@ -1,7 +1,6 @@
 package co.airy.core.chat_plugin.config;
 
 import co.airy.core.chat_plugin.Principal;
-import org.springframework.http.HttpHeaders;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -18,10 +17,14 @@
 
 public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
     private final Jwt jwt;
+    private final String systemToken;
+    private final String systemTokenPrincipal;
 
-    public JwtAuthenticationFilter(AuthenticationManager authManager, Jwt jwt) {
+    public JwtAuthenticationFilter(AuthenticationManager authManager, Jwt jwt, String systemToken) {
         super(authManager);
         this.jwt = jwt;
+        this.systemToken = systemToken;
+        this.systemTokenPrincipal = systemToken == null ? null : String.format("system-token-%s", systemToken.substring(0, Math.min(systemToken.length(), 4)));
     }
 
     @Override
@@ -42,6 +45,10 @@ protected void doFilterInternal(HttpServletRequest req,
     }
 
     private UsernamePasswordAuthenticationToken getAuthentication(String token) {
+        if (systemToken != null && systemToken.equals(token)) {
+            return new UsernamePasswordAuthenticationToken(systemTokenPrincipal, null, List.of());
+        }
+
         final Principal principal = jwt.authenticate(token);
 
         if (principal != null) {

lib/java/spring/auth/src/main/java/co/airy/spring/auth/AuthConfig.java

@@ -26,11 +26,11 @@
 public class AuthConfig extends WebSecurityConfigurerAdapter {
     private final Jwt jwt;
     private final String[] ignoreAuthPatterns;
-    private final String apiToken;
+    private final String systemToken;
 
-    public AuthConfig(Jwt jwt, @Value("${system_token:#{null}}") String apiToken, List<IgnoreAuthPattern> ignorePatternBeans) {
+    public AuthConfig(Jwt jwt, @Value("${system_token:#{null}}") String systemToken, List<IgnoreAuthPattern> ignorePatternBeans) {
         this.jwt = jwt;
-        this.apiToken = apiToken;
+        this.systemToken = systemToken;
         this.ignoreAuthPatterns = ignorePatternBeans.stream()
                 .flatMap((ignoreAuthPatternBean -> ignoreAuthPatternBean.getIgnorePattern().stream()))
                 .toArray(String[]::new);
@@ -42,7 +42,7 @@ protected void configure(final HttpSecurity http) throws Exception {
                 .csrf().disable()
                 // Don't let Spring create its own session
                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
-                .addFilter(new JwtAuthenticationFilter(authenticationManager(), jwt, this.apiToken))
+                .addFilter(new JwtAuthenticationFilter(authenticationManager(), jwt, this.systemToken))
                 .authorizeRequests(authorize -> authorize
                         .antMatchers("/actuator/**", "/ws*").permitAll()
                         .antMatchers(ignoreAuthPatterns).permitAll()

lib/java/spring/auth/src/main/java/co/airy/spring/auth/JwtAuthenticationFilter.java

@@ -1,7 +1,6 @@
 package co.airy.spring.auth;
 
 import co.airy.spring.jwt.Jwt;
-import lombok.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -18,24 +17,21 @@
 public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
 
     private final Jwt jwt;
-    private final String apiToken;
+    private final String systemToken;
     private final String apiTokenPrincipal;
 
-    public JwtAuthenticationFilter(AuthenticationManager authManager, Jwt jwt, String apiToken) {
+    public JwtAuthenticationFilter(AuthenticationManager authManager, Jwt jwt, String systemToken) {
         super(authManager);
         this.jwt = jwt;
-        this.apiToken = apiToken;
-        this.apiTokenPrincipal = apiToken == null ? null : String.format("api-token-%s", apiToken.substring(0, Math.min(apiToken.length(), 4)));
+        this.systemToken = systemToken;
+        this.apiTokenPrincipal = systemToken == null ? null : String.format("system-token-%s", systemToken.substring(0, Math.min(systemToken.length(), 4)));
     }
 
     @Override
     protected void doFilterInternal(HttpServletRequest req,
                                     HttpServletResponse res,
                                     FilterChain chain) throws IOException, ServletException {
-        String authToken = req.getHeader(HttpHeaders.AUTHORIZATION);
-        if (authToken != null && authToken.startsWith("Bearer")) {
-            authToken = authToken.substring(7);
-        }
+        String authToken = getAuthToken(req);
 
         if (authToken == null) {
             chain.doFilter(req, res);
@@ -53,7 +49,7 @@ protected void doFilterInternal(HttpServletRequest req,
     }
 
     private UsernamePasswordAuthenticationToken getAuthentication(String token) {
-        if (apiToken != null && apiToken.equals(token)) {
+        if (systemToken != null && systemToken.equals(token)) {
             return new UsernamePasswordAuthenticationToken(apiTokenPrincipal, null, List.of());
         }