From ae0e4a40132e4373a707177a8a5d1607e3b04ab2 Mon Sep 17 00:00:00 2001
From: usbharu
Date: Fri, 14 Feb 2025 17:45:13 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20Spring=20Security=E3=81=8C=E6=AD=A3?= =?UTF-8?q?=E5=B8=B8=E3=81=AB=E5=8B=95=E4=BD=9C=E3=81=97=E3=81=A6=E3=81=84?= =?UTF-8?q?=E3=81=AA=E3=81=8B=E3=81=A3=E3=81=9F=E3=81=AE=E3=81=A7=E4=BF=AE?= =?UTF-8?q?=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../activitypub/config/ActivityPubSecurityConfig.kt | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt b/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt
index 9676aa01..6890b0b0 100644
--- a/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt
+++ b/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt
@@ -8,6 +8,8 @@ import org.springframework.http.HttpMethod.POST
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.util.matcher.AnyRequestMatcher
+import org.springframework.security.web.util.matcher.RequestMatcher
 
 @Configuration
 class ActivityPubSecurityConfig {
@@ -15,11 +17,16 @@ class ActivityPubSecurityConfig {
 @Order(4)
 fun activityPubSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
 http {
+ securityMatcher(RequestMatcher {
+ val accept = it.getHeader("Accept") ?: ""
+ return@RequestMatcher accept == "application/json" || accept == "application/activity+json"
+ })
 authorizeHttpRequests {
 authorize(POST, "/inbox", permitAll)
 authorize(POST, "/users/{username}/inbox", permitAll)
 authorize(GET, "/outbox", permitAll)
 authorize(GET, "/users/{username}/outbox", permitAll)
+ authorize(GET, "/users/{username}", permitAll)
 }
 }
 return http.build()
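Review bot: The new `securityMatcher` picks this chain from the `Accept` header alone and by exact string equality, so which filter chain handles a request is decided by a client-chosen header rather than by path. Any request sending `Accept: application/json`, whatever its path, is captured by this `@Order(4)` chain, where only the listed rules exist and no catch-all is stated; add `authorize(anyRequest, denyAll)` as the last rule and, if possible, also restrict the matcher to the ActivityPub paths. In the other direction, a header that carries a list, parameters or a q-value (for example `application/activity+json, application/ld+json`), or no `Accept` at all on an inbox POST, does not match and presumably falls through to a later chain that is not visible here; parsing with `MediaType.parseMediaTypes(...)` and comparing type and subtype would be more robust than `==`. The `AnyRequestMatcher` import added in the first hunk is not used in the visible lines. The function's closing lines are outside the hunk.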