From c916897874e957fac398795760b2bf7ff868a418 Mon Sep 17 00:00:00 2001
From: usbharu <64310155+usbharu@users.noreply.github.com>
Date: Tue, 26 Sep 2023 12:55:48 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20CSRF=E4=BF=9D=E8=AD=B7=E3=82=92=E6=9C=89?=
 =?UTF-8?q?=E5=8A=B9=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt b/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt
index d4a8d4d1..95a2dc4c 100644
--- a/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt
@@ -72,6 +72,9 @@ class SecurityConfig {
 builder.pattern("/error"),
 builder.pattern("/nodeinfo/2.0")
 ).permitAll()
+ it.requestMatchers(
+ builder.pattern("/auth/**")
+ ).anonymous()
 it.requestMatchers(builder.pattern("/change-password")).authenticated()
 it.requestMatchers(builder.pattern("/api/v1/accounts/verify_credentials"))
 .hasAnyAuthority("SCOPE_read", "SCOPE_read:accounts")
@@ -84,7 +87,6 @@ class SecurityConfig {
 .passwordManagement { }
 .formLogin(Customizer.withDefaults())
 .csrf {
- it.ignoringRequestMatchers(builder.pattern("/api/**"))
 it.ignoringRequestMatchers(builder.pattern("/users/*/inbox"))
 it.ignoringRequestMatchers(builder.pattern("/inbox"))
 it.ignoringRequestMatchers(PathRequest.toH2Console())
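Review bot: The new `/auth/**` rule uses `.anonymous()`, which grants access only to requests that carry no authentication and denies a user who already holds a session, so a logged-in user following a login or sign-up link gets a 403 rather than a redirect; if that is the intent, a one-line comment should record it, e.g. `// anonymous(): login/sign-up pages are refused to already-authenticated users; use permitAll() if they must stay reachable`. Because authorize rules are first-match, the rule is also silently shadowed for any `/auth/**` path that one of the `permitAll()` patterns above the hunk already covers, which is worth a quick check against the full matcher list. The enclosing authorizeHttpRequests block and the SecurityConfig class continue outside the hunk.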
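Review bot: Dropping the `/api/**` CSRF exemption means every state-changing request under `/api/**` now needs a CSRF token, and the `SCOPE_read` authority checks in the earlier hunk suggest at least some of those endpoints are called by bearer-token clients that have no session and no way to obtain one; such requests cannot be forged by a browser, so they are usually exempted by credential type rather than gated. If API access is indeed bearer-token based, an exemption keyed on the header instead of the path keeps this fix for session-cookie callers while restoring non-browser access, e.g. `it.ignoringRequestMatchers(RequestMatcher { req -> req.getHeader("Authorization")?.startsWith("Bearer ") == true })` (with `RequestMatcher` imported). The exemptions that remain would each benefit from a why-comment, e.g. `// inbox endpoints receive server-to-server POSTs that are presumably signature-authenticated, not session-based` and `// H2 console exemption: confirm the console is disabled outside development profiles`. The csrf block and the surrounding filter-chain builder continue outside the hunk.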