From e05db6dd9191c0a7c8949eb32d7f533759e2e7bd Mon Sep 17 00:00:00 2001
From: usbharu <64310155+usbharu@users.noreply.github.com>
Date: Tue, 19 Sep 2023 15:46:51 +0900
Subject: [PATCH] =?UTF-8?q?feat:=20Security=E3=81=AE=E8=A8=AD=E5=AE=9A?= =?UTF-8?q?=E3=82=92=E5=A4=89=E6=9B=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 build.gradle.kts | 2 ++
 .../dev/usbharu/hideout/config/SecurityConfig.kt | 15 +++++++++++++++
 .../hideout/controller/InboxControllerImpl.kt | 3 ++-
 src/main/resources/logback.xml | 2 +-
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/build.gradle.kts b/build.gradle.kts
index e3482bc4..5b6bc454 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -147,6 +147,8 @@ dependencies {
 implementation("org.springframework.data:spring-data-commons")
 implementation("org.springframework.boot:spring-boot-starter-jdbc")
 implementation("org.springframework.boot:spring-boot-starter-data-jdbc")
+ implementation("org.springframework.boot:spring-boot-starter-webflux")
+ implementation("org.jetbrains.kotlinx:kotlinx-coroutines-reactor")
 implementation("io.ktor:ktor-client-logging-jvm:$ktor_version")
 implementation("io.ktor:ktor-server-host-common-jvm:$ktor_version")
diff --git a/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt b/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt
index 92fd756f..3217acea 100644
--- a/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/config/SecurityConfig.kt
@@ -44,6 +44,9 @@ class SecurityConfig {
 .oauth2ResourceServer {
 it.jwt(Customizer.withDefaults())
 }
+ .csrf {
+ it.disable()
+ }
 return http.build()
 }
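Review bot: `.csrf { it.disable() }` switches CSRF protection off for the whole filter chain, and the same call is added to `defaultSecurityFilterChain` in the next SecurityConfig.kt hunk, where it matters more because that chain uses `formLogin` and so presumably authenticates browsers by session cookie. If the intent is only to let remote servers POST to the ActivityPub endpoints, that chain could exempt just those paths with `.csrf { it.ignoringRequestMatchers("/inbox", "/users/*/inbox") }` and keep the token check on the login form and every other session-authenticated route. For the chain in this hunk, disabling CSRF is reasonable only if it accepts bearer tokens alone; a comment such as `// CSRF disabled: this chain authenticates by bearer JWT only, no session cookie` would record that assumption. The function containing this hunk starts outside it, so the matcher and session policy of this chain are not visible here.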
@@ -52,10 +55,22 @@ class SecurityConfig {
 @Order(2)
 fun defaultSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
 http
+ .authorizeHttpRequests {
+ it.requestMatchers(
+ "/inbox",
+ "/users/*/inbox",
+ "/outbox",
+ "/users/*/outbox"
+ )
+ .permitAll()
+ }
 .authorizeHttpRequests {
 it.anyRequest().authenticated()
 }
 .formLogin(Customizer.withDefaults())
+ .csrf {
+ it.disable()
+ }
 return http.build()
 }
diff --git a/src/main/kotlin/dev/usbharu/hideout/controller/InboxControllerImpl.kt b/src/main/kotlin/dev/usbharu/hideout/controller/InboxControllerImpl.kt
index 002dee31..fb47a3f0 100644
--- a/src/main/kotlin/dev/usbharu/hideout/controller/InboxControllerImpl.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/controller/InboxControllerImpl.kt
@@ -3,11 +3,12 @@ package dev.usbharu.hideout.controller
 import dev.usbharu.hideout.service.ap.APService
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
+import org.springframework.web.bind.annotation.RequestBody
 import org.springframework.web.bind.annotation.RestController
 @RestController
 class InboxControllerImpl(private val apService: APService) : InboxController {
- override suspend fun inbox(string: String): ResponseEntity {
+ override suspend fun inbox(@RequestBody string: String): ResponseEntity {
 val parseActivity = apService.parseActivity(string)
 apService.processActivity(string, parseActivity)
 return ResponseEntity(HttpStatus.ACCEPTED)
diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml
index 9129b1b2..4593b633 100644
--- a/src/main/resources/logback.xml
+++ b/src/main/resources/logback.xml
@@ -4,7 +4,7 @@ %d{YYYY-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n - +
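Review bot: The new `permitAll()` rule in `defaultSecurityFilterChain` opens `/inbox`, `/users/*/inbox`, `/outbox` and `/users/*/outbox` to anonymous callers for every HTTP method, and nothing visible in this commit verifies the sender of a delivered activity. Scoping the rule by method would limit the exposure to what federation needs, for example `it.requestMatchers(HttpMethod.POST, "/inbox", "/users/*/inbox").permitAll()` and, if outboxes are only read anonymously, `it.requestMatchers(HttpMethod.GET, "/outbox", "/users/*/outbox").permitAll()`. Since the filter chain no longer authenticates these requests, HTTP Signature verification has to happen before the activity is processed; if `APService` or a filter already does this, a comment next to the matcher saying so would help the next reader. The two consecutive `authorizeHttpRequests { }` blocks could also be merged into one so the rule order is read in a single place.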
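Review bot: In InboxControllerImpl.kt, `inbox` now binds the raw request body and hands it straight to `apService.parseActivity` and `apService.processActivity` with no handling of a body that fails to parse, so a malformed delivery would likely surface as a 500 unless an exception handler exists elsewhere. Because the SecurityConfig change in this commit makes the inbox reachable without authentication, it is worth returning 400 for unparseable input and bounding the accepted body size, so that bad or oversized deliveries are rejected cheaply and are distinguishable from server faults in the logs. A short KDoc on the method, for example `/** Accepts a delivered activity as raw JSON; the sender must be verified before it is processed. */`, would also state the trust assumption. The end of the function body lies outside the hunk.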