diff --git a/src/main/java/com/security/config/auth/AuthorizationServerConfig.java b/src/main/java/com/security/config/auth/AuthorizationServerConfig.java
index 66eb48d..98be859 100644
--- a/src/main/java/com/security/config/auth/AuthorizationServerConfig.java
+++ b/src/main/java/com/security/config/auth/AuthorizationServerConfig.java
@@ -1,6 +1,7 @@
 package com.security.config.auth;
 
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -25,11 +26,14 @@ public class AuthorizationServerConfig {
     private final AuthProperties authProperties;
     private final PasswordEncoder passwordEncoder;
 
+    @Value("${gateway.secret}")
+    private String GATEWAY_SECRET;
+
     @Bean
     public RegisteredClientRepository registeredClientRepository() {
         RegisteredClient.Builder clientBuilder = RegisteredClient.withId(UUID.randomUUID().toString())
                 .clientId("gateway-client")
-                .clientSecret(passwordEncoder.encode("gateway-secret"))
+                .clientSecret(passwordEncoder.encode(GATEWAY_SECRET))
                 .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                 .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
diff --git a/src/main/java/com/security/config/auth/SecurityConfig.java b/src/main/java/com/security/config/auth/SecurityConfig.java
index 10b62e0..c8ae2a5 100644
--- a/src/main/java/com/security/config/auth/SecurityConfig.java
+++ b/src/main/java/com/security/config/auth/SecurityConfig.java
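Review bot: The injected secret is used without any validation at `.clientSecret(passwordEncoder.encode(GATEWAY_SECRET))`: an unresolvable `${gateway.secret}` placeholder fails startup, but an empty value resolves fine and registers the gateway client with a hash of the empty string. Add `Assert.hasText(GATEWAY_SECRET, "gateway.secret must be set")` (org.springframework.util.Assert) at the top of registeredClientRepository() so a misconfigured deployment refuses to start instead of accepting a blank credential. The new field also mixes field injection into a class that is otherwise constructor-injected through @RequiredArgsConstructor, and uses UPPER_SNAKE_CASE for an instance field; reading it from the existing `AuthProperties` (or as a constructor parameter) as `gatewaySecret` would keep the configuration style uniform. registeredClientRepository() continues past the end of the hunk.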
@@ -10,7 +10,6 @@
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -25,6 +24,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -100,7 +100,9 @@ public SecurityFilterChain defaultSecurityFilterChain(
                 .oauth2ResourceServer(oauth2ResourceServer ->
                         oauth2ResourceServer.jwt(Customizer.withDefaults())
                 )
-                .csrf(AbstractHttpConfigurer::disable)
+                .csrf(csrf-> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                        .ignoringRequestMatchers("/auth/register")
+                )
                 .build();
     }
 
diff --git a/src/main/java/com/security/controllers/AuthController.java b/src/main/java/com/security/controllers/AuthController.java
index dac7ee2..3d74c99 100644
--- a/src/main/java/com/security/controllers/AuthController.java
+++ b/src/main/java/com/security/controllers/AuthController.java
@@ -33,7 +33,7 @@ public class AuthController {
     private final AuthService authService;
     private final CookieService cookieService;
 
-//    private final LoginResponseService loginResponseService;
+
 
     @Operation(summary = "Iniciar sesión con email", description = "Autentica un usuario y establece cookies seguras")
     @PostMapping("/login")
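Review bot: On Spring Security 6 (which the `ignoringRequestMatchers(String...)` call suggests), the new `.csrf(csrf-> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) ...)` line is not enough for the browser client that `withHttpOnlyFalse()` implies: the token is loaded lazily, so the `XSRF-TOKEN` cookie is never written until something reads it, and the default `XorCsrfTokenRequestAttributeHandler` rejects the raw value a script copies from that cookie into `X-XSRF-TOKEN`, so the first POST to `/auth/login` would be refused with 403 even though `/auth/register` is exempted. The documented remedy is to pair the cookie repository with a request handler that accepts the raw cookie value and a small filter that touches `csrfToken.getToken()` so the cookie is emitted on every response, as sketched below (the plain handler gives up the XOR masking; the reference docs show a combined handler if BREACH protection is wanted too). A comment on why only registration is exempt would also help, e.g. `// no cookie/token exists before registration, so the double-submit check cannot be satisfied there`. The enclosing defaultSecurityFilterChain starts outside the hunk.
```java
                .csrf(csrf -> csrf
                        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                        // plain handler: accepts the raw value the client copies from the XSRF-TOKEN cookie
                        .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
                        .ignoringRequestMatchers("/auth/register")
                )
                // runs after CsrfFilter and forces the deferred token to load so the cookie is written
                .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
                .build();
// … unchanged: rest of defaultSecurityFilterChain …

// Loads the deferred CsrfToken so CookieCsrfTokenRepository actually emits the cookie.
static final class CsrfCookieFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
        csrfToken.getToken();
        filterChain.doFilter(request, response);
    }
}
```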
@@ -102,11 +102,12 @@ public ResponseEntity logout(
             cookieService.clearTokenCookies(response);
             return ResponseEntity.ok(new AuthResponseDTO(true, "Sesión cerrada exitosamente", Instant.now()));
 
-        } catch (
-                Exception e) {
+        } catch (Exception e) {
             log.error("Logout failed", e);
             cookieService.clearTokenCookies(response);
-            return ResponseEntity.ok(new AuthResponseDTO(false, "Error al cerrar sesion", Instant.now()));
+            return ResponseEntity
+                    .status(HttpStatus.INTERNAL_SERVER_ERROR)
+                    .body(new AuthResponseDTO(false, "Error al cerrar sesión", Instant.now()));
         }
     }
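Review bot: The catch block now answers 500 but still calls `cookieService.clearTokenCookies(response)` first, and nothing states that the browser session is ended regardless of the failure, so a caller cannot tell from the response whether a retry is useful; a short comment on the catch would fix that, e.g. `// Cookies are cleared even on failure: the browser session ends regardless, the 500 only reports that server-side cleanup did not complete`. If the call that threw inside the try was `clearTokenCookies` itself, the repeated call in the catch will most likely throw again and escape the handler, so Spring's default error body would replace the `AuthResponseDTO` the client expects; guarding that second call, or moving the cookie clearing into a `finally`, keeps the response shape consistent. `HttpStatus` does not appear in any visible import context, so confirm AuthController already imports it. The try block of logout() starts outside the hunk.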