Diffstat (limited to 'src/main/java/com/juick/server/configuration/SecurityConfig.java')
-rw-r--r--src/main/java/com/juick/server/configuration/SecurityConfig.java40
1 files changed, 25 insertions, 15 deletions
diff --git a/src/main/java/com/juick/server/configuration/SecurityConfig.java b/src/main/java/com/juick/server/configuration/SecurityConfig.java
index f53cc531..df0da16e 100644
--- a/src/main/java/com/juick/server/configuration/SecurityConfig.java
+++ b/src/main/java/com/juick/server/configuration/SecurityConfig.java
@@ -17,7 +17,9 @@
package com.juick.server.configuration;
+import com.juick.server.SignatureManager;
import com.juick.service.UserService;
+import com.juick.service.security.HTTPSignatureAuthenticationFilter;
import com.juick.service.security.HashParamAuthenticationFilter;
import com.juick.service.security.JuickUserDetailsService;
import com.juick.service.security.deprecated.RequestParamHashRememberMeServices;
@@ -69,6 +71,20 @@ public class SecurityConfig {
public UserDetailsService userDetailsService() {
return new JuickUserDetailsService(userService);
}
+ @Bean
+ static CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+
+ configuration.setAllowedOrigins(Collections.singletonList("*"));
+ configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE"));
+ configuration.setAllowedHeaders(Collections.singletonList("*"));
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/api/**", configuration);
+ source.registerCorsConfiguration("/u/**", configuration);
+ source.registerCorsConfiguration("/n/**", configuration);
+ return source;
+ }
@Configuration
@Order(1)
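Review bot: The moved bean now registers the same wildcard configuration (`*` origins, `*` headers, PUT and DELETE) for `/u/**` and `/n/**`, paths the `antMatcher("/api/**")` chain does not cover, and nothing in the hunk says what those endpoints serve or why they need state-changing methods cross-origin. The wildcard origin is only acceptable because `allowCredentials` is never set (Spring refuses `*` together with credentials), so that invariant should be written down where the next maintainer will see it: `// Wildcard origin is safe only while allowCredentials stays unset; do not add cookie-based auth behind these paths.` If `/u/**` and `/n/**` are read-only, a second, narrower `CorsConfiguration` limited to GET/OPTIONS for them would cost three lines and shrink the cross-origin surface — confirm against the controllers before narrowing. The static `@Bean` method is not CGLIB-intercepted, so any direct call to it elsewhere in the file builds a fresh instance rather than returning the container bean.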
@@ -79,6 +95,8 @@ public class SecurityConfig {
private String webDomain;
@Resource
private UserService userService;
+ @Resource
+ private SignatureManager signatureManager;
ApiConfig() {
super(true);
}
@@ -95,10 +113,14 @@ public class SecurityConfig {
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**")
.addFilterBefore(apiAuthenticationFilter(), BasicAuthenticationFilter.class)
+ .addFilterBefore(new HTTPSignatureAuthenticationFilter(signatureManager, userService), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS).permitAll()
- .antMatchers("/api/", "/api/messages", "/api/messages/discussions", "/api/users", "/api/thread", "/api/tags", "/api/tlgmbtwbhk", "/api/fbwbhk",
- "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/signup", "/api/inbox", "/api/u/**", "/.well-known/webfinger", "/.well-known/x-nodeinfo2", "/rss/**", "/api/events").permitAll()
+ .antMatchers("/api/", "/api/messages", "/api/avatar", "/api/messages/discussions",
+ "/api/users", "/api/thread", "/api/tags", "/api/tlgmbtwbhk", "/api/fbwbhk",
+ "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin",
+ "/api/_google", "/api/signup", "/api/inbox", "/api/events", "/api/info/**",
+ "/api/nodeinfo/2.0").permitAll()
.anyRequest().hasRole("USER")
.and()
.anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY)
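Review bot: `HTTPSignatureAuthenticationFilter` now runs for every `/api/**` request, yet `/api/inbox` stays `permitAll`, so a delivery with a missing or invalid `Signature` header still reaches the inbox handler unless the filter itself short-circuits the chain on failure — that behavior is not visible here and should be stated at the registration site, e.g. `// /api/inbox is permitAll: this filter only populates the SecurityContext, so the inbox handler must reject deliveries without an authenticated principal.` Both `apiAuthenticationFilter()` and the new filter are anchored with `addFilterBefore(..., BasicAuthenticationFilter.class)`, which leaves their relative order to registration order; a one-line comment that the hash-param filter is meant to run first (and whether the signature filter skips an already-populated context) would pin that down — confirm against the filter. Dropping `/api/u/**` from the `permitAll` list makes those URLs require `ROLE_USER`, which looks intentional but deserves a mention in the commit message since it is the only tightening in the hunk. The `.well-known` and `/rss/**` matchers removed here were unreachable under the `/api/**` `antMatcher`, so that part is a clean-up. `configure(HttpSecurity)` continues past the hunk.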
@@ -122,19 +144,6 @@ public class SecurityConfig {
return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
}
- @Bean
- public CorsConfigurationSource corsConfigurationSource() {
- CorsConfiguration configuration = new CorsConfiguration();
-
- configuration.setAllowedOrigins(Collections.singletonList("*"));
- configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE"));
- configuration.setAllowedHeaders(Collections.singletonList("*"));
-
- UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
- source.registerCorsConfiguration("/api/**", configuration);
-
- return source;
- }
@Override
public void configure(WebSecurity web) {
web.debug(false);
@@ -182,6 +191,7 @@ public class SecurityConfig {
.anyRequest().permitAll()
.and()
.anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY)
+ .and().cors().configurationSource(corsConfigurationSource())
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.invalidSessionUrl("/")
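Review bot: `.cors().configurationSource(corsConfigurationSource())` calls the outer class's `static @Bean` method directly; static bean methods are not proxied, so this chain gets a new `UrlBasedCorsConfigurationSource` built on the spot rather than the container-managed bean, and any test or profile override of that bean silently does not apply here. Spring Security's `CorsConfigurer` already looks up a bean named `corsConfigurationSource` when no source is given, so `.and().cors()` alone wires the real bean, or inject it with `@Resource private CorsConfigurationSource corsConfigurationSource;` and pass that. Enabling CORS on this chain is what makes the `/u/**` and `/n/**` registrations effective, which is worth a comment on the line: `// serves the /u/** and /n/** CORS entries; /api/** is handled by ApiConfig`. The surrounding `configure` body starts before the hunk, so the chain's `antMatcher` is not visible from here.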