From f05e1eba25d831a33be00235c37fb21a49453a41 Mon Sep 17 00:00:00 2001
From: Tim <135014430+nagisa77@users.noreply.github.com>
Date: Mon, 30 Jun 2025 22:57:24 +0800
Subject: [PATCH] Allow anonymous GET for posts and comments

---
 src/main/java/com/openisle/config/SecurityConfig.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/openisle/config/SecurityConfig.java b/src/main/java/com/openisle/config/SecurityConfig.java
index 09ccb2761..5e3f7ff26 100644
--- a/src/main/java/com/openisle/config/SecurityConfig.java
+++ b/src/main/java/com/openisle/config/SecurityConfig.java
@@ -81,12 +81,18 @@ public class SecurityConfig {
 @Override
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
 String authHeader = request.getHeader("Authorization");
+String uri = request.getRequestURI();
+
+boolean publicGet = "GET".equalsIgnoreCase(request.getMethod()) &&
+(uri.startsWith("/api/posts") || uri.startsWith("/api/comments"));
+
 if (authHeader != null && authHeader.startsWith("Bearer ")) {
 String token = authHeader.substring(7);
 try {
 String username = jwtService.validateAndGetSubject(token);
 UserDetails userDetails = userDetailsService().loadUserByUsername(username);
-UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
+UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
+userDetails, null, userDetails.getAuthorities());
 org.springframework.security.core.context.SecurityContextHolder.getContext().setAuthentication(authToken);
 } catch (Exception e) {
 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
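Review bot: The `publicGet` allowlist is a bare prefix match on the raw `getRequestURI()`, so it also exempts any other path that merely begins with `/api/posts` or `/api/comments`, including every GET sub-resource under them, and it works on the unnormalized URI rather than the servlet path that Spring Security's own request matchers use. Consider expressing this rule in the `HttpSecurity` authorization configuration with `HttpMethod.GET` request matchers instead of inside the filter, or at least anchor the prefixes, `uri.equals("/api/posts") || uri.startsWith("/api/posts/")`, and match the method case-sensitively with `"GET".equals(request.getMethod())`, since `equalsIgnoreCase` accepts method tokens that the MVC layer will not route as GET. The same flag is consumed by the `else if` in the second hunk, so both sites are affected. `doFilterInternal` starts at the top of this hunk but its body continues beyond it.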
@@ -94,12 +100,13 @@ public class SecurityConfig {
 response.getWriter().write("{\"error\": \"Invalid or expired token\"}");
 return;
 }
-} else if (!request.getRequestURI().startsWith("/api/auth")) {
+} else if (!uri.startsWith("/api/auth") && !publicGet) {
 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 response.setContentType("application/json");
 response.getWriter().write("{\"error\": \"Missing token\"}");
 return;
 }
+
 filterChain.doFilter(request, response);
 }
 };
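Review bot: The new `else if` only exempts a public GET when the request carries no Bearer header at all; a GET to `/api/posts` that still sends an expired or malformed token is rejected with 401 by the catch block in the preceding hunk before this branch is reached, so a client holding a stale token cannot read public content until it drops the header. If that is intended, the branch deserves a comment such as `// publicGet only waives the missing-token check; a present-but-invalid token is still rejected above`; if not, the catch block should clear the context and continue to `filterChain.doFilter` when `publicGet` is true instead of returning. The catch block itself lies outside this hunk.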