6 changes: 1 addition & 5 deletions src/main/java/com/faforever/api/config/FafApiProperties.java
Expand Up @@ -16,6 +16,7 @@ public class FafApiProperties {
* The API version.
*/
private String version;
private boolean allowAnonymous;
private Jwt jwt = new Jwt();
private OAuth2 oAuth2 = new OAuth2();
private Async async = new Async();
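Review bot: the new `allowAnonymous` field has no Javadoc, while the neighbouring `version` field does; document what the flag actually does (in this PR it switches method security off for the whole API via `MethodSecurityConfig`), so that operators do not read it as a per-endpoint toggle.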
Expand Down Expand Up @@ -258,11 +259,6 @@ public static class Smtp {
private String password;
}

@Data
public static class Anope {
private String databaseName;
}

@Data
public static class Rating {
private int defaultMean;
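Review bot: removing the `Anope` holder class is unrelated to allowing anonymous access and silently drops the `faf-api.anope.*` binding; if any `application-*.yml` still sets `anope.database-name`, Spring will now ignore it without error. Either split this into its own commit or confirm in the PR description that the YAML files and every `getAnope()` caller were cleaned up together with it.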
@@ -1,12 +1,18 @@
package com.faforever.api.config.security;

import com.faforever.api.security.method.CustomMethodSecurityExpressionHandler;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@ConditionalOnProperty(
value = "faf-api.allow-anonymous",
havingValue = "false",
matchIfMissing = true
)
@EnableMethodSecurity(securedEnabled = true)
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Global method-security disablement is too broad.

When faf-api.allow-anonymous=true, this removes all @PreAuthorize/@Secured enforcement, not just for health/readiness or /data/**. Keep method security enabled and scope anonymous access at request matcher/controller level instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `src/main/java/com/faforever/api/config/security/MethodSecurityConfig.java` around lines 11-16, the `MethodSecurityConfig` class uses `@ConditionalOnProperty` to disable method security globally when `faf-api.allow-anonymous` is true, which is overly broad and removes all `@PreAuthorize`/`@Secured` enforcement. Remove the `@ConditionalOnProperty` annotation from `@EnableMethodSecurity(securedEnabled = true)` to ensure method security is always enabled. Instead, configure anonymous access at the request matcher or controller level through your security configuration (such as in `SecurityFilterChain` or by using `@PermitAll` on specific controller methods) so that only specific endpoints allow anonymous access while protected endpoints remain enforced.

public class MethodSecurityConfig {
@Bean
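Review bot: the `@ConditionalOnProperty` guard on `@EnableMethodSecurity` fails open: the configuration is registered only when `faf-api.allow-anonymous` is absent or exactly `"false"`, so any other value (`off`, `no`, a typo) silently disables method security for the whole API. Keeping method security unconditional, as the comment above suggests, is the better fix; if the conditional must stay, match the disabling value explicitly instead of the enabling one, e.g. `@ConditionalOnExpression("'${faf-api.allow-anonymous:false}' != 'true'")`, and add a context test that sets an unexpected value and asserts a `@PreAuthorize` method is still rejected.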
2 changes: 1 addition & 1 deletion src/main/java/com/faforever/api/security/ElideUser.java
Expand Up @@ -24,7 +24,7 @@ public String getName() {

@Override
public boolean isInRole(String role) {
return fafAuthentication.hasRole(role);
return fafAuthentication != null && fafAuthentication.hasRole(role);
}

public Optional<Integer> getFafUserId() {
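Review bot: returning `false` from `isInRole` when `fafAuthentication` is null is the right fail-closed default, but this change implies the field can now be null for anonymous requests, so the other accessors that dereference it (e.g. `getFafUserId()`, whose body lies outside this hunk) need the same treatment; please check them and add a unit test asserting that `isInRole` returns `false` for an `ElideUser` built with a null authentication.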
5 changes: 3 additions & 2 deletions src/main/resources/config/application-local.yml
@@ -1,4 +1,5 @@
faf-api:
allow-anonymous: true
jwt:
secretKeyPath: ${JWT_PRIVATE_KEY_PATH:test-pki-private.key}
publicKeyPath: ${JWT_PUBLIC_KEY_PATH:test-pki-public.key}
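Review bot: setting `allow-anonymous: true` in the local profile means every developer runs the API with method security entirely off (given the conditional in `MethodSecurityConfig`), so `@PreAuthorize` regressions will not surface during local testing; add a comment next to the key stating that consequence, and consider leaving the local default at `false` with anonymous access opted into per developer via an environment variable, as is already done for the key paths on the lines below.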
Expand Down Expand Up @@ -86,8 +87,8 @@ spring:
oauth2:
resourceserver:
jwt:
jwk-set-uri: https://hydra.faforever.com/.well-known/jwks.json
issuer-uri: https://hydra.faforever.com/
jwk-set-uri: http://hydra.faforever.localhost/.well-known/jwks.json
issuer-uri: http://ory-hydra:4444/
logging:
level:
com.faforever.api: debug
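Review bot: `issuer-uri` and `jwk-set-uri` now point at different hosts (`http://ory-hydra:4444/` vs `http://hydra.faforever.localhost/`); Spring's resource server compares the token's `iss` claim to `issuer-uri` by exact string match, trailing slash included, so tokens will only validate if the local Hydra is configured to issue with `http://ory-hydra:4444/` as its public issuer. Please confirm that is the case or align the two values, and note in a comment that the plain-`http` endpoints are acceptable only in this local profile.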