From d92bbdc1e516e28c6a54049b3c1e029c895f183d Mon Sep 17 00:00:00 2001
From: Brutus5000
Date: Sun, 14 Jun 2026 08:09:58 +0200
Subject: [PATCH 1/2] Permit unauthenticated access to health/info/prometheus actuator endpoints Spring Boot 4 applies the application's SecurityFilterChain to the management port, so the existing anyRequest().authenticated() rule caused /actuator/health to return 401 and broke prod healthchecks.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../com/faforever/api/config/security/WebSecurityConfig.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
index 9a8a7cd8..f5768af9 100644
--- a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
+++ b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
@@ -1,6 +1,7 @@
 package com.faforever.api.config.security;
 import com.faforever.api.security.FafAuthenticationConverter;
+import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -37,6 +38,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 });
 http.authorizeHttpRequests(authorizeConfig -> {
 authorizeConfig.requestMatchers(HttpMethod.OPTIONS).permitAll();
+ authorizeConfig.requestMatchers(EndpointRequest.to("health", "info", "prometheus")).permitAll();
 // Swagger UI
 authorizeConfig.requestMatchers(
 "/swagger-ui/**",
From 6f95c8bf31d9d1cd47c261c3d2ba1ddc168dfec7 Mon Sep 17 00:00:00 2001
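Review bot: The added `EndpointRequest.to("health", "info", "prometheus")` rule in `securityFilterChain` is not tied to the management port, so in any deployment where the actuator is served on the main API port (for example a profile without `management.server.port`) all three endpoints become readable without authentication. The commit message only names `/actuator/health` as broken, while `prometheus` and `info` usually expose request paths, pool and JVM metrics, and build details that help an outsider map the service. Either narrow the rule to what the healthcheck and scraper really need, or keep it and document the assumption with a comment such as `// Unauthenticated on purpose: only reachable through the internal management port`, and confirm `management.endpoint.health.show-details` is not set to `always`. The body of `securityFilterChain` starts and ends outside the hunk, so how this rule interacts with the remaining matchers cannot be checked from here.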
From: Brutus5000
Date: Sun, 14 Jun 2026 09:11:28 +0200
Subject: [PATCH 2/2] Fix EndpointRequest import for Spring Boot 4 package layout EndpointRequest moved from org.springframework.boot.actuate.autoconfigure.security.servlet to org.springframework.boot.security.autoconfigure.actuate.web.servlet in Spring Boot 4.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../com/faforever/api/config/security/WebSecurityConfig.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
index f5768af9..b8f2cd3c 100644
--- a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
+++ b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
@@ -1,7 +1,7 @@
 package com.faforever.api.config.security;
 import com.faforever.api.security.FafAuthenticationConverter;
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;