package de.fraunhofer.iem.dataprovider

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

/**
 * Spring Security configuration for the data provider's HTTP endpoints.
 *
 * Registers the [SecurityFilterChain] built in [filterChain].
 */
@Configuration
@EnableWebSecurity
class WebSecurityConfiguration {

    /**
     * Builds the application's security filter chain.
     *
     * The chain opens `POST /gitlab/repoChanged` to unauthenticated callers, turns on
     * Spring's CORS support and switches CSRF protection off.
     *
     * NOTE(review): no `anyRequest()` rule is declared, so how every other path is
     * treated is left to the defaults of the Spring Security version in use. Consider
     * stating the intended policy explicitly (for example a final deny or
     * authenticated rule).
     *
     * @param http the [HttpSecurity] builder supplied by Spring
     * @return the filter chain produced by `http.build()`
     */
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        with(http) {
            // The webhook endpoint is reachable without authentication at the filter level.
            // NOTE(review): the handler is not visible here; confirm that it authenticates
            // the sender itself (GitLab sends the configured secret in the X-Gitlab-Token
            // header) before acting on the payload.
            authorizeHttpRequests()
                .requestMatchers(HttpMethod.POST, "/gitlab/repoChanged")
                .permitAll()

            // TODO: this is enabled for dev purposes only !
            // Which origins, methods and headers are accepted comes from the CORS
            // configuration Spring resolves elsewhere; it is not defined in this class.
            // NOTE(review): restrict it to known origins before production use.
            cors()

            // CSRF protection is switched off, following
            // https://www.baeldung.com/spring-security-csrf#stateless-spring-api
            // (a stateless API with token-based authentication such as JWT does not need it).
            // NOTE(review): this chain configures neither token authentication nor a
            // stateless session policy; confirm that no cookie- or session-based
            // authentication is in use, otherwise CSRF protection is still needed.
            csrf().disable()
        }

        return http.build()
    }
}