From 9cdebf076c68bbf92abb221cca8780500e10661d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BChlmann?= <andreas@kruhlmann.dev>
Date: Tue, 30 Dec 2025 13:13:27 +0100
Subject: [PATCH] Add missing auth

---
 .../dev/kruhlmann/imgfloat/config/SecurityConfig.java     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/main/java/dev/kruhlmann/imgfloat/config/SecurityConfig.java b/src/main/java/dev/kruhlmann/imgfloat/config/SecurityConfig.java
index 0d3205c..5aa7830 100644
--- a/src/main/java/dev/kruhlmann/imgfloat/config/SecurityConfig.java
+++ b/src/main/java/dev/kruhlmann/imgfloat/config/SecurityConfig.java
@@ -10,7 +10,10 @@ import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationC
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.http.HttpStatus;
 
 @Configuration
 @EnableWebSecurity
@@ -44,6 +47,11 @@ public class SecurityConfig {
                 .tokenEndpoint(token -> token.accessTokenResponseClient(twitchAccessTokenResponseClient()))
                 .userInfoEndpoint(user -> user.userService(twitchOAuth2UserService())))
             .logout(logout -> logout.logoutSuccessUrl("/").permitAll())
+            .exceptionHandling(exceptions -> exceptions
+                .defaultAuthenticationEntryPointFor(
+                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
+                    new AntPathRequestMatcher("/api/**")
+                ))
             .csrf(csrf -> csrf.ignoringRequestMatchers("/ws/**", "/api/**"));
         return http.build();
     }