From c39e324c5a8aa13ff88db4d69764da08fd700062 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BChlmann?= <andreas@kruhlmann.dev>
Date: Wed, 10 Dec 2025 11:09:27 +0100
Subject: [PATCH] Restrict channel routes

---
 .../imgfloat/app/config/OpenApiConfig.java    | 19 +++++++++++++++++++
 .../app/controller/ChannelApiController.java  |  2 ++
 2 files changed, 21 insertions(+)

diff --git a/src/main/java/com/imgfloat/app/config/OpenApiConfig.java b/src/main/java/com/imgfloat/app/config/OpenApiConfig.java
index 7a2da28..0d873d2 100644
--- a/src/main/java/com/imgfloat/app/config/OpenApiConfig.java
+++ b/src/main/java/com/imgfloat/app/config/OpenApiConfig.java
@@ -1,19 +1,38 @@
 package com.imgfloat.app.config;
 
 import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.Components;
 import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.security.OAuthFlow;
+import io.swagger.v3.oas.models.security.OAuthFlows;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
 @Configuration
 public class OpenApiConfig {
 
+    private static final String TWITCH_OAUTH_SCHEME = "twitchOAuth";
+
     @Bean
     public OpenAPI imgfloatOpenAPI() {
         return new OpenAPI()
+                .components(new Components().addSecuritySchemes(TWITCH_OAUTH_SCHEME, twitchOAuthScheme()))
+                .addSecurityItem(new SecurityRequirement().addList(TWITCH_OAUTH_SCHEME))
                 .info(new Info()
                         .title("Imgfloat API")
                         .description("OpenAPI documentation for Imgfloat admin and broadcaster APIs.")
                         .version("v1"));
     }
+
+    private SecurityScheme twitchOAuthScheme() {
+        return new SecurityScheme()
+                .name(TWITCH_OAUTH_SCHEME)
+                .type(SecurityScheme.Type.OAUTH2)
+                .flows(new OAuthFlows()
+                        .authorizationCode(new OAuthFlow()
+                                .authorizationUrl("https://id.twitch.tv/oauth2/authorize")
+                                .tokenUrl("https://id.twitch.tv/oauth2/token")));
+    }
 }
diff --git a/src/main/java/com/imgfloat/app/controller/ChannelApiController.java b/src/main/java/com/imgfloat/app/controller/ChannelApiController.java
index 5f5ffc8..c352d1c 100644
--- a/src/main/java/com/imgfloat/app/controller/ChannelApiController.java
+++ b/src/main/java/com/imgfloat/app/controller/ChannelApiController.java
@@ -8,6 +8,7 @@ import com.imgfloat.app.model.TwitchUserProfile;
 import com.imgfloat.app.model.VisibilityRequest;
 import com.imgfloat.app.service.ChannelDirectoryService;
 import com.imgfloat.app.service.TwitchUserLookupService;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import jakarta.validation.Valid;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.MediaType;
@@ -37,6 +38,7 @@ import static org.springframework.http.HttpStatus.BAD_REQUEST;
 
 @RestController
 @RequestMapping("/api/channels/{broadcaster}")
+@SecurityRequirement(name = "twitchOAuth")
 public class ChannelApiController {
     private final ChannelDirectoryService channelDirectoryService;
     private final OAuth2AuthorizedClientService authorizedClientService;