Restrict channel routes

2026-02-05 03:39:26 +00:00 · 2025-12-10 11:09:27 +01:00
parent 650b33111a
commit c39e324c5a
2 changed files with 21 additions and 0 deletions
--- a/src/main/java/com/imgfloat/app/config/OpenApiConfig.java
+++ b/src/main/java/com/imgfloat/app/config/OpenApiConfig.java
@@ -1,19 +1,38 @@
 package com.imgfloat.app.config;

 import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.Components;
 import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.security.OAuthFlow;
+import io.swagger.v3.oas.models.security.OAuthFlows;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

@Configuration
 public class OpenApiConfig {

+    private static final String TWITCH_OAUTH_SCHEME = "twitchOAuth";
+
    @Bean
    public OpenAPI imgfloatOpenAPI() {
        return new OpenAPI()
+                .components(new Components().addSecuritySchemes(TWITCH_OAUTH_SCHEME, twitchOAuthScheme()))
+                .addSecurityItem(new SecurityRequirement().addList(TWITCH_OAUTH_SCHEME))
                .info(new Info()
                        .title("Imgfloat API")
                        .description("OpenAPI documentation for Imgfloat admin and broadcaster APIs.")
                        .version("v1"));
    }
+
+    private SecurityScheme twitchOAuthScheme() {
+        return new SecurityScheme()
+                .name(TWITCH_OAUTH_SCHEME)
+                .type(SecurityScheme.Type.OAUTH2)
+                .flows(new OAuthFlows()
+                        .authorizationCode(new OAuthFlow()
+                                .authorizationUrl("https://id.twitch.tv/oauth2/authorize")
+                                .tokenUrl("https://id.twitch.tv/oauth2/token")));
+    }
 }
--- a/src/main/java/com/imgfloat/app/controller/ChannelApiController.java
+++ b/src/main/java/com/imgfloat/app/controller/ChannelApiController.java
@@ -8,6 +8,7 @@ import com.imgfloat.app.model.TwitchUserProfile;
 import com.imgfloat.app.model.VisibilityRequest;
 import com.imgfloat.app.service.ChannelDirectoryService;
 import com.imgfloat.app.service.TwitchUserLookupService;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import jakarta.validation.Valid;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.MediaType;
@@ -37,6 +38,7 @@ import static org.springframework.http.HttpStatus.BAD_REQUEST;

@RestController
@RequestMapping("/api/channels/{broadcaster}")
+@SecurityRequirement(name = "twitchOAuth")
 public class ChannelApiController {
    private final ChannelDirectoryService channelDirectoryService;
    private final OAuth2AuthorizedClientService authorizedClientService;