From 9c9cb3ca75a21e3035ac77dbe135ac87ea9202c3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Mar 2026 11:44:32 +0000
Subject: [PATCH 1/3] Initial plan

From a0fb32825d85a21dbebf690c3777029e183f5ab5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Mar 2026 11:53:12 +0000
Subject: [PATCH 2/3] Fix 403 Forbidden: explicitly set CSRF cookie path and add env var properties

Co-authored-by: vitorhugo-java <65777252+vitorhugo-java@users.noreply.github.com>
---
 .../java/com/espacogeek/geek/config/SecurityConfig.java | 2 +-
 src/main/resources/application.properties | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/espacogeek/geek/config/SecurityConfig.java b/src/main/java/com/espacogeek/geek/config/SecurityConfig.java
index 6f0cbddf..20477f7e 100644
--- a/src/main/java/com/espacogeek/geek/config/SecurityConfig.java
+++ b/src/main/java/com/espacogeek/geek/config/SecurityConfig.java
@@ -23,7 +23,6 @@ import org.springframework.web.cors.CorsConfiguration;
 import com.espacogeek.geek.services.impl.UserDetailsServiceImpl;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import java.util.Arrays;
 import java.util.List;
@@ -80,6 +79,7 @@ public SecurityFilterChain configure(HttpSecurity http) throws Exception {
 var authenticationManager = authenticationManagerBuilder.build();
 var csrfRepo = CookieCsrfTokenRepository.withHttpOnlyFalse();
+ csrfRepo.setCookiePath("/");
 if (!csrfCookieDomain.isBlank()) {
 csrfRepo.setCookieDomain(csrfCookieDomain);
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index f3710b8a..dc85df72 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
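Review bot: The added `csrfRepo.setCookiePath("/");` widens the XSRF-TOKEN cookie to every path, and the `setCookieDomain` branch right below it shares it with every subdomain, yet nothing in this hunk marks the cookie `Secure`; by default `CookieCsrfTokenRepository` derives that flag from `request.isSecure()`, which is false behind a TLS-terminating proxy unless forwarded headers are honoured, and a cookie with `SameSite=None` (the value the new `security.csrf.cookie-same-site` comment in the application.properties hunk of this patch suggests for cross-site use) is discarded by browsers when it is not also `Secure`. Unless this is already handled in the part of `configure` outside the hunk, add `csrfRepo.setSecure(true);` next to the path call, gated on the same non-local condition the domain uses if local development runs over plain HTTP. The properties comment for `security.csrf.cookie-same-site` could carry the same caveat: `# SameSite=None is only accepted by browsers when the cookie is also marked Secure (HTTPS).`. The enclosing method continues past the end of the hunk.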
@@ -40,6 +40,13 @@ security.jwt.cookie-path=/
 security.jwt.same-site-when-same-site=${SAMESITE_WHEN_SAME_SITE:Lax}
 security.jwt.expiration-ms=${JWT_EXPIRATION_MS:604800000}
+# CSRF cookie domain: set to .espacogeek.com in production so that the XSRF-TOKEN cookie
+# is accessible to both api.espacogeek.com (backend) and espacogeek.com (frontend).
+# Leave blank for local development.
+security.csrf.cookie-domain=${CSRF_COOKIE_DOMAIN:}
+# CSRF cookie SameSite attribute (e.g., None for cross-site, Lax for same-site).
+security.csrf.cookie-same-site=${CSRF_COOKIE_SAME_SITE:}
+
 # ===== Email Configuration =====
 spring.mail.host=${MAIL_HOST:smtp.gmail.com}
 spring.mail.port=${MAIL_PORT:587}

From 05692dcd66f4fe77c397c04ca73f97921c46ac58 Mon Sep 17 00:00:00 2001
From: Vitor Hugo
Date: Fri, 13 Mar 2026 12:05:59 +0000
Subject: [PATCH 3/3] utilizing env existin

---
 src/main/resources/application.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index dc85df72..fdf5e08e 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -43,9 +43,9 @@ security.jwt.expiration-ms=${JWT_EXPIRATION_MS:604800000}
 # CSRF cookie domain: set to .espacogeek.com in production so that the XSRF-TOKEN cookie
 # is accessible to both api.espacogeek.com (backend) and espacogeek.com (frontend).
 # Leave blank for local development.
-security.csrf.cookie-domain=${CSRF_COOKIE_DOMAIN:}
+security.csrf.cookie-domain=${SECURITY_CSRF_COOKIE_DOMAIN:}
 # CSRF cookie SameSite attribute (e.g., None for cross-site, Lax for same-site).
-security.csrf.cookie-same-site=${CSRF_COOKIE_SAME_SITE:}
+security.csrf.cookie-same-site=${SECURITY_CSRF_COOKIE_SAME_SITE:}
 # ===== Email Configuration =====
 spring.mail.host=${MAIL_HOST:smtp.gmail.com}