diff --git a/backend/infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/security/SecurityConfig.kt b/backend/infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/security/SecurityConfig.kt
index 44a47bbe..42b4fddf 100644
--- a/backend/infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/security/SecurityConfig.kt
+++ b/backend/infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/security/SecurityConfig.kt
@@ -64,16 +64,18 @@ class SecurityConfig(
 if (delegate == null) {
 synchronized(this) {
 if (delegate == null) {
+ if (jwkSetUri.isBlank()) {
+ logger.error("JWK Set URI is missing – all authenticated requests will be rejected.")
+ return Mono.error(org.springframework.security.oauth2.jwt.BadJwtException("Identity Provider not configured"))
+ }
 try {
- if (jwkSetUri.isBlank()) {
- throw IllegalArgumentException("JWK Set URI is missing")
- }
 logger.info("Attempting to initialize JWT Decoder with URI: {}", jwkSetUri)
 delegate = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).build()
 logger.info("JWT Decoder successfully initialized.")
 } catch (e: Exception) {
 logger.warn("Could not initialize JWT Decoder: {}", e.message)
- return Mono.error(IllegalStateException("Identity Provider unavailable"))
+ // Throw BadJwtException so Spring Security returns 401, not 500 or passthrough
+ return Mono.error(org.springframework.security.oauth2.jwt.BadJwtException("Identity Provider unavailable: ${e.message}"))
 }
 }
 }
@@ -133,7 +135,7 @@ data class GatewaySecurityProperties(
 )
 data class CorsProperties(
- val allowedOriginPatterns: Set = setOf("http://localhost:*", "https://*.meldestelle.at"),
+ val allowedOriginPatterns: Set = setOf("http://localhost:*", "https://*.meldestelle.at", "https://*.mo-code.at"),
 val allowedMethods: Set = setOf("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"),
 val allowedHeaders: Set = setOf("*"),
 val exposedHeaders: Set = setOf("X-Correlation-ID"),
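Review bot: The new catch branch interpolates the raw exception text into the client-facing error, `BadJwtException("Identity Provider unavailable: ${e.message}")`, and Spring Security's resource-server entry point is likely to echo a BadJwtException message back to the unauthenticated caller in the `WWW-Authenticate` error_description, which would expose internal details such as the JWK endpoint host or connection failure reasons. Keep the detail in the log and send a fixed message: `logger.warn("Could not initialize JWT Decoder", e)` and `return Mono.error(BadJwtException("Identity Provider unavailable"))`; passing the exception object also preserves the stack trace that the current `e.message` log line drops. The double-checked locking on `delegate` is only correct if the field is declared `@Volatile`, which cannot be verified here because the declaration is outside the hunk. The enclosing decode function starts before and ends after this hunk.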