diff --git a/push-service/src/main/java/com/xuqm/push/config/SecurityConfig.java b/push-service/src/main/java/com/xuqm/push/config/SecurityConfig.java index 2711de5..d02c725 100644 --- a/push-service/src/main/java/com/xuqm/push/config/SecurityConfig.java +++ b/push-service/src/main/java/com/xuqm/push/config/SecurityConfig.java @@ -30,7 +30,15 @@ public class SecurityConfig { .csrf(AbstractHttpConfigurer::disable) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .authorizeHttpRequests(auth -> auth - .requestMatchers("/api/push/internal/**", "/api/push/auth/**", "/actuator/health", "/actuator/info").permitAll() + .requestMatchers( + "/api/push/internal/**", + "/api/push/auth/**", + "/api/push/register", // SDK device token registration — appKey+userId only, no JWT + "/api/push/unregister", // SDK device token removal — appKey+userId only, no JWT + "/api/push/receive-push", // SDK push opt-in/out — appKey+userId only, no JWT + "/actuator/health", + "/actuator/info" + ).permitAll() .anyRequest().authenticated() ) .exceptionHandling(ex -> ex