From 61b79465cd34bea98fd8420cd638a247a3ffa59a Mon Sep 17 00:00:00 2001
From: XuqmGroup
Date: Mon, 18 May 2026 14:49:37 +0800
Subject: [PATCH] fix(file-service): restore public upload by explicitly allowing POST /api/file/upload
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous commit (GET-only permitAll) inadvertently broke upload by requiring auth. The original design intentionally allows unauthenticated upload — explicitly permit POST /api/file/upload to make this clear.
Co-Authored-By: Claude Sonnet 4.6
---
 .../main/java/com/xuqm/file/config/SecurityConfig.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
index f9792da..e92ea85 100644
--- a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
+++ b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
@@ -36,12 +36,12 @@ public class SecurityConfig {
 .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
 .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
- // Public: serve files by hash and thumbnails (GET only — upload requires auth)
- .requestMatchers(HttpMethod.GET, "/api/file/*/thumbnail").permitAll()
- .requestMatchers(HttpMethod.GET, "/api/file/*").permitAll()
+ // Public: file upload and serving by hash (upload is intentionally public)
+ .requestMatchers("/api/file/upload").permitAll()
+ .requestMatchers("/api/file/*/thumbnail").permitAll()
+ .requestMatchers("/api/file/*").permitAll()
 // Actuator health & info
 .requestMatchers("/actuator/**").permitAll()
- // Everything else (including POST /api/file/upload) requires authentication
 .anyRequest().authenticated()
 )
 .exceptionHandling(ex -> ex
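Review bot: The three new matchers drop the `HttpMethod` argument, so `permitAll()` now covers every HTTP method on `/api/file/upload`, `/api/file/*/thumbnail` and `/api/file/*`, not only the POST upload the commit message describes; any PUT or DELETE handler mapped under `/api/file/{x}` (none is visible here) would be reachable without authentication. The method-less `/api/file/*` pattern also already matches `/api/file/upload`, so the first matcher adds nothing as written. Scope each rule to the method it is meant for: `.requestMatchers(HttpMethod.POST, "/api/file/upload").permitAll()`, and keep `HttpMethod.GET` on the thumbnail and `/api/file/*` rules as they were before. Because upload is anonymous by design, the comment should also say where size, content-type and rate limits are enforced, since none appear in this hunk. The enclosing filter-chain method starts and ends outside the hunk.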