fix(file-service): restrict file-serving permitAll to GET requests only

Upload endpoint (POST) was inadvertently matched by the method-less requestMatchers("/api/file/*") rule. Making it GET-only makes the intent explicit and ensures upload correctly requires a valid JWT. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 14:11:56 +08:00 · 2026-05-18 14:11:56 +08:00 · 623656648e
--- a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
+++ b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
@ -36,12 +36,12 @@ public class SecurityConfig {
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-                // Public: serve files by hash and thumbnails
-                .requestMatchers("/api/file/*/thumbnail").permitAll()
-                .requestMatchers("/api/file/*").permitAll()
+                // Public: serve files by hash and thumbnails (GET only — upload requires auth)
+                .requestMatchers(HttpMethod.GET, "/api/file/*/thumbnail").permitAll()
+                .requestMatchers(HttpMethod.GET, "/api/file/*").permitAll()
                // Actuator health & info
                .requestMatchers("/actuator/**").permitAll()
-                // Upload requires authentication
+                // Everything else (including POST /api/file/upload) requires authentication
                .anyRequest().authenticated()
            )
            .exceptionHandling(ex -> ex