From 6de4d18cb2d6684bf7a3ed47ca698e8d7474d48d Mon Sep 17 00:00:00 2001
From: Brutus5000
Date: Thu, 17 Feb 2022 22:17:27 +0100
Subject: [PATCH] Fix parsing of access token in get parameter This is used by nodebb (passport) Fixes #562
---
 .../com/faforever/api/config/security/WebSecurityConfig.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
index 562f1ebf2..9048a2129 100644
--- a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
+++ b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
@@ -10,6 +10,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -26,6 +27,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { + final var bearerTokenResolver = new DefaultBearerTokenResolver(); + bearerTokenResolver.setAllowUriQueryParameter(true); + // @formatter:off http .csrf()
@@ -44,6 +48,7 @@ public boolean matches(HttpServletRequest request) {
 .cacheControl().disable()
 .and().formLogin().disable()
 .oauth2ResourceServer()
+ .bearerTokenResolver(bearerTokenResolver)
 .jwt()
 .jwtAuthenticationConverter(new FafAuthenticationConverter())
 .and()
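Review bot: `setAllowUriQueryParameter(true)` in the second hunk is set on the one resolver that the last hunk wires into `oauth2ResourceServer()`, so every endpoint behind this configuration will accept `?access_token=…`, not only the ones nodebb (passport) calls. Tokens carried in a URL tend to end up in access and proxy logs, browser history and Referer headers, and RFC 6750 §2.3 recommends this transport only where the Authorization header cannot be used. The context of the last hunk also shows `.cacheControl().disable()`, so responses to token-bearing URLs may be cacheable unless that is handled elsewhere. I would keep a header-only resolver as the default and delegate to the query-enabled one only for the paths that need it, as sketched below with a placeholder path, and make sure request logging redacts the `access_token` parameter. `configure` starts and ends outside the hunks shown.

```java
protected void configure(HttpSecurity http) throws Exception {
  final var headerOnlyResolver = new DefaultBearerTokenResolver();
  final var queryEnabledResolver = new DefaultBearerTokenResolver();
  queryEnabledResolver.setAllowUriQueryParameter(true);
  // PLACEHOLDER pattern: replace with the endpoint(s) nodebb/passport actually calls
  final var queryTokenPaths = new AntPathRequestMatcher("/PLACEHOLDER/**");
  final BearerTokenResolver bearerTokenResolver = request ->
    queryTokenPaths.matches(request)
      ? queryEnabledResolver.resolve(request)
      : headerOnlyResolver.resolve(request);
  // … unchanged: http.csrf() … .oauth2ResourceServer().bearerTokenResolver(bearerTokenResolver) …
```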