From 338ea61612c918ebf190e5e7af63c2246fc7dad1 Mon Sep 17 00:00:00 2001
From: Dominick Leppich
Date: Thu, 5 Sep 2024 11:54:34 +0200
Subject: [PATCH] fix: deny access by default and remove default access token
---
 .../goobi/vocabulary/security/BearerTokenAuthFilter.java | 8 ++++++--
 module-core/src/main/resources/application.properties | 8 +++++---
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/module-core/src/main/java/io/goobi/vocabulary/security/BearerTokenAuthFilter.java b/module-core/src/main/java/io/goobi/vocabulary/security/BearerTokenAuthFilter.java
index 69335ba..62b0f4c 100644
--- a/module-core/src/main/java/io/goobi/vocabulary/security/BearerTokenAuthFilter.java
+++ b/module-core/src/main/java/io/goobi/vocabulary/security/BearerTokenAuthFilter.java
@@ -19,10 +19,10 @@
 @Component
 public class BearerTokenAuthFilter extends OncePerRequestFilter {
- @Value("${security.token}")
+ @Value("${security.token:#{null}")
 private String secretToken;
- @Value("${security.anonymous.read-allowed}")
+ @Value("${security.anonymous.read-allowed:false}")
 private boolean anonymousReadAllowed;
 @Bean
@@ -64,6 +64,10 @@ private boolean isPublic(HttpServletRequest request) {
 }
 private boolean isTokenValid(String accessToken) {
+ // If secret token is not set, deny
+ if (secretToken == null) {
+ return false;
+ }
 return secretToken.equals(accessToken);
 }
 }
diff --git a/module-core/src/main/resources/application.properties b/module-core/src/main/resources/application.properties
index e419564..d368c74 100644
--- a/module-core/src/main/resources/application.properties
+++ b/module-core/src/main/resources/application.properties
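Review bot: The new default on the `secretToken` field is unbalanced: `@Value("${security.token:#{null}")` opens both `${` and `#{` but closes only one of them, so Spring's placeholder resolver most likely does not recognise a placeholder at all and the field ends up holding a non-null literal string instead of null. That would make the null guard added to `isTokenValid` in the second hunk dead code, and the filter would then accept a fixed, non-secret value as the bearer token whenever the property is left unset. The line should read `@Value("${security.token:#{null}}")`. A short startup check that logs a warning when `secretToken` is null would make an unconfigured deployment visible instead of silently denying everything.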
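Review bot: `isTokenValid` still compares the configured secret with `String.equals`, which returns as soon as the first differing character is found; for a bearer-token check a length-independent comparison such as `MessageDigest.isEqual` over the UTF-8 bytes is the usual choice, and `accessToken` should be null-checked alongside `secretToken` before any byte conversion. Whether the new `secretToken == null` guard ever fires depends on the `@Value` default in the first hunk actually resolving to null. The rewrite below needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported at the top of the file, which is outside this hunk.
```java
private boolean isTokenValid(String accessToken) {
    // Deny when no token is configured or none was presented.
    if (secretToken == null || accessToken == null) {
        return false;
    }
    // Length-independent comparison so the check does not leak where the first mismatch is.
    return MessageDigest.isEqual(
            secretToken.getBytes(StandardCharsets.UTF_8),
            accessToken.getBytes(StandardCharsets.UTF_8));
}
```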
@@ -3,10 +3,12 @@
 # Security
 # Only listen on local address. Remove this line, if you want to open the vocabulary server to the public.
-# ATTENTION: Currently, there is no security in the vocabulary server. Every caller of the API can do anything!
 #server.address=127.0.0.1
-security.token=secret
-security.anonymous.read-allowed=false
+
+ # Set a security token! If not set, you won't be able to make modifying API calls
+#security.token=secret
+ # Control anonymous read operations. If set to false or not set, anonymous readers will not get access
+#security.anonymous.read-allowed=true
 # Basic configuration
 # The port the vocabulary server should listen on
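Review bot: The new comment above `#security.token` says an unset token only blocks modifying API calls, but with the filter change in this patch an unset token makes `isTokenValid` reject every presented bearer token, so any request that is not treated as public is denied; which requests count as public is decided by `isPublic`, outside this patch. Suggest `# Set a security token! If not set, every request that requires a token is denied` so operators are not surprised by failing reads.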