fix(back-end): implementation of security better

This commit is contained in:
2026-03-03 10:11:12 +01:00
parent c0d6b480c1
commit 654aa775db
8 changed files with 32 additions and 3 deletions


@@ -2,12 +2,12 @@ package com.printcalculator;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.EnableAsync;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.transaction.annotation.EnableTransactionManagement;
@SpringBootApplication
@SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class})
@EnableTransactionManagement
@EnableScheduling
@EnableAsync
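Review bot: The `exclude = {UserDetailsServiceAutoConfiguration.class}` added to the `@SpringBootApplication` line is undocumented, and its effect is easy to misread later: Spring Boot stops creating the in-memory default `user` (and stops printing a generated password at startup), which is only safe because the application supplies its own admin authentication — presumably the session-based scheme referenced by `admin.session.secret` in `application.properties`. A one-line comment would pin the reason: `// No auto-configured default user: admin authentication is provided by SecurityConfig and the admin session mechanism.`. The class declaration that these annotations apply to lies outside the hunk.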


@@ -29,6 +29,8 @@ public class SecurityConfig {
.logout(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.requestMatchers("/actuator/health", "/actuator/health/**").permitAll()
.requestMatchers("/actuator/**").denyAll()
.requestMatchers("/api/admin/auth/login").permitAll()
.requestMatchers("/api/admin/**").authenticated()
.anyRequest().permitAll()
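Review bot: The new `/actuator/health`, `/actuator/health/**` and `/actuator/**` matchers hard-code the default management base path, so if `management.endpoints.web.base-path` is ever changed the `denyAll` rule silently matches nothing and the remaining `.anyRequest().permitAll()` opens every endpoint. Spring Boot's `EndpointRequest` matchers follow the actuator configuration instead: `.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()` followed by `.requestMatchers(EndpointRequest.toAnyEndpoint()).denyAll()`. Whichever form is kept, the order is load-bearing because the first matching rule wins, and a comment such as `// First match wins: keep the health permitAll above the catch-all actuator denyAll` protects it from a later reordering. The `authorizeHttpRequests` lambda and the enclosing filter-chain method begin and end outside this hunk.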


@@ -97,7 +97,7 @@ public class QuoteSessionController {
session.setExpiresAt(OffsetDateTime.now().plusDays(30));
var policy = pricingRepo.findFirstByIsActiveTrueOrderByValidFromDesc();
session.setSetupCostChf(policy != null ? policy.getFixedJobFeeChf() : BigDecimal.ZERO);
session.setSetupCostChf(quoteCalculator.calculateSessionSetupFee(policy));
session = sessionRepo.save(session);
return ResponseEntity.ok(session);


@@ -21,6 +21,8 @@ import java.util.List;
@Service
public class QuoteCalculator {
private static final BigDecimal SETUP_FEE_DOUBLE_THRESHOLD_CHF = BigDecimal.TEN;
private static final BigDecimal SETUP_FEE_MULTIPLIER_BELOW_THRESHOLD = BigDecimal.valueOf(2);
private final PricingPolicyRepository pricingRepo;
private final PricingPolicyMachineHourTierRepository tierRepo;
@@ -111,6 +113,21 @@ public class QuoteCalculator {
return rawCost.multiply(markupFactor).setScale(2, RoundingMode.HALF_UP);
}
public BigDecimal calculateSessionSetupFee(PricingPolicy policy) {
if (policy == null || policy.getFixedJobFeeChf() == null) {
return BigDecimal.ZERO.setScale(2, RoundingMode.HALF_UP);
}
BigDecimal baseSetupFee = policy.getFixedJobFeeChf();
if (baseSetupFee.compareTo(SETUP_FEE_DOUBLE_THRESHOLD_CHF) < 0) {
return baseSetupFee
.multiply(SETUP_FEE_MULTIPLIER_BELOW_THRESHOLD)
.setScale(2, RoundingMode.HALF_UP);
}
return baseSetupFee.setScale(2, RoundingMode.HALF_UP);
}
private BigDecimal calculateMachineCost(PricingPolicy policy, BigDecimal hours) {
List<PricingPolicyMachineHourTier> tiers = tierRepo.findAllByPricingPolicyOrderByTierStartHoursAsc(policy);
if (tiers.isEmpty()) {
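Review bot: `calculateSessionSetupFee` is non-monotonic in the configured fee: with `SETUP_FEE_DOUBLE_THRESHOLD_CHF` at `BigDecimal.TEN` and the multiplier at 2, a `fixedJobFeeChf` of 9.99 comes back as 19.98 while 10.00 comes back unchanged, so a slightly lower configured fee produces a higher charge. If the intent is a minimum charge for small jobs, `baseSetupFee.max(SETUP_FEE_DOUBLE_THRESHOLD_CHF).setScale(2, RoundingMode.HALF_UP)` expresses that without the cliff; if doubling really is the business rule, the threshold semantics need to be stated explicitly. A negative `fixedJobFeeChf` is also doubled rather than rejected; whether the repository can hold one is not visible here. The public method has no Javadoc — one stating that it returns the policy's fixed job fee at scale 2, zero when the policy or its fee is absent, and doubled when below the threshold constant would let the `QuoteSessionController` caller rely on the contract without reading the body. `calculateMachineCost` on the last lines continues outside the hunk.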


@@ -7,6 +7,7 @@ spring.datasource.username=${DB_USERNAME:printcalc}
spring.datasource.password=${DB_PASSWORD:printcalc_secret}
spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.open-in-view=false
# Slicer Configuration
@@ -47,3 +48,6 @@ admin.password=${ADMIN_PASSWORD}
admin.session.secret=${ADMIN_SESSION_SECRET}
admin.session.ttl-minutes=${ADMIN_SESSION_TTL_MINUTES:480}
admin.auth.trust-proxy-headers=${ADMIN_AUTH_TRUST_PROXY_HEADERS:false}
# Expose only liveness endpoint by default.
management.endpoints.web.exposure.include=health