From cacf02681bfdda7926379d37d58ad1a21e398e1a Mon Sep 17 00:00:00 2001
From: lrj <owen.stl@gmail.com>
Date: 星期六, 04 十月 2025 19:08:12 +0800
Subject: [PATCH] fix(auth): 对无 Authorization 的 GraphQL 请求默认匿名放行到解析层，避免 400/403；公开查询仍优先识别后放行

---
 backend/src/main/java/com/rongyichuang/auth/filter/JwtAuthenticationFilter.java |   23 +++++++++++++----------
 1 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/backend/src/main/java/com/rongyichuang/auth/filter/JwtAuthenticationFilter.java b/backend/src/main/java/com/rongyichuang/auth/filter/JwtAuthenticationFilter.java
index 3ad897d..e7a03b1 100644
--- a/backend/src/main/java/com/rongyichuang/auth/filter/JwtAuthenticationFilter.java
+++ b/backend/src/main/java/com/rongyichuang/auth/filter/JwtAuthenticationFilter.java
@@ -209,27 +209,30 @@
             // 鍏堟鏌uthorization澶达紝濡傛灉娌℃湁token锛屽啀妫�鏌ユ槸鍚︿负鍏紑鏌ヨ
             String authHeader = request.getHeader("Authorization");
             if (authHeader == null || !authHeader.startsWith("Bearer ")) {
-                logger.debug("GraphQL璇锋眰娌℃湁Authorization澶达紝妫�鏌ユ槸鍚︿负鍏紑鏌ヨ");
+                logger.debug("GraphQL璇锋眰娌℃湁Authorization澶达紝灏濊瘯鍒ゅ畾鏄惁涓哄叕寮�鏌ヨ");
                 
-                // 妫�鏌ユ槸鍚︿负鍏紑鏌ヨ
+                // 灏濊瘯鍒ゅ畾鍏紑鏌ヨ锛涘鏋滆兘纭畾鏄叕寮�鏌ヨ鍒欐斁琛�
                 if (isPublicGraphQLQuery(wrappedRequest)) {
                     logger.debug("妫�娴嬪埌鍏紑GraphQL鏌ヨ锛屽厑璁稿尶鍚嶈闂�");
-                    
-                    // 璁剧疆鍖垮悕璁よ瘉锛岃Spring Security鐭ラ亾杩欐槸涓�涓凡璁よ瘉鐨勫尶鍚嶇敤鎴�
                     AnonymousAuthenticationToken anonymousAuth = new AnonymousAuthenticationToken(
-                        "anonymous", 
-                        "anonymous", 
+                        "anonymous",
+                        "anonymous",
                         Arrays.asList(new SimpleGrantedAuthority("ROLE_ANONYMOUS"))
                     );
                     SecurityContextHolder.getContext().setAuthentication(anonymousAuth);
-                    logger.debug("涓哄叕寮�GraphQL鏌ヨ璁剧疆鍖垮悕璁よ瘉");
-                    
                     filterChain.doFilter(wrappedRequest, response);
                     return;
                 }
                 
-                logger.warn("GraphQL璇锋眰缂哄皯鏈夋晥鐨凙uthorization澶翠笖涓嶆槸鍏紑鏌ヨ");
-                sendUnauthorizedResponse(response);
+                // 鏃犳硶鍙潬璇诲彇/鍒ゅ畾璇锋眰浣撴椂锛岄粯璁や互鍖垮悕韬唤鏀捐鍒癎raphQL灞傦紝鐢卞悇Resolver鑷杩涜鏉冮檺鏍￠獙
+                logger.debug("鏃犳硶鍙潬鍒ゅ畾鏄惁涓哄叕寮�鏌ヨ锛岃缃尶鍚嶈璇佸苟浜ょ敱GraphQL灞傚鐞�");
+                AnonymousAuthenticationToken anonymousAuth = new AnonymousAuthenticationToken(
+                    "anonymous",
+                    "anonymous",
+                    Arrays.asList(new SimpleGrantedAuthority("ROLE_ANONYMOUS"))
+                );
+                SecurityContextHolder.getContext().setAuthentication(anonymousAuth);
+                filterChain.doFilter(wrappedRequest, response);
                 return;
             }
             

--
Gitblit v1.8.0