omerada
diff --git a/‎api-gateway/src/main/java/com/craftpilot/apigateway/config/CorsConfiguration.java‎
Lines changed: 0 additions & 67 deletions b/‎api-gateway/src/main/java/com/craftpilot/apigateway/config/CorsConfiguration.java‎
Lines changed: 0 additions & 67 deletions
diff --git a/‎api-gateway/src/main/java/com/craftpilot/apigateway/config/SecurityConfig.java‎
Lines changed: 60 additions & 0 deletions b/‎api-gateway/src/main/java/com/craftpilot/apigateway/config/SecurityConfig.java‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎api-gateway/src/main/java/com/craftpilot/apigateway/config/SecurityConfiguration.java‎
Lines changed: 0 additions & 68 deletions b/‎api-gateway/src/main/java/com/craftpilot/apigateway/config/SecurityConfiguration.java‎
Lines changed: 0 additions & 68 deletions
diff --git a/‎api-gateway/src/main/java/com/craftpilot/apigateway/controller/FallbackController.java‎
Lines changed: 0 additions & 54 deletions b/‎api-gateway/src/main/java/com/craftpilot/apigateway/controller/FallbackController.java‎
Lines changed: 0 additions & 54 deletions
diff --git a/‎api-gateway/src/main/java/com/craftpilot/apigateway/security/RouteMetadataAuthorizationManager.java‎
Lines changed: 31 additions & 28 deletions b/‎api-gateway/src/main/java/com/craftpilot/apigateway/security/RouteMetadataAuthorizationManager.java‎
Lines changed: 31 additions & 28 deletions
diff --git a/‎api-gateway/src/main/java/com/craftpilot/apigateway/security/SecurityConstants.java‎
Lines changed: 2 additions & 1 deletion b/‎api-gateway/src/main/java/com/craftpilot/apigateway/security/SecurityConstants.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api-gateway/src/main/resources/application.yml‎
Lines changed: 6 additions & 10 deletions b/‎api-gateway/src/main/resources/application.yml‎
Lines changed: 6 additions & 10 deletions
@@ -0,0 +1,60 @@
+package com.craftpilot.apigateway.config;
+
+import com.craftpilot.apigateway.security.FirebaseAuthenticationFilter;
+import jakarta.ws.rs.HttpMethod;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.Arrays;
+
+@Configuration
+@EnableWebFluxSecurity
+@RequiredArgsConstructor
+public class SecurityConfig {
+    
+    private final FirebaseAuthenticationFilter firebaseAuthenticationFilter;
+
+    @Bean
+    @Order(Ordered.HIGHEST_PRECEDENCE)
+    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+        return http
+            .csrf(ServerHttpSecurity.CsrfSpec::disable)
+            .cors(cors -> cors.configurationSource(corsConfigurationSource())) // CORS yapılandırması buraya taşındı
+            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
+            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
+            .authorizeExchange(exchanges -> exchanges
+                .pathMatchers(HttpMethod.OPTIONS).permitAll()
+                .pathMatchers(SecurityConstants.PUBLIC_PATHS.toArray(new String[0])).permitAll()
+                .anyExchange().access(new RouteMetadataAuthorizationManager())
+            )
+            .addFilterAt(firebaseAuthenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
+            .build();
+    }
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowCredentials(true);
+        config.setAllowedOriginPatterns(Arrays.asList(
+            "http://localhost:*",
+            "https://*.craftpilot.io",
+            "https://craftpilot.io"
+        ));
+        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
+        config.setAllowedHeaders(Arrays.asList("*"));
+        config.setMaxAge(3600L);
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", config);
+        return source;
+    }
+}
@@ -1,49 +1,52 @@
-package com.craftpilot.apigateway.security;
-
-import org.springframework.cloud.gateway.route.Route;
-import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
-import org.springframework.http.HttpMethod;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.ReactiveAuthorizationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.web.server.authorization.AuthorizationContext;
-import org.springframework.web.server.ServerWebExchange;
-import reactor.core.publisher.Mono;
-
-import java.util.List;
-import java.util.Map;
-
+@Slf4j
+@Component
 public class RouteMetadataAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
-
+    
     @Override
     public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext context) {
         ServerWebExchange exchange = context.getExchange();
         Route route = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR);
 
         if (route == null) {
+            log.debug("No route found for path: {}", exchange.getRequest().getPath());
             return Mono.just(new AuthorizationDecision(false));
         }
 
         Map<String, Object> metadata = route.getMetadata();
         boolean secured = metadata.containsKey("secured") ? (boolean) metadata.get("secured") : true;
-        List<String> allowedMethods = (List<String>) metadata.getOrDefault("methods", List.of("GET", "POST", "PUT", "DELETE"));
-        List<String> requiredRoles = (List<String>) metadata.getOrDefault("roles", List.of("USER"));
+        
+        if (!secured || SecurityConstants.isPublicPath(exchange.getRequest().getPath().value())) {
+            return Mono.just(new AuthorizationDecision(true));
+        }
 
         return authentication
+            .filter(Authentication::isAuthenticated)
             .map(auth -> {
-                if (!secured) return true;
-                
-                // HTTP metod kontrolü
+                // Method kontrolü
                 String requestMethod = exchange.getRequest().getMethod().name();
-                if (!allowedMethods.contains(requestMethod)) return false;
+                List<String> allowedMethods = (List<String>) metadata.getOrDefault("methods", 
+                    Arrays.asList("GET", "POST", "PUT", "DELETE"));
+                
+                if (!allowedMethods.contains(requestMethod)) {
+                    log.debug("Method {} not allowed for path {}", requestMethod, exchange.getRequest().getPath());
+                    return false;
+                }
 
                 // Rol kontrolü
-                boolean hasRequiredRole = auth.getAuthorities().stream()
-                    .anyMatch(a -> requiredRoles.contains(a.getAuthority().replace("ROLE_", "")));
-                
-                return hasRequiredRole;
+                List<String> requiredRoles = (List<String>) metadata.getOrDefault("roles", List.of("USER"));
+                boolean hasRole = auth.getAuthorities().stream()
+                    .map(GrantedAuthority::getAuthority)
+                    .map(role -> role.replace("ROLE_", ""))
+                    .anyMatch(requiredRoles::contains);
+
+                if (!hasRole) {
+                    log.debug("User {} does not have required roles {} for path {}", 
+                        auth.getName(), requiredRoles, exchange.getRequest().getPath());
+                }
+
+                return hasRole;
             })
-            .map(AuthorizationDecision::new)
-            .defaultIfEmpty(new AuthorizationDecision(false));
+            .defaultIfEmpty(false)
+            .map(AuthorizationDecision::new);
     }
 }
@@ -14,7 +14,8 @@ public class SecurityConstants {
         "/subscription-plans/public/**",
         "/docs/**",
         "/swagger-ui/**",
-        "/v3/api-docs/**"
+        "/v3/api-docs/**",
+        "/favicon.ico"
     );
 
     public static boolean isPublicPath(String path) {
 
@@ -86,11 +86,11 @@ spring:
           predicates:
             - Path=/ai/**
           metadata:
-            connect-timeout: 120000
-            response-timeout: 120000
             secured: true
-            methods: [POST, GET]
             roles: [USER, ADMIN]
+            methods: [GET, POST]
+            connect-timeout: 120000
+            response-timeout: 120000
           filters:
             - name: CircuitBreaker
               args:
@@ -102,8 +102,10 @@ spring:
                 replacement: "/${segment}"
             - AddRequestHeader=Content-Type, application/json
             - AddRequestHeader=Accept, text/event-stream
-            - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
             - PreserveHostHeader
+            - name: RequestSize # LLM istekleri için özel boyut limiti
+              args:
+                maxSize: 50MB
 
         - id: image-service
           uri: lb://image-service
@@ -320,9 +322,3 @@ spring.sleuth:
     correlation-enabled: true
     remote-fields: x-request-id
     local-fields: country-code,user-id
-
-cors:
-  allowed-origins: ${ALLOWED_ORIGINS:http://localhost:3000,http://localhost:5173,https://craftpilot.io,https://*.craftpilot.io}
-  allowed-methods: GET,POST,PUT,DELETE,OPTIONS,PATCH
-  max-age: 3600
-  allow-credentials: true