From 72ed811c77d74799a25718438a56ace1e091c131 Mon Sep 17 00:00:00 2001
From: Joep de Jong
Date: Mon, 27 May 2024 22:45:59 +0300
Subject: [PATCH] Merge cors rules
---
 src/main/java/ch/wisv/events/ChConnectConfiguration.java | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/main/java/ch/wisv/events/ChConnectConfiguration.java b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
index ce6ed2b6..d33fefb3 100644
--- a/src/main/java/ch/wisv/events/ChConnectConfiguration.java
+++ b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
@@ -70,9 +70,6 @@ public class ChConnectConfiguration {
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http
 .cors(Customizer.withDefaults())
- .csrf((csrf) -> csrf
- .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
- )
 .authorizeHttpRequests((authorize) -> authorize
 .requestMatchers("/administrator/**").hasRole("ADMIN")
 .requestMatchers("/", "/management/health").permitAll()
@@ -82,6 +79,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .logoutSuccessUrl("/")
 )
 .csrf(csrf -> csrf
+ .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
 .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
 .ignoringRequestMatchers("/api/v1/**")
 )
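Review bot: The merged `.csrf(...)` block in the second hunk combines three security-relevant settings without a comment saying why each is there, and the blanket `.ignoringRequestMatchers("/api/v1/**")` exemption is the one most in need of a stated reason. That exemption is only sound if `/api/v1/**` never authenticates through the browser session cookie; the authorization rules for that path are not in the visible hunks, so this should be confirmed. `CookieCsrfTokenRepository.withHttpOnlyFalse()` exposes the token cookie to page script, which is needed only when a JavaScript client echoes it in a header, and in that case `XorCsrfTokenRequestAttributeHandler` expects the masked token rather than the raw cookie value, so that path deserves a test. I would add above the block a comment such as `// CSRF: /api/v1/** is exempt because it authenticates with <mechanism>, not the session cookie; the token cookie is script-readable for <client>`. The subject line says "cors" although only CSRF configuration changes, and `filterChain` continues past the end of the hunk.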