
Permit unauthenticated access to health/info/prometheus actuator endpoints #1138

Merged: Brutus5000 merged 2 commits into develop from fix/actuator-security-sb4 on Jun 14, 2026

Conversation

Brutus5000 (Member) commented Jun 14, 2026

Summary

  • Spring Boot 4 applies the application's SecurityFilterChain to the management port, so the existing anyRequest().authenticated() rule made /actuator/health return 401 and broke the prod deployment's healthcheck.
  • Permit health, info, and prometheus via EndpointRequest.to(...); other exposed endpoints (env, beans, …) still require authentication.

Test plan

  • Deploy to prod and confirm the healthcheck on the management port (8011) succeeds
  • curl http://<host>:8011/actuator/health returns 200 without credentials
  • curl http://<host>:8011/actuator/env still returns 401

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the security configuration to allow unauthenticated access to operational endpoints, including service health, basic info, and Prometheus metrics. This improves observability and simplifies status/monitoring checks without requiring login.
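The rule the summary describes, written out as an added illustration rather than the project's own WebSecurityConfig: the three operational endpoints are matched with EndpointRequest.to(...) and permitted, and everything else, including the other exposed actuator endpoints such as env and beans, falls through to anyRequest().authenticated(). The EndpointRequest import path is the Spring Boot 4 location given in this PR's second commit message; the class name, the httpBasic() entry point (the page does not say which authentication mechanism produces the 401) and the port numbers in the comments are assumptions for the example.

```java
package com.faforever.api.config.security;

// Spring Boot 4 package for EndpointRequest (moved here from
// org.springframework.boot.actuate.autoconfigure.security.servlet, per the PR).
import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Example security configuration (hypothetical class name, not the project's
 * WebSecurityConfig). In Spring Boot 4 this single SecurityFilterChain is also
 * applied to the management port (8011 in the PR's test plan), so any rule that
 * authenticates everything will also lock out the healthcheck.
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurityExampleConfig {

  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            // Operational endpoints a load balancer / Prometheus scraper must
            // reach without credentials. EndpointRequest resolves the real
            // paths for us, so this still works if management.endpoints.web
            // base-path or per-endpoint path mappings are changed.
            .requestMatchers(EndpointRequest.to("health", "info", "prometheus")).permitAll()
            // Everything else, including other exposed actuator endpoints such
            // as /actuator/env and /actuator/beans, still requires a login.
            .anyRequest().authenticated())
        // Assumption: HTTP Basic as the entry point. Whatever mechanism the
        // real application uses, an anonymous request to a protected
        // endpoint is answered with 401, which is what the test plan checks.
        .httpBasic(Customizer.withDefaults());
    return http.build();
  }
}
```

Order matters: the permitAll() matcher has to precede anyRequest(), because Spring Security evaluates authorization rules top to bottom and stops at the first match. Keeping the permitted set to exactly health, info and prometheus is the point of the change; env in particular exposes configuration and environment variables and must stay behind authentication, which is what the second curl in the test plan verifies.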

…oints

Spring Boot 4 applies the application's SecurityFilterChain to the
management port, so the existing anyRequest().authenticated() rule
caused /actuator/health to return 401 and broke prod healthchecks.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
coderabbitai (Bot) commented Jun 14, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ab5afdd5-1f33-40d2-bc25-7bfcee20df3e

📥 Commits

Reviewing files that changed from the base of the PR and between d92bbdc and 6f95c8b.

📒 Files selected for processing (1)
  • src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/main/java/com/faforever/api/config/security/WebSecurityConfig.java

📝 Walkthrough

WebSecurityConfig gains an import for Spring Boot Actuator's EndpointRequest and a new HTTP authorization rule that grants unauthenticated (permitAll) access to the health, info, and prometheus Actuator endpoints. All other security rules remain unchanged.

Changes

Actuator Endpoint Security Rules

Layer: Permit Actuator endpoints in WebSecurityConfig
File(s): src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
Summary: Imports EndpointRequest and adds a permitAll() authorization rule for the health, info, and prometheus Actuator endpoints.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hop, hop, the metrics are free,
No token required for health to see!
prometheus scrapes without a fuss,
info and health — no auth for us.
The rabbit says: let monitors in! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and accurately summarizes the main change: permitting unauthenticated access to specific actuator endpoints (health, info, prometheus).
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


EndpointRequest moved from
org.springframework.boot.actuate.autoconfigure.security.servlet
to org.springframework.boot.security.autoconfigure.actuate.web.servlet
in Spring Boot 4.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brutus5000 merged commit 52dd19e into develop on Jun 14, 2026 (4 checks passed)
Brutus5000 deleted the fix/actuator-security-sb4 branch on June 14, 2026 at 07:20