From a1acc0bc6212d731ddfa705c755956c6f390fedd Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 10 Apr 2026 13:15:08 +0200
Subject: [PATCH] fix: permit SPA routes /vendor/** and /tenant/** for direct
 navigation

Without this, hard refresh on SPA routes returns 401 because Spring
Security intercepts before SpaController can forward to index.html.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../java/net/siegeln/cameleer/saas/config/SecurityConfig.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java b/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java
index 7c0ef64..e694b6f 100644
--- a/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java
+++ b/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java
@@ -44,6 +44,7 @@ public class SecurityConfig {
                         .requestMatchers("/actuator/health").permitAll()
                         .requestMatchers("/api/config").permitAll()
                         .requestMatchers("/", "/index.html", "/login", "/callback",
+                                "/vendor/**", "/tenant/**",
                                 "/environments/**", "/license", "/admin/**").permitAll()
                         .requestMatchers("/_app/**", "/favicon.ico", "/favicon.svg", "/logo.svg", "/logo-dark.svg").permitAll()
                         .requestMatchers("/api/vendor/**").hasAuthority("SCOPE_platform:admin")