From ab240e42b09cc23a00db075f4f2b32d2b08394b3 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 27 Apr 2026 14:41:21 +0200
Subject: [PATCH] feat: add /api/account/** security config and MFA enforcement
 exemptions

Permit /settings/** SPA route, gate /api/account/** as authenticated,
and exempt account MFA/profile/password paths from MFA enforcement filter.
---
 .../net/siegeln/cameleer/saas/config/MfaEnforcementFilter.java | 3 +++
 .../java/net/siegeln/cameleer/saas/config/SecurityConfig.java  | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/java/net/siegeln/cameleer/saas/config/MfaEnforcementFilter.java b/src/main/java/net/siegeln/cameleer/saas/config/MfaEnforcementFilter.java
index 7e62c69..3b6cc07 100644
--- a/src/main/java/net/siegeln/cameleer/saas/config/MfaEnforcementFilter.java
+++ b/src/main/java/net/siegeln/cameleer/saas/config/MfaEnforcementFilter.java
@@ -26,6 +26,9 @@ public class MfaEnforcementFilter extends OncePerRequestFilter {
     private static final Logger log = LoggerFactory.getLogger(MfaEnforcementFilter.class);
     private static final Set<String> EXEMPT_PREFIXES = Set.of(
             "/api/tenant/mfa/",
+            "/api/account/mfa/",
+            "/api/account/profile",
+            "/api/account/password",
             "/api/config",
             "/api/me",
             "/api/onboarding",
diff --git a/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java b/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java
index c40cacb..298ffc0 100644
--- a/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java
+++ b/src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java
@@ -45,10 +45,11 @@ public class SecurityConfig {
                         .requestMatchers("/actuator/health").permitAll()
                         .requestMatchers("/api/config").permitAll()
                         .requestMatchers("/", "/index.html", "/login", "/register", "/callback",
-                                "/vendor/**", "/tenant/**", "/onboarding",
+                                "/vendor/**", "/tenant/**", "/onboarding", "/settings/**",
                                 "/environments/**", "/license", "/admin/**").permitAll()
                         .requestMatchers("/_app/**", "/assets/**", "/favicon.ico", "/favicon.svg", "/logo.svg", "/logo-dark.svg").permitAll()
                         .requestMatchers("/api/password-reset-notification").permitAll()
+                        .requestMatchers("/api/account/**").authenticated()
                         .requestMatchers("/api/onboarding/**").authenticated()
                         .requestMatchers("/api/vendor/**").hasAuthority("SCOPE_platform:admin")
                         .requestMatchers("/api/tenant/**").authenticated()