Enhance swagger configuration

src/main/java/run/halo/app/config/SwaggerConfiguration.java

@@ -8,11 +8,13 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.domain.Sort;
+import org.springframework.http.HttpHeaders;
 import org.springframework.lang.NonNull;
 import org.springframework.util.Assert;
 import org.springframework.web.bind.annotation.RequestMethod;
 import run.halo.app.config.properties.HaloProperties;
 import run.halo.app.model.entity.User;
+import run.halo.app.security.filter.AdminAuthenticationFilter;
 import run.halo.app.security.support.UserDetail;
 import springfox.documentation.builders.*;
 import springfox.documentation.schema.AlternateTypeRule;
@@ -66,6 +68,8 @@ public class SwaggerConfiguration {
         return buildApiDocket("run.halo.app.content.api",
                 "run.halo.app.controller.content.api",
                 "/api/**")
+                .securitySchemes(portalApiKeys())
+                .securityContexts(portalSecurityContext())
                 .enable(!haloProperties.isDocDisabled());
     }
 
@@ -76,6 +80,8 @@ public class SwaggerConfiguration {
         return buildApiDocket("run.halo.app.admin",
                 "run.halo.app.controller.admin",
                 "/api/admin/**")
+                .securitySchemes(adminApiKeys())
+                .securityContexts(adminSecurityContext())
                 .enable(!haloProperties.isDocDisabled());
     }
 
@@ -104,8 +110,6 @@ public class SwaggerConfiguration {
                 .paths(PathSelectors.ant(antPattern))
                 .build()
                 .apiInfo(apiInfo())
-                .securitySchemes(Collections.singletonList(apiKeys()))
-                .securityContexts(Collections.singletonList(securityContext()))
                 .useDefaultResponseMessages(false)
                 .globalResponseMessage(RequestMethod.GET, globalResponses)
                 .globalResponseMessage(RequestMethod.POST, globalResponses)
@@ -114,15 +118,36 @@ public class SwaggerConfiguration {
                 .directModelSubstitute(Temporal.class, String.class);
     }
 
-    private ApiKey apiKeys() {
-        return new ApiKey("TOKEN ACCESS", TOKEN_HEADER, In.HEADER.name());
+    private List<ApiKey> adminApiKeys() {
+        return Arrays.asList(
+                new ApiKey("Token from header", AdminAuthenticationFilter.ADMIN_TOKEN_HEADER_NAME, In.HEADER.name()),
+                new ApiKey("Token from query", AdminAuthenticationFilter.ADMIN_TOKEN_QUERY_NAME, In.QUERY.name())
+        );
     }
 
-    private SecurityContext securityContext() {
-        return SecurityContext.builder()
-                .securityReferences(defaultAuth())
-                .forPaths(PathSelectors.regex("/api/admin/.*"))
-                .build();
+    private List<SecurityContext> adminSecurityContext() {
+        return Collections.singletonList(
+                SecurityContext.builder()
+                        .securityReferences(defaultAuth())
+                        .forPaths(PathSelectors.ant("/api/admin/**"))
+                        .build()
+        );
+    }
+
+    private List<ApiKey> portalApiKeys() {
+        return Arrays.asList(
+                new ApiKey("Token from header", HttpHeaders.AUTHORIZATION, In.HEADER.name()),
+                new ApiKey("Token from query", "token", In.QUERY.name())
+        );
+    }
+
+    private List<SecurityContext> portalSecurityContext() {
+        return Collections.singletonList(
+                SecurityContext.builder()
+                        .securityReferences(defaultAuth())
+                        .forPaths(PathSelectors.ant("/api/**"))
+                        .build()
+        );
     }
 
     private List<SecurityReference> defaultAuth() {

src/main/java/run/halo/app/security/filter/AdminAuthenticationFilter.java

@@ -58,7 +58,7 @@ public class AdminAuthenticationFilter extends AbstractAuthenticationFilter {
     /**
      * Admin token param name.
      */
-    public final static String ADMIN_TOKEN_PARAM_NAME = "adminToken";
+    public final static String ADMIN_TOKEN_QUERY_NAME = "adminToken";
 
     private final HaloProperties haloProperties;
 
@@ -152,9 +152,9 @@ public class AdminAuthenticationFilter extends AbstractAuthenticationFilter {
 
         // Get from param
         if (StringUtils.isBlank(token)) {
-            token = request.getParameter(ADMIN_TOKEN_PARAM_NAME);
+            token = request.getParameter(ADMIN_TOKEN_QUERY_NAME);
 
-            log.debug("Got token from parameter: [{}: {}]", ADMIN_TOKEN_PARAM_NAME, token);
+            log.debug("Got token from parameter: [{}: {}]", ADMIN_TOKEN_QUERY_NAME, token);
         } else {
             log.debug("Got token from header: [{}: {}]", ADMIN_TOKEN_HEADER_NAME, token);
         }

src/main/java/run/halo/app/service/AdminService.java

@@ -13,6 +13,13 @@ import run.halo.app.security.token.AuthToken;
  */
 public interface AdminService {
 
+    /**
+     * Expired seconds.
+     */
+    int ACCESS_TOKEN_EXPIRED_SECONDS = 24 * 3600;
+
+    int REFRESH_TOKEN_EXPIRED_DAYS = 30;
+
     String ACCESS_TOKEN_CACHE_PREFIX = "halo.admin.access_token.";
 
     String REFRESH_TOKEN_CACHE_PREFIX = "halo.admin.refresh_token.";

src/main/java/run/halo/app/service/impl/AdminServiceImpl.java

@@ -95,19 +95,17 @@ public class AdminServiceImpl implements AdminService {
         // Generate new token
         AuthToken token = new AuthToken();
 
-        int expiredIn = 24 * 3600;
-
         token.setAccessToken(HaloUtils.randomUUIDWithoutDash());
-        token.setExpiredIn(expiredIn);
+        token.setExpiredIn(ACCESS_TOKEN_EXPIRED_SECONDS);
         token.setRefreshToken(HaloUtils.randomUUIDWithoutDash());
 
         // Cache those tokens, just for clearing
-        cacheStore.putAny(SecurityUtils.buildAccessTokenKey(user), token.getAccessToken(), 30, TimeUnit.DAYS);
-        cacheStore.putAny(SecurityUtils.buildRefreshTokenKey(user), token.getRefreshToken(), 30, TimeUnit.DAYS);
+        cacheStore.putAny(SecurityUtils.buildAccessTokenKey(user), token.getAccessToken(), REFRESH_TOKEN_EXPIRED_DAYS, TimeUnit.DAYS);
+        cacheStore.putAny(SecurityUtils.buildRefreshTokenKey(user), token.getRefreshToken(), REFRESH_TOKEN_EXPIRED_DAYS, TimeUnit.DAYS);
 
         // Cache those tokens with user id
-        cacheStore.putAny(SecurityUtils.buildTokenAccessKey(token.getAccessToken()), user.getId(), expiredIn, TimeUnit.SECONDS);
-        cacheStore.putAny(SecurityUtils.buildTokenRefreshKey(token.getRefreshToken()), user.getId(), 30, TimeUnit.DAYS);
+        cacheStore.putAny(SecurityUtils.buildTokenAccessKey(token.getAccessToken()), user.getId(), ACCESS_TOKEN_EXPIRED_SECONDS, TimeUnit.SECONDS);
+        cacheStore.putAny(SecurityUtils.buildTokenRefreshKey(token.getRefreshToken()), user.getId(), REFRESH_TOKEN_EXPIRED_DAYS, TimeUnit.DAYS);
 
         return token;
     }