fix(security): permit /api/health unauthenticated for k8s probes

Adds /api/health to the permitAll() block alongside /api/runtime-config
so Kubernetes liveness/readiness probes can reach it without a session.
Also adds the matching CSRF exemption to the ldap, ad, and oidc auth
paths (local already had it).

closes #124

Author: coopernetes

git-proxy-java-dashboard/src/main/java/org/finos/gitproxy/dashboard/SecurityConfig.java

@@ -128,7 +128,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                 : new String[] {"/api/**", "/login", "/logout"};
 
         http.securityMatcher(protectedPaths)
-                .authorizeHttpRequests(auth -> auth.requestMatchers("/api/runtime-config")
+                .authorizeHttpRequests(auth -> auth.requestMatchers("/api/runtime-config", "/api/health")
                         .permitAll()
                         .requestMatchers(
                                 org.springframework.http.HttpMethod.POST,
@@ -260,6 +260,7 @@ private void configureLdapAuth(
                 .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                         .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                         .ignoringRequestMatchers("/login")
+                        .ignoringRequestMatchers("/api/health", "/api/")
                         .ignoringRequestMatchers(req -> req.getHeader("X-Api-Key") != null));
 
         if (!ldapCfg.getUserSearchFilter().isBlank()) {
@@ -327,6 +328,7 @@ private void configureAdAuth(
                 .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                         .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                         .ignoringRequestMatchers("/login")
+                        .ignoringRequestMatchers("/api/health", "/api/")
                         .ignoringRequestMatchers(req -> req.getHeader("X-Api-Key") != null));
 
         log.info("Active Directory authentication configured: domain={}, url={}", adCfg.getDomain(), adUrl);
@@ -414,6 +416,7 @@ private void configureOidcAuth(
                 .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                         .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                         .ignoringRequestMatchers("/login/oauth2/code/**")
+                        .ignoringRequestMatchers("/api/health", "/api/")
                         .ignoringRequestMatchers(req -> req.getHeader("X-Api-Key") != null));
 
         log.info(