//TODO WebSecurityConfig

back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java

@@ -26,7 +26,13 @@ public class WebSecurityConfig {
                 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                 .csrf(csrf -> csrf.disable())
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers(HttpMethod.OPTIONS, "/", "/public", "/coach/**","/athlete/**").permitAll() // allow coach endpoints
+                        // TODO //TODO // T O D O
+                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                        // 2. Allow public endpoints BEFORE any authenticated() calls
+                        .requestMatchers("/athlete/create", "/", "/public").permitAll()
+                        .requestMatchers("/coach/**").permitAll()
+                        // 3. Authenticated endpoints
+                        .requestMatchers("/users/sync").authenticated()
                         .requestMatchers("/admin/**").hasRole("admin")
                         .requestMatchers("/user/**").hasRole("user")
                         .anyRequest().authenticated())