Fix 403 Forbidden and ~31s response time for MediaPage (tvserie) query

src/main/java/com/espacogeek/geek/services/impl/MediaServiceImpl.java

@@ -211,7 +211,7 @@
     @Transactional
     public Optional<MediaModel> findByIdEager(Integer id) {
         var fieldList = new ArrayList<Field>();
         MediaModel media = (MediaModel) mediaRepository.findById(id).orElseGet(null);
 
         if (media == null)
             return Optional.empty();
@@ -366,27 +366,7 @@
         response.setNumber(medias.getNumber());
         response.setSize(medias.getSize());
 
-        var mediasList = medias.getContent();
-        for (MediaModel mediaModel : mediasList) {
-            if (MediaUtils.updateMediaWhenLastTimeUpdateMoreThanOneDay(mediaModel)) {
-                switch (mediaModel.getMediaCategory().getId()) {
-                    case 5:
-                    case 1:
-                        serieController.updateArtworks(mediaModel, null);
-                        break;
-                    case 7:
-                    case 4:
-                        genericMediaDataController.updateArtworks(mediaModel, null, typeReferenceService.findById(MediaDataController.ExternalReferenceType.TMDB.getId()).get(), movieAPI);
-                        break;
-                    case 2:
-                    case 3:
-                        genericMediaDataController.updateArtworks(mediaModel, null, typeReferenceService.findById(MediaDataController.ExternalReferenceType.IGDB.getId()).get(), gamesAndVNsAPI);
-                        break;
-                }
-            }
-        }
-
-        response.setContent(MediaSimplefied.fromMediaModelList(mediasList));
+        response.setContent(MediaSimplefied.fromMediaModelList(medias.getContent()));
 
         return response;
     }

src/test/java/com/espacogeek/geek/cors/BrowserCorsRequestTest.java

@@ -17,9 +17,13 @@
 import com.espacogeek.geek.config.JwtConfig;
 import com.espacogeek.geek.config.SecurityConfig;
 import com.espacogeek.geek.controllers.DailyQuoteArtworkController;
+import com.espacogeek.geek.controllers.MediaController;
 import com.espacogeek.geek.models.DailyQuoteArtworkModel;
 import com.espacogeek.geek.services.DailyQuoteArtworkService;
+import com.espacogeek.geek.services.MediaService;
 import com.espacogeek.geek.services.impl.UserDetailsServiceImpl;
+import com.espacogeek.geek.types.MediaPage;
+import com.espacogeek.geek.types.MediaSimplefied;
 import com.espacogeek.geek.types.Scalars;
 import com.espacogeek.geek.utils.TokenUtils;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -62,6 +66,7 @@ class BrowserCorsRequestTest {
     @SpringBootApplication
     @Import({
         DailyQuoteArtworkController.class,
+        MediaController.class,
         SecurityConfig.class,
         JwtConfig.class,
         JwtAuthenticationFilter.class,
@@ -80,6 +85,9 @@ RuntimeWiringConfigurer dateScalarConfigurer() {
     @MockitoBean
     private DailyQuoteArtworkService dailyQuoteArtworkService;
 
+    @MockitoBean
+    private MediaService mediaService;
+
     @MockitoBean
     private UserDetailsServiceImpl userDetailsService;
 
@@ -125,6 +133,39 @@ private String graphqlPayload() throws Exception {
         return objectMapper.writeValueAsString(body);
     }
 
+    private MediaPage stubTvSerieMediaPage() {
+        MediaSimplefied item = new MediaSimplefied();
+        item.setId(1);
+        item.setName("Stranger Things");
+        item.setCover("https://example.com/stranger-things.jpg");
+
+        MediaPage page = new MediaPage();
+        page.setContent(java.util.List.of(item));
+        page.setTotalElements(1);
+        page.setTotalPages(1);
+        return page;
+    }
+
+    private String tvSeriePayload() throws Exception {
+        Map<String, Object> body = Map.of(
+            "operationName", "MediaPage",
+            "variables", Map.of("name", "stranger"),
+            "query", """
+                query MediaPage($name: String) {
+                    tvserie(name: $name) {
+                        content {
+                            id
+                            name
+                            cover
+                        }
+                        totalElements
+                        totalPages
+                    }
+                }"""
+        );
+        return objectMapper.writeValueAsString(body);
+    }
+
     // ---- CORS preflight tests ----
 
     @Test
@@ -239,4 +280,77 @@ void browserPost_AllowedOrigin_ResponseShouldExposeCorrectHeaders() throws Excep
         assertThat(exposeHeaders).contains("Content-Type");
         assertThat(exposeHeaders).contains("Set-Cookie");
     }
+
+    // ---- tvserie MediaPage query tests ----
+
+    @Test
+    void tvSerieMediaPage_AllowedOrigin_ShouldReturn200WithCorsHeaders() throws Exception {
+        when(mediaService.findSerieByIdOrName(
+                org.mockito.ArgumentMatchers.isNull(),
+                org.mockito.ArgumentMatchers.eq("stranger"),
+                org.mockito.ArgumentMatchers.any()))
+            .thenReturn(stubTvSerieMediaPage());
+
+        // Reproduce the exact browser request from the issue report
+        MvcResult mvcResult = mockMvc.perform(post("/")
+                .contentType(MediaType.APPLICATION_JSON)
+                .header(HttpHeaders.ORIGIN, ALLOWED_ORIGIN)
+                .header(HttpHeaders.REFERER, ALLOWED_ORIGIN + "/")
+                .header(HttpHeaders.ACCEPT, "*/*")
+                .header("Sec-Fetch-Dest", "empty")
+                .header("Sec-Fetch-Mode", "cors")
+                .header("Sec-Fetch-Site", "same-site")
+                .content(tvSeriePayload()))
+            .andReturn();
+
+        MvcResult result = resolveResult(mvcResult);
+        assertThat(result.getResponse().getStatus()).isEqualTo(200);
+        assertThat(result.getResponse().getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN))
+            .isEqualTo(ALLOWED_ORIGIN);
+        assertThat(result.getResponse().getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS))
+            .isEqualTo("true");
+
+        String body = result.getResponse().getContentAsString(StandardCharsets.UTF_8);
+        var json = objectMapper.readTree(body);
+        assertThat(json.path("data").path("tvserie").path("content").get(0).path("name").asText())
+            .isEqualTo("Stranger Things");
+        assertThat(json.path("data").path("tvserie").path("totalElements").asLong())
+            .isEqualTo(1);
+    }
+
+    @Test
+    void tvSerieMediaPage_NoOriginHeader_ShouldReturn200() throws Exception {
+        when(mediaService.findSerieByIdOrName(
+                org.mockito.ArgumentMatchers.isNull(),
+                org.mockito.ArgumentMatchers.eq("stranger"),
+                org.mockito.ArgumentMatchers.any()))
+            .thenReturn(stubTvSerieMediaPage());
+
+        // A request without Origin header (like Postman/curl) should work — not return 403
+        MvcResult mvcResult = mockMvc.perform(post("/")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(tvSeriePayload()))
+            .andReturn();
+
+        MvcResult result = resolveResult(mvcResult);
+        assertThat(result.getResponse().getStatus()).isEqualTo(200);
+
+        String body = result.getResponse().getContentAsString(StandardCharsets.UTF_8);
+        var json = objectMapper.readTree(body);
+        assertThat(json.path("data").path("tvserie").path("content").get(0).path("name").asText())
+            .isEqualTo("Stranger Things");
+    }
+
+    @Test
+    void tvSerieMediaPage_DisallowedOrigin_ShouldReturn403() throws Exception {
+        // A browser request from a disallowed origin should be rejected even for tvserie
+        mockMvc.perform(post("/")
+                .contentType(MediaType.APPLICATION_JSON)
+                .header(HttpHeaders.ORIGIN, DISALLOWED_ORIGIN)
+                .header("Sec-Fetch-Dest", "empty")
+                .header("Sec-Fetch-Mode", "cors")
+                .header("Sec-Fetch-Site", "cross-site")
+                .content(tvSeriePayload()))
+            .andExpect(status().isForbidden());
+    }
 }

src/test/java/com/espacogeek/geek/query/media/TvSerieQueryTest.java

@@ -3,22 +3,21 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.Mockito.when;
 
-import java.util.Arrays;
+import java.util.List;
 
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.graphql.GraphQlTest;
-import org.springframework.data.domain.Page;
-import org.springframework.data.domain.PageImpl;
 import org.springframework.graphql.test.tester.GraphQlTester;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 
 import com.espacogeek.geek.controllers.MediaController;
 import com.espacogeek.geek.data.MediaDataController;
-import com.espacogeek.geek.models.MediaModel;
 import com.espacogeek.geek.services.MediaCategoryService;
 import com.espacogeek.geek.services.MediaService;
 import com.espacogeek.geek.services.TypeReferenceService;
@@ -47,6 +46,19 @@ class TvSerieQueryTest {
     @MockitoBean
     private MediaCategoryService mediaCategoryService;
 
+    private MediaPage stubMediaPage() {
+        MediaSimplefied item = new MediaSimplefied();
+        item.setId(1);
+        item.setName("Stranger Things");
+        item.setCover("https://example.com/cover.jpg");
+
+        MediaPage page = new MediaPage();
+        page.setContent(List.of(item));
+        page.setTotalElements(1);
+        page.setTotalPages(1);
+        return page;
+    }
+
     @Test
     void tvserie_NoParameters_ShouldReturnEmptyPage() {
         // When & Then
@@ -69,4 +81,59 @@ void tvserie_NoParameters_ShouldReturnEmptyPage() {
                     assertThat(result.getContent()).isNull();
                 });
     }
+
+    @Test
+    void tvserie_WithName_ShouldReturnResults() {
+        // Given
+        when(mediaService.findSerieByIdOrName(isNull(), eq("stranger"), any()))
+                .thenReturn(stubMediaPage());
+
+        // When & Then
+        graphQlTester.document("""
+                query MediaPage($name: String) {
+                    tvserie(name: $name) {
+                        totalPages
+                        totalElements
+                        content {
+                            id
+                            name
+                            cover
+                        }
+                    }
+                }
+                """)
+                .variable("name", "stranger")
+                .execute()
+                .path("tvserie")
+                .entity(MediaPage.class)
+                .satisfies(result -> {
+                    assertThat(result.getContent()).isNotNull();
+                    assertThat(result.getContent()).hasSize(1);
+                    assertThat(result.getContent().get(0).getName()).isEqualTo("Stranger Things");
+                    assertThat(result.getTotalElements()).isEqualTo(1);
+                });
+    }
+
+    @Test
+    void tvserie_WithName_ShouldNotReturn403() {
+        // Given - verify that the query executes without throwing a security error
+        when(mediaService.findSerieByIdOrName(isNull(), eq("stranger"), any()))
+                .thenReturn(stubMediaPage());
+
+        // When & Then - no errors should be present in the response
+        graphQlTester.document("""
+                query MediaPage($name: String) {
+                    tvserie(name: $name) {
+                        content {
+                            id
+                            name
+                        }
+                    }
+                }
+                """)
+                .variable("name", "stranger")
+                .execute()
+                .errors()
+                .verify();
+    }
 }