Skip to content

Yana P.#2

Open
YanaP1312 wants to merge 1 commit into
HackYourAssignment:mainfrom
YanaP1312:main
Open

Yana P.#2
YanaP1312 wants to merge 1 commit into
HackYourAssignment:mainfrom
YanaP1312:main

Conversation

@YanaP1312

Copy link
Copy Markdown

Summary

Implements a stateless authentication system using Spring Security and JWT, covering all endpoints required by the task: /register, /login, /logout, and a protected /profile endpoint.

Changes

  • SecurityConfig: configure stateless session policy, disable CSRF (safe for stateless JWT auth), register JWT filter before UsernamePasswordAuthenticationFilter, set BCryptPasswordEncoder strength to 12, set correct request matcher paths with leading slashes (/users/register, /auth/login).
  • AppUserService: implement UserDetailsService to load users from the database via UserRepository; registered as a Spring bean.
  • JwtService: generate and validate signed JWT tokens (HS256), extract username and expiration claims, load signing key and expiration from environment variables via application.yaml.
  • JwtAuthenticationFilter: extract Bearer token from the Authorization header, validate it, and populate SecurityContext for authenticated requests.
  • AuthenticationService: implement login() and logout() — login verifies credentials via AuthenticationManager and issues a JWT; logout is a no-op by design (stateless JWT — the client discards the token).
  • UserService: implement registration with BCrypt password hashing and random UUID-based user IDs; implement getProfile with @PreAuthorize to ensure users can only access their own profile.
  • UserController: implement /users/profile to read the authenticated username from the security context (Authentication#getName()).
  • application.yaml: consolidate datasource and JWT config (secret and expiration) from environment variables.

How to test

  • POST /users/register with { "username": "...", "password": "..." } → creates a user, returns 201 Created.
  • POST /auth/login with the same credentials → returns a JWT.
  • GET /users/profile with Authorization: Bearer → returns the logged-in user's profile.
  • GET /users/profile without a token, or with an invalid/expired one → returns 401 Unauthorized.
  • POST /auth/logout → returns 200 OK (no server-side session to invalidate; see note below).

Notes / known limitations

Since this uses stateless JWT (no server-side session table), /logout cannot invalidate an already-issued token — it remains valid until it expires (jwt.expiration-ms).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant