Feat/accounts

.env.example

@@ -6,7 +6,7 @@ POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
 
 # backend
-API_BASE_URL=http://localhost:8080
+API_BASE_URL=http://localhost:8080/
 JWT_SECRET=SomeVeryLongRandomSecretKeyWhichIsUsedToEncodeJwtTokensForAuthorization
 
 # sentry

.github/workflows/api-ci.yml

@@ -55,4 +55,5 @@ jobs:
           AWS_ENDPOINT: ${{ secrets.AWS_ENDPOINT }}
           AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
           AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          JWT_SECRET: justforthisrunnerthishasnovaluelalalalalalalalalalalalalalalalalalalalalalalalalalla
         working-directory: api

.github/workflows/generate-openapi.yaml

@@ -99,6 +99,7 @@ jobs:
           AWS_ENDPOINT: ${{ secrets.AWS_ENDPOINT }}
           AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
           AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
+          JWT_SECRET: justforthisrunnerthishasnovaluelalalalalalalalalalalalalalalalalalalalalalalalalalla
         working-directory: api
 
       # replace all occurences of "*/*" with "application/json" in the openapi.json file
@@ -130,3 +131,4 @@ jobs:
         if: steps.check_authors.outputs.has_bot_author != 'true'
         with:
           commit_message: "chore: update openapi types"
+          skip_checkout: true

api/pom.xml

@@ -18,6 +18,17 @@
         <mapstruct.version>1.6.3</mapstruct.version>
     </properties>
     <dependencies>
+        <!-- SPRING -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springdoc</groupId>
+            <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
+            <version>2.6.0</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
@@ -30,22 +41,9 @@
           <groupId>org.springframework.boot</groupId>
           <artifactId>spring-boot-starter-websocket</artifactId>
         </dependency>
-
         <dependency>
-            <groupId>com.fasterxml.jackson.datatype</groupId>
-            <artifactId>jackson-datatype-jsr310</artifactId>
-        </dependency>
-
-        <!-- SENTRY -->
-        <dependency>
-            <groupId>io.sentry</groupId>
-            <artifactId>sentry-spring-boot-starter-jakarta</artifactId>
-            <version>7.8.0</version>
-        </dependency>
-        <dependency>
-            <groupId>io.sentry</groupId>
-            <artifactId>sentry-logback</artifactId>
-            <version>7.8.0</version>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
         </dependency>
 
         <!-- DATABASE -->
@@ -65,11 +63,28 @@
             <scope>test</scope>
         </dependency>
 
+        <!-- SENTRY -->
+        <dependency>
+            <groupId>io.sentry</groupId>
+            <artifactId>sentry-spring-boot-starter-jakarta</artifactId>
+            <version>7.8.0</version>
+        </dependency>
+        <dependency>
+            <groupId>io.sentry</groupId>
+            <artifactId>sentry-logback</artifactId>
+            <version>7.8.0</version>
+        </dependency>
+
+        <!-- UTILS -->
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.mapstruct</groupId>
             <artifactId>mapstruct</artifactId>
@@ -80,27 +95,27 @@
             <artifactId>lombok-mapstruct-binding</artifactId>
             <version>0.2.0</version>
         </dependency>
-
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>s3</artifactId>
             <version>2.33.9</version>
         </dependency>
 
+        <!-- JWT -->
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.11.5</version>
         </dependency>
         <dependency>
-            <groupId>org.springdoc</groupId>
-            <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-            <version>2.6.0</version>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.11.5</version>
         </dependency>
         <dependency>
-            <groupId>com.google.cloud.sql</groupId>
-            <artifactId>postgres-socket-factory</artifactId>
-            <version>1.11.0</version>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.11.5</version>
         </dependency>
     </dependencies>
 
@@ -176,4 +191,5 @@
             </plugin>
         </plugins>
     </build>
+
 </project>

api/src/main/java/pro/beerpong/api/auth/JwtAuthenticationFilter.java

@@ -0,0 +1,80 @@
+package pro.beerpong.api.auth;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+import pro.beerpong.api.control.GroupController;
+import pro.beerpong.api.service.AuthService;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import java.io.IOException;
+import java.util.List;
+
+@RequiredArgsConstructor
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+    private static final String GROUPS_PATTERN = "/groups/**";
+    private static final String GROUP_ID_PATTERN = "/groups/{groupId}/**";
+    private static final List<String> NO_VALIDATION_ENDPOINTS = List.of(
+            "/groups",
+            "/groups/" + GroupController.USER_GROUPS_ENDPOINT,
+            "/groups/{groupId}/" + GroupController.JOIN_GROUP_ENDPOINT
+    );
+
+    private final AuthService authService;
+    private final AntPathMatcher pathMatcher = new AntPathMatcher();
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest req,
+                                    HttpServletResponse res,
+                                    FilterChain chain) throws ServletException, IOException {
+        var header = req.getHeader("Authorization");
+
+        if (!StringUtils.hasText(header) || !header.startsWith("Bearer ")) {
+            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            res.getWriter().write("Missing or invalid Authorization header!");
+            return;
+        }
+
+        var token = header.substring(7);
+        var user = authService.userFromAccessToken(token);
+
+        if (user == null) {
+            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            res.getWriter().write("Invalid access token or invalid user-id!");
+            return;
+        }
+
+        if (!isExcludedFromValidation(req) && !authService.hasAccessToGroup(user, extractGroupId(req))) {
+            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            res.getWriter().write("No access to this group!");
+            return;
+        }
+
+        var auth = new UsernamePasswordAuthenticationToken(user, null, List.of(new SimpleGrantedAuthority("ROLE_GROUP_MEMBER")));
+        SecurityContextHolder.getContext().setAuthentication(auth);
+
+        chain.doFilter(req, res);
+    }
+
+    @Override
+    protected boolean shouldNotFilter(HttpServletRequest request) {
+        return !pathMatcher.match(GROUPS_PATTERN, request.getRequestURI());
+    }
+
+    private boolean isExcludedFromValidation(HttpServletRequest request) {
+        return NO_VALIDATION_ENDPOINTS.stream().anyMatch(s -> pathMatcher.match(s, request.getRequestURI()));
+    }
+
+    private String extractGroupId(HttpServletRequest request) {
+        return (pathMatcher.match(GROUP_ID_PATTERN, request.getRequestURI()) ?
+                pathMatcher.extractUriTemplateVariables(GROUP_ID_PATTERN, request.getRequestURI()).get("groupId") :
+                "");
+    }
+}

api/src/main/java/pro/beerpong/api/auth/JwtTokenProvider.java

@@ -0,0 +1,66 @@
+package pro.beerpong.api.auth;
+
+import io.jsonwebtoken.*;
+import io.jsonwebtoken.security.Keys;
+import jakarta.annotation.PostConstruct;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.security.Key;
+import java.util.Date;
+
+@Component
+public class JwtTokenProvider {
+    private Key key;
+    @Value("${jwt.secret}")
+    private String secret;
+    @Value("${jwt.access.expiration-ms}")
+    private long accessExpirationMs;
+
+    @PostConstruct
+    public void init() {
+        key = Keys.hmacShaKeyFor(secret.getBytes());
+    }
+
+    public String createRefreshToken(String userId) {
+        return Jwts.builder()
+                .setSubject(userId)
+                .claim("type", "refresh")
+                .signWith(key, SignatureAlgorithm.HS256)
+                .compact();
+    }
+
+    public String createAccessToken(String userId) {
+        Date now = new Date();
+        Date expiry = new Date(now.getTime() + accessExpirationMs);
+
+        return Jwts.builder()
+                .setSubject(userId)
+                .claim("type", "access")
+                .setIssuedAt(now)
+                .setExpiration(expiry)
+                .signWith(key, SignatureAlgorithm.HS256)
+                .compact();
+    }
+
+    public Jws<Claims> parseToken(String token) {
+        return Jwts.parserBuilder()
+                .setSigningKey(key)
+                .build()
+                .parseClaimsJws(token);
+    }
+
+    public Claims validateToken(String token, String type) {
+        try {
+            var claims = parseToken(token).getBody();
+
+            if (!claims.get("type", String.class).equals(type)) {
+                return null;
+            }
+
+            return claims;
+        } catch (JwtException | IllegalArgumentException e) {
+            return null;
+        }
+    }
+}

api/src/main/java/pro/beerpong/api/auth/SecurityConfig.java

@@ -0,0 +1,33 @@
+package pro.beerpong.api.auth;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import pro.beerpong.api.service.AuthService;
+
+@Configuration
+@RequiredArgsConstructor
+public class SecurityConfig {
+    private final AuthService authService;
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        var jwtFilter = new JwtAuthenticationFilter(authService);
+
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/groups/{groupId}/**").authenticated()
+                        .anyRequest().permitAll()
+                )
+                .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+}

api/src/main/java/pro/beerpong/api/control/AuthController.java

@@ -0,0 +1,40 @@
+package pro.beerpong.api.control;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+import pro.beerpong.api.model.dto.*;
+import pro.beerpong.api.service.AuthService;
+
+@RestController
+@RequestMapping("/auth")
+@RequiredArgsConstructor
+public class AuthController {
+    private final AuthService authService;
+
+    @PostMapping("signup")
+    public ResponseEntity<ResponseEnvelope<AuthTokenDto>> signup(@RequestBody AuthSignupDto authSignupDto) {
+        var result = authService.registerDevice(authSignupDto);
+
+        if (result == null) {
+            return ResponseEnvelope.notOk(ErrorCodes.AUTH_REGISTER_INVALID_DTO);
+        }
+
+        return ResponseEnvelope.ok(result);
+    }
+
+    @PostMapping("refresh")
+    public ResponseEntity<ResponseEnvelope<AuthTokenDto>> refreshAuth(@RequestBody AuthRefreshDto dto) {
+        if (dto.getRefreshToken() == null || dto.getRefreshToken().trim().isEmpty()) {
+            return ResponseEnvelope.notOk(ErrorCodes.AUTH_REFRESH_INVALID_DTO);
+        }
+
+        var result = authService.refreshAuth(dto);
+
+        if (result == null) {
+            return ResponseEnvelope.notOk(ErrorCodes.AUTH_REFRESH_INVALID_TOKEN);
+        }
+
+        return ResponseEnvelope.ok(result);
+    }
+}