fix(security): eliminate DB query on every request in JWT filter

Extract roles from JWT claims instead of loading UserDetails from
database on each authenticated request.

- Add extractRoles() to JwtService to read roles claim from token
- Refactor JwtAuthenticationFilter to build Authentication from
  token claims only, removing userDetailsService dependency
- Update LoanService.getAuthenticatedUser() to cast principal to
  String and query user by email
- Add constructor overload to UserNotFoundException accepting email
- Add unit tests for JwtService and JwtAuthenticationFilter

Author: erichiroshi

.env.dev

@@ -9,4 +9,7 @@ JWT_SECRET_KEY=dev-insecure-key-for-local-development-only-do-not-use-in-product
 AWS_KEY=criar-access-key-na-aws
 AWS_SECRET=criar-secret-key-na-aws
 BUCKET_NAME=library-api-s3
-BUCKET_REGION=sa-east-1
+BUCKET_REGION=sa-east-1
+
+ZIPKIN_ENDPOINT=http://zipkin:9411/api/v2/spans
+TRACING_SAMPLING_PROBABILITY=0.1  # 10% em prod — ajustável via env

.env.example

@@ -2,14 +2,14 @@ SPRING_PROFILES_ACTIVE=prod
 DB_URL=
 DB_USERNAME=
 DB_PASSWORD=
-JWT_SECRET_KEY=
 REDIS_HOST=
 REDIS_PORT=
+JWT_SECRET_KEY=
 
 AWS_KEY=
 AWS_SECRET=
 BUCKET_NAME=
 BUCKET_REGION=
 
-ZIPKIN_ENDPOINT=http://zipkin:9411/api/v2/spans
-TRACING_SAMPLING_PROBABILITY=0.1  # 10% em prod — ajustável via env
+ZIPKIN_ENDPOINT=
+TRACING_SAMPLING_PROBABILITY=

.gitignore

@@ -18,7 +18,7 @@ gradle-wrapper.jar
 Thumbs.db
 
 # Secrets
-#.env #arquivo liberado - projeto de estudos
+.env
 *.key
 *.pem
 

readme_pdf.md

@@ -647,8 +647,8 @@ Marca como `OVERDUE` empréstimos com `status = WAITING_RETURN` e `dueDate < hoj
 - [x] **Rate limiting** — Bucket4j ou Resilience4j
 - [x] **OpenTelemetry** — Tracing distribuído
 - [x] **Microservices** — Bounded contexts definidos, anticorrupção e schema per service implementados
-- [ ] **Deploy em cloud** — AWS ECS ou Render
 - [ ] **Extração Auth-Service** — primeiro serviço independente (menor e mais isolado)
+- [ ] **Deploy em cloud** — AWS ECS ou Render
 - [ ] **HATEOAS** — Hypermedia links
 - [ ] **WebSockets** — Notificações real-time de devolução
 - [ ] **Microservices** — Extração em serviços independentes

src/main/java/com/example/library/loan/LoanService.java

@@ -262,12 +262,13 @@ private Loan findWithItemsOrThrow(Long loanId) {
 
 	/**
      * Recupera o usuário autenticado direto do SecurityContext.
-     * O principal já é um User (populado pelo JwtAuthenticationFilter),
-     * então não precisa de uma query adicional ao banco.
+     * O principal é o email (populado pelo JwtAuthenticationFilter),
      */
     private User getAuthenticatedUser() {
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        return (User) auth.getPrincipal();
+        String email = (String) auth.getPrincipal();
+        return userLookupService.findByEmail(email)
+                .orElseThrow(() -> new UserNotFoundException(email));
     }
 
     /**

src/main/java/com/example/library/security/filter/JwtAuthenticationFilter.java

@@ -1,31 +1,27 @@
 package com.example.library.security.filter;
 
 import java.io.IOException;
+import java.util.List;
 
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import com.example.library.security.jwt.JwtService;
-import com.example.library.user.CustomUserDetailsService;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 
+@RequiredArgsConstructor
 @Component
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
 	private final JwtService jwtService;
-	private final CustomUserDetailsService userDetailsService;
-
-	public JwtAuthenticationFilter(JwtService jwtService, CustomUserDetailsService userDetailsService) {
-		this.jwtService = jwtService;
-		this.userDetailsService = userDetailsService;
-	}
 
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@@ -40,11 +36,13 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 			if (jwtService.isTokenValid(token)) {
 
 				String username = jwtService.extractUsername(token);
-
-				UserDetails user = userDetailsService.loadUserByUsername(username);
-
-				UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(user, null,
-						user.getAuthorities());
+                List<SimpleGrantedAuthority> authorities = jwtService.extractRoles(token)
+                        .stream()
+                        .map(SimpleGrantedAuthority::new)
+                        .toList();
+                
+				UsernamePasswordAuthenticationToken authentication =
+						new UsernamePasswordAuthenticationToken(username, null, authorities);
 
 				SecurityContextHolder.getContext().setAuthentication(authentication);
 			}

src/main/java/com/example/library/security/jwt/JwtService.java

@@ -4,6 +4,7 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Date;
+import java.util.List;
 
 import javax.crypto.SecretKey;
 
@@ -82,6 +83,18 @@ public Instant getExpirationDate(String token) {
 	public String extractUsername(String token) {
 		return parseClaims(token).getSubject();
 	}
+	
+	public List<String> extractRoles(String token) {
+	    Claims claims = parseClaims(token);
+	    Object roles = claims.get("roles");
+	    if (roles instanceof List<?> list) {
+	        return list.stream()
+	                .filter(String.class::isInstance)
+	                .map(String.class::cast)
+	                .toList();
+	    }
+	    return List.of();
+	}
 
 	public boolean isTokenValid(String token) {
 		try {

src/main/java/com/example/library/user/CustomUserDetailsService.java

@@ -5,17 +5,16 @@
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
+import lombok.RequiredArgsConstructor;
+
+@RequiredArgsConstructor
 @Service
 public class CustomUserDetailsService implements UserDetailsService {
 
 	private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(CustomUserDetailsService.class);
 
 	private final UserRepository repository;
 
-	public CustomUserDetailsService(UserRepository userRepository) {
-		this.repository = userRepository;
-	}
-
 	@Override
 	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
 

src/main/java/com/example/library/user/UserLookupService.java

@@ -4,4 +4,6 @@
 
 public interface UserLookupService {
 	Optional<User> findById(Long id);
+
+	Optional<User> findByEmail(String email);
 }

src/main/java/com/example/library/user/UserLookupServiceImpl.java

@@ -18,4 +18,10 @@ public class UserLookupServiceImpl implements UserLookupService {
 	public Optional<User> findById(Long id) {
 		return repository.findById(id);
 	}
+
+	@Override
+	@Transactional(readOnly = true)
+	public Optional<User> findByEmail(String email) {
+		return repository.findByEmail(email);
+	}
 }