Harden auth impl #25
- Add JWT_SECRET_KEY to .env.example with explanation and generation instructions - Update CORS_ALLOWED_ORIGIN comment to clarify production requirement - Reorder environment variables for better clarity
- Implement jwtSecretKey getter in EnvironmentConfig class - Add error handling for missing JWT_SECRET_KEY environment variable - Include detailed error message when JWT_SECRET_KEY is not set
- Remove hardcoded secret key from JwtAuthTokenService - Use EnvironmentConfig.jwtSecretKey for token signing and verification - Import EnvironmentConfig from ht_api package
- Implements token blacklisting using MongoDB. - Uses TTL index for automatic cleanup. - Handles duplicate key errors gracefully. - Includes comprehensive error handling. - Uses `MongoDbConnectionManager` for DB access.
- Replaced InMemoryTokenBlacklistService with MongoDbTokenBlacklistService. - Updated dependencies injection. - Improved database interaction. - Enhanced service implementation.
- Implements verification code storage using MongoDB. - Includes code generation and validation. - Uses TTL index for automatic cleanup. - Handles errors and logs relevant information. - Adds unit tests for the new service.
- Added unique index on email field - Improved code handling and validation - Enhanced logging messages - Removed redundant cleanup method - Updated comments for clarity
- Replaced InMemoryVerificationCodeStorageService with MongoDbVerificationCodeStorageService - Improved persistence and scalability - Added logging to new service - Updated AppDependencies to use new service
- Removed redundant `_init` method. - Simplified service instantiation. - Improved code readability.
- Removed `_init` method. - Simplified service initialization. - Improved code readability.
- Added TTL index for verification codes expiry. - Added unique index for verification codes email. - Added TTL index for blacklisted tokens expiry.
- Replaced `print` statements with `Logger`. - Improved logging for better debugging. - Added error handling for token validation. - Used finer logging for detailed info. - Improved logging messages clarity.
- Replaced `print` statements with `Logger` calls. - Improved error handling and logging. - Enhanced debugging capabilities. - Used `Logger.severe` for configuration errors. - Used `Logger.warning` for unsupported actions.
- Replaced print statements with logger - Improved error logging with stack traces - Added logging package dependency - Used different log levels for severity - Improved error handling clarity
- Removed `SimpleAuthTokenService`. - Removed `InMemoryVerificationCodeStorageService`.
- Added logging for unexpected errors - Improved error handling for exceptions - Replaced print statement with logger
- Added logging for unexpected errors. - Improved error handling for service exceptions. - Replaced print statements with logger.
- Added logging for unexpected errors. - Improved error handling using Logger. - Replaced print statements with logging. - Catches and logs stack traces. - Uses HtHttpException for known exceptions.
- Replaced `print` statements with logger. - Added stack traces to error logs. - Improved error message clarity. - Used structured logging for better analysis.
- Added logging using the `logging` package. - Log unexpected errors with stack trace. - Improved error message clarity.
- Replaced `print` statements with `_logger` - Improved error handling and logging - Added stack traces to error logs - Used more specific log levels - Improved log message clarity
- Added JWT issuer and expiry config to .env - Updated JWT service to use config values - Added TTL indexes for tokens and codes - Improved database seeding with new indexes - Configured CORS origin in environment
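The secret-key handling described in the commits above (JWT_SECRET_KEY added to .env.example with generation instructions, a jwtSecretKey getter that fails when the variable is missing, issuer and expiry moved into configuration), as an added example that is not ht_api's own EnvironmentConfig or JwtAuthTokenService. It assumes Dart, the variable names JWT_ISSUER and JWT_EXPIRY_MINUTES (only JWT_SECRET_KEY appears in the PR), and adds one check the commit messages do not mention: a secret that is present but short is still weak, since RFC 7518 requires at least 256 bits of key material for HS256, so a bare null check would let `changeme` through.

```dart
// Added example, not ht_api's own EnvironmentConfig: a fail-fast loader for the
// JWT settings the PR moves into the environment. JWT_SECRET_KEY matches the
// PR's .env.example; JWT_ISSUER, JWT_EXPIRY_MINUTES and the 32-byte minimum
// are assumptions made for this example.
import 'dart:convert';
import 'dart:io';

class EnvironmentConfig {
  EnvironmentConfig({Map<String, String>? env})
      : _env = env ?? Platform.environment;

  final Map<String, String> _env;

  /// HMAC signing key, used as raw UTF-8 bytes by the token service. Throws at
  /// startup instead of letting the server boot with an empty or guessable key.
  String get jwtSecretKey {
    final raw = _env['JWT_SECRET_KEY'];
    if (raw == null || raw.trim().isEmpty) {
      throw StateError(
        'JWT_SECRET_KEY is not set. Generate one with '
        '`openssl rand -base64 32`, put it in .env, and never commit it.',
      );
    }
    // RFC 7518 section 3.2: an HS256 key MUST be at least 256 bits. Presence
    // alone is not enough; a short human-chosen value is brute-forceable.
    final keyBytes = utf8.encode(raw).length;
    if (keyBytes < 32) {
      throw StateError(
        'JWT_SECRET_KEY is too short ($keyBytes bytes); '
        'HS256 requires at least 32 bytes of key material.',
      );
    }
    return raw;
  }

  /// Value placed in `iss` and checked on verification (assumed variable name).
  String get jwtIssuer => _require('JWT_ISSUER');

  /// Access-token lifetime, parsed as whole minutes (assumed variable name).
  Duration get jwtExpiry {
    final minutes = int.tryParse(_require('JWT_EXPIRY_MINUTES'));
    if (minutes == null || minutes <= 0) {
      throw StateError('JWT_EXPIRY_MINUTES must be a positive integer.');
    }
    return Duration(minutes: minutes);
  }

  String _require(String name) {
    final value = _env[name];
    if (value == null || value.trim().isEmpty) {
      throw StateError('$name is not set; see .env.example.');
    }
    return value;
  }
}

void main() {
  // Constructed environments, so this runs without a real .env file.
  final good = EnvironmentConfig(env: {
    'JWT_SECRET_KEY': 'ZmFrZS1idXQtbG9uZy1lbm91Z2gtZm9yLWhzMjU2LWtleQ==',
    'JWT_ISSUER': 'https://api.example.test',
    'JWT_EXPIRY_MINUTES': '15',
  });
  print('secret accepted (${good.jwtSecretKey.length} chars), '
      'iss=${good.jwtIssuer}, expiry=${good.jwtExpiry}');

  // Missing and too-short secrets must both be refused before any token is signed.
  for (final bad in [<String, String>{}, {'JWT_SECRET_KEY': 'changeme'}]) {
    try {
      print('unexpectedly accepted: ${EnvironmentConfig(env: bad).jwtSecretKey}');
    } on StateError catch (e) {
      print('rejected: ${e.message}');
    }
  }
}
```

Resolve the getters once at startup (for example when AppDependencies is built) rather than per request, so a misconfigured deployment refuses to boot instead of serving requests until the first login attempt surfaces the error.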
Summary of Changes
Hello @fulleni, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly strengthens the application's authentication mechanisms. My changes focus on enhancing data persistence for critical authentication components, externalizing sensitive configurations for improved security, and streamlining operational aspects through automated data cleanup and better logging. The overall aim is to make the authentication implementation more robust, secure, and production-ready.
Highlights
- Persistent Authentication Data: I've transitioned the token blacklisting and email verification code storage from volatile in-memory solutions to persistent MongoDB collections. This ensures that blacklisted tokens and active verification codes are retained across application restarts, significantly enhancing the reliability and security of the authentication system.
- Externalized JWT Configuration: Sensitive JWT (JSON Web Token) configuration parameters, such as the secret key, issuer URL, and token expiry duration, are no longer hardcoded. They are now retrieved from environment variables, improving security practices and making the application more flexible for different deployment environments.
- Automated Data Cleanup with TTL Indexes: I've implemented MongoDB's Time-To-Live (TTL) indexes on the new `blacklisted_tokens` and `verification_codes` collections. This automates the cleanup of expired tokens and verification codes directly within the database, reducing manual maintenance and ensuring data hygiene.
- Enhanced Structured Logging: I've refactored logging across key authentication middlewares and API route handlers. All `print` statements have been replaced with calls to the `logging` package, providing structured and more informative log outputs for better observability, debugging, and monitoring.
- Removal of Debugging Auth Service: The `SimpleAuthTokenService`, which was a minimal, in-memory token service primarily used for debugging, has been removed. This signifies a complete and confident transition to the more robust and secure JWT-based authentication system.
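The persistence layer described in the commits and in the summary above (the `blacklisted_tokens` and `verification_codes` collections, TTL indexes for automatic cleanup, a unique index on the email field, duplicate-key handling), as an added example that is not the project's MongoDbTokenBlacklistService or MongoDbVerificationCodeStorageService. It assumes the mongo_dart package, a server reachable through MONGO_URI, and the field names `_id` (holding the token's jti), `expiresAt`, `email` and `code`; the collection names follow the PR. It also shows two caveats of the TTL approach that the commit messages do not spell out: the TTL monitor is best-effort and may lag by up to about a minute, so expiry is still checked in code, and the unique index on email means a repeat request must upsert rather than insert.

```dart
// Added example, not ht_api's own services. Assumes package:mongo_dart and a
// MongoDB server at MONGO_URI; field names (_id = jti, expiresAt, email, code)
// are assumptions, collection names follow the PR.
import 'dart:io';

import 'package:mongo_dart/mongo_dart.dart';

class AuthStore {
  AuthStore(this._db);

  final Db _db;
  DbCollection get _tokens => _db.collection('blacklisted_tokens');
  DbCollection get _codes => _db.collection('verification_codes');

  /// expireAfterSeconds: 0 deletes a document once its own expiresAt date has
  /// passed. mongo_dart's createIndex() has no TTL option, so the server
  /// command is sent directly; it is idempotent for identical definitions.
  Future<void> ensureIndexes() async {
    const ttl = {'key': {'expiresAt': 1}, 'name': 'expiresAt_ttl', 'expireAfterSeconds': 0};
    await _db.runCommand({'createIndexes': 'blacklisted_tokens', 'indexes': [ttl]});
    await _db.runCommand({
      'createIndexes': 'verification_codes',
      'indexes': [ttl, {'key': {'email': 1}, 'name': 'email_unique', 'unique': true}],
    });
  }

  /// Revoke a token. With the jti as _id, a second revoke raises a duplicate
  /// key (code 11000), which is treated as success. expiresAt must be the
  /// token's own exp: an entry that expired before the token would un-revoke it.
  Future<void> blacklist(String jti, DateTime tokenExp) async {
    try {
      final result = await _tokens.insertOne({'_id': jti, 'expiresAt': tokenExp.toUtc()});
      if (!result.isSuccess && result.writeError?.code != 11000) {
        throw StateError('blacklist insert failed: ${result.writeError?.errmsg}');
      }
    } on MongoDartError catch (e) {
      // Some mongo_dart versions throw instead of returning a failed result.
      if (!e.message.contains('E11000')) rethrow;
    }
  }

  /// TTL deletion runs about once a minute, so an entry for an already
  /// expired token may linger; that only makes the check stricter.
  Future<bool> isBlacklisted(String jti) async =>
      (await _tokens.findOne(where.eq('_id', jti))) != null;

  /// With the unique index on email, a plain insert fails while an earlier,
  /// unexpired code exists; replace-with-upsert keeps one live code per
  /// address and invalidates the previous one.
  Future<void> storeCode(String email, String code, Duration ttl) async {
    final result = await _codes.replaceOne(
      where.eq('email', email),
      {'email': email, 'code': code, 'expiresAt': DateTime.now().toUtc().add(ttl)},
      upsert: true,
    );
    if (!result.isSuccess) {
      throw StateError('code upsert failed: ${result.writeError?.errmsg}');
    }
  }

  /// Expiry is re-checked here because the TTL monitor is best-effort; a
  /// matching code is deleted on success so it cannot be replayed.
  Future<bool> verifyCode(String email, String code) async {
    final doc = await _codes.findOne(where.eq('email', email));
    if (doc == null) return false;
    final expiresAt = doc['expiresAt'] as DateTime;
    if (!expiresAt.isAfter(DateTime.now().toUtc()) || doc['code'] != code) {
      return false;
    }
    await _codes.deleteOne(where.eq('email', email));
    return true;
  }
}

Future<void> main() async {
  final uri = Platform.environment['MONGO_URI'] ?? 'mongodb://localhost:27017/ht_api';
  final db = await Db.create(uri);
  await db.open();
  final store = AuthStore(db);
  await store.ensureIndexes();

  // Constructed jti/exp values standing in for a decoded token's claims.
  final exp = DateTime.now().toUtc().add(const Duration(minutes: 15));
  await store.blacklist('example-jti-1', exp);
  await store.blacklist('example-jti-1', exp); // second revoke is a no-op
  print('blacklisted: ${await store.isBlacklisted('example-jti-1')}');

  const email = 'user@example.test';
  await store.storeCode(email, '482913', const Duration(minutes: 10));
  await store.storeCode(email, '771204', const Duration(minutes: 10)); // replaces 482913
  print('old code accepted: ${await store.verifyCode(email, '482913')}');
  print('new code accepted: ${await store.verifyCode(email, '771204')}');
  await db.close();
}
```

Point MONGO_URI at a throwaway database before running. Both createIndexes calls are safe to repeat on every start, which is where the PR's seeding step runs them; note that changing an existing index's options (for example the TTL value) under the same name fails with IndexOptionsConflict and requires dropping the old index first.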
Code Review
This pull request significantly hardens the authentication implementation. Key improvements include replacing hardcoded JWT secrets with environment variables, transitioning from in-memory to persistent MongoDB storage for token blacklists and verification codes using TTL indexes for automatic cleanup, and replacing `print` statements with a structured logging solution. The changes are well-structured and greatly improve the security and maintainability of the service.
I've identified one critical syntax error that would prevent compilation and several medium-severity issues related to improving error logging by including stack traces in `catch` blocks. Addressing these will further enhance the robustness of the new services.