✨ rewrite backend to use email instead of lhmExtId and extract mail directly from JWT token

Author: FabianWilms

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/ChecklistController.java

@@ -26,10 +26,10 @@ public class ChecklistController {
     private final ChecklistMapper checklistMapper;
 
     @GetMapping
-    @Operation(summary = "Get all checklists by user.", description = "Returns all checklists of an user by lhmExtId")
+    @Operation(summary = "Get all checklists by user.", description = "Returns all checklists of an user (identified by JWT-Token)")
     @ResponseStatus(HttpStatus.OK)
-    public List<ChecklistReadDTO> getChecklists(@RequestHeader("lhmExtID") final String lhmExtID) {
-        final List<Checklist> checklists = checklistService.getChecklists(lhmExtID);
+    public List<ChecklistReadDTO> getChecklists() {
+        final List<Checklist> checklists = checklistService.getChecklists();
         return checklists.stream().map(checklistMapper::toReadDTO).toList();
     }
 

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/ChecklistRepository.java

@@ -9,6 +9,6 @@
 @Repository
 public interface ChecklistRepository extends JpaRepository<Checklist, UUID> {
 
-    List<Checklist> findChecklistByLhmExtId(String lhmExtId);
+    List<Checklist> findChecklistByEmail(String email);
 
 }

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/ChecklistService.java

@@ -10,8 +10,16 @@
 import java.util.UUID;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hc.client5.http.HttpResponseException;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.stereotype.Service;
+import org.springframework.web.server.ResponseStatusException;
 
 @Service
 @Slf4j
@@ -20,36 +28,49 @@ public class ChecklistService {
 
     private final ChecklistRepository checklistRepository;
 
-    @PreAuthorize(Authorities.CHECKLIST_CREATE)
     public Checklist createChecklist(final Checklist checklist) {
-        log.debug("Create Checklist {}", checklist);
+        String userMail = getUserMailFromAuthenticationOrThrow();
+        log.debug("Create Checklist {} for {}", checklist, userMail);
+        checklist.setEmail(userMail);
         return checklistRepository.save(checklist);
     }
 
-    @PreAuthorize(Authorities.CHECKLIST_GET_ALL)
-    public List<Checklist> getChecklists(final String userId) {
-        log.debug("Get all checklists of {}", userId);
-        return checklistRepository.findChecklistByLhmExtId(userId);
+    public List<Checklist> getChecklists() {
+        String userMail = getUserMailFromAuthenticationOrThrow();
+        log.debug("Get all checklists of {}", userMail);
+        return checklistRepository.findChecklistByEmail(userMail);
     }
 
-    @PreAuthorize(Authorities.CHECKLIST_GET)
     public Checklist getChecklist(final UUID checklistId) {
-        log.debug("Get checklist with ID {}", checklistId);
-        return getChecklistOrThrowException(checklistId);
+        String userMail = getUserMailFromAuthenticationOrThrow();
+        log.debug("Get checklist with ID {} for {}", checklistId, userMail);
+        Checklist checklistOrThrowException = getChecklistOrThrowException(checklistId);
+
+        isChecklistOwnerOrThrow(checklistOrThrowException, userMail);
+
+        return checklistOrThrowException;
     }
 
-    @PreAuthorize(Authorities.CHECKLIST_UPDATE)
     public Checklist updateChecklist(final Checklist checklist, final UUID checklistId) {
+        String userMail = getUserMailFromAuthenticationOrThrow();
+        log.debug("Update checklist with ID {} for {}", checklistId, userMail);
         final Checklist foundChecklist = getChecklistOrThrowException(checklistId);
+
+        isChecklistOwnerOrThrow(foundChecklist, userMail);
+
         foundChecklist.setChecklistItems(checklist.getChecklistItems());
         foundChecklist.setLastUpdate(ZonedDateTime.now());
         log.debug("Update Checklist {}", foundChecklist);
         return checklistRepository.save(foundChecklist);
     }
 
-    @PreAuthorize(Authorities.CHECKLIST_DELETE)
     public void deleteChecklist(final UUID checklistId) {
-        log.debug("Delete Checklist with ID {}", checklistId);
+        String userMail = getUserMailFromAuthenticationOrThrow();
+        log.debug("Delete Checklist with ID {} for {}", checklistId, userMail);
+
+        final Checklist foundChecklist = getChecklistOrThrowException(checklistId);
+        isChecklistOwnerOrThrow(foundChecklist, userMail);
+
         checklistRepository.deleteById(checklistId);
     }
 
@@ -58,4 +79,21 @@ private Checklist getChecklistOrThrowException(final UUID checklistId) {
                 .findById(checklistId)
                 .orElseThrow(() -> new NotFoundException(String.format(MSG_NOT_FOUND, checklistId)));
     }
+
+    private String getUserMailFromAuthenticationOrThrow() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if(authentication.getPrincipal() instanceof Jwt jwt) {
+            String email = jwt.getClaims().get("email").toString();
+            if(!StringUtils.isBlank(email)) {
+                return email;
+            }
+        }
+        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
+    }
+
+    private void isChecklistOwnerOrThrow(Checklist checklist, String userMail) {
+        if(!checklist.getEmail().equals(userMail)) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "User does not own the checklist");
+        }
+    }
 }

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/domain/Checklist.java

@@ -25,9 +25,9 @@ public class Checklist extends BaseEntity {
     @Serial
     private static final long serialVersionUID = 1L;
 
-    @Column(name = "lhm_ext_id", nullable = false)
+    @Column(name = "email", nullable = false)
     @NotNull
-    private String lhmExtId;
+    private String email;
 
     @Column(name = "title")
     @NotNull

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/domain/ChecklistCreateDTO.java

@@ -3,6 +3,6 @@
 import jakarta.validation.constraints.NotNull;
 import java.util.List;
 
-public record ChecklistCreateDTO(@NotNull String lhmExtId, @NotNull String title, @NotNull List<ChecklistItemDTO> checklistItems) {
+public record ChecklistCreateDTO(@NotNull String title, @NotNull List<ChecklistItemDTO> checklistItems) {
 
 }

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/domain/ChecklistMapper.java

@@ -10,6 +10,7 @@ public interface ChecklistMapper {
     ChecklistReadDTO toReadDTO(Checklist checklist);
 
     @Mapping(target = "id", ignore = true)
+    @Mapping(target = "email", ignore = true)
     Checklist toCreateChecklist(ChecklistCreateDTO checklistUpdateDTO);
 
     @Mapping(target = "id", ignore = true)

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/domain/ChecklistReadDTO.java

@@ -5,7 +5,7 @@
 import java.util.List;
 import java.util.UUID;
 
-public record ChecklistReadDTO(@NotNull UUID id, @NotNull String lhmExtId, @NotNull String title, @NotNull ZonedDateTime lastUpdate,
+public record ChecklistReadDTO(@NotNull UUID id, @NotNull String email, @NotNull String title, @NotNull ZonedDateTime lastUpdate,
         @NotNull List<ChecklistItemDTO> checklistItems) {
 
 }

personalization-service/src/main/java/de/muenchen/dbs/personalization/checklist/domain/ChecklistUpdateDTO.java

@@ -4,6 +4,6 @@
 import java.util.List;
 import java.util.UUID;
 
-public record ChecklistUpdateDTO(@NotNull UUID id, @NotNull String lhmExtId, @NotNull String title, @NotNull List<ChecklistItemDTO> checklistItems) {
+public record ChecklistUpdateDTO(@NotNull UUID id, @NotNull String email, @NotNull String title, @NotNull List<ChecklistItemDTO> checklistItems) {
 
 }

personalization-service/src/main/resources/db/migration/schema/V001__Checklist_schema.sql

@@ -1,5 +1,5 @@
 create table checklist (
-    lhm_ext_id varchar(255) not null,
+    email varchar(255) not null,
     title varchar(255) not null,
     last_update timestamp with time zone,
     id uuid not null,

personalization-service/src/main/resources/db/migration/testdata/R__Testdata.sql

@@ -1,15 +1,15 @@
 truncate checklist CASCADE;
 truncate checklist_item CASCADE;
 
-INSERT INTO checklist (lhm_ext_id, title, last_update, id) VALUES
-('user1', 'title1', NOW(), '123e4567-e89b-12d3-a456-426614174000'),
-('user2', 'title2', NOW(), '123e4567-e89b-12d3-a456-426614174001'),
-('user3', 'title3', NOW(), '123e4567-e89b-12d3-a456-426614174002');
+INSERT INTO checklist (email, title, last_update, id) VALUES
+('user1@example.com', 'title1', NOW(), '123e4567-e89b-12d3-a456-426614174000'),
+('user2@example.com', 'title2', NOW(), '123e4567-e89b-12d3-a456-426614174001'),
+('user3@example.com', 'title3', NOW(), '123e4567-e89b-12d3-a456-426614174002');
 
 INSERT INTO checklist_item (service_id, checked, title, note, required, checklist_id) VALUES
-('service1', NOW(), 'Item 1', 'Note for Item 1', TRUE, (select id from checklist where lhm_ext_id='user1')),
-('service2', NOW(), 'Item 2', 'Note for Item 2', FALSE, (select id from checklist where lhm_ext_id='user1')),
-('service3', NOW(), 'Item 3', 'Note for Item 3', FALSE, (select id from checklist where lhm_ext_id='user2')),
-('service4', NOW(), 'Item 4', 'Note for Item 4', TRUE, (select id from checklist where lhm_ext_id='user3')),
-('service5', NOW(), 'Item 5', 'Note for Item 5', TRUE, (select id from checklist where lhm_ext_id='user3')),
-('service6', NOW(), 'Item 6', 'Note for Item 6', FALSE, (select id from checklist where lhm_ext_id='user3'));
+('service1', NOW(), 'Item 1', 'Note for Item 1', TRUE, (select id from checklist where email='user1@example.com')),
+('service2', NOW(), 'Item 2', 'Note for Item 2', FALSE, (select id from checklist where email='user1@example.com')),
+('service3', NOW(), 'Item 3', 'Note for Item 3', FALSE, (select id from checklist where email='user2@example.com')),
+('service4', NOW(), 'Item 4', 'Note for Item 4', TRUE, (select id from checklist where email='user3@example.com')),
+('service5', NOW(), 'Item 5', 'Note for Item 5', TRUE, (select id from checklist where email='user3@example.com')),
+('service6', NOW(), 'Item 6', 'Note for Item 6', FALSE, (select id from checklist where email='user3@example.com'));