refactor(auth): implements HttpOnly Cookies to improve security

Author: renancvitor

src/main/java/com/github/renancvitor/inventory/application/authentication/controller/AuthenticationController.java

@@ -10,7 +10,10 @@
 import com.github.renancvitor.inventory.application.authentication.dto.JWTTokenData;
 import com.github.renancvitor.inventory.application.authentication.dto.LoginData;
 import com.github.renancvitor.inventory.application.authentication.service.AuthenticationService;
+import com.github.renancvitor.inventory.application.user.dto.UserSummaryData;
 
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 
@@ -23,9 +26,21 @@ public class AuthenticationController {
     private final AuthenticationService authenticationService;
 
     @PostMapping
-    public ResponseEntity<JWTTokenData> authentication(@RequestBody @Valid LoginData data) {
+    public ResponseEntity<UserSummaryData> authentication(@RequestBody @Valid LoginData data,
+            HttpServletResponse response) {
         JWTTokenData jwtTokenData = authenticationService.authentication(data, authenticationManager);
-        return ResponseEntity.ok(jwtTokenData);
+
+        Cookie cookie = new Cookie("access_token", jwtTokenData.token());
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
+        cookie.setPath("/");
+        cookie.setMaxAge(60 * 60 * 2);
+
+        cookie.setAttribute("SameSite", "Lax");
+
+        response.addCookie(cookie);
+
+        return ResponseEntity.ok(jwtTokenData.user());
     }
 
 }

src/main/java/com/github/renancvitor/inventory/infra/security/SecurityFilter.java

@@ -13,6 +13,7 @@
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
@@ -59,10 +60,16 @@ protected void doFilterInternal(
     }
 
     private String recoveryToken(HttpServletRequest request) {
-        String authorizationHeader = request.getHeader("Authorization");
-        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
-            return authorizationHeader.substring(7);
+        if (request.getCookies() == null) {
+            return null;
         }
+
+        for (Cookie cookie : request.getCookies()) {
+            if ("access_token".equals(cookie.getName())) {
+                return cookie.getValue();
+            }
+        }
+
         return null;
     }
 }

src/test/java/com/github/renancvitor/inventory/controller/authentication/AuthenticationControllerTests.java

@@ -4,6 +4,9 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 
 import org.junit.jupiter.api.BeforeEach;
@@ -21,6 +24,10 @@
 import com.github.renancvitor.inventory.application.authentication.dto.JWTTokenData;
 import com.github.renancvitor.inventory.application.authentication.dto.LoginData;
 import com.github.renancvitor.inventory.application.authentication.service.AuthenticationService;
+import com.github.renancvitor.inventory.application.user.dto.UserSummaryData;
+
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 
 @ExtendWith(MockitoExtension.class)
 @ActiveProfiles("test")
@@ -48,25 +55,45 @@ void setup() {
     class PositiveCases {
         @Test
         void shouldReturn200AndJWTTokenDataWhenAuthenticationSucceeds() {
-            when(authenticationService.authentication(any(LoginData.class), any(AuthenticationManager.class)))
+            HttpServletResponse response = mock(HttpServletResponse.class);
+
+            when(authenticationService.authentication(
+                    any(LoginData.class),
+                    any(AuthenticationManager.class)))
                     .thenReturn(jwtTokenData);
 
-            ResponseEntity<JWTTokenData> response = authenticationController.authentication(loginData);
+            ResponseEntity<UserSummaryData> result = authenticationController.authentication(loginData, response);
+
+            assertNotNull(result);
+            assertEquals(200, result.getStatusCode().value());
+            assertEquals(jwtTokenData.user(), result.getBody());
+
+            verify(authenticationService).authentication(
+                    any(LoginData.class),
+                    any(AuthenticationManager.class));
 
-            assertNotNull(response);
-            assertEquals(200, response.getStatusCode().value());
-            assertEquals(jwtTokenData, response.getBody());
+            verify(response).addCookie(any(Cookie.class));
         }
     }
 
     @Nested
     class NegativeCases {
         @Test
         void shouldPropagateExceptionWhenServiceThrows() {
-            when(authenticationService.authentication(any(LoginData.class), any(AuthenticationManager.class)))
+            HttpServletResponse response = mock(HttpServletResponse.class);
+
+            when(authenticationService.authentication(
+                    any(LoginData.class),
+                    any(AuthenticationManager.class)))
                     .thenThrow(new RuntimeException("Auth failed"));
 
-            assertThrows(RuntimeException.class, () -> authenticationController.authentication(loginData));
+            assertThrows(RuntimeException.class, () -> authenticationController.authentication(loginData, response));
+
+            verify(authenticationService).authentication(
+                    any(LoginData.class),
+                    any(AuthenticationManager.class));
+
+            verifyNoInteractions(response);
         }
     }
 }