feat(backend): implement step 08 - private endpoint and JWT validation

Author: rhofkens

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Step 05** – Implement client-side caching for public health endpoint using `sessionStorage` to display stale data when the backend is unavailable. Added a 'stale data' badge to the UI.
 - **Step 06** – Added OIDC configuration skeleton (using standard scopes), environment variable setup, and updated gitignore for `.env` files. Updated subsequent step plans (7, 8) to remove custom scope references.
 - **Step 07** – Implemented frontend login/logout flow using oidc-client-ts for PKCE. Added tests for Header, AuthCallback, AuthProvider, and AuthService.
+- **Step 08** – Added private endpoint and JWT validation.
 
 ### Fixed
 

README.md

@@ -159,3 +159,21 @@ Example response:
 {
   "message": "Service up"
 }
+
+### Testing Private Endpoint
+
+To test the private endpoint, you need a valid JWT access token obtained from your OIDC provider (e.g., Zitadel). This token must contain the necessary claims or roles (like `AUTH_USER`) that the backend expects.
+
+```bash
+# Replace <your_jwt_token> with a valid access token
+curl -H "Authorization: Bearer <your_jwt_token>" http://localhost:8080/api/v1/private/info
+```
+
+Example response (if authorized):
+```json
+{
+  "info": "This is private information for authenticated users."
+}
+```
+
+You can obtain a test token from the Zitadel console or by using an OIDC client tool after authenticating.

backend/pom.xml

@@ -42,11 +42,22 @@
 			<version>2.4.0</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 
 	<build>

backend/src/main/java/ai/bluefields/oidcauthdemo/config/SecurityConfig.java

@@ -0,0 +1,74 @@
+package ai.bluefields.oidcauthdemo.config; // Correct package
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+
+/**
+ * Configures Spring Security settings for the application, including JWT validation, authorization
+ * rules, and CSRF protection. Enables method-level security checks using {@link
+ * EnableMethodSecurity}.
+ */
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity // Enables @PreAuthorize, @PostAuthorize, etc.
+public class SecurityConfig {
+
+  /**
+   * Defines the main security filter chain for the application.
+   *
+   * <p>Configuration details:
+   *
+   * <ul>
+   *   <li>Disables CSRF protection as the API is stateless and relies on JWTs.
+   *   <li>Configures authorization rules:
+   *       <ul>
+   *         <li>Permits access to public API endpoints (`/api/v1/public/**`).
+   *         <li>Permits access to OpenAPI/Swagger UI endpoints.
+   *         <li>Requires authentication for private API endpoints (`/api/v1/private/**`).
+   *         <li>Requires authentication for any other request not explicitly matched.
+   *       </ul>
+   *   <li>Enables OAuth 2.0 Resource Server support with JWT validation using default settings.
+   *   <li>Sets session management to STATELESS, as JWTs handle session state.
+   * </ul>
+   *
+   * @param http The {@link HttpSecurity} to configure.
+   * @return The configured {@link SecurityFilterChain}.
+   * @throws Exception If an error occurs during configuration.
+   */
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.csrf(AbstractHttpConfigurer::disable) // Disable CSRF for stateless API
+        .httpBasic(AbstractHttpConfigurer::disable) // Disable HTTP Basic Auth
+        .authorizeHttpRequests(
+            authz ->
+                authz
+                    .requestMatchers(
+                        "/api/v1/public/**", // Public endpoints
+                        "/v3/api-docs/**", // OpenAPI spec
+                        "/swagger-ui/**", // Swagger UI webjar
+                        "/swagger-ui.html", // Swagger UI entry point
+                        "/error" // Permit default error handling path
+                        )
+                    .permitAll()
+                    .requestMatchers("/api/v1/private/**")
+                    .authenticated() // Require authentication for private endpoints
+                    .anyRequest()
+                    .authenticated() // Default deny: require auth for anything else
+            )
+        .oauth2ResourceServer(
+            oauth2 -> oauth2.jwt(Customizer.withDefaults())) // Enable JWT resource server
+        .sessionManagement(
+            session ->
+                session.sessionCreationPolicy(
+                    SessionCreationPolicy.STATELESS)); // Stateless sessions
+
+    return http.build();
+  }
+}

…ields/oidcauthdemo/HealthController.java …uthdemo/controller/HealthController.javabackend/src/main/java/ai/bluefields/oidcauthdemo/HealthController.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/controller/HealthController.java backend/src/main/java/ai/bluefields/oidcauthdemo/HealthController.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/controller/HealthController.java

@@ -1,7 +1,7 @@
-package ai.bluefields.oidcauthdemo;
+package ai.bluefields.oidcauthdemo.controller;
 
-import ai.bluefields.oidcauthdemo.health.HealthResponse;
-import ai.bluefields.oidcauthdemo.health.HealthService;
+import ai.bluefields.oidcauthdemo.dto.HealthResponse; // Updated import
+import ai.bluefields.oidcauthdemo.service.HealthService;
 import io.swagger.v3.oas.annotations.Operation;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;

backend/src/main/java/ai/bluefields/oidcauthdemo/controller/PrivateInfoController.java

@@ -0,0 +1,61 @@
+package ai.bluefields.oidcauthdemo.controller; // Updated package
+
+import ai.bluefields.oidcauthdemo.dto.PrivateInfoResponse;
+import ai.bluefields.oidcauthdemo.service.PrivateInfoService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * Controller handling requests for private information, requiring authentication and authorization.
+ */
+@RestController
+@RequestMapping("/api/v1/private")
+@Tag(name = "Private Info API", description = "Endpoints requiring authentication")
+@SecurityRequirement(name = "bearerAuth") // Link to security scheme defined in OpenAPI config
+public class PrivateInfoController {
+
+  private final PrivateInfoService privateInfoService;
+
+  /**
+   * Constructs the controller with the necessary service dependency.
+   *
+   * @param privateInfoService The service used to retrieve private information.
+   */
+  public PrivateInfoController(PrivateInfoService privateInfoService) {
+    this.privateInfoService = privateInfoService;
+  }
+
+  /**
+   * Retrieves private information for the authenticated user. Requires the user to have the
+   * 'ROLE_AUTH_USER' authority.
+   *
+   * @param jwt The JWT representing the authenticated user, injected by Spring Security.
+   * @return A {@link PrivateInfoResponse} containing a message and the user's email.
+   */
+  @GetMapping("/info")
+  @PreAuthorize("hasAuthority('ROLE_AUTH_USER')")
+  @Operation(
+      summary = "Get Private Information",
+      description =
+          "Returns a simple message and the authenticated user's email. Requires ROLE_AUTH_USER.",
+      responses = {
+        @ApiResponse(responseCode = "200", description = "Successfully retrieved private info"),
+        @ApiResponse(
+            responseCode = "401",
+            description = "Unauthorized - JWT token missing or invalid"),
+        @ApiResponse(
+            responseCode = "403",
+            description = "Forbidden - User lacks ROLE_AUTH_USER authority")
+      })
+  public PrivateInfoResponse getPrivateInfo(@AuthenticationPrincipal Jwt jwt) {
+    return privateInfoService.getInfo(jwt);
+  }
+}

…/oidcauthdemo/health/HealthResponse.java …lds/oidcauthdemo/dto/HealthResponse.javabackend/src/main/java/ai/bluefields/oidcauthdemo/health/HealthResponse.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/dto/HealthResponse.java backend/src/main/java/ai/bluefields/oidcauthdemo/health/HealthResponse.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/dto/HealthResponse.java

@@ -1,6 +1,7 @@
-package ai.bluefields.oidcauthdemo.health;
+package ai.bluefields.oidcauthdemo.dto; // Updated package
 
 /**
  * Record representing the health check response. Contains a message indicating the service status.
+ * Data Transfer Object (DTO).
  */
 public record HealthResponse(String message) {}

backend/src/main/java/ai/bluefields/oidcauthdemo/dto/PrivateInfoResponse.java

@@ -0,0 +1,10 @@
+package ai.bluefields.oidcauthdemo.dto;
+
+/**
+ * Represents the response containing private information accessible only to authenticated users.
+ * Data Transfer Object (DTO).
+ *
+ * @param message A static message confirming access.
+ * @param email The email address of the authenticated user, extracted from the JWT.
+ */
+public record PrivateInfoResponse(String message, String email) {}

…efields/oidcauthdemo/error/ApiError.java …lds/oidcauthdemo/exception/ApiError.javabackend/src/main/java/ai/bluefields/oidcauthdemo/error/ApiError.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/exception/ApiError.java backend/src/main/java/ai/bluefields/oidcauthdemo/error/ApiError.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/exception/ApiError.java

@@ -1,4 +1,4 @@
-package ai.bluefields.oidcauthdemo.error;
+package ai.bluefields.oidcauthdemo.exception;
 
 import java.time.Instant;
 

…thdemo/error/GlobalExceptionHandler.java …mo/exception/GlobalExceptionHandler.javabackend/src/main/java/ai/bluefields/oidcauthdemo/error/GlobalExceptionHandler.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/exception/GlobalExceptionHandler.java backend/src/main/java/ai/bluefields/oidcauthdemo/error/GlobalExceptionHandler.java renamed to backend/src/main/java/ai/bluefields/oidcauthdemo/exception/GlobalExceptionHandler.java

@@ -1,11 +1,12 @@
-package ai.bluefields.oidcauthdemo.error;
+package ai.bluefields.oidcauthdemo.exception;
 
 import java.time.Instant;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.web.HttpMediaTypeNotSupportedException;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -148,4 +149,28 @@ public ResponseEntity<ApiError> handleUnsupportedMediaType(
         .contentType(MediaType.valueOf("application/problem+json"))
         .body(apiError);
   }
+
+  /**
+   * Handles {@link AuthorizationDeniedException} (typically thrown by {@code @PreAuthorize}) and
+   * converts it to a standardized {@link ApiError} response with HTTP status 403 (Forbidden).
+   *
+   * @param ex the exception that was thrown
+   * @return a {@link ResponseEntity} containing an {@link ApiError} with status 403
+   */
+  @ExceptionHandler(AuthorizationDeniedException.class)
+  public ResponseEntity<ApiError> handleAuthorizationDenied(AuthorizationDeniedException ex) {
+    logger.warn("Authorization denied: {}", ex.getMessage());
+
+    ApiError apiError =
+        new ApiError(
+            "https://api.bluefields.ai/errors/forbidden",
+            "Forbidden",
+            HttpStatus.FORBIDDEN.value(),
+            "Access to the requested resource is forbidden",
+            Instant.now());
+
+    return ResponseEntity.status(HttpStatus.FORBIDDEN)
+        .contentType(MediaType.valueOf("application/problem+json"))
+        .body(apiError);
+  }
 }