Skip to content

CGDMF-73: Properly verify JWT token with secret#144

Merged
hartman merged 15 commits into
developfrom
CGDMF-73-authorization
May 28, 2026
Merged

CGDMF-73: Properly verify JWT token with secret#144
hartman merged 15 commits into
developfrom
CGDMF-73-authorization

Conversation

@wouterpot

Copy link
Copy Markdown
Collaborator

remove 'bypass' secret & logging of JWT token

@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch 4 times, most recently from f751c46 to 318df33 Compare May 4, 2026 11:27
@wouterpot
wouterpot requested review from Copilot and hartman May 4, 2026 11:27

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens the authentication path around ZGW JWTs in the DRC by removing the old bypass flow, adding optional HS256 secret verification, and introducing role-based protection for internal admin routes.

Changes:

  • Add per-client ZGW secret lookup, optional signature enforcement, and configurable admin-role settings.
  • Add a reusable 403 Problem Details helper and wire admin-role checks into /admin routing.
  • Update Bruno’s generated ZGW token payload to include an admin role for manual testing.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/main/kotlin/config/AuthenticationModule.kt Reworks ZGW JWT verification and removes the bypass token flow.
src/main/kotlin/config/AuthenticationConfig.kt Adds auth-related env config for ZGW secrets, signature enforcement, and admin role selection.
src/main/kotlin/api/models/ProblemDetailsResponse.kt Adds a helper for 403 Problem Details responses.
src/main/kotlin/api/admin/AdminRoutes.kt Adds JWT role extraction and admin-role enforcement around /admin routes.
.bruno/CG-DMF/collection.bru Adds an admin role claim to Bruno-generated JWTs.

Comment thread src/main/kotlin/config/AuthenticationModule.kt Outdated
Comment thread src/main/kotlin/api/admin/AdminRoutes.kt Outdated
Comment thread src/main/kotlin/config/AuthenticationConfig.kt Outdated
@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch 3 times, most recently from 91f928a to 3eb4061 Compare May 5, 2026 11:00
@wouterpot
wouterpot requested a review from Copilot May 5, 2026 11:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Comment thread src/main/kotlin/config/AuthenticationModule.kt Outdated
Comment thread src/main/kotlin/api/settings/SettingsRoutes.kt
Comment thread docker-compose.k6.yml
Comment thread src/main/kotlin/api/settings/SettingsRoutes.kt
Comment thread src/main/kotlin/config/AuthenticationConfig.kt Outdated
@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch 7 times, most recently from b0b6c0f to c67854f Compare May 7, 2026 16:26
@wouterpot
wouterpot marked this pull request as ready for review May 12, 2026 11:50
@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch from c67854f to 2be049a Compare May 12, 2026 11:50
Comment thread src/main/kotlin/config/AuthenticationConfig.kt Outdated
Comment thread src/main/kotlin/config/AuthenticationConfig.kt Outdated
Comment thread src/main/kotlin/config/AuthenticationConfig.kt Outdated
Comment thread src/main/kotlin/config/AuthenticationModule.kt Outdated
Comment thread src/main/kotlin/config/AuthenticationModule.kt
Comment thread src/main/kotlin/config/AuthenticationModule.kt
Comment thread src/main/kotlin/config/AuthenticationModule.kt Outdated
Comment thread src/main/kotlin/config/AuthenticationModule.kt Outdated
Comment thread docker-compose.integration-test.yml Outdated
@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch from 2be049a to d8a12c8 Compare May 28, 2026 11:51
wouterpot and others added 6 commits May 28, 2026 14:09
improve comments

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

add finish() in roleCheck

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

remove finish()
@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch 2 times, most recently from 36ced55 to 0912414 Compare May 28, 2026 12:38
@wouterpot
wouterpot force-pushed the CGDMF-73-authorization branch from 0912414 to 4b55c8b Compare May 28, 2026 13:05
@hartman
hartman merged commit 4895a9b into develop May 28, 2026
8 checks passed
@wouterpot
wouterpot deleted the CGDMF-73-authorization branch May 29, 2026 08:30
github-actions Bot added a commit that referenced this pull request Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants