CGDMF-73: Properly verify JWT token with secret#144
Merged
Conversation
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
4 times, most recently
from
May 4, 2026 11:27
f751c46 to
318df33
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR tightens the authentication path around ZGW JWTs in the DRC by removing the old bypass flow, adding optional HS256 secret verification, and introducing role-based protection for internal admin routes.
Changes:
- Add per-client ZGW secret lookup, optional signature enforcement, and configurable admin-role settings.
- Add a reusable 403 Problem Details helper and wire admin-role checks into
/adminrouting. - Update Bruno’s generated ZGW token payload to include an admin role for manual testing.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/main/kotlin/config/AuthenticationModule.kt | Reworks ZGW JWT verification and removes the bypass token flow. |
| src/main/kotlin/config/AuthenticationConfig.kt | Adds auth-related env config for ZGW secrets, signature enforcement, and admin role selection. |
| src/main/kotlin/api/models/ProblemDetailsResponse.kt | Adds a helper for 403 Problem Details responses. |
| src/main/kotlin/api/admin/AdminRoutes.kt | Adds JWT role extraction and admin-role enforcement around /admin routes. |
| .bruno/CG-DMF/collection.bru | Adds an admin role claim to Bruno-generated JWTs. |
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
3 times, most recently
from
May 5, 2026 11:00
91f928a to
3eb4061
Compare
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
7 times, most recently
from
May 7, 2026 16:26
b0b6c0f to
c67854f
Compare
wouterpot
marked this pull request as ready for review
May 12, 2026 11:50
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
from
May 12, 2026 11:50
c67854f to
2be049a
Compare
hartman
requested changes
May 13, 2026
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
from
May 28, 2026 11:51
2be049a to
d8a12c8
Compare
use toBoolean() iso "true" comparison Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
improve comments Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> add finish() in roleCheck Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> remove finish()
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
2 times, most recently
from
May 28, 2026 12:38
36ced55 to
0912414
Compare
wouterpot
force-pushed
the
CGDMF-73-authorization
branch
from
May 28, 2026 13:05
0912414 to
4b55c8b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
remove 'bypass' secret & logging of JWT token