feat: add jwt authentication (#22)

Author: jianggang

pom.xml

@@ -220,10 +220,6 @@
             <version>${version.powermock}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.springframework.session</groupId>
-            <artifactId>spring-session-jdbc</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
@@ -235,6 +231,11 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.0.0</version>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/com/featureprobe/api/auth/JWTAuthenticationFilter.java

@@ -0,0 +1,77 @@
+package com.featureprobe.api.auth;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.featureprobe.api.base.exception.ForbiddenException;
+import com.featureprobe.api.entity.Member;
+import com.featureprobe.api.mapper.JsonMapper;
+import com.featureprobe.api.repository.MemberRepository;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.util.Base64Utils;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.Map;
+
+@Slf4j
+public class JWTAuthenticationFilter extends BasicAuthenticationFilter {
+
+    private static final String TOKEN_KEY = "token";
+
+    MemberRepository memberRepository;
+
+    public JWTAuthenticationFilter(AuthenticationManager authenticationManager, MemberRepository memberRepository) {
+        super(authenticationManager);
+        this.memberRepository = memberRepository;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        final String authHeader = request.getHeader(JWTUtils.AUTH_HEADER_KEY);
+        if (StringUtils.isBlank(authHeader) || !authHeader.startsWith(JWTUtils.TOKEN_PREFIX)) {
+            chain.doFilter(request, response);
+            return;
+        }
+        try {
+            final String token = authHeader.substring(7);
+            String payload = JWT.decode(token).getPayload();
+            byte[] decode = Base64Utils.decode(payload.getBytes(StandardCharsets.UTF_8));
+            String user = new String(decode);
+            Long userId = Long.parseLong(String.valueOf(JsonMapper.toObject(user, Map.class).get("userId")));
+            Member member = memberRepository.findById(userId).orElseThrow(() -> new ForbiddenException());
+            JWTVerifier verifier = JWT.require(Algorithm.HMAC256(member.getPassword())).build();
+            DecodedJWT decodedJWT = verifier.verify(token);
+            Date expiresAt = decodedJWT.getExpiresAt();
+            if (new Date().after(expiresAt)) {
+                log.error("Token has expired");
+                throw new ForbiddenException();
+            }
+            UserPasswordAuthenticationToken userPasswordAuthenticationToken =
+                    new UserPasswordAuthenticationToken(member,
+                            Arrays.asList(new SimpleGrantedAuthority(member.getRole().name())));
+            SecurityContextHolder.getContext().setAuthentication(userPasswordAuthenticationToken);
+            if ((expiresAt.getTime() - new Date().getTime()) < 600) {
+                response.setHeader(TOKEN_KEY, JWTUtils.getToken(member));
+            } else {
+                response.setHeader(TOKEN_KEY, token);
+            }
+        }catch (Exception e) {
+            log.error("Token is forbidden", e);
+            throw new ForbiddenException();
+        }
+        chain.doFilter(request, response);
+    }
+}

src/main/java/com/featureprobe/api/auth/JWTUtils.java

@@ -0,0 +1,31 @@
+package com.featureprobe.api.auth;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.featureprobe.api.entity.Member;
+
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+
+public class JWTUtils {
+
+    public static final String AUTH_HEADER_KEY = "Authorization";
+    public static final String TOKEN_PREFIX = "Bearer ";
+    private static final String ISS_KEY = "iss";
+    private static final String ISS_VALUE = "https://featureprobe.com";
+    private static final String ACCOUNT_KEY = "account";
+    private static final String USER_ID_KEY = "userId";
+    private static final String ROLE_KEY = "role";
+
+    public static String getToken(Member member) {
+        LocalDateTime now = LocalDateTime.now();
+        return JWT.create()
+                .withExpiresAt(LocalDateTime.now().plusMinutes(30L).atZone(ZoneId.systemDefault()).toInstant())
+                .withClaim(ISS_KEY, ISS_VALUE)
+                .withClaim(ACCOUNT_KEY, member.getAccount())
+                .withClaim(USER_ID_KEY, member.getId())
+                .withClaim(ROLE_KEY, member.getRole().name())
+                .sign(Algorithm.HMAC256(member.getPassword()));
+    }
+
+}

src/main/java/com/featureprobe/api/auth/LoginSuccessHandler.java

@@ -1,7 +1,8 @@
 package com.featureprobe.api.auth;
 
-import com.featureprobe.api.dto.MemberResponse;
+import com.featureprobe.api.dto.CertificationUserResponse;
 import com.featureprobe.api.mapper.JsonMapper;
+import lombok.AllArgsConstructor;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.Authentication;
@@ -15,6 +16,7 @@
 import java.nio.charset.StandardCharsets;
 
 @Component
+@AllArgsConstructor
 public class LoginSuccessHandler implements AuthenticationSuccessHandler {
 
     @Override
@@ -25,7 +27,9 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
         response.setCharacterEncoding(StandardCharsets.UTF_8.name());
         UserPasswordAuthenticationToken token =
                 (UserPasswordAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
-        response.getWriter().write(JsonMapper.toJSONString(new MemberResponse(token.getAccount(), token.getRole())));
+        String jwt = JWTUtils.getToken(token.getPrincipal());
+        response.getWriter()
+                .write(JsonMapper.toJSONString(new CertificationUserResponse(token.getAccount(), token.getRole(),jwt)));
     }
 
 }

src/main/java/com/featureprobe/api/auth/SecurityConfig.java

@@ -2,6 +2,7 @@
 
 import com.featureprobe.api.dto.BaseResponse;
 import com.featureprobe.api.mapper.JsonMapper;
+import com.featureprobe.api.repository.MemberRepository;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.context.annotation.Bean;
@@ -12,9 +13,9 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-
 import java.nio.charset.StandardCharsets;
 
 @Slf4j
@@ -29,6 +30,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
     private CustomLogoutSuccessHandler customLogoutSuccessHandler;
 
+    private MemberRepository memberRepository;
+
     UserPasswordAuthenticationProcessingFilter userPasswordAuthenticationProcessingFilter(
             AuthenticationManager authenticationManager) {
         UserPasswordAuthenticationProcessingFilter userPasswordAuthenticationProcessingFilter =
@@ -39,6 +42,12 @@ UserPasswordAuthenticationProcessingFilter userPasswordAuthenticationProcessingF
         return userPasswordAuthenticationProcessingFilter;
     }
 
+    JWTAuthenticationFilter jwtAuthenticationFilter(AuthenticationManager authenticationManager,
+                                                    MemberRepository memberRepository) {
+        JWTAuthenticationFilter jwtAuthenticationFilter =
+                new JWTAuthenticationFilter(authenticationManager, memberRepository);
+        return jwtAuthenticationFilter;
+    }
 
     @Bean
     AuthenticationEntryPoint authenticationEntryPoint() {
@@ -56,6 +65,7 @@ AuthenticationEntryPoint authenticationEntryPoint() {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
         http.headers().frameOptions().disable();
         http.csrf().disable();
         http
@@ -75,8 +85,9 @@ protected void configure(HttpSecurity http) throws Exception {
                 .accessDeniedHandler(((httpServletRequest, httpServletResponse, e) ->
                         httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value())))
                 .authenticationEntryPoint(authenticationEntryPoint());
-        http.addFilterBefore(userPasswordAuthenticationProcessingFilter(authenticationManager()),
-                UsernamePasswordAuthenticationFilter.class);
+        http.addFilter(jwtAuthenticationFilter(authenticationManager(), memberRepository))
+                .addFilterBefore(userPasswordAuthenticationProcessingFilter(authenticationManager()),
+                        UsernamePasswordAuthenticationFilter.class);
     }
 
 }

src/main/java/com/featureprobe/api/dto/CertificationUserResponse.java

@@ -0,0 +1,15 @@
+package com.featureprobe.api.dto;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+
+@Data
+@AllArgsConstructor
+public class CertificationUserResponse {
+
+    private String account;
+
+    private String role;
+
+    private String token;
+}

src/main/resources/db/migration/V14__detele_session_table.sql

@@ -0,0 +1,2 @@
+drop table SPRING_SESSION;
+drop table SPRING_SESSION_ATTRIBUTES;