Enterprise-grade Spring Boot authentication platform with JWT, MFA, session control, and observability-first operations.
- JWT-based authentication with access/refresh token lifecycle and key rotation support
- Email verification, password reset, and secure account recovery workflows
- MFA enrollment/challenge/disable flows with temporary token support
- Session management (list sessions, revoke single session, revoke other sessions)
- Role-aware user and admin APIs (user management, status/role updates, impersonation)
- Security hardening: rate limiting, request signing, bot detection, IP reputation controls
- Auditable auth events with Prometheus metrics and Grafana-ready dashboards
- Java 25
- Spring Boot 4 (Web, Security, Data JPA/JDBC, Validation, Actuator)
- PostgreSQL + Flyway migrations
- Redis (token/session and security support)
- JWT (
jjwt) + Bouncy Castle cryptography - OAuth2 client (Google), Spring Mail
- OpenAPI (
springdoc-openapi) - Maven, JUnit/Spring Test, jqwik
- Observability: Micrometer + Prometheus + Grafana
- Performance tooling: k6
[ Clients ]
|
[ REST API Layer ] -> auth / user / admin / security modules
|
[ Service Layer ] -> token, MFA, mail, session, audit, risk controls
|
[ Data Layer ] -> JPA/JDBC repositories
/ \
[PostgreSQL] [Redis]
|
[ Observability ] -> Actuator + Micrometer -> Prometheus -> Grafana
- JDK 25
- Maven 3.9+ (or use
mvnw) - PostgreSQL and Redis (for local profile)
git clone https://github.com/Omar-Mega-Byte/Advanced-Authentication-System.git
cd "Advanced Authentication System/advanced_authentication_system"./mvnw spring-boot:runOn Windows PowerShell:
.\mvnw.cmd spring-boot:runCore variables used across profiles:
SPRING_PROFILES_ACTIVE(local,test,perf,prod)DATABASE_URL,DATABASE_USERNAME,DATABASE_PASSWORDREDIS_HOST,REDIS_PORT,REDIS_PASSWORDJWT_SIGNING_KID,JWT_CURRENT_PRIVATE_KEY_PATH,JWT_CURRENT_PUBLIC_KEY_PATHPASSWORD_PEPPER,APP_AES_KEY_BASE64MAIL_HOST,MAIL_PORT,MAIL_USERNAME,MAIL_PASSWORD,MAIL_FROM_ADDRESSGOOGLE_CLIENT_ID,GOOGLE_CLIENT_SECRET,GOOGLE_REDIRECT_URICORS_ALLOWED_ORIGINS
Base path: /api/v1
Main auth endpoints:
POST /auth/registerGET /auth/verify-emailPOST /auth/loginPOST /auth/refreshPOST /auth/logoutPOST /auth/forgot-passwordPOST /auth/reset-passwordPOST /auth/mfa/enrollmentPOST /auth/mfa/confirmPOST /auth/mfa/challenge
Main user/session endpoints:
GET /users/mePATCH /users/mePATCH /users/me/passwordGET /users/me/sessionsDELETE /users/me/sessions/{sessionId}
Main admin endpoints:
GET /admin/usersPATCH /admin/users/{id}/statusPATCH /admin/users/{id}/rolesGET /admin/auth/logs
OpenAPI UI (default): /swagger-ui/index.html
advanced_authentication_system/- Spring Boot application source, resources, and Maven builddocs/- architecture, design decisions, lifecycle docs, planning artifactsLearning/- onboarding and engineering learning notesperformance/- SQL analysis and k6 load profilesobservability/- Prometheus alert rules and Grafana dashboard JSONscripts/- utility scripts for performance setup/seedingTest Results/- security/performance/testing phase reports
Run tests from advanced_authentication_system/:
./mvnw test
./mvnw verifyWindows PowerShell:
.\mvnw.cmd test
.\mvnw.cmd verify- Build:
./mvnw -B clean package - Run with
prodprofile and production environment variables - Use managed PostgreSQL/Redis, externalized secrets, and TLS at ingress
- Expose Actuator metrics to Prometheus and import Grafana dashboard from
observability/grafana/
- Add dedicated CI/CD workflow with security gates and environment promotions
- Expand anomaly/risk scoring with adaptive authentication policies
- Add API version governance and contract testing
- Harden zero-downtime key rotation and incident runbooks
License: Apache-2.0