Merge pull request #34 from TP-RENTPLACE/feature/(TP-77)-add-auth-module

Feature/(tp 77) add auth module

Author: Kattsyn

.github/workflows/backend-ci-cd.yml

@@ -101,8 +101,6 @@ jobs:
           script: |
             cd Deploy
             docker compose down
-            echo '\nMAIL_USERNAME=${{ secrets.MAIL_USERNAME }}' >> .env
-            echo 'MAIL_PASSWORD=${{ secrets.MAIL_PASSWORD }}' >> .env
             docker rm $(docker ps -a -q)
             docker pull ${{ secrets.DOCKERHUB_BACKEND_IMAGE_NAME }}
             docker compose up -d --build

rentplace/src/main/java/kattsyn/dev/rentplace/configs/CorsConfig.java

@@ -10,9 +10,10 @@ public class CorsConfig implements WebMvcConfigurer {
     @Override
     public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/**")
-                .allowedOrigins("*", "localhost")
-                .allowedMethods("GET", "POST", "PUT", "DELETE", "PATCH")
+                .allowedOriginPatterns("*")
+                .allowedMethods("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS")
                 .allowedHeaders("*")
+                .exposedHeaders("Set-Cookie")
                 .allowCredentials(true)
                 .maxAge(3600);
     }

rentplace/src/main/java/kattsyn/dev/rentplace/configs/SecurityConfig.java

@@ -9,6 +9,7 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -65,6 +66,7 @@ public void init() {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
+                .cors(Customizer.withDefaults())
                 .csrf(CsrfConfigurer::disable)
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(

rentplace/src/main/java/kattsyn/dev/rentplace/controllers/AuthController.java

@@ -3,6 +3,8 @@
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.security.auth.message.AuthException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import kattsyn.dev.rentplace.dtos.CodeRequest;
 import kattsyn.dev.rentplace.dtos.JwtRequest;
 import kattsyn.dev.rentplace.dtos.JwtResponse;
@@ -11,10 +13,7 @@
 import kattsyn.dev.rentplace.services.VerificationCodeService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
 
 @RestController
 @RequestMapping("${api.path}/auth")
@@ -40,9 +39,21 @@ public ResponseEntity<JwtResponse> login(@RequestBody CodeRequest codeRequest) {
             description = "Получает email и код с почты. Возвращает JWT токены"
     )
     @PostMapping("/login")
-    public ResponseEntity<JwtResponse> login(@RequestBody JwtRequest authRequest) throws AuthException {
-        final JwtResponse token = authService.login(authRequest);
-        return ResponseEntity.ok(token);
+    public ResponseEntity<JwtResponse> login(@RequestBody JwtRequest authRequest,
+                                             HttpServletResponse response) throws AuthException {
+        JwtResponse tokens = authService.login(authRequest);
+
+        // Настройка cookie для refresh token
+        Cookie refreshTokenCookie = new Cookie("refreshToken", tokens.getRefreshToken());
+        refreshTokenCookie.setHttpOnly(true);
+        refreshTokenCookie.setSecure(true); // Для HTTPS
+        refreshTokenCookie.setPath("/");
+        refreshTokenCookie.setMaxAge(30 * 24 * 60 * 60); // 30 дней
+
+        response.addCookie(refreshTokenCookie);
+
+        return ResponseEntity.ok()
+                .body(new JwtResponse(tokens.getAccessToken(), null));
     }
 
     @Operation(
@@ -60,9 +71,18 @@ public ResponseEntity<JwtResponse> getNewAccessToken(@RequestBody RefreshJwtRequ
             description = "Принимает еще не истекший RefreshToken и возвращает новый, продленный."
     )
     @PostMapping("/refresh")
-    public ResponseEntity<JwtResponse> getNewRefreshToken(@RequestBody RefreshJwtRequest request) throws AuthException {
-        final JwtResponse token = authService.refresh(request.getRefreshToken());
-        return ResponseEntity.ok(token);
+    public ResponseEntity<JwtResponse> refresh(@CookieValue(name = "refreshToken") String refreshToken, HttpServletResponse response) throws AuthException {
+        JwtResponse jwtResponse = authService.refresh(refreshToken);
+
+        Cookie refreshCookie = new Cookie("refreshToken", jwtResponse.getRefreshToken());
+        refreshCookie.setHttpOnly(true);
+        refreshCookie.setSecure(true);
+        refreshCookie.setPath("/");
+        refreshCookie.setMaxAge(30 * 24 * 60 * 60);
+        response.addCookie(refreshCookie);
+
+        return ResponseEntity.ok()
+                .body(new JwtResponse(jwtResponse.getAccessToken(), null));
     }
 
 }

rentplace/src/main/java/kattsyn/dev/rentplace/dtos/JwtResponse.java

@@ -1,5 +1,6 @@
 package kattsyn.dev.rentplace.dtos;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -13,6 +14,8 @@ public class JwtResponse {
 
     private final String type = "Bearer ";
     private String accessToken;
+
+    @JsonIgnore
     private String refreshToken;
 
 }