Jwt (#9)

* Add files via upload

* Adding jwt support

* enable csrf

Author: ravening

README.md

@@ -15,16 +15,16 @@
 <img height="300px" src="https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/docs/spring.png">
 
 ## Desciption
-#### This project mainly focussed on the Kickstart to the CI/CD using TravisCI. Includes CodeCoverage, Sonarqube integration which can be plugged into any application.
+#### This project mainly focused on the Kickstart to the CI/CD using TravisCI. Includes CodeCoverage, Sonarqube integration which can be plugged into any application.
 
 
 ## Task List Progress
 - [X] Rest controllers and models using SpringBoot
 - [X] MongoDB configuration
 - [X] TravisCI build
-- [X] SonarQube integration 
+- [X] SonarQube integration
 - [X] Jacoco Test report
-- [ ] JWT authentication
+- [X] JWT authentication
 - [ ] 80% and above Code Coverage (using codecov or coveralls)
 - [ ] Cloud deployment
 
@@ -33,15 +33,15 @@
 
 ### Pre-requisite and Installing Steps
 
-* Get a running instance of MongoDB that you can connect to. 
+* Get a running instance of MongoDB that you can connect to.
 For more information on getting started with MongoDB, visit their [online tutorial](https://docs.mongodb.com/manual/).
 * Start by creating a test database. I will call mine "rest_tutorial" using the following command in the MongoDB shell, or through a database manager like MongoDB Compass:
 ```use rest_tutorial;```
 
 * Create a sample collection that will hold data about different types of pets. Let's create the collection with the following command:
 ```db.createCollection("pets");```
 
-* Once the collection is created, we need to add some data! 
+* Once the collection is created, we need to add some data!
 We can add data to the collection with the below query, you can add any number of data like this :
 ```db.pets.insertMany([```
   ```{```
@@ -62,11 +62,29 @@ We can add data to the collection with the below query, you can add any number o
 ```]);```
 
 * Add the mongodb authentication-database, username & password in [application.properties](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/src/main/resources/application.properties)
-If there is no authrntication when you are running locally then you can also remove these properties from this file.
+If there is no authentication when you are running locally then you can also remove these properties from this file.
 
+* Create the user roles in the database. The user roles can be one of "USER, MODERATOR or ADMIN"
+```
+db.roles.insertMany([
+   { name: "ROLE_USER" },
+   { name: "ROLE_MODERATOR" },
+   { name: "ROLE_ADMIN" },
+])
+```
 
 ### Running the tests
-Once the server starts, you are free to test your API however you choose.
+Once the server starts, your first need to register a user and login as that user to get a token.\
+
+##### [user registration](https://github.com/ravening/SpringBootRestAPI/blob/master/docs/UserRegistration.png)
+
+##### [User login](https://github.com/ravening/SpringBootRestAPI/blob/master/docs/UserLogin.png)
+
+Once you get the token, you need to pass that token for every request you make to the backend
+In the postman, select the "header" section and enter `Authorization` for the key and\
+"Bearer <the token you copied above>" for the value
+
+you are free to test your API however you choose.
 Use postman for the below tests :
 ##### [getAllPets](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/docs/getAllPets.png)
 
@@ -78,6 +96,10 @@ Use postman for the below tests :
 
 ##### [modifyPetById](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/docs/modifyPetById.png)
 
+Once done with all the testing, you can logout using the endpoint `/api/auth/logout`
+
+##### [logout](https://github.com/ravening/SpringBootRestAPI/blob/master/docs/UserLogout.png)
+
 ### Code Coverage
 For code coverage reports integration, I have shown example using Codecov and Coveralls as both are pretty popular and easy to integrate with the travis.
 
@@ -91,10 +113,10 @@ Awesome but please first go through the [ISSUE TEMPLATE.md](https://github.com/G
 
 ### Pull Request Template
 ``Are you up for your first PR for this project !!!``
-Awesome but please first go through the [PULL REQUEST TEMPLATE.md](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/PULL_REQUEST_TEMPLATE.md) and use this template to submit your PR.
+Awesome but please first go through the [PULL REQUEST TEMPLATE.md](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/PULL_REQUEST_TEMPLATE) and use this template to submit your PR.
 
 ### Contributing
 Please read [CONTRIBUTING.md](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/CONTRIBUTING.md) and [CODE OF CONDUCT.md](https://github.com/GouravRusiya30/SpringBootRestAPI/blob/master/CODE_OF_CONDUCT.md) for details on our code of conduct, and the process for submitting pull requests to us.
 
 ### Authors
-* **Gourav Rusiya** 
+* **Gourav Rusiya**

build.gradle

@@ -32,6 +32,8 @@ repositories {
 dependencies {
     compile group: 'org.springframework.boot', name: 'spring-boot-starter-data-mongodb', version:'2.1.1.RELEASE'
     compile group: 'org.springframework.boot', name: 'spring-boot-starter-web', version:'2.1.1.RELEASE'
+    compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.1.1.RELEASE'
+    compile group: 'io.jsonwebtoken', name: 'jjwt', version: '0.9.1'
     testCompile group: 'org.springframework.boot', name: 'spring-boot-starter-test', version:'2.1.1.RELEASE'
 }
 

docs/GetRequest.png

@@ -0,0 +1,61 @@
+package com.gourav.restapi.config;
+
+import com.gourav.restapi.config.jwt.AuthEntryPointJwt;
+import com.gourav.restapi.config.jwt.AuthTokenFilter;
+import com.gourav.restapi.config.services.UserDetailsServiceImpl;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+    @Autowired
+    UserDetailsServiceImpl userDetailsService;
+
+    @Autowired
+    AuthEntryPointJwt unauthorizedHandler;
+
+    @Bean
+    public AuthTokenFilter authenticationJwtTokenFilter() {
+        return new AuthTokenFilter();
+    }
+
+    @Override
+    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
+        authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
+    }
+
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.cors().and().csrf().and()
+                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+                .authorizeRequests().antMatchers("/api/auth/**").permitAll()
+                .anyRequest().authenticated();
+
+        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
+    }
+}

docs/UserLogin.png

@@ -0,0 +1,24 @@
+package com.gourav.restapi.config.jwt;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class AuthEntryPointJwt implements AuthenticationEntryPoint {
+    private static final Logger logger = LoggerFactory.getLogger(AuthEntryPointJwt.class);
+
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response,
+                         AuthenticationException authException) throws IOException, ServletException {
+        logger.error("Unauthorized error: {}", authException.getMessage());
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Error: Unauthorized");
+    }
+}

docs/UserLogout.png

@@ -0,0 +1,62 @@
+package com.gourav.restapi.config.jwt;
+
+import com.gourav.restapi.config.services.UserDetailsServiceImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class AuthTokenFilter extends OncePerRequestFilter {
+    @Autowired
+    private JwtUtils jwtUtils;
+
+    @Autowired
+    private UserDetailsServiceImpl userDetailsService;
+
+    private static final Logger logger = LoggerFactory.getLogger(AuthTokenFilter.class);
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+        try {
+            String jwt = parseJwt(request);
+            if (jwt != null && jwtUtils.validateJwtToken(jwt)) {
+                String username = jwtUtils.getUserNameFromJwtToken(jwt);
+
+                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
+                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null,
+                        userDetails.getAuthorities());
+                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+
+                SecurityContextHolder.getContext().setAuthentication(authentication);
+            }
+        } catch (Exception e) {
+            logger.error("Cannot set user authentication: {}", e.getMessage());
+        }
+
+        filterChain.doFilter(request, response);
+    }
+
+    private String parseJwt(HttpServletRequest request) {
+        String headerAuth = request.getHeader("Authorization");
+
+        if (StringUtils.hasText(headerAuth) && headerAuth.startsWith("Bearer ")) {
+            return headerAuth.substring(7, headerAuth.length());
+        }
+
+        return null;
+    }
+}

docs/UserRegistration.png

@@ -0,0 +1,75 @@
+package com.gourav.restapi.config.jwt;
+
+import com.gourav.restapi.config.services.UserDetailsImpl;
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.SignatureException;
+import io.jsonwebtoken.UnsupportedJwtException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.util.Date;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+@Component
+public class JwtUtils {
+    private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);
+
+    @Value("${springboot.app.jwtSecret}")
+    private String jwtSecret;
+
+    @Value("${springboot.app.jwtExpirationMs}")
+    private int jwtExpirationMs;
+
+    private Map<String, Boolean> jwtMap = new ConcurrentHashMap<>();
+
+    public String generateJwtToken(Authentication authentication) {
+        UserDetailsImpl userPrincipal = (UserDetailsImpl) authentication.getPrincipal();
+
+        String token = Jwts.builder()
+                .setSubject((userPrincipal.getUsername()))
+                .setIssuedAt(new Date())
+                .setExpiration(new Date((new Date()).getTime() + jwtExpirationMs))
+                .signWith(SignatureAlgorithm.HS512, jwtSecret)
+                .compact();
+
+        // store this token
+        jwtMap.put(token, false);
+        return token;
+    }
+
+    public String getUserNameFromJwtToken(String token) {
+        return Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token).getBody().getSubject();
+    }
+
+    public boolean validateJwtToken(String authToken) {
+        if (jwtMap.containsKey(authToken)) {
+            try {
+                Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);
+                return true;
+            } catch (SignatureException e) {
+                logger.error("Invalid JWT signature: {}", e.getMessage());
+            } catch (MalformedJwtException e) {
+                logger.error("Invalid JWT token: {}", e.getMessage());
+            } catch (ExpiredJwtException e) {
+                jwtMap.remove(authToken);
+                logger.error("JWT token is expired: {}", e.getMessage());
+            } catch (UnsupportedJwtException e) {
+                logger.error("JWT token is unsupported: {}", e.getMessage());
+            } catch (IllegalArgumentException e) {
+                logger.error("JWT claims string is empty: {}", e.getMessage());
+            }
+        }
+        return false;
+    }
+
+    public void invalidateToken(String token) {
+        jwtMap.remove(token);
+    }
+}