Implemented user authentication #32
Conversation
…enerate jwt tokens. Authenticate users. Added request/response DTOs. Refactored existing code
…dden to 401 Unauthorized handling logic
…TestBase and added Authorization headers with valid token to every request.
…ar. Fixed security issue with secretKey
…Changed how we secure the secretKey. Configured tests so they work again.
… application.properties file for simplicity
[feature-22] Resource availability by resource and total resource quantity. test -> main
…validation/exception handling. Custom exceptions thrown with custom error messages showing correctly.
…on and unit tests.
… created/thrown/handled. Validation to UserRequestDto.
… refactor. Added more exceptions
There was a problem hiding this comment.
The logic for validating the jwt token seems more complex than I thought it would be. We have a lot of exception handling that I am not sure when we are supposed to hit. If we have cases in which these scenarios could happen, then I suggest creating tests for them. If not, we should consider simplifying the code. (I am not saying I know how but would love to dive deeper and try to understand it)
src/main/java/jewellery/inventory/dto/request/UserRequestDto.java
Outdated
Show resolved
Hide resolved
src/main/java/jewellery/inventory/exception/GlobalExceptionHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/jewellery/inventory/exception/GlobalExceptionHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/jewellery/inventory/exception/not_found/UserNotFoundException.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
| void testInvalidUrlReturnsUnauthorized() { | ||
| ResponseEntity<Void> response = | ||
| testRestTemplate.exchange("/invalid-url", HttpMethod.GET, null, Void.class); | ||
| assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode()); |
There was a problem hiding this comment.
I don't think we need this test case. We are supposed to return 401 for every request that is not authorized (except for the post to /auth/token). If a request is authorized but the url is not valid, then we should return 404. Is this not the case currently?
There was a problem hiding this comment.
Removed it. The idea came from a colleague of mine who told me what integration tests they write for their project.. And with spring security I do not know how to make it so it returns 404 Not found instead of unauthorized for not existing endpoints... I think the default behavior is to return always unauthorized. I just tested - tried to hit not existing endpoint and provided valid token in the headers - it returned 401 unauthorized.
There was a problem hiding this comment.
hm, that's interesting. I wonder why...
There was a problem hiding this comment.
Probably because we override the default behavior and tell it to return 401 instead of 403 🗡️
src/test/java/jewellery/inventory/unit/service/security/JwtTokenServiceTest.java
Outdated
Show resolved
Hide resolved
…Needs more tests.
…permissions for USER and ADMIN
…ass. Added 1 test and small adjustments.
src/test/java/jewellery/inventory/unit/service/security/AuthServiceTest.java
Outdated
Show resolved
Hide resolved
|
|
||
| private String generateExpiredToken() { | ||
| Date expiredDate = | ||
| new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 24)); // 1 day in the past |
There was a problem hiding this comment.
Please, remove the comment. You can, instead, extract the complex calculation (1000 * 60 * 60 * 24) in a variable named dayInMillis.
There was a problem hiding this comment.
I see you ended up not extracting dayInMillis = (1000 * 60 * 60 * 24). Any reason why not?
…ion tests failing after changes. Refactored services related to security to be in their package in /service package.
src/test/java/jewellery/inventory/unit/service/security/AuthServiceTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/unit/service/security/AuthServiceTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
…ons and authentication method instructions
|
Kudos, SonarCloud Quality Gate passed! |
No description provided.