-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implemented user authentication #32
Conversation
…enerate jwt tokens. Authenticate users. Added request/response DTOs. Refactored existing code
…dden to 401 Unauthorized handling logic
…TestBase and added Authorization headers with valid token to every request.
…ar. Fixed security issue with secretKey
…Changed how we secure the secretKey. Configured tests so they work again.
… application.properties file for simplicity
[feature-22] Resource availability by resource and total resource quantity. test -> main
…validation/exception handling. Custom exceptions thrown with custom error messages showing correctly.
…on and unit tests.
… created/thrown/handled. Validation to UserRequestDto.
… refactor. Added more exceptions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The logic for validating the jwt token seems more complex than I thought it would be. We have a lot of exception handling that I am not sure when we are supposed to hit. If we have cases in which these scenarios could happen, then I suggest creating tests for them. If not, we should consider simplifying the code. (I am not saying I know how but would love to dive deeper and try to understand it)
src/main/java/jewellery/inventory/dto/request/UserRequestDto.java
Outdated
Show resolved
Hide resolved
src/main/java/jewellery/inventory/exception/GlobalExceptionHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/jewellery/inventory/exception/GlobalExceptionHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/jewellery/inventory/exception/not_found/UserNotFoundException.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
void testInvalidUrlReturnsUnauthorized() { | ||
ResponseEntity<Void> response = | ||
testRestTemplate.exchange("/invalid-url", HttpMethod.GET, null, Void.class); | ||
assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need this test case. We are supposed to return 401 for every request that is not authorized (except for the post to /auth/token). If a request is authorized but the url is not valid, then we should return 404. Is this not the case currently?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed it. The idea came from a colleague of mine who told me what integration tests they write for their project.. And with spring security I do not know how to make it so it returns 404 Not found instead of unauthorized for not existing endpoints... I think the default behavior is to return always unauthorized. I just tested - tried to hit not existing endpoint and provided valid token in the headers - it returned 401 unauthorized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm, that's interesting. I wonder why...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably because we override the default behavior and tell it to return 401 instead of 403 🗡️
src/test/java/jewellery/inventory/unit/service/security/JwtTokenServiceTest.java
Outdated
Show resolved
Hide resolved
…Needs more tests.
…permissions for USER and ADMIN
…ass. Added 1 test and small adjustments.
src/test/java/jewellery/inventory/unit/service/security/AuthServiceTest.java
Outdated
Show resolved
Hide resolved
|
||
private String generateExpiredToken() { | ||
Date expiredDate = | ||
new Date(System.currentTimeMillis() - (1000 * 60 * 60 * 24)); // 1 day in the past |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, remove the comment. You can, instead, extract the complex calculation (1000 * 60 * 60 * 24) in a variable named dayInMillis.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see you ended up not extracting dayInMillis = (1000 * 60 * 60 * 24)
. Any reason why not?
…ion tests failing after changes. Refactored services related to security to be in their package in /service package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apart from the comments, here, please change passwords to be char arrays instead of Strings. Let me know if it turns out to be too much of a hassle.
src/test/java/jewellery/inventory/unit/service/security/AuthServiceTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/unit/service/security/AuthServiceTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
src/test/java/jewellery/inventory/integration/AuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
…ons and authentication method instructions
Kudos, SonarCloud Quality Gate passed! |
No description provided.