feat(security): require JWT authentication on the Viron API (#149)#150
Merged
Viron previously exposed every endpoint unauthenticated over plain HTTP,
contradicting the architecture (RFC 0001), which specifies JWT auth for all
services. Add JWT bearer-token authentication that validates tokens issued by
the UserAuth service.
- SecurityConfig: stateless filter chain requiring a valid bearer token on all
endpoints except actuator health and the OpenAPI/Swagger docs. The JwtDecoder
mirrors UserAuth's JwtConfig (HMAC HS256/384/512 with a shared secret, issuer
validation), so UserAuth-minted tokens validate here with no network call.
- New config: app.jwt.secret (${JWT_SECRET}, required, >= 32 bytes for HS256),
app.jwt.issuer (default userauth), app.jwt.algorithm (default HS256).
- Tests: new SecurityConfigTest (unauthenticated -> 401, health public); the
five controller tests run as @WithMockUser. Full suite: 228 passing under
JDK 21 (./mvnw test).
BREAKING: callers must now send `Authorization: Bearer <token>`; the app
requires JWT_SECRET (matching UserAuth's) to start. HTTPS is expected at the
gateway, as for the other services.
Closes #149
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Closes #149. Viron exposed every endpoint unauthenticated over plain HTTP — an open read/write API to world state — contradicting the architecture (RFC 0001), which specifies JWT auth for all services. This adds JWT bearer-token authentication that validates tokens issued by UserAuth.
- `SecurityConfig` — a stateless Spring Security filter chain. All endpoints require a valid `Authorization: Bearer <token>` except `/actuator/health` and the OpenAPI/Swagger docs. The `JwtDecoder` mirrors UserAuth's own `JwtConfig` (HMAC HS256/384/512 with a shared secret + issuer validation), so a token minted by UserAuth validates here with no network call (fast, fits Viron's hot path).
- `app.jwt.secret` (`${JWT_SECRET}`), `app.jwt.issuer` (default `userauth`), `app.jwt.algorithm` (default `HS256`).
- `SecurityConfigTest` (unauthenticated → 401; health public); the five controller tests run as `@WithMockUser`.
Validation
- `./mvnw test` under JDK 21 (the CI command). Includes the new auth tests and all existing tests.
- 401.
- `JWT_SECRET` (no default — the app fails fast without it) and it must match UserAuth's `JWT_SECRET` (≥ 32 bytes for HS256).
- `JWT_ISSUER` / `JWT_ALGORITHM` default to `userauth` / `HS256`.
Left for your review rather than auto-merged, given the breaking behavior and the new operational requirement.
Possible follow-ups (not in this PR)
- `GET /session/validate`) if you want logged-out tokens rejected before expiry — local HS256 validation was chosen for performance.
- `JWT_SECRET` in the README / a `.env.example` (Viron currently has neither).
Closes #149
Opened by Claude on behalf of Daniel Stephenson; verified with `./mvnw test` (228 passing) under JDK 21.
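As an added illustration, not code from the Viron repository or from this PR, here is what a stateless Spring Security configuration matching the description above could look like, with the fail-fast secret-length check, algorithm pinning and issuer validation the PR calls out. The springdoc paths (`/v3/api-docs/**`, `/swagger-ui/**`) and the use of Spring's `oauth2ResourceServer` support are assumptions; the property names and defaults are the ones stated in the PR.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Stateless chain: no session, no CSRF token; every request carries its own bearer token.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Public: health probe and API docs (springdoc default paths, assumed here).
                .requestMatchers("/actuator/health", "/v3/api-docs/**", "/swagger-ui/**").permitAll()
                .anyRequest().authenticated())
            // A missing or invalid token yields 401 from the resource-server entry point.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Local HMAC validation with the secret shared with UserAuth: no network round-trip.
    @Bean
    JwtDecoder jwtDecoder(@Value("${app.jwt.secret}") String secret,
                          @Value("${app.jwt.issuer:userauth}") String issuer,
                          @Value("${app.jwt.algorithm:HS256}") String algorithm) {
        byte[] key = secret.getBytes(StandardCharsets.UTF_8);
        if (key.length < 32) throw new IllegalStateException("app.jwt.secret must be >= 32 bytes for HS256");
        MacAlgorithm mac = MacAlgorithm.from(algorithm);   // null unless HS256/HS384/HS512
        if (mac == null) throw new IllegalStateException("app.jwt.algorithm must be HS256, HS384 or HS512");
        SecretKey hmacKey = new SecretKeySpec(key, "HmacSHA" + mac.getName().substring(2)); // HS256 -> HmacSHA256
        // Pinning the MAC algorithm rejects tokens whose header names any other alg (e.g. none, RS256).
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(hmacKey).macAlgorithm(mac).build();
        // Default timestamp checks (exp/nbf) plus an exact issuer match against app.jwt.issuer.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
        return decoder;
    }
}
```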