Background
The current authentication uses a static X-API-Key header. This works for service-to-service calls but doesn't scale to multi-tenant or user-facing deployments.
Proposed Change
Replace ApiKeyAuthFilter with Spring Security OAuth 2.0 Resource Server backed by a JWT issuer (e.g. Keycloak or Auth0).
- Extract
userId from the JWT sub claim rather than from a request parameter — eliminates a whole class of impersonation bugs.
- Keep the existing
ApiKeyAuthFilter behind a feature flag so internal callers aren't broken.
Acceptance Criteria
Background
The current authentication uses a static
X-API-Keyheader. This works for service-to-service calls but doesn't scale to multi-tenant or user-facing deployments.Proposed Change
Replace
ApiKeyAuthFilterwith Spring Security OAuth 2.0 Resource Server backed by a JWT issuer (e.g. Keycloak or Auth0).userIdfrom the JWTsubclaim rather than from a request parameter — eliminates a whole class of impersonation bugs.ApiKeyAuthFilterbehind a feature flag so internal callers aren't broken.Acceptance Criteria
spring-boot-starter-oauth2-resource-serveradded topom.xmlSecurityConfigupdated to validate Bearer tokensflashsale.security.modeproperty (api-key|jwt)