Skip to content

Add JWT / OAuth 2.0 authentication to replace API-key auth #1

Description

@piush365

Background

The current authentication uses a static X-API-Key header. This works for service-to-service calls but doesn't scale to multi-tenant or user-facing deployments.

Proposed Change

Replace ApiKeyAuthFilter with Spring Security OAuth 2.0 Resource Server backed by a JWT issuer (e.g. Keycloak or Auth0).

  • Extract userId from the JWT sub claim rather than from a request parameter — eliminates a whole class of impersonation bugs.
  • Keep the existing ApiKeyAuthFilter behind a feature flag so internal callers aren't broken.

Acceptance Criteria

  • spring-boot-starter-oauth2-resource-server added to pom.xml
  • SecurityConfig updated to validate Bearer tokens
  • Integration test verifies a valid JWT is accepted and an expired JWT is rejected
  • README updated with new authentication flow
  • Old API-key path retained under a flashsale.security.mode property (api-key | jwt)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or improvementsecurityAuthentication, authorization, or vulnerability

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions