3. Security

A secutiry of the system is a very important aspect of the system. All security systems are based on authentication and authorization.

Authentication is the process of verifying the identity of a user.
Authorization is the process of verifying what the user has access to.

flowchart LR
    subgraph api [Trusted Layer]
        direction TB
        gateway --> account
        gateway --> others
        gateway e4@==> auth:::red
        auth e2@==> account
        account --> db@{ shape: cyl, label: "Database" }
        others --> db
    end
    internet e1@==>|request| gateway:::orange
    e1@{ animate: true }
    e2@{ animate: true }
    e4@{ animate: true }
    classDef red fill:#fcc
    classDef orange fill:#FCBE3E

classDiagram
    namespace auth {
        class AuthController {
            +register(RegisterIn RegisterIn): TokenOut
            +login(LoginIn loginIn): TokenOut
        }
        class RegisterIn {
            -String name
            -String email
            -String password
        }
        class LoginIn {
            -String name
            -String email
        }
        class TokenOut {
            -String token
        }
        class SolveOut {
            -String idAccount
        }
    }
    namespace auth-service {
        class AuthResource {
            +register(RegisterIn RegisterIn) TokenOut
            +login(LoginIn loginIn) TokenOut
        }
        class AuthService {
            +register(Register) Regiter
            +login(LoginIn loginIn) String
        }
        class Register {
            -String id
            -String name
            -String email
            -String password
        }
    }
    <<Interface>> AuthController
    AuthController ..> RegisterIn
    AuthController ..> LoginIn
    AuthController ..> TokenOut

    AuthController <|-- AuthResource
    AuthResource *-- AuthService
    AuthService ..> Register

Auth

📁 api
└── 📁 auth
    ├── 📁 src
    │   └── 📁 main
    │       └── 📁 java
    │           └── 📁 store
    │               └── 📁 auth
    │                   ├── 📄 AuthController.java
    │                   ├── 📄 LoginIn.java
    │                   ├── 📄 RegisterIn.java
    │                   ├── 📄 SolveOut.java
    │                   └── 📄 TokenOut.java
    └── 📄 pom.xml

Source

pom.xmlAuthController.javaLoginIn.javaRegisterIn.javaSolveOut.javaTokenOut.java

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.4.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>store</groupId>
    <artifactId>auth</artifactId>
    <version>1.0.0</version>
    <name>auth</name>
    <properties>
        <java.version>21</java.version>
        <spring-cloud.version>2024.0.0</spring-cloud.version>
        <maven.compiler.proc>full</maven.compiler.proc>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

</project>

package store.auth;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

public interface AuthController {

    @PostMapping("/auth/register")
    public ResponseEntity<TokenOut> register(
        @RequestBody RegisterIn registerIn
    );

    @PostMapping("/auth/login")
    public ResponseEntity<TokenOut> login(
        @RequestBody LoginIn loginIn
    );

    @PostMapping("auth/solve")
    public ResponseEntity<SolveOut> solve(
        @RequestBody TokenOut token
    );

}

package store.auth;

import lombok.Builder;
import lombok.experimental.Accessors;

@Builder @Accessors(fluent = true)
public record LoginIn(
    String email,
    String password
) {
}

package store.auth;

import lombok.Builder;
import lombok.experimental.Accessors;

@Builder @Accessors(fluent = true)
public record RegisterIn(
    String name,
    String email,
    String password
) {

}

package store.auth;

import lombok.Builder;
import lombok.experimental.Accessors;

@Builder @Accessors(fluent = true)
public record SolveOut(
    String idAccount
) {

}

package store.auth;

import lombok.Builder;
import lombok.experimental.Accessors;

@Builder @Accessors(fluent = true)
public record TokenOut(
    String token
) {

}

Auth-Service

📁 api
└── 📁 auth-service
    ├── 📁 src
    │   ├── 📁 main
    │   │   └── 📁 java
    │   │       └── 📁 store
    │   │           └── 📁 auth
    │   │               ├── 📄 AuthApplication.java
    │   │               ├── 📄 AuthParser.java
    │   │               ├── 📄 AuthResource.java
    │   │               ├── 📄 AuthService.java
    │   │               ├── 📄 JwtService.java
    │   │               └── 📄 Register.java
    │   └── 📁 resources
    │       └── 📄 application.yaml
    ├── 📄 pom.xml
    └── 📄 Dockerfile

Source

pom.xmlapplication.yamlAuthApplication.javaAuthParser.javaAuthResource.javaAuthService.javaJwtService.javaRegister.javaDockerfile

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.4.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>store</groupId>
    <artifactId>auth-service</artifactId>
    <version>1.0.0</version>
    <properties>
        <java.version>21</java.version>
        <maven.compiler.proc>full</maven.compiler.proc>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>store</groupId>
            <artifactId>auth</artifactId>
            <version>${project.version}</version>
        </dependency>

        <dependency>
            <groupId>store</groupId>
            <artifactId>account</artifactId>
            <version>${project.version}</version>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>

        <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-api -->
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-api</artifactId>
            <version>0.12.6</version>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-impl</artifactId>
            <version>0.12.6</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
            <version>0.12.6</version>
            <scope>runtime</scope>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

server:
  port: 8080

spring:
  application:
    name: auth


store:
  jwt:
    issuer: Insper
    secretKey: ${JWT_SECRET_KEY:yrBBgYlvJQeslzFlgX9MFZccToI2fjRFqualquercoisa}

package store.auth;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.openfeign.EnableFeignClients;

@EnableFeignClients(basePackages = {
    "store.account"
})
@SpringBootApplication
public class AuthApplication {

    public static void main(String[] args) {
        SpringApplication.run(AuthApplication.class, args);
    }

}

package store.auth;

public class AuthParser {

    public static Register to(RegisterIn in) {
        return in == null ? null :
            Register.builder()
                .name(in.name())
                .email(in.email())
                .password(in.password())
                .build();
    }

    public static TokenOut to(String token) {
        return token == null ? null :
            TokenOut.builder()
                .token(token)
                .build();
    }

}

package store.auth;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AuthResource implements AuthController {

    @Autowired
    private AuthService authService;

    @Override
    public ResponseEntity<TokenOut> register(RegisterIn registerIn) {
        String token = authService.register(AuthParser.to(registerIn));
        return ResponseEntity.ok().body(AuthParser.to(token));
    }

    @Override
    public ResponseEntity<TokenOut> login(LoginIn loginIn) {
        String token = authService.login(loginIn.email(), loginIn.password());
        return ResponseEntity.ok().body(AuthParser.to(token));
    }

    @Override
    public ResponseEntity<SolveOut> solve(TokenOut token) {
        return ResponseEntity.ok().body(
            authService.solve(token.token())
        );
    }

}

package store.auth;

import java.util.Date;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;

import store.account.AccountController;
import store.account.AccountIn;
import store.account.AccountOut;

@Service
public class AuthService {

    @Autowired
    private AccountController accountController;

    @Autowired
    private JwtService jwtService;

    public String register(Register register) {
        AccountIn accountIn = AccountIn.builder()
            .email(register.email())
            .name(register.name())
            .password(register.password())
            .build();

        // registrar no account
        // aqui estou substituindo o RestTemplate
        ResponseEntity<AccountOut> response = accountController.create(accountIn);
        AccountOut accountOut = response.getBody();

        // gerar o token
        // regra de geracao de token
        return generateToken(accountOut.id());
    }

    public String login(String email, String password) {

        ResponseEntity<AccountOut> response = accountController.findByEmailAndPassword(
            AccountIn.builder()
                .email(email)
                .password(password)
                .build()
        );
        AccountOut accountOut = response.getBody();

        return generateToken(accountOut.id());
    }

    private String generateToken(String id) {
        Date notBefore = new Date();
        Date expiration = new Date(notBefore.getTime() + 1000l * 60 * 60 * 24);
        String token = jwtService.create(id, notBefore, expiration);
        return token;
    }

    public SolveOut solve(String token) {
        return SolveOut.builder()
            .idAccount(jwtService.getId(token))
            .build();
    }

}

package store.auth;

import java.util.Date;

import javax.crypto.SecretKey;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;

@Service
public class JwtService {

    @Value("${store.jwt.issuer}")
    private String issuer;

    @Value("${store.jwt.secret-key}")
    private String secretKey;

    public String create(String id, Date notBefore, Date expiration) {
        SecretKey key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(secretKey));
        String jwt = Jwts.builder()
            .header()
            .and()
            .id(id)
            .issuer(issuer)
            .signWith(key)
            .notBefore(notBefore)
            .expiration(expiration)
            .compact();
        return jwt;
    }

    public String getId(String token) {
        Claims claims = resolveClaims(token);

        Date now = new Date();
        if (claims.getExpiration().before(now)) {
            throw new RuntimeException("Expired token");
        }
        if (claims.getNotBefore().after(now)) {
            throw new RuntimeException("Token is actived yet");
        }
        // check if token is revoked by a CRL
        return claims.getId();
    }

    private Claims resolveClaims(String token) {
        SecretKey key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(secretKey));
        JwtParser parser = Jwts.parser().verifyWith(key).build();
        return parser.parseSignedClaims(token).getPayload();
    }

}

package store.auth;

import lombok.Builder;
import lombok.Data;
import lombok.experimental.Accessors;

@Builder
@Data @Accessors(fluent = true)
public class Register {

    private String id;
    private String name;
    private String email;
    private String password;

}

FROM openjdk:21-slim
VOLUME /tmp
COPY target/*.jar app.jar
ENTRYPOINT ["java","-jar","/app.jar"]

RegisterLogin

POST /auth/register

Body

{
    "name": "Antonio do Estudo",
    "email": "acme@insper.edu.br",
    "password": "123@321"
}

Sequence Diagram

sequenceDiagram
autonumber
actor User
User->>+Auth: register (RegisterIn)
Auth->>+Account: create (AccountIn)
Account->>-Auth: returns the new account (AccountOut)
Auth->>-User: returns 201 (TokenOut)

POST /auth/login

Body

{
    "email": "acme@insper.edu.br",
    "password": "123@321"
}

Sequence Diagram

sequenceDiagram
autonumber
actor User
User->>+Auth: authenticate (LoginIn)
Auth->>+Account: findByEmailAndPassword
critical validated
    Account->>-Auth: returns the account
option denied
    Auth-->>User: unauthorized message
end  
Auth->>Auth: generates a token
Auth->>-User: returns TokenOut
User->>User: stores the token to use for the next requests

Security

Security is an important aspect of software development. It involves protecting the confidentiality, integrity, and availability of data and resources. Two key concepts in security are authentication and authorization.

Authentication

Authentication is the process of verifying the identity of a user or system. It ensures that the user or system is who they claim to be. Common authentication methods include passwords, biometrics, and two-factor authentication. The system checks these credentials against the stored data. If the credentials are valid, the system confirms the user's identity.

In many systems, after successful authentication, the system generates a token. This token is a piece of data that represents the user's authentication session. It's like a digital ticket that proves the user's identity for a certain period of time.

This token is then sent back to the user. The user's client software (like a web browser) stores this token and sends it along with every subsequent request to the server (in case of stateless server). This way, the server knows that the request comes from an authenticated user without needing to ask for the credentials again.

Here's a simplified step-by-step process:

sequenceDiagram
  autonumber
  actor User
  User->>+Auth Service: authentication(credentials)
  Auth Service->>Auth Service: verifies credenditals and generates a token
  Auth Service->>-User: returns the token
  User->>User: stores the token to use for the next requests

The user sends their username and password (or other credentials) to the server;
The server verifies the credentials. If they're valid, the server generates a token.
The server sends this token back to the user.
The user's client software stores this token.
For every subsequent request, the client sends this token along with the request.
The server checks the token to ensure it's valid and hasn't expired.
This token-based authentication process is commonly used in many modern web applications and APIs. It helps maintain the user's session and allows the server to authenticate requests without storing the user's state.

Authorization

Authorization is the process of granting or denying access to specific resources or actions based on the authenticated user's privileges. It determines what a user is allowed to do within a system. Authorization can be role-based, where permissions are assigned based on predefined roles, or attribute-based, where permissions are based on specific attributes of the user.

In many systems, the token not only represents the user's identity, but also includes information about their permissions or roles. This is often done using a type of token called a JSON Web Token (JWT), which can include a payload of data.

Here's a simplified step-by-step process:

sequenceDiagram
  autonumber
  actor User
  User->>Auth Service: request with token
  Auth Service->>Auth Service: decodes the token and extracts claims
  Auth Service->>Auth Service: verifies permissions
  critical allowed
    Auth Service->>Secured Resource: authorizes the request
    Secured Resource->>User: returns the response
  option denied
    Auth Service-->>User: unauthorized message
  end

After authentication, the user's client software sends a request to a server. This request includes the token.
The server decodes the token and extracts the user's identity and permissions.
The server checks whether the user has the necessary permissions for the requested action. This could involve checking the user's roles or other attributes against the requirements for the action.
If the user has the necessary permissions, the server allows the action. If not, the server denies the action.

This process allows the server to authorize actions without needing to repeatedly look up the user's permissions. It also allows for stateless servers, as the necessary information is included in every request.

By implementing strong authentication and authorization mechanisms, software systems can ensure that only authorized users have access to sensitive data and functionalities, reducing the risk of unauthorized access and potential security breaches.

As the platform has only one entrace point, it is

JWT is a decentralized

The point of entrance of API is the gateway, then as suggested by ⁸.

The gateway is responsible for the security of the system. It is the first point of contact for all incoming requests. The gateway is responsible for routing requests to the appropriate services and ensuring that only authorized users can access the system.

sequenceDiagram
  autonumber
  actor User
  User->>Gateway: route(ServerHttpRequest)
  Gateway->>+AuthorizationFilter: filter(ServerWebExchange, GatewayFilterChain)
  AuthorizationFilter->>RouteValidator: isSecured.test(ServerHttpRequest)
  RouteValidator-->>AuthorizationFilter: True | False
  critical notSecured
    AuthorizationFilter->>Gateway: follow the flux
  end
  AuthorizationFilter->>AuthorizationFilter: isAuthMissing(ServerHttpRequest)
  critical isAuthMissing
    AuthorizationFilter->>User: unauthorized message
  end
  AuthorizationFilter->>AuthorizationFilter: validateAuthorizationHeader()
  critical isInvalidAuthorizationHeader
    AuthorizationFilter->>User: unauthorized message
  end
  AuthorizationFilter->>Auth: solve(Token)
  critical isInvalidToken
    Auth->>User: unauthorized message
  end
  Auth->>AuthorizationFilter: returns SolveOut
  AuthorizationFilter->>AuthorizationFilter: updateRequestHeader(ServerHttpRequest)
  AuthorizationFilter->>Gateway: follow the flux

Gateway-Service

📁 api
└── 📁 gateway-service
    ├── 📁 src
    │   └── 📁 main
    │       ├── 📁 java
    │       │   └── 📁 store
    │       │       └── 📁 gateway
    │       │           ├── 📄 GatewayApplication.java
    │       │           ├── 📄 GatewayResource.java
    │       │           └── 📁 security
    │       │               ├── 📄 AuthorizationFilter.java
    │       │               ├── 📄 CorsFilter.java
    │       │               ├── 📄 RouterValidator.java
    │       │               ├── 📄 SolveOut.java
    │       │               └── 📄 TokenOut.java
    │       └── 📁 resources
    │           └── 📄 application.yaml
    ├── 📄 pom.xml
    └── 📄 Dockerfile

Source

pom.xmlapplication.yamlGatewayApplication.javaGatewayResource.javaAuthorizationFilter.javaCorsFilter.javaRouterValidator.javaSolveOut.javaTokenOut.javaDockerfile

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.4.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>store</groupId>
    <artifactId>gateway-service</artifactId>
    <version>1.0.0</version>
    <properties>
        <java.version>21</java.version>
        <spring-cloud.version>2024.0.0</spring-cloud.version>
        <maven.compiler.proc>full</maven.compiler.proc>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>

    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

server:
  port: 8080

spring:
  application:
    name: gateway

  cloud:
    gateway:
      routes:

        # - id: google
        #   uri: https://www.google.com
        #   predicates:
        #     - Path=/google/**

        - id: account
          uri: http://account:8080
          predicates:
            - Path=/account/**

        - id: auth
          uri: http://auth:8080
          predicates:
            - Path=/auth/**

        # - id: exchange
        #   uri: http://exchange:80
        #   predicates:
        #     - Path=/exchange/**

logging:
  level:
    store: ${LOGGING_LEVEL_STORE:debug}

package store.gateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class GatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }

}

package store.gateway;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GatewayResource {

    @GetMapping("/info")
    public ResponseEntity<Map<String, String>> version() {

        String hostname = "hostname can not be resolved";
        try {
            InetAddress addr;
            addr = InetAddress.getLocalHost();
            hostname = addr.getHostName();
        } catch (UnknownHostException ex) { }

        return new ResponseEntity<Map<String, String>>(
            Map.ofEntries(
                Map.entry("hostname", hostname),
                Map.entry("os.arch", System.getProperty("os.arch")),
                Map.entry("os.name", System.getProperty("os.name")),
                Map.entry("os.version", System.getProperty("os.version")),
                Map.entry("file.separator", System.getProperty("file.separator")),
                Map.entry("java.class.path", System.getProperty("java.class.path")),
                Map.entry("java.home", System.getProperty("java.home")),
                Map.entry("java.vendor", System.getProperty("java.vendor")),
                Map.entry("java.vendor.url", System.getProperty("java.vendor.url")),
                Map.entry("java.version", System.getProperty("java.version")),
                Map.entry("line.separator", System.getProperty("line.separator")),
                Map.entry("path.separator", System.getProperty("path.separator")),
                Map.entry("user.dir", System.getProperty("user.dir")),
                Map.entry("user.home", System.getProperty("user.home")),
                Map.entry("user.name", System.getProperty("user.name")),
                Map.entry("jar", new java.io.File(
                    GatewayApplication.class.getProtectionDomain()
                        .getCodeSource()
                        .getLocation()
                        .getPath()
                    ).toString())
            ), HttpStatus.OK
        );
    }

}

package store.gateway.security;

import java.util.Arrays;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

@Component
public class AuthorizationFilter implements GlobalFilter  {

    private static Logger logger = LoggerFactory.getLogger(AuthorizationFilter.class);

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String AUTHORIZATION_BEARER_TOKEN_HEADER = "Bearer";
    private static final String AUTH_SERVICE_TOKEN_SOLVE = "http://auth:8080/auth/solve";

    @Autowired
    private RouterValidator routerValidator;

    @Autowired
    private WebClient.Builder webClient;

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        logger.debug("Entrou no filtro de authorization");
        ServerHttpRequest request = exchange.getRequest();
        if (!routerValidator.isSecured.test(request)) {
            logger.debug("Rota nao eh segura");
            return chain.filter(exchange);
        }
        logger.debug("Rota segura");
        if (!isAuthMissing(request)) {
            logger.debug("Tem Authorization no Header");
            final String[] parts = this.getAuthHeader(request).split(" ");
            if (parts.length != 2 || !parts[0].equals(AUTHORIZATION_BEARER_TOKEN_HEADER)) {
                logger.debug("Formato enviado: " + Arrays.toString(parts));
                throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Authorization header format must be: 'Bearer {token}'");
            }
            logger.debug("Resolver o token");
            return requestAuthTokenSolve(exchange, chain, parts[1]);
        }

        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Unauthorized");
    }

    private boolean isAuthMissing(ServerHttpRequest request) {
        return !request.getHeaders().containsKey(AUTHORIZATION_HEADER);
    }

    private String getAuthHeader(ServerHttpRequest request) {
        return request.getHeaders().getOrEmpty(AUTHORIZATION_HEADER).get(0);
    }

    // este metodo eh responsavel por enviar o token ao Auth Microservice
    // a fim de interpretar o token, a chamada eh feita via Rest.
    private Mono<Void> requestAuthTokenSolve(ServerWebExchange exchange, GatewayFilterChain chain, String jwt) {
        logger.debug("solving jwt: " + jwt);
        return webClient
            .defaultHeader(
                HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE
            )
            .build()
            .post()
            .uri(AUTH_SERVICE_TOKEN_SOLVE)
            .bodyValue(TokenOut.builder().token(jwt).build())
            .retrieve()
            .toEntity(SolveOut.class)
            .flatMap(response -> {
                if (response != null && response.hasBody() && response.getBody() != null) {
                    final SolveOut out = response.getBody();
                    logger.debug("id account" + out.idAccount());
                    ServerWebExchange modifiedExchange = this.updateRequest(exchange, out);
                    return chain.filter(modifiedExchange);
                } else {
                    throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Invalid token");
                }
            });
    }

    private ServerWebExchange updateRequest(ServerWebExchange exchange, SolveOut out) {
        logger.debug("original headers: " + exchange.getRequest().getHeaders().toString());
        ServerWebExchange modified = exchange.mutate()
            .request(
                exchange.getRequest()
                    .mutate()
                    .header("id-account", out.idAccount())
                    .build()
            ).build();
        logger.debug("updated headers: " + modified.getRequest().getHeaders().toString());
        return modified;
    }

}

package store.gateway.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsFilter {

    @Bean
    public CorsWebFilter corsWebFilter() {

        CorsConfiguration corsConfig = new CorsConfiguration();
        corsConfig.setAllowCredentials(false);
        corsConfig.addAllowedHeader("*");
        corsConfig.addAllowedMethod("*");
        corsConfig.addAllowedOrigin("*");

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfig);

        return new CorsWebFilter(source);
    }

}

package store.gateway.security;

import java.util.List;
import java.util.function.Predicate;

import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;

@Component
public class RouterValidator {

    private List<String> openApiEndpoints = List.of(
        "POST /auth/register",
        "POST /auth/login"
    );

    public Predicate<ServerHttpRequest> isSecured =
        request -> openApiEndpoints
            .stream()
            .noneMatch(uri -> {
                String[] parts = uri.replaceAll("[^a-zA-Z0-9// *]", "").split(" ");
                final String method = parts[0];
                final String path = parts[1];
                final boolean deep = path.endsWith("/**");
                return ("ANY".equalsIgnoreCase(method) || request.getMethod().toString().equalsIgnoreCase(method))
                    && (request.getURI().getPath().equals(path) || (deep && request.getURI().getPath().startsWith(path.replace("/**", ""))));
            });

}

package store.gateway.security;

import lombok.Builder;
import lombok.experimental.Accessors;

@Builder @Accessors(fluent = true)
public record SolveOut(
    String idAccount
) {

}

package store.gateway.security;

import lombok.Builder;
import lombok.experimental.Accessors;

@Builder @Accessors(fluent = true)
public record TokenOut(
    String token
) {

}

FROM openjdk:21-slim
VOLUME /tmp
COPY target/*.jar app.jar
ENTRYPOINT ["java","-jar","/app.jar"]

JWT - JSON Web Token

JWT stands for JSON Web Token. It is a compact, URL-safe means of representing claims between two parties. JWTs are commonly used to secure the transmission of information between parties in a web environment, typically for authentication and information exchange. The JWT specification is defined by RFC 7519¹ and it is a decentralized approach for security (which can support horizontal scalability).

Here are the key components and concepts of JWT:

JSON Format: JWTs are represented as JSON objects that are easy to parse and generate. The JSON format makes them human-readable and easy to work with.
Three Parts: JWTs consist of three parts separated by dots (.): Header, Payload, and Signature.
- Header: The header typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Signature: To create the signature part, you take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
Encoding: Each of the three parts is Base64Url encoded, and the resulting strings are concatenated with periods between them. The final JWT looks like: xxxxx.yyyyy.zzzzz.
Stateless and Self-contained: JWTs are stateless, meaning that all the information needed is within the token itself. The server doesn't need to store the user's state. They are also self-contained, meaning that all the information needed is contained within the token.
Use Cases: JWTs are commonly used for authentication and information exchange between parties. For example, after a user logs in, a server could generate a JWT and send it to the client. The client can then include the JWT in the headers of subsequent requests to access protected resources. The server can verify the authenticity of the JWT using the stored secret key.
Security Considerations: While JWTs are widely used and versatile, it's important to handle them securely. For instance, the key used to sign the JWT should be kept secret, and HTTPS should be used to transmit JWTs to prevent man-in-the-middle attacks.

Here's a simple example of a JWT created on JWT Builder²:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJJbnNwZXIiLCJpYXQiOjE3MDMwMDgzMzgsImV4cCI6MjAxODU0MTEzOCwiYXVkIjoid3d3Lmluc3Blci5lZHUuYnIiLCJzdWIiOiJodW1iZXJ0b3JzQGluc3Blci5lZHUuYnIiLCJHaXZlbk5hbWUiOiJIdW1iZXJ0byIsIlN1cm5hbWUiOiJTYW5kbWFubiIsIkVtYWlsIjoiaHVtYmVydG9yc0BpbnNwZXIuZWR1LmJyIiwiUm9sZSI6IlByb2Zlc3NvciJ9.SsGdvR5GbYWTRbxY7IGxHt1vSxhkpRueBJWsi0lrPhJVCICp119QjU8F3QvHW0yF5tw-HhQ9RVh0l89t4M0LNw

This JWT consists of three parts, decoded by ³:

HeaderPayloadSignature

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9

{
  "typ": "JWT",
  "alg": "HS512"
}

eyJpc3MiOiJJbnNwZXIiLCJpYXQiOjE3MDMwMDgzMzgsImV4cCI6MjAxODU0MTEzOCwiYXVkIjoid3d3Lmluc3Blci5lZHUuYnIiLCJzdWIiOiJodW1iZXJ0b3JzQGluc3Blci5lZHUuYnIiLCJHaXZlbk5hbWUiOiJIdW1iZXJ0byIsIlN1cm5hbWUiOiJTYW5kbWFubiIsIkVtYWlsIjoiaHVtYmVydG9yc0BpbnNwZXIuZWR1LmJyIiwiUm9sZSI6IlByb2Zlc3NvciJ9

{
  "iss": "Insper",
  "iat": 1703008338,
  "exp": 2018541138,
  "aud": "www.insper.edu.br",
  "sub": "humbertors@insper.edu.br",
  "GivenName": "Humberto",
  "Surname": "Sandmann",
  "Email": "humbertors@insper.edu.br",
  "Role": "Professor"
}

SsGdvR5GbYWTRbxY7IGxHt1vSxhkpRueBJWsi0lrPhJVCICp119QjU8F3QvHW0yF5tw-HhQ9RVh0l89t4M0LNw

HMACSHA512(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  qwertyuiopasdfghjklzxcvbnm123456,
)

JWTs are widely used in web development due to their simplicity, flexibility, and support across various programming languages and frameworks. They are commonly used in token-based authentication systems.

Addtional Material

RFC 7519 - JSON Web Token (JWT), 2015. ↩
JWT - Builder. ↩
jwt.io - JWT Verification. ↩
Unix Time Stamp - Epoch Converter. ↩
DELANTHA, R., Spring Cloud Gateway security with JWT, 2023. ↩
Wikipedia - Pepper (cryptography). ↩
PGzlan, Serve your hash with Salt and Pepper for Stronger Account Security, 2023. ↩
DELANTHA, R., Spring Cloud Gateway security with JWT, 2023. ↩