adds basic working authentication / authorization via Spring Security + JWT

Author: halfhp

src/main/scala/com/example/scalaspringexperiment/SpringConfig.scala

@@ -2,28 +2,29 @@ package com.example.scalaspringexperiment
 
 import cats.effect.unsafe.IORuntime
 import cats.effect.{IO, Resource}
-import com.example.scalaspringexperiment.auth.JwtAuthManager
+import com.example.scalaspringexperiment.auth.{JwtAuthManager, JwtServerAuthConverter}
 import com.example.scalaspringexperiment.util.{CirceJsonDecoder, CirceJsonEncoder}
 import doobie.{DataSourceTransactor, ExecutionContexts}
 import doobie.util.transactor.Transactor
-import org.springframework.context.annotation.{Bean, Configuration}
+import org.springframework.context.annotation.{Bean, Configuration, Primary}
+import org.springframework.http.HttpStatus
 import org.springframework.http.codec.ServerCodecConfigurer
+import org.springframework.security.authentication.{DelegatingReactiveAuthenticationManager, UsernamePasswordAuthenticationToken}
 import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
-import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.config.web.server.{SecurityWebFiltersOrder, ServerHttpSecurity}
 import org.springframework.security.web.server.SecurityWebFilterChain
-import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter
+import org.springframework.security.web.server.context.{NoOpServerSecurityContextRepository, WebSessionServerSecurityContextRepository}
 import org.springframework.web.reactive.config.WebFluxConfigurer
 
 import javax.sql.DataSource
 
+
 @Configuration
-@EnableWebFluxSecurity
-@EnableReactiveMethodSecurity
 class SpringConfig(
   dataSource: DataSource,
-  jwtAuthManager: JwtAuthManager,
 ) {
 
   @Bean
@@ -32,19 +33,37 @@ class SpringConfig(
       ce <- ExecutionContexts.fixedThreadPool[IO](32) // our connect EC
     } yield Transactor.fromDataSource[IO](dataSource, ce)
   }
+}
 
+@Configuration
+@EnableWebFluxSecurity
+@EnableReactiveMethodSecurity
+class SecurityConfig(
+  jwtAuthManager: JwtAuthManager,
+) {
   @Bean
-  def securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain = {
+  def securityFilterChain(
+    http: ServerHttpSecurity,
+    jwtAuthFilter: AuthenticationWebFilter,
+  ): SecurityWebFilterChain = {
     http
       .cors(Customizer.withDefaults())
       .csrf(csrf => csrf.disable())
-      .securityContextRepository(NoOpServerSecurityContextRepository.getInstance()) // optional, disables session caching
-      .authorizeExchange(authz =>
-        authz.anyExchange().permitAll()
-      )
-      .authenticationManager(jwtAuthManager)
+      .authorizeExchange(_.anyExchange().permitAll())
+      .addFilterAt(jwtAuthFilter, SecurityWebFiltersOrder.AUTHENTICATION)
+      .securityContextRepository(NoOpServerSecurityContextRepository.getInstance()) // stateless auth
       .build()
   }
+
+    @Bean
+    def jwtAuthFilter(
+      jwtAuthManager: JwtAuthManager
+    ): AuthenticationWebFilter = {
+      val filter = new AuthenticationWebFilter(jwtAuthManager)
+      filter.setServerAuthenticationConverter(new JwtServerAuthConverter)
+      filter.setSecurityContextRepository(NoOpServerSecurityContextRepository.getInstance())
+      filter
+    }
 }
 
 @Configuration(proxyBeanMethods = false)

src/main/scala/com/example/scalaspringexperiment/auth/JwtAuthFilter.scala

@@ -3,11 +3,12 @@ package com.example.scalaspringexperiment.auth
 import cats.data.EitherT
 import cats.effect.IO
 import cats.effect.unsafe.IORuntime
-import com.example.scalaspringexperiment.auth.JwtAuthManager.{AuthError, InvalidCredentials, LoginSuccess, RegisterSuccess, UserExists, UserNotFound}
+import com.example.scalaspringexperiment.auth.JwtAuthManager.{AuthError, InvalidCredentials, LoginSuccess, ROLE_USER, RegisterSuccess, UserExists, UserNotFound}
 import com.example.scalaspringexperiment.entity.{Person, RegisteredUser}
 import com.example.scalaspringexperiment.service.{PersonService, RegisteredUserService}
 import org.springframework.context.annotation.Lazy
 import org.springframework.security.authentication.{ReactiveAuthenticationManager, UsernamePasswordAuthenticationToken}
+import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.core.{Authentication, GrantedAuthority}
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
 import org.springframework.stereotype.Component
@@ -19,6 +20,8 @@ import java.time.Instant
 import scala.jdk.CollectionConverters.*
 
 object JwtAuthManager {
+  val ROLE_USER = "ROLE_USER"
+  val ROLE_ADMIN = "ROLE_ADMIN"
   sealed trait AuthError {
     val message: String
   }
@@ -63,18 +66,24 @@ class JwtAuthManager(
   private val secretKey: String = "secretKey"
   private val algo = JwtAlgorithm.HS256
 
-  override def authenticate(
-    authentication: Authentication
-  ): Mono[Authentication] = {
+  override def authenticate(authentication: Authentication): Mono[Authentication] = {
+    println(s"[AUTH DEBUG] Called with credentials: ${authentication.getCredentials}")
     try {
       val token = authentication.getCredentials.toString
       val claim = JwtCirce.decode(token, secretKey, Seq(algo)).get
-      Mono.just(new UsernamePasswordAuthenticationToken(claim.subject.get, null, Seq[GrantedAuthority]().asJava))
+      val authorities = Seq(new SimpleGrantedAuthority(ROLE_USER))
+      val auth = new UsernamePasswordAuthenticationToken(
+        claim.subject.get,
+        null,
+        authorities.asJava
+      )
+      Mono.just(auth)
     } catch {
       case e: Exception => Mono.empty()
     }
   }
 
+
   def generateTokenForRegisteredUser(
     user: RegisteredUser,
     expiration: Instant

src/main/scala/com/example/scalaspringexperiment/auth/JwtAuthManager.scala

@@ -0,0 +1,20 @@
+package com.example.scalaspringexperiment.auth
+
+import org.springframework.http.HttpHeaders
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
+import org.springframework.security.core.Authentication
+import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+
+class JwtServerAuthConverter extends ServerAuthenticationConverter {
+  override def convert(exchange: ServerWebExchange): Mono[Authentication] = {
+    val authHeader = Option(exchange.getRequest.getHeaders.getFirst(HttpHeaders.AUTHORIZATION))
+    authHeader match {
+      case Some(header) if header.startsWith("Bearer ") =>
+        val token = header.stripPrefix("Bearer ").trim
+        Mono.just(new UsernamePasswordAuthenticationToken(token, token))
+      case _ => Mono.empty()
+    }
+  }
+}

src/main/scala/com/example/scalaspringexperiment/auth/JwtServerAuthConverter.scala

@@ -90,15 +90,26 @@ class AuthController(
   @PreAuthorize("permitAll()")
   @GetMapping(path = Array("authtest/optional"))
   def maybeAuthTest(): Mono[ResponseEntity[Json]] = helper.maybeAuth { ctx =>
-    ctx.authentication match {
-      case Some(auth) =>
-        IO(ResponseEntity.ok(Json.obj(
-          "message" -> Json.fromString("Signed in"),
-        )))
-      case None =>
-        IO(ResponseEntity.ok(Json.obj(
-          "message" -> Json.fromString("Not signed in"),
-        )))
-    }
+    IO(ResponseEntity.ok(Json.obj(
+      "isAuthenticated" -> ctx.authentication.isDefined.asJson,
+    )))
+  }
+
+  @PreAuthorize("isAuthenticated()")
+  @GetMapping(path = Array("authtest/required"))
+  def requiredAuthTest(): Mono[ResponseEntity[Json]] = helper.auth { ctx =>
+    IO(ResponseEntity.ok(Json.obj()))
+  }
+
+  @PreAuthorize("hasRole('ROLE_USER')")
+  @GetMapping(path = Array("authtest/user"))
+  def userAuthTest(): Mono[ResponseEntity[Json]] = helper.auth { ctx =>
+    IO(ResponseEntity.ok(Json.obj()))
+  }
+
+  @PreAuthorize("hasRole('ROLE_ADMIN')")
+  @GetMapping(path = Array("authtest/admin"))
+  def adminAuthTest(): Mono[ResponseEntity[Json]] = helper.auth { ctx =>
+    IO(ResponseEntity.ok(Json.obj()))
   }
 }

src/main/scala/com/example/scalaspringexperiment/controller/AuthController.scala

@@ -3,7 +3,7 @@ package com.example.scalaspringexperiment.controller
 import cats.effect.IO
 import cats.effect.unsafe.IORuntime
 import org.springframework.security.core.Authentication
-import org.springframework.security.core.context.SecurityContextHolder
+import org.springframework.security.core.context.{ReactiveSecurityContextHolder, SecurityContext, SecurityContextHolder}
 import org.springframework.stereotype.Component
 import reactor.core.publisher.Mono
 
@@ -21,9 +21,9 @@ case class AuthCtx(
 class ControllerHelper(
   runtime: IORuntime
 ) {
-  
+
   given rt: IORuntime = runtime
-  
+
   private given ioToMono[A](): Conversion[IO[A], Mono[A]] with {
     def apply(io: IO[A]): Mono[A] = {
       Mono.fromFuture(new CompletableFuture[A]().tap { cf =>
@@ -41,13 +41,16 @@ class ControllerHelper(
 
   def maybeAuth[T](
     cb: Ctx => IO[T]
-  ): Mono[T] = cb(Ctx(
-    authentication = Option(SecurityContextHolder.getContext.getAuthentication
-    )))
+  ): Mono[T] = {
+    ReactiveSecurityContextHolder.getContext
+      .map(sc => Option(sc.getAuthentication))
+      .defaultIfEmpty(None)
+      .flatMap(auth => cb(Ctx(auth)))
+  }
 
   def auth[T](
-    cb: AuthCtx => T
-  ): T = {
+    cb: AuthCtx => IO[T]
+  ): Mono[T] = {
     Option(AuthCtx(
       authentication = SecurityContextHolder.getContext.getAuthentication
     )) match {

src/main/scala/com/example/scalaspringexperiment/controller/ControllerErrorHandler.scala

@@ -119,4 +119,62 @@ class AuthControllerTest {
       .expectBody()
       .consumeWith(TestUtils.responsePrinter)
   }
+
+  @Test
+  def maybeAuth_showsAuthenticated_forAuthenticatedRequest(): Unit = {
+    val (_, _, token) = testUtils.newRegisteredUser()
+    webTestClient.get()
+      .uri("/authtest/optional")
+      .header("Authorization", s"Bearer $token")
+      .exchange()
+      .expectStatus().isOk
+      .expectBody()
+      .consumeWith(TestUtils.responsePrinter)
+      .jsonPath("$.isAuthenticated").isEqualTo(true)
+  }
+
+  @Test
+  def maybeAuth_showsUnauthenticated_forUnauthenticatedRequest(): Unit = {
+    webTestClient.get()
+      .uri("/authtest/optional")
+      .exchange()
+      .expectStatus().isOk
+      .expectBody()
+      .consumeWith(TestUtils.responsePrinter)
+      .jsonPath("$.isAuthenticated").isEqualTo(false)
+  }
+
+  @Test
+  def requiredAuth_returnsUnauthorized_forUnauthenticatedRequest(): Unit = {
+    webTestClient.get()
+      .uri("/authtest/required")
+      .exchange()
+      .expectStatus().isUnauthorized
+      .expectBody()
+      .consumeWith(TestUtils.responsePrinter)
+  }
+
+  @Test
+  def userAuthTest_returnsOk_forAuthenticatedUserRequest(): Unit = {
+    val (_, _, token) = testUtils.newRegisteredUser()
+    webTestClient.get()
+      .uri("/authtest/user")
+      .header("Authorization", s"Bearer $token")
+      .exchange()
+      .expectStatus().isOk
+      .expectBody()
+      .consumeWith(TestUtils.responsePrinter)
+  }
+
+  @Test
+  def adminAuthTest_returnsForbidden_forAuthenticatedNonAdminRequest(): Unit = {
+    val (_, _, token) = testUtils.newRegisteredUser()
+    webTestClient.get()
+      .uri("/authtest/admin")
+      .header("Authorization", s"Bearer $token")
+      .exchange()
+      .expectStatus().isEqualTo(403)
+      .expectBody()
+      .consumeWith(TestUtils.responsePrinter)
+  }
 }

src/main/scala/com/example/scalaspringexperiment/controller/ControllerHelper.scala

@@ -11,10 +11,8 @@ import javax.sql.DataSource
 @Profile(Array("test"))
 class SpringTestConfig(
   dataSource: DataSource,
-  jwtAuthManager: JwtAuthManager,
 ) extends SpringConfig(
   dataSource,
-  jwtAuthManager
 ) {
 
   // something that exists in prod that we dont want initializing in our tests