Validate Endpoints

4 weeks ago · 5bd79acda5
parent 493b1564c8
commit 5bd79acda5
5 changed files with 61 additions and 35 deletions
--- a/aconnect/src/main/java/com/mfsys/aconnect/security/constant/SecurityURI.java
+++ b/aconnect/src/main/java/com/mfsys/aconnect/security/constant/SecurityURI.java
@ -3,4 +3,5 @@ package com.mfsys.aconnect.security.constant;
 public interface SecurityURI {
  String AUTHENTICATION = "/authentication";
  String LOGIN = "/login";
+  String REGISTER = "/signup";
 }
--- a/aconnect/src/main/java/com/mfsys/aconnect/security/controller/AuthenticationController.java
+++ b/aconnect/src/main/java/com/mfsys/aconnect/security/controller/AuthenticationController.java
@ -4,6 +4,9 @@ import com.mfsys.aconnect.security.constant.SecurityURI;
 import com.mfsys.aconnect.security.dto.LoginRequest;
 import com.mfsys.aconnect.security.dto.LoginResponse;
 import com.mfsys.aconnect.security.service.AuthenticationService;
+import com.mfsys.aconnect.usermanagement.constant.UserManagementURI;
+import com.mfsys.aconnect.usermanagement.dto.UserDTOs;
+import com.mfsys.aconnect.usermanagement.service.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -17,10 +20,12 @@ import org.springframework.web.bind.annotation.RestController;
 public class AuthenticationController {

  private final AuthenticationService authenticationService;
+  private final UserService  userService;

  @Autowired
-  public AuthenticationController(AuthenticationService authenticationService) {
+  public AuthenticationController(AuthenticationService authenticationService, UserService  userService) {
    this.authenticationService = authenticationService;
+    this.userService = userService;
  }

  @PostMapping(SecurityURI.LOGIN)
@ -32,4 +37,12 @@ public class AuthenticationController {
      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
    }
  }
+
+
+  @PostMapping(SecurityURI.REGISTER)
+  public ResponseEntity<UserDTOs.UserResponse> signupUser(@RequestBody UserDTOs.UserRequest request) {
+    UserDTOs.UserResponse response = userService.createUser(request);
+    return new ResponseEntity<>(response, HttpStatus.CREATED);
+  }
+
 }
--- a/common/src/main/java/com/mfsys/common/configuration/constant/TokenBypassURI.java
+++ b/common/src/main/java/com/mfsys/common/configuration/constant/TokenBypassURI.java
@ -7,12 +7,8 @@ import java.util.List;
 public interface TokenBypassURI {
  List<String> URIs = new ArrayList<String>(Arrays.asList(
          "/aconnect/authentication/login",
+          "/aconnect/authentication/signup",
          "/aconnect/signin",
-          "/aconnect/user/createUser",
-          "/aconnect/user/getAllUsers",
-          "/aconnect/user/getUser",
-          "/aconnect/user/updateUser",
-          "/aconnect/user/deleteUser"   ,

          "/aconnect/transactions/accounttogl",
          "/aconnect/account/miscDetails",
--- a/common/src/main/java/com/mfsys/common/configuration/filter/TokenAuthenticationFilter.java
+++ b/common/src/main/java/com/mfsys/common/configuration/filter/TokenAuthenticationFilter.java
@ -1,9 +1,7 @@
 package com.mfsys.common.configuration.filter;

 import java.io.IOException;
-import java.util.Objects;

-import com.mfsys.common.configuration.constant.PropertyConstant;
 import com.mfsys.common.configuration.constant.TokenBypassURI;
 import com.mfsys.common.configuration.service.JwtService;
 import jakarta.servlet.FilterChain;
@ -23,7 +21,7 @@ import com.mfsys.common.configuration.constant.FilterPriority;
@Order(FilterPriority.AUTHENTICATION)
 public class TokenAuthenticationFilter extends OncePerRequestFilter {

-  private JwtService jwtService;
+  private final JwtService jwtService;

  @Autowired
  public TokenAuthenticationFilter(JwtService jwtService) {
@ -31,40 +29,58 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
  }

  @Override
-  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
-    throws ServletException, IOException {
-    // TODO: For porOrga-change we Will removed it later
-    if (!(request.getMethod().equals("OPTIONS"))) {
-
-      System.out.println(">> " + request.getRequestURI() + " <<");
-//		TODO:
-      // important add all mconnect url in tokenbypass uri and remove this if
-      // condition or implement jwt in mconnect module
-      System.out.println(request.getHeaderNames());
-      if (!(TokenBypassURI.URIs.contains(request.getRequestURI()) || request.getRequestURI().startsWith("/MCONNECT/actuator"))) {
-        String token = parseJwt(request);
-        if (Objects.isNull(token)) {
-          response.setStatus(403);
-          return;
-        } else {
-          // String porOrgacode = request.getHeader(FormPropertyConst.POR_ORGACODE);
-          String userSubject = request.getHeader("userSubject");
-          if (!jwtService.validateToken(token,userSubject)) {
-            return;
-          }
-        }
-      }
+  protected void doFilterInternal(HttpServletRequest request,
+                                  HttpServletResponse response,
+                                  FilterChain filterChain)
+          throws ServletException, IOException {

+    // 1. Always allow OPTIONS (CORS preflight)
+    if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
      filterChain.doFilter(request, response);
+      return;
    }
+
+    String requestUri = request.getRequestURI();
+
+    // 2. Skip authentication for bypass URIs
+    if (TokenBypassURI.URIs.contains(requestUri)
+            || requestUri.startsWith("/MCONNECT/actuator")) {
+      filterChain.doFilter(request, response);
+      return;
+    }
+
+    // 3. Extract JWT
+    String token = parseJwt(request);
+    if (!StringUtils.hasText(token)) {
+      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      return;
+    }
+
+    // 4. Extract required headers
+    String userSubject = request.getHeader("userId");
+    String porOrgaCode = request.getHeader("POR_ORGACODE");
+
+    // 5. Validate header presence
+    if (!StringUtils.hasText(userSubject) || !StringUtils.hasText(porOrgaCode)) {
+      response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+      return;
+    }
+
+    // 6. Validate token against headers
+    if (!jwtService.validateToken(token, userSubject, porOrgaCode)) {
+      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      return;
+    }
+
+    // 7. Continue request
+    filterChain.doFilter(request, response);
  }

  private String parseJwt(HttpServletRequest request) {
    String headerAuth = request.getHeader("Authorization");
    if (StringUtils.hasText(headerAuth) && headerAuth.startsWith("Bearer ")) {
-      return headerAuth.substring(7, headerAuth.length());
+      return headerAuth.substring(7);
    }
    return null;
  }
-
 }
--- a/common/src/main/java/com/mfsys/common/configuration/service/JwtService.java
+++ b/common/src/main/java/com/mfsys/common/configuration/service/JwtService.java
@ -78,7 +78,7 @@ public class JwtService {
      .compact();
  }

-  public Boolean validateToken(String token, String subject) {
+  public Boolean validateToken(String token, String subject, String porOrgacode) {
    final String username = extractUsername(token);
    return (username.equals(subject) && !isTokenExpired(token));
  }