BFARIAAL / api-pdc-backend

API PDC backend

33 development and testing investigate possible approaches for authentication on the api #44

Open pedro-acsousa opened 9 months ago

pedro-acsousa commented 9 months ago

An example of the authentication protocol has been implemented. The authentication protocol uses a secret-protected JWT token which is generated with specific "levels" or "attributes", referred to as "Authorities".

The token generated includes an expiry date which can be adjusted (though for the implementation testing, the expiry date is currently not being verified). The authorisation happens via a request filter which is run each time a request is made to the API. The filter examines the "Authorities" contained within the JWT token, and extracts the path of the corresponding request to validate against the JWT token authority list.

The JWT token cannot be manually edited. If the token has been interfered with, it will be deemed invalid due to the individual not having access to the "secret" required for encoding a JWT token.

This can be expanded to support further endpoints and expand the corresponding authority list.

Tokens can be generated on demand via the class/method provided.
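
The scheme described in this comment (secret-signed JWT carrying an "authorities" list, a per-request filter mapping the request path to a required authority), shown as an added Python illustration that is not the repository's own code. The secret, claim names, path-to-authority table and the 200/401/403 results are assumptions; the expiry check, which the comment says is skipped during testing, is kept in here because a deployed filter needs it.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed value; a real key comes from configuration
# Authority each path requires (assumed mapping, not the project's own table)
PATH_AUTHORITIES = {"/api/reports": "REPORT_READ", "/api/admin": "ADMIN"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, authorities, ttl_seconds, now=None):
    """Mint an HS256 JWT carrying the authority list and an exp claim."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "authorities": list(authorities), "exp": int(now + ttl_seconds)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Pin the algorithm: a header of "none" or a different alg must not pass
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # payload edited or signed with another secret
        claims = json.loads(_b64url_decode(payload_b64))
        # Expiry is skipped in the testing build described above; a deployed filter must keep it
        if not isinstance(claims, dict) or int(claims.get("exp", 0)) <= now:
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims

def request_filter(path, token, now=None):
    """Per-request check: 401 for a bad token, 403 for a missing authority, 200 when allowed."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    required = PATH_AUTHORITIES.get(path)  # unknown paths are denied by default
    if required is None or required not in claims.get("authorities", []):
        return 403
    return 200
```

The constant-time comparison and the algorithm pin are what make "the token cannot be manually edited" hold in practice; without them a forged or unsigned token can slip past the filter.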

pedro-acsousa commented 9 months ago

@BFARIAAL Please review the code as needed and refer to the detailed explanation above for the authentication procedure.

BFARIAAL commented 9 months ago

Please run unit testing and attach the document to the PR

pedro-acsousa commented 9 months ago

All comments have been resolved.

NOTES:

- The authentication folder should not be under dto as they are not DTOs - Changed
- JwtResponse does not appear to be an entity. Please review - Deleted as it was unnecessary
- Please do not keep files in the main api package. Place them into a correct package - Config files MUST be in the root directory as they are autowired by default on run. This is not changeable

pedro-acsousa commented 9 months ago

Unit Test Document - 33.docx