Closed ongiant closed 4 months ago

`OrderControllerWebFluxTests`, I noticed that `ReactiveJwtDecoder` `MockBean` was ultimately not utilized. The same appears to be true for `JwtDecoder` `MockBean` within the `BookControllerMvcTests` class in section 12.2.3. These injections seem to be superfluous and may need to be reevaluated.

`OrderService` would be more logically protected under the `customer` role, and there are a couple of reasons for this thought process:

(1) Within the `OrderControllerWebFluxTests` class, the `whenBookNotAvailableThenRejectOrder` method utilizes `webTestClient` to send a mock request with a mock `jwt` holding the `ROLE_customer` authority. This test method would render moot if all requests were allowed to pass.

(2) It seems unreasonable to me that a `guest` should have the ability to submit an order without the appropriate permissions. Therefore, restricting this action could be beneficial for our application control.

@ongiant thanks for bringing this up!

`JwtDecoder` and `ReactiveJwtDecoder` beans in the integration tests because Spring Security would otherwise try to contact the real authorisation server configured in the properties as the Issuer URI to obtain the certificate needed to validate the signatures on received Access Tokens (JWTs). In slice tests like `BookControllerMvcTests` and `OrderControllerWebFluxTests`, it's not needed anymore (it used to, at some point, and I missed that it's not the case anymore, thank you for making me aware). I cleaned up the tests in the repo accordingly. Thanks again for sharing your thoughts about this.
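Both points raised in this thread (the decoder `MockBean` that a `@WebFluxTest` slice never uses, and restricting order submission to the `customer` role so that the `ROLE_customer` authority in `whenBookNotAvailableThenRejectOrder` actually matters) in one added example. This is not code from the book or from the Polar Bookshop repository. It assumes Spring Boot 3 with Spring Security 6 and Boot's `@MockBean`, the names `OrderController`, `OrderService` (with `submitOrder(isbn, quantity)` returning `Mono<Order>` and a static `buildRejectedOrder(isbn, quantity)`), `OrderRequest(String isbn, Integer quantity)`, `Order` with a `status()` accessor, `OrderStatus.REJECTED`, and a `roles` claim in the access token that is mapped to `ROLE_*` authorities; all of these are assumptions.

```java
// Added example, not the book's or repo's code. Assumed: Spring Boot 3 / Spring Security 6,
// Boot's @MockBean, the Polar Bookshop names used below, and a "roles" claim in the JWT.

// --- SecurityConfig.java -------------------------------------------------
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;

@Configuration
class SecurityConfig {

    @Bean
    SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchange -> exchange
                // Submitting an order needs ROLE_customer; everything else only needs a valid token.
                .pathMatchers(HttpMethod.POST, "/orders").hasRole("customer")
                .anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
            .requestCache(cache -> cache.requestCache(NoOpServerRequestCache.getInstance()))
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .build();
    }

    // Map the assumed "roles" claim to ROLE_* authorities so hasRole("customer") sees ROLE_customer.
    private ReactiveJwtAuthenticationConverterAdapter jwtAuthenticationConverter() {
        var authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthorityPrefix("ROLE_");
        authorities.setAuthoritiesClaimName("roles");
        var converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return new ReactiveJwtAuthenticationConverterAdapter(converter);
    }
}

// --- OrderControllerWebFluxTests.java ------------------------------------
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.BDDMockito.given;
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockJwt;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.reactive.server.WebTestClient;
import reactor.core.publisher.Mono;

@WebFluxTest(OrderController.class)
@Import(SecurityConfig.class)
class OrderControllerWebFluxTests {

    @Autowired
    WebTestClient webTestClient;

    @MockBean
    OrderService orderService;

    // Deliberately no @MockBean ReactiveJwtDecoder: mockJwt() installs a finished
    // authentication in the exchange, so no bearer token is ever sent or decoded.

    @Test
    void whenBookNotAvailableThenRejectOrder() {
        var orderRequest = new OrderRequest("1234567890", 3);
        var rejectedOrder = OrderService.buildRejectedOrder(orderRequest.isbn(), orderRequest.quantity());
        given(orderService.submitOrder(orderRequest.isbn(), orderRequest.quantity()))
            .willReturn(Mono.just(rejectedOrder));

        webTestClient
            .mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("ROLE_customer")))
            .post().uri("/orders")
            .bodyValue(orderRequest)
            .exchange()
            .expectStatus().is2xxSuccessful()
            .expectBody(Order.class)
            .value(order -> assertThat(order.status()).isEqualTo(OrderStatus.REJECTED));
    }

    // With anyExchange().authenticated() this request would reach the controller and the
    // role on the mocked JWT above would be irrelevant; with hasRole("customer") it is a 403.
    @Test
    void whenJwtLacksCustomerRoleThenOrderIsForbidden() {
        webTestClient
            .mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("ROLE_employee")))
            .post().uri("/orders")
            .bodyValue(new OrderRequest("1234567890", 1))
            .exchange()
            .expectStatus().isForbidden();
    }
}
```

The second test is what makes the first one meaningful: under `anyExchange().authenticated()` the `ROLE_employee` request would pass authorization and never get its 403, which is the point made in (1). The `ReactiveJwtDecoder` bean is only consulted by the bearer-token filter when an `Authorization` header arrives; `mockJwt()` never sends one, so the slice test has nothing to gain from mocking the decoder. A full-context integration test that issues real requests against the resource server is a different matter, which is the distinction drawn in the reply.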