feat: Implement JWT authentication and public service type access in the admin service

Author: RandithaK

admin-service/pom.xml

@@ -46,6 +46,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-validation</artifactId>
@@ -54,6 +58,29 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-webflux</artifactId>
+		</dependency>
+
+		<!--  JWT dependencies  -->
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-api</artifactId>
+			<version>0.12.6</version>
+		</dependency>
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-impl</artifactId>
+			<version>0.12.6</version>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-jackson</artifactId>
+			<version>0.12.6</version>
+			<scope>runtime</scope>
+		</dependency>
 
 		<dependency>
 			<groupId>org.springframework.boot</groupId>

admin-service/src/main/java/com/techtorque/admin_service/config/JwtAuthenticationFilter.java

@@ -0,0 +1,82 @@
+package com.techtorque.admin_service.config;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import javax.crypto.SecretKey;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Component
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+
+  @Value("${jwt.secret:mysecretkey}")
+  private String jwtSecret;
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+      throws ServletException, IOException {
+
+    String authHeader = request.getHeader("Authorization");
+
+    if (authHeader != null && authHeader.startsWith("Bearer ")) {
+      String token = authHeader.substring(7);
+      
+      try {
+        SecretKey key = Keys.hmacShaKeyFor(jwtSecret.getBytes(StandardCharsets.UTF_8));
+        
+        Claims claims = Jwts.parser()
+            .verifyWith(key)
+            .build()
+            .parseSignedClaims(token)
+            .getPayload();
+
+        String username = claims.getSubject();
+        @SuppressWarnings("unchecked")
+        List<String> roles = (List<String>) claims.get("roles");
+
+        if (username != null && roles != null) {
+          List<SimpleGrantedAuthority> authorities = roles.stream()
+              .map(role -> {
+                String roleUpper = role.trim().toUpperCase();
+                // Treat SUPER_ADMIN as ADMIN for authorization purposes
+                if ("SUPER_ADMIN".equals(roleUpper)) {
+                  // Add both SUPER_ADMIN and ADMIN roles
+                  return Arrays.asList(
+                      new SimpleGrantedAuthority("ROLE_SUPER_ADMIN"),
+                      new SimpleGrantedAuthority("ROLE_ADMIN")
+                  );
+                }
+                return Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + roleUpper));
+              })
+              .flatMap(List::stream)
+              .collect(Collectors.toList());
+
+          UsernamePasswordAuthenticationToken authentication =
+              new UsernamePasswordAuthenticationToken(username, null, authorities);
+
+          SecurityContextHolder.getContext().setAuthentication(authentication);
+        }
+      } catch (Exception e) {
+        logger.warn("JWT token validation failed: " + e.getMessage());
+      }
+    }
+
+    filterChain.doFilter(request, response);
+  }
+}

admin-service/src/main/java/com/techtorque/admin_service/config/SecurityConfig.java

@@ -1,5 +1,6 @@
 package com.techtorque.admin_service.config;
 
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
@@ -12,8 +13,11 @@
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity(prePostEnabled = true)
+@RequiredArgsConstructor
 public class SecurityConfig {
 
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
+
     // A more comprehensive whitelist for Swagger/OpenAPI, based on the auth-service config.
     private static final String[] SWAGGER_WHITELIST = {
         "/v3/api-docs/**",
@@ -24,6 +28,11 @@ public class SecurityConfig {
         "/api-docs/**"
     };
 
+    // Public endpoints accessible by all authenticated users (including CUSTOMER role)
+    private static final String[] PUBLIC_ENDPOINTS = {
+        "/public/**"
+    };
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
@@ -42,12 +51,18 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 // Permit all requests to the Swagger UI and API docs paths
                 .requestMatchers(SWAGGER_WHITELIST).permitAll()
 
+                // Allow authenticated users to access public endpoints
+                .requestMatchers(PUBLIC_ENDPOINTS).authenticated()
+                
                 // All other requests must be authenticated
                 .anyRequest().authenticated()
             )
 
-            // Add our custom filter to read headers from the Gateway
-            .addFilterBefore(new GatewayHeaderFilter(), UsernamePasswordAuthenticationFilter.class);
+            // Add JWT filter first (for direct service-to-service calls with JWT)
+            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
+
+            // Add our custom filter to read headers from the Gateway (for gateway-routed calls)
+            .addFilterAfter(new GatewayHeaderFilter(), JwtAuthenticationFilter.class);
 
         return http.build();
     }

admin-service/src/main/java/com/techtorque/admin_service/controller/PublicServiceTypeController.java

@@ -0,0 +1,43 @@
+package com.techtorque.admin_service.controller;
+
+import com.techtorque.admin_service.dto.response.ServiceTypeResponse;
+import com.techtorque.admin_service.service.AdminServiceConfigService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+
+/**
+ * Public controller for service types - accessible by all authenticated users and other microservices
+ * This allows customers and other services to read active service types without admin privileges
+ */
+@RestController
+@RequestMapping("/public/service-types")
+@RequiredArgsConstructor
+@Slf4j
+@Tag(name = "Public Service Types", description = "Public API for accessing service types")
+public class PublicServiceTypeController {
+
+  private final AdminServiceConfigService adminServiceConfigService;
+
+  @GetMapping
+  @Operation(summary = "Get all active service types", description = "Retrieve all active service types available to customers")
+  public ResponseEntity<List<ServiceTypeResponse>> getActiveServiceTypes() {
+    log.info("Public request: Fetching all active service types");
+    List<ServiceTypeResponse> serviceTypes = adminServiceConfigService.getAllServiceTypes(true); // activeOnly = true
+    log.info("Retrieved {} active service types for public access", serviceTypes.size());
+    return ResponseEntity.ok(serviceTypes);
+  }
+
+  @GetMapping("/{id}")
+  @Operation(summary = "Get service type by ID", description = "Retrieve a specific service type by its ID")
+  public ResponseEntity<ServiceTypeResponse> getServiceTypeById(@PathVariable String id) {
+    log.info("Public request: Fetching service type with ID: {}", id);
+    ServiceTypeResponse serviceType = adminServiceConfigService.getServiceTypeById(id);
+    return ResponseEntity.ok(serviceType);
+  }
+}

admin-service/src/main/java/com/techtorque/admin_service/dto/response/ServiceTypeResponse.java

@@ -20,8 +20,8 @@ public class ServiceTypeResponse {
     private String name;
     private String description;
     private String category;
-    private BigDecimal price;
-    private Integer durationMinutes;
+    private BigDecimal basePriceLKR;  // Changed from 'price' to match frontend
+    private Integer estimatedDurationMinutes;  // Changed from 'durationMinutes' to match frontend
     private Boolean active;
     private Boolean requiresApproval;
     private Integer dailyCapacity;

admin-service/src/main/java/com/techtorque/admin_service/service/impl/AdminServiceConfigServiceImpl.java

@@ -134,8 +134,8 @@ private ServiceTypeResponse convertToResponse(ServiceType serviceType) {
             .name(serviceType.getName())
             .description(serviceType.getDescription())
             .category(serviceType.getCategory())
-            .price(serviceType.getPrice())
-            .durationMinutes(serviceType.getDefaultDurationMinutes())
+            .basePriceLKR(serviceType.getPrice())
+            .estimatedDurationMinutes(serviceType.getDefaultDurationMinutes())
             .active(serviceType.getActive())
             .requiresApproval(serviceType.getRequiresApproval())
             .dailyCapacity(serviceType.getDailyCapacity())

admin-service/src/main/resources/application.properties

@@ -17,6 +17,9 @@ spring.jpa.properties.hibernate.format_sql=true
 # Development/Production Profile
 spring.profiles.active=${SPRING_PROFILE:dev}
 
+# JWT Configuration (must match Auth Service secret)
+jwt.secret=${JWT_SECRET:YourSuperSecretKeyForJWTGoesHereAndItMustBeVeryLongForSecurityPurposes}
+
 # OpenAPI access URL
 # http://localhost:8087/swagger-ui/index.html