diff --git a/auth-service/src/main/java/com/techtorque/auth_service/config/SecurityConfig.java b/auth-service/src/main/java/com/techtorque/auth_service/config/SecurityConfig.java
index 19f6b1d..36a7ff0 100644
--- a/auth-service/src/main/java/com/techtorque/auth_service/config/SecurityConfig.java
+++ b/auth-service/src/main/java/com/techtorque/auth_service/config/SecurityConfig.java
@@ -16,11 +16,11 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-
-import java.util.Arrays;
+// CorsConfiguration and related imports are no longer needed
+// import org.springframework.web.cors.CorsConfiguration;
+// import org.springframework.web.cors.CorsConfigurationSource;
+// import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+// import java.util.Arrays;
 @Configuration
 @EnableWebSecurity
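Review bot: The four CORS imports are not removed but kept as commented-out lines, and the same pattern repeats in the `.cors(...)` call inside `filterChain`, the `/* ... */`-wrapped `corsConfigurationSource()` bean in the next hunk, and the `@RequestMapping`/`@CrossOrigin` annotations in AuthController and UserController. Delete the dead code instead: version control preserves the history, and a fully preserved `corsConfigurationSource()` body with `setAllowedOrigins(...)` and `setAllowCredentials(true)` invites someone to uncomment it (and these imports) without re-reviewing the origin list. The intent is better recorded once, at the class level, as `// CORS is enforced by the API gateway; this service performs no CORS handling.`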
@@ -56,38 +56,37 @@ public AuthenticationManager authenticationManager(AuthenticationConfiguration a
 return authConfig.getAuthenticationManager();
 }
- // NOTE: The WebSecurityCustomizer bean has been completely removed.
-
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http
 .csrf(AbstractHttpConfigurer::disable)
- .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+ // =====================================================================
+ // CORS CONFIGURATION HAS BEEN REMOVED FROM THE SPRING BOOT SERVICE
+ // The Go API Gateway is now solely responsible for handling CORS.
+ // .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+ // =====================================================================
 .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler))
 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
- .requestMatchers(
- // Public API endpoints
- "/api/v1/auth/**", // Fixed: more specific auth path
- "/api/auth/**", // Keep both for backward compatibility
-
- // Public controller endpoints
- "/favicon.ico",
- "/error", // Add error page
+ .requestMatchers(
+ // Permit the paths AS SEEN BY THE JAVA SERVICE after the gateway strips the prefixes.
+ "/login",
+ "/register",
+ "/health",
- // Health check and actuator endpoints (if needed)
+ // Backwards-compatible patterns (if any clients bypass the gateway)
+ "/api/v1/auth/**",
+ "/api/auth/**",
+ "/favicon.ico",
+ "/error",
 "/actuator/**",
-
- // All OpenAPI and Swagger UI resources
 "/v3/api-docs/**",
 "/swagger-ui/**",
 "/swagger-ui.html",
- "/swagger-resources/**", // Include swagger-resources
- "/webjars/**", // Include webjars
- "/api-docs/**" // Additional swagger endpoint pattern
+ "/swagger-resources/**",
+ "/webjars/**",
+ "/api-docs/**"
 ).permitAll()
-
- // All other requests require authentication.
.anyRequest().authenticated()
 );
@@ -97,33 +96,21 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 return http.build();
 }
+ // =====================================================================
+ // THE CORS CONFIGURATION BEAN HAS BEEN COMPLETELY REMOVED.
+ // =====================================================================
+ /*
 @Bean
 public CorsConfigurationSource corsConfigurationSource() {
 CorsConfiguration configuration = new CorsConfiguration();
-
- // Allow specific origins
- configuration.setAllowedOrigins(Arrays.asList(
- "http://localhost:3000", // Next.js dev server
- "http://127.0.0.1:3000" // Alternative localhost
- ));
-
- // Allow all headers
+ configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000", "http://127.0.0.1:3000"));
 configuration.setAllowedHeaders(Arrays.asList("*"));
-
- // Allow specific HTTP methods
- configuration.setAllowedMethods(Arrays.asList(
- "GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"
- ));
-
- // Allow credentials (important for cookies/auth tokens)
+ configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
 configuration.setAllowCredentials(true);
-
- // Cache preflight response for 1 hour
 configuration.setMaxAge(3600L);
-
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", configuration);
-
 return source;
 }
+ */
 }
\ No newline at end of file
diff --git a/auth-service/src/main/java/com/techtorque/auth_service/controller/AuthController.java b/auth-service/src/main/java/com/techtorque/auth_service/controller/AuthController.java
index 941eff5..e918061 100644
--- a/auth-service/src/main/java/com/techtorque/auth_service/controller/AuthController.java
+++ b/auth-service/src/main/java/com/techtorque/auth_service/controller/AuthController.java
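Review bot: The rebuilt `requestMatchers(...)` allowlist keeps `"/api/v1/auth/**"` and `"/api/auth/**"` as "backwards-compatible patterns", but this same commit removes `@RequestMapping("/api/v1/auth")` from AuthController, so nothing in the service appears to serve those prefixes any more; an unauthenticated allowlist should contain only paths that exist, so drop both entries (or restore the class mapping if direct clients are genuinely supported). With both controllers now mapped at the root, the new root-level `"/login"`, `"/register"` and `"/health"` entries also match any handler that happens to land on those paths, so it is worth confirming that no UserController method maps there; those method mappings are outside the hunk. While touching the list, note that the context line `"/actuator/**"` still permits every actuator endpoint anonymously; `"/actuator/health"` is the least-privilege choice if only the probe needs to be public. `filterChain` continues past this hunk (its `return http.build();` is in the next one).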
@@ -26,8 +26,10 @@ * Handles login, registration, and health check requests
 */
 @RestController
-@RequestMapping("/api/v1/auth")
-@CrossOrigin(origins = "*", maxAge = 3600)
+// Class-level request mapping removed — gateway strips prefixes before forwarding
+// @RequestMapping("/api/v1/auth")
+// CORS handled at the API Gateway; remove @CrossOrigin to avoid conflicts
+// @CrossOrigin(origins = "*", maxAge = 3600)
 @Tag(name = "Authentication", description = "Authentication and user management endpoints")
 public class AuthController {
diff --git a/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java b/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
index e3ad85e..7ca2860 100644
--- a/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
+++ b/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
@@ -25,8 +25,10 @@ * Endpoints in this controller are accessible to users with ADMIN or SUPER_ADMIN roles.
 */
 @RestController
-@RequestMapping("/api/v1/users")
-@CrossOrigin(origins = "*", maxAge = 3600)
+// Class-level request mapping removed — endpoints are exposed as internal paths
+// @RequestMapping("/api/v1/users")
+// CORS handled by API Gateway; remove @CrossOrigin to avoid conflicts
+// @CrossOrigin(origins = "*", maxAge = 3600)
 @PreAuthorize("hasRole('ADMIN') or hasRole('SUPER_ADMIN')")
 @Tag(name = "User Management", description = "User management endpoints (Admin/Super Admin only)")
 @SecurityRequirement(name = "bearerAuth")
diff --git a/auth-service/src/main/java/com/techtorque/auth_service/util/JwtUtil.java b/auth-service/src/main/java/com/techtorque/auth_service/util/JwtUtil.java
index 97d6388..6a25700 100644
--- a/auth-service/src/main/java/com/techtorque/auth_service/util/JwtUtil.java
+++ b/auth-service/src/main/java/com/techtorque/auth_service/util/JwtUtil.java
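Review bot: Dropping the class-level `@RequestMapping` from both AuthController and UserController (this hunk and the UserController hunk below) places every method-level mapping of both controllers into one root namespace, so any two methods that declare the same path and verb would now fail at startup with an ambiguous-mapping error; the method mappings are outside these hunks, so this is a check to run rather than a confirmed defect. The replacement comments describe what was removed but not the contract the service now depends on; a comment that records the gateway rewrite, for example `// Served behind the API gateway, which strips the external /api/v1/auth prefix before forwarding.` (and the `/api/v1/users` equivalent on UserController), tells the next maintainer why the paths are bare. Removing `@CrossOrigin(origins = "*")` is the right call given CORS now lives in the gateway, but it relies on the service not being reachable by browsers directly, which is worth stating in the same comment.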
@@ -15,6 +15,7 @@ import org.springframework.stereotype.Component;
 import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@@ -123,7 +124,8 @@ public boolean validateJwtToken(String token) {
 * Generates a SecretKey object from the Base64 encoded secret string.
 */
 private SecretKey getSignInKey() {
- byte[] keyBytes = Decoders.BASE64.decode(jwtSecret);
+ // Use the raw UTF-8 bytes of the secret string, just like the Go gateway.
+ byte[] keyBytes = jwtSecret.getBytes(StandardCharsets.UTF_8);
 return Keys.hmacShaKeyFor(keyBytes);
 }
 }
\ No newline at end of file
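Review bot: The Javadoc on the context line above `getSignInKey()` still says the key comes "from the Base64 encoded secret string", which the new `jwtSecret.getBytes(StandardCharsets.UTF_8)` line contradicts; replace it with `Derives the HMAC signing key from the raw UTF-8 bytes of the configured secret; the derivation must match the API gateway's exactly.` Switching the derivation changes the effective key for the same configured value, so every token issued before this deploys stops verifying, and any secret that was generated as Base64 text now contributes roughly six bits of entropy per character rather than eight, so the configured value should be a randomly generated string of at least 32 bytes (`Keys.hmacShaKeyFor` rejects shorter keys with a `WeakKeyException` on first use, so a short secret surfaces as a runtime failure rather than at startup). The `Decoders` import is presumably unused after this change and should go; it is outside the hunk.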