TechTorque-2025 · RandithaK · Sep 28, 2025 · Sep 27, 2025 · Sep 28, 2025 · Sep 28, 2025
diff --git a/auth-service/src/main/java/com/techtorque/auth_service/config/SecurityConfig.java b/auth-service/src/main/java/com/techtorque/auth_service/config/SecurityConfig.java
@@ -16,11 +16,11 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-
-import java.util.Arrays;
+// CorsConfiguration and related imports are no longer needed
+// import org.springframework.web.cors.CorsConfiguration;
+// import org.springframework.web.cors.CorsConfigurationSource;
+// import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+// import java.util.Arrays;
 
 @Configuration
 @EnableWebSecurity
@@ -56,38 +56,37 @@ public AuthenticationManager authenticationManager(AuthenticationConfiguration a
     return authConfig.getAuthenticationManager();
   }
 
-  // NOTE: The WebSecurityCustomizer bean has been completely removed.
-
   @Bean
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     http
             .csrf(AbstractHttpConfigurer::disable)
-            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+            // =====================================================================
+            // CORS CONFIGURATION HAS BEEN REMOVED FROM THE SPRING BOOT SERVICE
+            // The Go API Gateway is now solely responsible for handling CORS.
+            // .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+            // =====================================================================
             .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler))
             .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
             .authorizeHttpRequests(auth -> auth
-                    .requestMatchers(
-                            // Public API endpoints
-                            "/api/v1/auth/**",  // Fixed: more specific auth path
-                            "/api/auth/**",     // Keep both for backward compatibility
-
-                            // Public controller endpoints
-                            "/favicon.ico",
-                            "/error",           // Add error page
+        .requestMatchers(
+          // Permit the paths AS SEEN BY THE JAVA SERVICE after the gateway strips the prefixes.
+          "/login",
+          "/register",
+          "/health",
 
-                            // Health check and actuator endpoints (if needed)
+          // Backwards-compatible patterns (if any clients bypass the gateway)
+          "/api/v1/auth/**",
+          "/api/auth/**",
+                            "/favicon.ico",
+                            "/error",
                             "/actuator/**",
-
-                            // All OpenAPI and Swagger UI resources
                             "/v3/api-docs/**",
                             "/swagger-ui/**",
                             "/swagger-ui.html",
-                            "/swagger-resources/**", // Include swagger-resources
-                            "/webjars/**",          // Include webjars
-                            "/api-docs/**"          // Additional swagger endpoint pattern
+                            "/swagger-resources/**",
+                            "/webjars/**",
+                            "/api-docs/**"
                     ).permitAll()
-
-                    // All other requests require authentication.
                     .anyRequest().authenticated()
             );
 
@@ -97,33 +96,21 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     return http.build();
   }
 
+  // =====================================================================
+  // THE CORS CONFIGURATION BEAN HAS BEEN COMPLETELY REMOVED.
+  // =====================================================================
+  /*
   @Bean
   public CorsConfigurationSource corsConfigurationSource() {
     CorsConfiguration configuration = new CorsConfiguration();
-
-    // Allow specific origins
-    configuration.setAllowedOrigins(Arrays.asList(
-        "http://localhost:3000",  // Next.js dev server
-        "http://127.0.0.1:3000"   // Alternative localhost
-    ));
-
-    // Allow all headers
+    configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000", "http://127.0.0.1:3000"));
     configuration.setAllowedHeaders(Arrays.asList("*"));
-
-    // Allow specific HTTP methods
-    configuration.setAllowedMethods(Arrays.asList(
-        "GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"
-    ));
-
-    // Allow credentials (important for cookies/auth tokens)
+    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
     configuration.setAllowCredentials(true);
-
-    // Cache preflight response for 1 hour
     configuration.setMaxAge(3600L);
-
     UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
     source.registerCorsConfiguration("/**", configuration);
-
     return source;
   }
+  */
 }
diff --git a/auth-service/src/main/java/com/techtorque/auth_service/controller/AuthController.java b/auth-service/src/main/java/com/techtorque/auth_service/controller/AuthController.java
@@ -26,8 +26,10 @@
  * Handles login, registration, and health check requests
  */
 @RestController
-@RequestMapping("/api/v1/auth")
-@CrossOrigin(origins = "*", maxAge = 3600)
+// Class-level request mapping removed — gateway strips prefixes before forwarding
+// @RequestMapping("/api/v1/auth")
+// CORS handled at the API Gateway; remove @CrossOrigin to avoid conflicts
+// @CrossOrigin(origins = "*", maxAge = 3600)
 @Tag(name = "Authentication", description = "Authentication and user management endpoints")
 public class AuthController {
 

diff --git a/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java b/auth-service/src/main/java/com/techtorque/auth_service/controller/UserController.java
@@ -25,8 +25,10 @@
  * Endpoints in this controller are accessible to users with ADMIN or SUPER_ADMIN roles.
  */
 @RestController
-@RequestMapping("/api/v1/users")
-@CrossOrigin(origins = "*", maxAge = 3600)
+// Class-level request mapping removed — endpoints are exposed as internal paths
+// @RequestMapping("/api/v1/users")
+// CORS handled by API Gateway; remove @CrossOrigin to avoid conflicts
+// @CrossOrigin(origins = "*", maxAge = 3600)
 @PreAuthorize("hasRole('ADMIN') or hasRole('SUPER_ADMIN')")
 @Tag(name = "User Management", description = "User management endpoints (Admin/Super Admin only)")
 @SecurityRequirement(name = "bearerAuth")

diff --git a/auth-service/src/main/java/com/techtorque/auth_service/util/JwtUtil.java b/auth-service/src/main/java/com/techtorque/auth_service/util/JwtUtil.java
@@ -15,6 +15,7 @@
 import org.springframework.stereotype.Component;
 
 import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@@ -123,7 +124,8 @@ public boolean validateJwtToken(String token) {
    * Generates a SecretKey object from the Base64 encoded secret string.
    */
   private SecretKey getSignInKey() {
-    byte[] keyBytes = Decoders.BASE64.decode(jwtSecret);
+    // Use the raw UTF-8 bytes of the secret string, just like the Go gateway.
+    byte[] keyBytes = jwtSecret.getBytes(StandardCharsets.UTF_8);
     return Keys.hmacShaKeyFor(keyBytes);
   }
 }