fix: Fix user auth to match other services

build.gradle.kts

@@ -34,8 +34,8 @@ dependencies {
 	implementation("org.flywaydb:flyway-database-postgresql")
 	runtimeOnly("org.postgresql:postgresql")
 
-	// Security
-	implementation("org.springframework.boot:spring-boot-starter-security")
+	// Password Encoding
+	implementation("org.springframework.security:spring-security-crypto")
 
 	// RabbitMQ
 	implementation("org.springframework.boot:spring-boot-starter-amqp")
@@ -66,7 +66,6 @@ dependencies {
 
 	// Test
 	testImplementation("org.springframework.boot:spring-boot-starter-test")
-	testImplementation("org.springframework.security:spring-security-test")
 	testImplementation("org.testcontainers:junit-jupiter:1.20.4")
 	testImplementation("org.testcontainers:postgresql:1.20.4")
 	testImplementation("org.springframework.amqp:spring-rabbit-test")

src/main/java/com/devoops/user/config/PasswordEncoderConfig.java

@@ -0,0 +1,15 @@
+package com.devoops.user.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class PasswordEncoderConfig {
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}

src/main/java/com/devoops/user/config/RequireRole.java

@@ -0,0 +1,12 @@
+package com.devoops.user.config;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface RequireRole {
+    String[] value();
+}

src/main/java/com/devoops/user/config/RoleAuthorizationInterceptor.java

@@ -0,0 +1,50 @@
+package com.devoops.user.config;
+
+import com.devoops.user.exception.ForbiddenException;
+import com.devoops.user.exception.UnauthorizedException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.NonNull;
+import org.springframework.stereotype.Component;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+import java.util.Arrays;
+
+@Component
+public class RoleAuthorizationInterceptor implements HandlerInterceptor {
+
+    @Override
+    public boolean preHandle(
+            @NonNull HttpServletRequest request,
+            @NonNull HttpServletResponse response,
+            @NonNull Object handler
+    )
+    {
+        if (!(handler instanceof HandlerMethod handlerMethod)) {
+            return true;
+        }
+
+        RequireRole methodAnnotation = handlerMethod.getMethodAnnotation(RequireRole.class);
+        RequireRole classAnnotation = handlerMethod.getBeanType().getAnnotation(RequireRole.class);
+
+        RequireRole requireRole = methodAnnotation != null ? methodAnnotation : classAnnotation;
+        if (requireRole == null) {
+            return true;
+        }
+
+        String role = request.getHeader("X-User-Role");
+        if (role == null) {
+            throw new UnauthorizedException("Missing authentication headers");
+        }
+
+        boolean hasRole = Arrays.stream(requireRole.value())
+                .anyMatch(r -> r.equalsIgnoreCase(role));
+
+        if (!hasRole) {
+            throw new ForbiddenException("Insufficient permissions");
+        }
+
+        return true;
+    }
+}

src/main/java/com/devoops/user/config/UserContext.java

@@ -0,0 +1,5 @@
+package com.devoops.user.config;
+
+import java.util.UUID;
+
+public record UserContext(UUID userId, String role) { }

src/main/java/com/devoops/user/config/UserContextResolver.java

@@ -0,0 +1,41 @@
+package com.devoops.user.config;
+
+import com.devoops.user.exception.UnauthorizedException;
+import org.jspecify.annotations.NonNull;
+import org.springframework.core.MethodParameter;
+import org.springframework.web.bind.support.WebDataBinderFactory;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.method.support.ModelAndViewContainer;
+
+import java.util.UUID;
+
+public class UserContextResolver implements HandlerMethodArgumentResolver {
+
+    @Override
+    public boolean supportsParameter(MethodParameter parameter) {
+        return UserContext.class.isAssignableFrom(parameter.getParameterType());
+    }
+
+    @Override
+    public Object resolveArgument(
+            @NonNull MethodParameter parameter,
+            ModelAndViewContainer mavContainer,
+            NativeWebRequest webRequest,
+            WebDataBinderFactory binderFactory
+    )
+    {
+        String userId = webRequest.getHeader("X-User-Id");
+        String role = webRequest.getHeader("X-User-Role");
+
+        if (userId == null || role == null) {
+            throw new UnauthorizedException("Missing authentication headers");
+        }
+
+        try {
+            return new UserContext(UUID.fromString(userId), role);
+        } catch (IllegalArgumentException e) {
+            throw new UnauthorizedException("Invalid user ID format");
+        }
+    }
+}

src/main/java/com/devoops/user/config/WebConfig.java

@@ -0,0 +1,27 @@
+package com.devoops.user.config;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import java.util.List;
+
+@Configuration
+@RequiredArgsConstructor
+public class WebConfig implements WebMvcConfigurer {
+
+    private final RoleAuthorizationInterceptor roleAuthorizationInterceptor;
+
+    @Override
+    public void addArgumentResolvers(List<HandlerMethodArgumentResolver> resolvers) {
+        resolvers.add(new UserContextResolver());
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(roleAuthorizationInterceptor);
+    }
+
+}

src/main/java/com/devoops/user/controller/UserController.java

@@ -1,5 +1,7 @@
 package com.devoops.user.controller;
 
+import com.devoops.user.config.RequireRole;
+import com.devoops.user.config.UserContext;
 import com.devoops.user.dto.request.ChangePasswordRequest;
 import com.devoops.user.dto.request.UpdateUserRequest;
 import com.devoops.user.dto.response.AuthenticationResponse;
@@ -8,8 +10,6 @@
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 
 @RestController
@@ -20,25 +20,25 @@ public class UserController {
     private final UserService userService;
 
     @GetMapping
-    @PreAuthorize("hasAnyRole('HOST', 'GUEST')")
-    public ResponseEntity<UserResponse> getProfile(Authentication auth) {
-        return ResponseEntity.ok(userService.getProfile(auth));
+    @RequireRole({"HOST", "GUEST"})
+    public ResponseEntity<UserResponse> getProfile(UserContext userContext) {
+        return ResponseEntity.ok(userService.getProfile(userContext.userId()));
     }
 
     @PutMapping
-    @PreAuthorize("hasAnyRole('HOST', 'GUEST')")
+    @RequireRole({"HOST", "GUEST"})
     public ResponseEntity<AuthenticationResponse> updateProfile(
-            Authentication auth,
+            UserContext userContext,
             @RequestBody @Valid UpdateUserRequest request) {
-        return ResponseEntity.ok(userService.updateProfile(auth, request));
+        return ResponseEntity.ok(userService.updateProfile(userContext.userId(), request));
     }
 
     @PutMapping("/password")
-    @PreAuthorize("hasAnyRole('HOST', 'GUEST')")
+    @RequireRole({"HOST", "GUEST"})
     public ResponseEntity<Void> changePassword(
-            Authentication auth,
+            UserContext userContext,
             @RequestBody @Valid ChangePasswordRequest request) {
-        userService.changePassword(auth, request);
+        userService.changePassword(userContext.userId(), request);
         return ResponseEntity.noContent().build();
     }
 }

src/main/java/com/devoops/user/entity/User.java

@@ -6,12 +6,6 @@
 import org.hibernate.annotations.JdbcTypeCode;
 import org.hibernate.annotations.SQLRestriction;
 import org.hibernate.type.SqlTypes;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.userdetails.UserDetails;
-
-import java.util.Collection;
-import java.util.List;
 
 @Entity
 @Table(name = "users")
@@ -21,7 +15,7 @@
 @NoArgsConstructor
 @AllArgsConstructor
 @SuperBuilder
-public class User extends BaseEntity implements UserDetails {
+public class User extends BaseEntity {
 
     @Column(nullable = false, unique = true, length = 50)
     private String username;
@@ -45,30 +39,4 @@ public class User extends BaseEntity implements UserDetails {
     @Column(nullable = false, columnDefinition = "user_role")
     @JdbcTypeCode(SqlTypes.NAMED_ENUM)
     private Role role;
-
-    @Override
-    @NonNull
-    public Collection<? extends GrantedAuthority> getAuthorities() {
-        return List.of(new SimpleGrantedAuthority("ROLE_" + role.name()));
-    }
-
-    @Override
-    public boolean isAccountNonExpired() {
-        return true;
-    }
-
-    @Override
-    public boolean isAccountNonLocked() {
-        return true;
-    }
-
-    @Override
-    public boolean isCredentialsNonExpired() {
-        return true;
-    }
-
-    @Override
-    public boolean isEnabled() {
-        return true;
-    }
 }

src/main/java/com/devoops/user/exception/ForbiddenException.java

@@ -0,0 +1,8 @@
+package com.devoops.user.exception;
+
+public class ForbiddenException extends RuntimeException {
+
+    public ForbiddenException(String message) {
+        super(message);
+    }
+}