Merge pull request #20 from Jalen-Stephens/7-api-implement-authcontroller-endpoints

7 api implement authcontroller endpoints

Author: ikeschmack

citations.md

@@ -495,4 +495,234 @@ Assisted in drafting a unit test suite for the `UserService` to validate identit
 
 > Portions of this test suite and build configuration were generated with assistance from OpenAI ChatGPT (GPT-5) on February 27, 2025. All AI-generated content was reviewed, verified, and finalized by the development team.
 
----
+---
+
+### **Commit / Ticket Reference**
+
+* **Commit:** `feat(auth): add Supabase auth proxy + /auth endpoints + JWKS resource server config (refs #7)`
+* **Ticket:** `#7 — Implement Supabase-backed authentication`
+* **Date:** October 21, 2025
+* **Team Member:** Jalen Stephens
+
+---
+
+### **AI Tool Information**
+
+* **Tool Used:** OpenAI ChatGPT (GPT-5)
+* **Access Method:** ChatGPT Web (.edu academic access)
+* **Configuration:** Default model settings
+* **Cost:** $0 (no paid API calls)
+
+---
+
+### **Purpose of AI Assistance**
+
+The AI assisted in designing and scaffolding the Supabase authentication proxy integration. This included creating the `AuthProxyService`, generating a preconfigured `WebClient` for Supabase Auth endpoints, adding `/auth` controller routes, wiring JWT validation through Supabase’s JWKS, and ensuring all components passed Checkstyle and compilation checks. The AI also provided setup guidance for environment variables and secure configuration management.
+
+---
+
+### **Prompts / Interaction Summary**
+
+* Repeat full proxy wiring code block for AuthController and SupabaseClientConfig
+* Add missing Javadoc comments for Checkstyle compliance
+* Resolve `HttpStatus` vs `HttpStatusCode` compilation mismatch
+* Provide environment variable export commands using `set -a` and `.env.local`
+* Validate correct JWKS configuration in Spring Boot (`spring.security.oauth2.resourceserver.jwt.jwk-set-uri`)
+* Generate `AuthControllerTest` for endpoint validation
+
+---
+
+### **Resulting Artifacts**
+
+* **New:** `SupabaseClientConfig.java`
+* **New:** `AuthProxyService.java`
+* **Modified:** `AuthController.java` (added `/auth/signup`, `/auth/login`, `/auth/refresh`, `/auth/me`)
+* **Modified:** `Dtos.java` (added `RefreshRequest` record)
+* **Modified:** `application.properties` (added Supabase env-based config and JWKS endpoint)
+* **Modified:** `pom.xml` (added WebFlux dependency)
+* **Moved:** `UserServiceTest.java` (to `service/` directory)
+
+---
+
+### **Verification**
+
+* Verified build using `mvn checkstyle:check` (0 violations)
+* Successfully compiled with `mvn -DskipTests compile` after resolving HttpStatusCode changes
+* Confirmed application startup with valid Supabase URL and key configuration
+* Manual test planned for `/auth/signup` and `/auth/me` endpoints once live Supabase credentials are applied
+
+---
+
+### **Attribution Statement**
+
+> Portions of this commit and configuration were generated with assistance from OpenAI ChatGPT (GPT-5) on October 21, 2025. All AI-generated content was reviewed, verified, and finalized by the development team.
+
+---
+
+### **Commit / Ticket Reference**
+
+* **Commit:** `test(auth): add controller slice tests + security test config for Supabase proxy (refs #7)`
+* **Ticket:** `#7 — Integrate Supabase Auth Proxy + Resource Server`
+* **Date:** October 21, 2025
+* **Team Member:** Jalen Stephens
+
+---
+
+### **AI Tool Information**
+
+* **Tool Used:** OpenAI ChatGPT (GPT-5)
+* **Access Method:** ChatGPT Web (.edu academic access)
+* **Configuration:** Default model settings
+* **Cost:** $0 (no paid API calls)
+
+---
+
+### **Purpose of AI Assistance**
+
+The AI assisted in designing and drafting controller-slice tests for the `/auth/*` endpoints, as well as creating a dedicated Spring Security test configuration to allow unauthenticated access for the proxy tests. It also helped refine the JSON content-type enforcement in the proxy response so the controller tests aligned with expected client behavior.
+
+---
+
+### **Prompts / Interaction Summary**
+
+* Requested a controller-level test suite for `AuthController`.
+* Noticed 403 and 401 blocking proxy tests → requested correction for security config.
+* Asked for `SecurityTestConfig` to disable CSRF and allow passthrough behavior.
+* AI provided corrections to enable `application/json` for returned `ResponseEntity`.
+
+---
+
+### **Resulting Artifacts**
+
+* Updated logic in `AuthController.java` (exception handler → JSON passthrough)
+* Updated `AuthProxyService.java` (explicit JSON content type)
+* Added `SecurityTestConfig.java` for test slice security
+* Added `AuthControllerTest.java`, covering success and error paths
+
+---
+
+### **Verification**
+
+Changes were validated by:
+
+* Running `mvn clean test` to ensure all tests passed successfully
+* Confirming Spring Security configuration allowed test access to `/auth/*`
+* Inspecting JaCoCo coverage increase in controller and service layers
+* Manual code review for final consistency
+
+---
+
+### **Attribution Statement**
+
+> Portions of this commit or configuration were generated with assistance from OpenAI ChatGPT (GPT-5) on October 21, 2025. All AI-generated content was reviewed, verified, and finalized by the development team.
+
+---
+
+### Commit / Ticket Reference
+- Commit: test(auth): add AuthProxyService + config tests and branch coverage for /auth refresh (refs #7)
+- Ticket: #7 — Supabase Auth Integration
+- Date: October 21, 2025
+- Team Member: Jalen Stephens
+
+---
+
+### AI Tool Information
+- Tool Used: OpenAI ChatGPT (GPT-5)
+- Access Method: ChatGPT Web (.edu academic access)
+- Configuration: Default model settings
+- Cost: $0 (no paid API calls)
+
+---
+
+### Purpose of AI Assistance
+The AI assisted in improving controller branch coverage and validating proxy/auth configuration behavior by generating focused unit tests and updating Dtos coverage.
+
+---
+
+### Prompts / Interaction Summary
+Key prompts included:
+- “need to increase branch coverage in controllers”
+- “tweak my test cases for both these changes”
+- “write javadoc comment”
+- “fix refresh 400 test”
+- “generate commit message and citations”
+
+---
+
+### Resulting Artifacts
+- `src/test/java/dev/coms4156/project/metadetect/service/AuthProxyServiceTest.java`
+- `src/test/java/dev/coms4156/project/metadetect/config/SupabaseClientConfigTest.java`
+- `src/test/java/dev/coms4156/project/metadetect/controller/AuthControllerTest.java` (expanded branch coverage)
+- `src/test/java/dev/coms4156/project/metadetect/dto/DtosTest.java`
+- Javadoc correction for `/auth/refresh`
+- pom adjustments for test dependencies
+
+---
+
+### Verification
+Changes were validated via:
+- `mvn clean test` passing successfully
+- increased coverage reported in JaCoCo
+- manual review of error-path coverage in controller
+
+---
+
+### Attribution Statement
+> Portions of this commit or configuration were generated with assistance from OpenAI ChatGPT (GPT-5) on October 21, 2025. All AI-generated content was reviewed, verified, and finalized by the development team.
+---
+
+### **Commit / Ticket Reference**
+
+* **Commit:** `chore(security): clean SecurityConfig imports and finalize JWKS config for prod (refs #7)`
+* **Ticket:** `#7 — Supabase Auth Integration`
+* **Date:** October 21, 2025
+* **Team Member:** Jalen Stephens
+
+---
+
+### **AI Tool Information**
+
+* **Tool Used:** OpenAI ChatGPT (GPT-5)
+* **Access Method:** ChatGPT Web (.edu academic access)
+* **Configuration:** Default model settings
+* **Cost:** $0 (no paid API calls)
+
+---
+
+### **Purpose of AI Assistance**
+
+Guidance on finalizing Spring Security JWT resource server configuration for Supabase, correcting JWKS endpoint wiring, and addressing Checkstyle star-import violations in `SecurityConfig.java`.
+
+---
+
+### **Prompts / Interaction Summary**
+
+* Asked how to allow unauthenticated signup/login while keeping `/auth/me` secured.
+* Verified JWKS vs. local symmetric-signature mode for development.
+* Asked for recommended commit message and proper citation entry wording.
+* Requested guidance on Checkstyle warnings and star-import cleanup.
+
+---
+
+### **Resulting Artifacts**
+
+* Adjusted `SecurityConfig.java` (import cleanup and JWKS logic finalized).
+* Updated `application.properties` to cleanly reference `spring.security.oauth2.resourceserver.jwt.jwk-set-uri`.
+* Updated `citations.md` with this entry.
+
+---
+
+### **Verification**
+
+* Local manual authentication test via curl using Supabase-issued token.
+* Confirmed access to `POST /auth/signup` and `POST /auth/login` without JWT.
+* Confirmed `GET /auth/me` returns 200 with valid JWT and 401 without.
+* Re-ran Checkstyle and confirmed zero violations.
+
+---
+
+### **Attribution Statement**
+
+> Portions of this commit or configuration were generated with assistance from OpenAI ChatGPT (GPT-5) on October 21, 2025. All AI-generated content was reviewed, verified, and finalized by the development team.
+
+---

pom.xml

@@ -20,11 +20,32 @@
 
 	<properties>
 		<java.version>17</java.version>
-		<!-- makes the built jar name nice -->
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 	</properties>
 
+	<dependencyManagement>
+		<dependencies>
+			<!-- Keep Netty versions consistent -->
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-bom</artifactId>
+				<version>4.1.119.Final</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
 	<dependencies>
+		<!-- macOS native DNS resolver -->
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-resolver-dns-native-macos</artifactId>
+			<version>4.1.119.Final</version>
+			<classifier>${os.detected.name}-${os.detected.arch}</classifier>
+			<scope>runtime</scope>
+		</dependency>
+
 		<!-- Spring Security core -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -103,9 +124,27 @@
 			<version>11.14.0</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-webflux</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>com.squareup.okhttp3</groupId>
+			<artifactId>mockwebserver</artifactId>
+			<version>4.12.0</version>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 
 	<build>
+		<extensions>
+			<extension>
+				<groupId>kr.motd.maven</groupId>
+				<artifactId>os-maven-plugin</artifactId>
+				<version>1.7.1</version>
+			</extension>
+		</extensions>
 		<finalName>${project.artifactId}-${project.version}</finalName>
 		<plugins>
 			<plugin>
@@ -186,6 +225,13 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+				<configuration>
+					<jvmArguments>--enable-native-access=ALL-UNNAMED</jvmArguments>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>

src/main/java/dev/coms4156/project/metadetect/config/SecurityConfig.java

@@ -1,16 +1,20 @@
-// src/main/java/dev/coms4156/project/metadetect/config/SecurityConfig.java
-
 package dev.coms4156.project.metadetect.config;
 
-import java.util.Collection;
-import java.util.Collections;
+import java.nio.charset.StandardCharsets;
+import javax.crypto.spec.SecretKeySpec;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
 import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtException;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.web.SecurityFilterChain;
 
 /**
@@ -24,26 +28,32 @@ public class SecurityConfig {
   @Bean
   SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
     http
-        .csrf(csrf -> csrf.disable())
-        .authorizeHttpRequests(auth -> auth
-        .requestMatchers("/health", "/actuator/**").permitAll()
+      .csrf(csrf -> csrf.disable())
+      .authorizeHttpRequests(auth -> auth
+        .requestMatchers("/health", "/actuator/**", "/auth/signup", "/auth/login", "/auth/refresh")
+        .permitAll()
         .anyRequest().authenticated()
       )
-        .oauth2ResourceServer(oauth2 -> oauth2
-        .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter()))
-        );
+        .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
     return http.build();
   }
 
   @Bean
-  JwtAuthenticationConverter jwtAuthenticationConverter() {
-    // Keep authorities empty for now; we only need claims (sub, email).
-    JwtAuthenticationConverter conv = new JwtAuthenticationConverter();
-    conv.setJwtGrantedAuthoritiesConverter(SecurityConfig::emptyAuthorities);
-    return conv;
-  }
+  JwtDecoder jwtDecoder(
+      @Value("${metadetect.supabase.jwtSecret}") String jwtSecret,
+      @Value("${metadetect.supabase.url}") String issuer
+  ) {
+    var key = new SecretKeySpec(jwtSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
+    var decoder = NimbusJwtDecoder.withSecretKey(key)
+        .macAlgorithm(MacAlgorithm.HS256)
+        .build();
+
+    // Validate issuer + standard claims; audience in Supabase is "authenticated"
+    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(
+        issuer + "/auth/v1");
+    OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(withIssuer);
+    decoder.setJwtValidator(validator);
 
-  private static Collection<GrantedAuthority> emptyAuthorities(Jwt jwt) {
-    return Collections.emptyList();
+    return decoder;
   }
 }