Creates default admin user

.gitignore

@@ -31,3 +31,5 @@ build/
 
 ### VS Code ###
 .vscode/
+
+.env

pom.xml

@@ -72,6 +72,25 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-webflux</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-api</artifactId>
+			<version>0.12.7</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-impl</artifactId>
+			<version>0.12.7</version>
+			<scope>runtime</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-jackson</artifactId>
+			<version>0.12.7</version>
+			<scope>runtime</scope>
+		</dependency>
 	</dependencies>
 
 	<build>

src/main/java/com/litoralregas/backend_gateway/BackendGatewayApplication.java

@@ -1,12 +1,16 @@
 package com.litoralregas.backend_gateway;
 
 import com.litoralregas.backend_gateway.gateway.ProxyProperties;
+import com.litoralregas.backend_gateway.security.JwtProperties;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 
 @SpringBootApplication
-@EnableConfigurationProperties(ProxyProperties.class)
+@EnableConfigurationProperties({
+		ProxyProperties.class,
+		JwtProperties.class
+})
 public class BackendGatewayApplication {
 
 	public static void main(String[] args) {

src/main/java/com/litoralregas/backend_gateway/auth/AuthController.java

@@ -0,0 +1,28 @@
+package com.litoralregas.backend_gateway.auth;
+
+import com.litoralregas.backend_gateway.auth.dto.LoginRequest;
+import com.litoralregas.backend_gateway.auth.dto.LoginResponse;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/auth")
+public class AuthController {
+
+    private final AuthService authService;
+    private final PasswordEncoder passwordEncoder;
+
+    public AuthController(
+            AuthService authService,
+            PasswordEncoder passwordEncoder
+    ) {
+        this.authService = authService;
+        this.passwordEncoder = passwordEncoder;
+    }
+
+    @PostMapping("/login")
+    public LoginResponse login(@RequestBody LoginRequest request) {
+        System.out.println(passwordEncoder.encode("admin123"));
+        return authService.login(request);
+    }
+}

src/main/java/com/litoralregas/backend_gateway/auth/AuthService.java

@@ -0,0 +1,58 @@
+package com.litoralregas.backend_gateway.auth;
+
+import com.litoralregas.backend_gateway.auth.dto.LoginRequest;
+import com.litoralregas.backend_gateway.auth.dto.LoginResponse;
+import com.litoralregas.backend_gateway.security.JwtService;
+import com.litoralregas.backend_gateway.user.UserEntity;
+import com.litoralregas.backend_gateway.user.UserRepository;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Service;
+
+@Service
+public class AuthService {
+
+    private final UserRepository userRepository;
+    private final PasswordEncoder passwordEncoder;
+    private final JwtService jwtService;
+
+    public AuthService(
+            UserRepository userRepository,
+            PasswordEncoder passwordEncoder,
+            JwtService jwtService
+    ) {
+        this.userRepository = userRepository;
+        this.passwordEncoder = passwordEncoder;
+        this.jwtService = jwtService;
+    }
+
+    public LoginResponse login(LoginRequest request) {
+
+        UserEntity user = userRepository.findByUsername(request.username())
+                .orElseThrow(InvalidCredentialsException::new);
+
+        if (!user.isEnabled()) {
+            throw new InvalidCredentialsException();
+        }
+
+        boolean valid = passwordEncoder.matches(
+                request.password(),
+                user.getPasswordHash()
+        );
+
+        if (!valid) {
+            throw new InvalidCredentialsException();
+        }
+
+        String accessToken = jwtService.generateToken(user);
+
+        return new LoginResponse(
+                accessToken,
+                "Bearer",
+                user.getId(),
+                user.getClient().getId(),
+                user.getClient().getName(),
+                user.getUsername(),
+                user.getRole()
+        );
+    }
+}

src/main/java/com/litoralregas/backend_gateway/auth/InvalidCredentialsException.java

@@ -0,0 +1,12 @@
+package com.litoralregas.backend_gateway.auth;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.UNAUTHORIZED)
+public class InvalidCredentialsException extends RuntimeException {
+
+    public InvalidCredentialsException() {
+        super("Invalid credentials");
+    }
+}

src/main/java/com/litoralregas/backend_gateway/auth/dto/LoginRequest.java

@@ -0,0 +1,7 @@
+package com.litoralregas.backend_gateway.auth.dto;
+
+public record LoginRequest(
+        String username,
+        String password
+) {
+}

src/main/java/com/litoralregas/backend_gateway/auth/dto/LoginResponse.java

@@ -0,0 +1,14 @@
+package com.litoralregas.backend_gateway.auth.dto;
+
+import com.litoralregas.backend_gateway.user.UserRole;
+
+public record LoginResponse(
+        String accessToken,
+        String tokenType,
+        Long userId,
+        Long clientId,
+        String clientName,
+        String username,
+        UserRole role
+) {
+}

src/main/java/com/litoralregas/backend_gateway/client/ClientRepository.java

@@ -7,4 +7,5 @@ import java.util.Optional;
 public interface ClientRepository extends JpaRepository<ClientEntity, Long> {
 
     Optional<ClientEntity> findByName(String name);
+    Optional<ClientEntity> findByIdAndEnabledTrue(Long id);
 }

src/main/java/com/litoralregas/backend_gateway/client/ClientResolver.java

@@ -0,0 +1,33 @@
+package com.litoralregas.backend_gateway.client;
+
+import com.litoralregas.backend_gateway.security.AuthenticatedUser;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Service;
+
+@Service
+public class ClientResolver {
+
+    private final ClientRepository clientRepository;
+
+    public ClientResolver(ClientRepository clientRepository) {
+        this.clientRepository = clientRepository;
+    }
+
+    public ClientEntity resolveCurrentClient() {
+
+        Authentication authentication =
+                SecurityContextHolder.getContext().getAuthentication();
+
+        if (authentication == null) {
+            throw new RuntimeException("Not authenticated");
+        }
+
+        AuthenticatedUser user =
+                (AuthenticatedUser) authentication.getPrincipal();
+
+        return clientRepository
+                .findByIdAndEnabledTrue(user.clientId())
+                .orElseThrow(() -> new RuntimeException("Client not found"));
+    }
+}

src/main/java/com/litoralregas/backend_gateway/config/AuthExceptionHandler.java

@@ -0,0 +1,17 @@
+package com.litoralregas.backend_gateway.auth;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+@RestControllerAdvice
+public class AuthExceptionHandler {
+
+    @ExceptionHandler(InvalidCredentialsException.class)
+    public ResponseEntity<String> handleInvalidCredentials() {
+        return ResponseEntity
+                .status(HttpStatus.UNAUTHORIZED)
+                .body("Invalid credentials");
+    }
+}

src/main/java/com/litoralregas/backend_gateway/config/SecurityConfig.java

@@ -1,22 +1,32 @@
 package com.litoralregas.backend_gateway.config;
 
+import com.litoralregas.backend_gateway.security.JwtAuthenticationFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 public class SecurityConfig {
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
 
+    public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
+        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
+    }
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         return http
                 .csrf(csrf -> csrf.disable())
                 .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/auth/**").permitAll()
+                        .requestMatchers("/admin/**").hasRole("ADMIN")
+                        .requestMatchers("/api/backend/**").authenticated()
                         .anyRequest().permitAll()
                 )
+                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                 .build();
     }
 

src/main/java/com/litoralregas/backend_gateway/gateway/BackendProxyService.java

@@ -1,5 +1,6 @@
 package com.litoralregas.backend_gateway.gateway;
 
+import com.litoralregas.backend_gateway.client.ClientResolver;
 import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
@@ -12,19 +13,18 @@ import org.springframework.web.reactive.function.client.WebClientResponseExcepti
 public class BackendProxyService {
 
     private final WebClient webClient;
-    private final ProxyProperties proxyProperties;
+    private final ClientResolver clientResolver;
 
-    public BackendProxyService(WebClient webClient, ProxyProperties proxyProperties) {
+    public BackendProxyService(
+            WebClient webClient,
+            ClientResolver clientResolver
+    ) {
         this.webClient = webClient;
-        this.proxyProperties = proxyProperties;
+        this.clientResolver = clientResolver;
     }
 
     public String getHealth() {
-        return webClient.get()
+        return "UP";
-                .uri(proxyProperties.getBackendBaseUrl() + "/actuator/health")
-                .retrieve()
-                .bodyToMono(String.class)
-                .block();
     }
 
     public ResponseEntity<String> proxy(HttpServletRequest request, String body) {
@@ -33,7 +33,7 @@ public class BackendProxyService {
         String query = request.getQueryString();
 
         String targetUrl =
-                proxyProperties.getBackendBaseUrl()
+                resolveBackendUrl()
                         + path
                         + (query != null ? "?" + query : "");
 
@@ -76,4 +76,10 @@ public class BackendProxyService {
                     .body("Backend unavailable");
         }
     }
+
+    private String resolveBackendUrl() {
+        return clientResolver
+                .resolveCurrentClient()
+                .getBackendBaseUrl();
+    }
 }

src/main/java/com/litoralregas/backend_gateway/security/AuthenticatedUser.java

@@ -0,0 +1,11 @@
+package com.litoralregas.backend_gateway.security;
+
+import com.litoralregas.backend_gateway.user.UserRole;
+
+public record AuthenticatedUser(
+        Long userId,
+        Long clientId,
+        String username,
+        UserRole role
+) {
+}

src/main/java/com/litoralregas/backend_gateway/security/JwtAuthenticationFilter.java

@@ -0,0 +1,70 @@
+package com.litoralregas.backend_gateway.security;
+
+import com.litoralregas.backend_gateway.user.UserRole;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.List;
+
+@Component
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+
+    private final JwtService jwtService;
+
+    public JwtAuthenticationFilter(JwtService jwtService) {
+        this.jwtService = jwtService;
+    }
+
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+
+        String authHeader = request.getHeader("Authorization");
+
+        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        String token = authHeader.substring(7);
+
+        if (!jwtService.isValid(token)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        String username = jwtService.extractUsername(token);
+        Long userId = jwtService.extractUserId(token);
+        Long clientId = jwtService.extractClientId(token);
+        UserRole role = UserRole.valueOf(jwtService.extractRole(token));
+
+        AuthenticatedUser authenticatedUser = new AuthenticatedUser(
+                userId,
+                clientId,
+                username,
+                role
+        );
+
+        UsernamePasswordAuthenticationToken authentication =
+                new UsernamePasswordAuthenticationToken(
+                        authenticatedUser,
+                        null,
+                        List.of(new SimpleGrantedAuthority("ROLE_" + role.name()))
+                );
+
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+
+        filterChain.doFilter(request, response);
+    }
+}

src/main/java/com/litoralregas/backend_gateway/security/JwtProperties.java

@@ -0,0 +1,26 @@
+package com.litoralregas.backend_gateway.security;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "jwt")
+public class JwtProperties {
+
+    private String secret;
+    private long expirationMinutes;
+
+    public String getSecret() {
+        return secret;
+    }
+
+    public long getExpirationMinutes() {
+        return expirationMinutes;
+    }
+
+    public void setSecret(String secret) {
+        this.secret = secret;
+    }
+
+    public void setExpirationMinutes(long expirationMinutes) {
+        this.expirationMinutes = expirationMinutes;
+    }
+}

src/main/java/com/litoralregas/backend_gateway/security/JwtService.java

@@ -0,0 +1,101 @@
+package com.litoralregas.backend_gateway.security;
+
+import com.litoralregas.backend_gateway.user.UserEntity;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+import org.springframework.stereotype.Service;
+
+import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
+import java.time.Instant;
+import java.util.Date;
+
+@Service
+public class JwtService {
+
+    private final JwtProperties jwtProperties;
+
+    public JwtService(JwtProperties jwtProperties) {
+        this.jwtProperties = jwtProperties;
+    }
+
+    public String generateToken(UserEntity user) {
+        Instant now = Instant.now();
+        Instant expiresAt = now.plusSeconds(jwtProperties.getExpirationMinutes() * 60);
+
+        return Jwts.builder()
+                .subject(user.getUsername())
+                .claim("userId", user.getId())
+                .claim("clientId", user.getClient().getId())
+                .claim("role", user.getRole().name())
+                .issuedAt(Date.from(now))
+                .expiration(Date.from(expiresAt))
+                .signWith(getSigningKey())
+                .compact();
+    }
+
+    private SecretKey getSigningKey() {
+        return Keys.hmacShaKeyFor(
+                jwtProperties.getSecret().getBytes(StandardCharsets.UTF_8)
+        );
+    }
+
+    private Claims getClaims(String token) {
+
+        return Jwts.parser()
+                .verifyWith(getSigningKey())
+                .build()
+                .parseSignedClaims(token)
+                .getPayload();
+    }
+
+    public boolean isValid(String token) {
+
+        try {
+            getClaims(token);
+            return true;
+        } catch (JwtException ex) {
+            return false;
+        }
+    }
+
+    public String extractUsername(String token) {
+        return getClaims(token).getSubject();
+    }
+
+    public Long extractClientId(String token) {
+
+        Object value = getClaims(token).get("clientId");
+
+        if (value instanceof Integer integer) {
+            return integer.longValue();
+        }
+
+        if (value instanceof Long longValue) {
+            return longValue;
+        }
+
+        return Long.parseLong(value.toString());
+    }
+
+    public String extractRole(String token) {
+        return getClaims(token).get("role", String.class);
+    }
+
+    public Long extractUserId(String token) {
+
+        Object value = getClaims(token).get("userId");
+
+        if (value instanceof Integer integer) {
+            return integer.longValue();
+        }
+
+        if (value instanceof Long longValue) {
+            return longValue;
+        }
+
+        return Long.parseLong(value.toString());
+    }
+}

src/main/resources/application.yaml

@@ -23,4 +23,8 @@ gateway:
   proxy:
     backend-base-url: http://10.100.1.2:18450
     connect-timeout: 3s
-    response-timeout: 10s
+    response-timeout: 10s
+
+jwt:
+  secret: ${JWT_SECRET}
+  expiration-minutes: ${JWT_EXPIRATION_MINUTES:1440}

src/main/resources/db/migration/V3__bootstrap_default_admin.sql

@@ -0,0 +1,16 @@
+INSERT INTO clients (name, backend_base_url, enabled)
+SELECT 'dev-local', 'http://10.100.1.2:18450', 1
+WHERE NOT EXISTS (
+    SELECT 1 FROM clients WHERE name = 'dev-local'
+);
+
+INSERT INTO users (client_id, username, password_hash, role, enabled)
+SELECT
+    (SELECT id FROM clients WHERE name = 'dev-local'),
+    'admin',
+    '$2a$10$it1vy5t1FXISQTWit2A39udaMR0N0yqJtJUnxMqF1Xz4SuNBaam6u',
+    'ADMIN',
+    1
+WHERE NOT EXISTS (
+    SELECT 1 FROM users WHERE username = 'admin'
+);