835-loginService-JWT-v2 #973

Merged
a22erigr merged 12 commits from 835-loginService-JWT-v2 into team_2_week_6 2026-05-18 09:46:46 +00:00
Collaborator

What's been done

  • Added role to users in database 02-users and updated existing code in loginService to handle this
  • Implemented TokenService in loginService to generate JWT access tokens
  • Added so that logging in generates an access token and stores it in a cookie
  • Created example of protected endpoints in loginService/ProtectedEndpoints.cs for debugging/ as a template for how it can be used
  • Added and commented out implementation of authorization to energyService as a template for how this can be used
    • To test yourself, uncomment the stuff in EnergyEndpoints.cs, Program.cs and energyService.csproj (all in energyService, of course)
    • !!Do not forget to uncomment the line in nginx.conf and to add the env variables to energyService in compose.yaml!
  • Updated installation scripts to generate new env variables
    • The windows script has not been tested...
    • The JWT key should be a 32 characters long random string. I did not know how to gracefully implement this in the windows installation script, so it currently is just a placeholder

For the tester/reviewer

  • Since the endpoints for creating an account and logging in (as well as the example protected endpoints) are not reachable from the application, to test this you can use something like Postman or the browser extension RESTer
  • Created accounts have Students as their default role, so they won't be able to reach the admin endpoint
  • Remember to run the installation script to generate the new env variables!
  • When you are not logged in, accessing protected endpoints should return 401. When logged in and accessing an endpoint you are not authorized for (e.g. a student trying to reach the admin endpoint), it should return 403 (I think)

Continued work

This is a start, but here are some things that should be implemented after this has been merged:

  • Implement so that windows install script generates proper random JWT key
  • Add unit tests for additions to loginService
  • Make login and SignUp endpoints reachable from the application (perhaps from the login modal)
  • Implement refresh tokens and refresh token rotation
  • Add authorization to appropriate endpoints in different services
    • An example of this could be implementing an endpoint to delete accounts, and making only admins allowed to use it.
  • Research use of interceptors (such as axios) to catch things like 401s and 403 before they reach the frontend
a22erigr 2026-05-15 12:25:25 +00:00
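As an added example that is not code from this PR or the BoundlessFlowCampus2K project, the following minimal ASP.NET Core app puts the pieces the description lists in one place: an HS256 access token created at login, stored in an HttpOnly cookie, read back by the JwtBearer handler, and role-checked so that a missing or invalid token gets 401 from the authentication middleware and a valid Student token on the admin endpoint gets 403 from the authorization middleware. JWT_EXPIRY is the variable named in the review; JWT_KEY, the cookie name, the issuer/audience strings, the "AdminOnly" policy name and the in-memory user store with its constructed users are assumptions.

```csharp
// Added example, not the project's code: minimal ASP.NET Core app that issues an HS256
// access token at login, stores it in an HttpOnly cookie and protects endpoints by role.
// JWT_EXPIRY is named in the PR review; JWT_KEY, the cookie name, issuer/audience and
// the in-memory user store are assumptions made for this example.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

const string Issuer = "loginService";     // assumed
const string Audience = "campus";         // assumed
const string CookieName = "access_token"; // assumed

var builder = WebApplication.CreateBuilder(args);

var jwtKey = Environment.GetEnvironmentVariable("JWT_KEY")
             ?? throw new InvalidOperationException("JWT_KEY is not set");
// HS256 needs at least 256 bits of key material, so a short or placeholder key
// fails at startup instead of silently signing weak tokens.
if (Encoding.UTF8.GetByteCount(jwtKey) < 32)
    throw new InvalidOperationException("JWT_KEY must be at least 32 bytes of random data");
var expiryMinutes = int.Parse(Environment.GetEnvironmentVariable("JWT_EXPIRY") ?? "60");
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        // Take the token from the cookie instead of the Authorization header.
        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = ctx =>
            {
                ctx.Token = ctx.Request.Cookies[CookieName];
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization(options =>
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed in-memory user store standing in for the users table; passwords are
// kept only as salted PBKDF2-SHA256 hashes.
var users = new Dictionary<string, (byte[] Salt, byte[] Hash, string Role)>();
void AddUser(string name, string password, string role)
{
    var salt = RandomNumberGenerator.GetBytes(16);
    var hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);
    users[name] = (salt, hash, role);
}
AddUser("student1", "example-password-1", "Student"); // Student is the default role per the PR
AddUser("admin1", "example-password-2", "Admin");

bool CredentialsAreValid(string name, string password) =>
    users.TryGetValue(name, out var u) &&
    CryptographicOperations.FixedTimeEquals(
        Rfc2898DeriveBytes.Pbkdf2(password, u.Salt, 100_000, HashAlgorithmName.SHA256, 32), u.Hash);

string CreateToken(string name, string role)
{
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, name),
        new Claim(ClaimTypes.Role, role),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    };
    var token = new JwtSecurityToken(Issuer, Audience, claims,
        expires: DateTime.UtcNow.AddMinutes(expiryMinutes),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(token);
}

app.MapPost("/login", (LoginRequest req, HttpContext ctx) =>
{
    if (!CredentialsAreValid(req.Username, req.Password)) return Results.Unauthorized();
    ctx.Response.Cookies.Append(CookieName, CreateToken(req.Username, users[req.Username].Role),
        new CookieOptions
        {
            HttpOnly = true,                // not readable by page scripts
            Secure = true,                  // only sent over HTTPS
            SameSite = SameSiteMode.Strict, // not attached to cross-site requests
            Expires = DateTimeOffset.UtcNow.AddMinutes(expiryMinutes),
        });
    return Results.Ok();
});

// Missing or invalid cookie: the authentication middleware answers 401.
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new
{
    Name = user.FindFirst(ClaimTypes.NameIdentifier)?.Value,
    Role = user.FindFirst(ClaimTypes.Role)?.Value,
})).RequireAuthorization();

// Valid cookie but role is not Admin: the authorization middleware answers 403.
app.MapGet("/admin", () => Results.Ok("admin area")).RequireAuthorization("AdminOnly");

app.Run();

record LoginRequest(string Username, string Password);
```

To exercise it the way the description suggests, run with JWT_KEY set to 32 random bytes, POST `{"username":"student1","password":"example-password-1"}` to /login from Postman, Bruno or RESTer, then GET /me and /admin with the returned cookie: /me answers 200, /admin answers 403, and both answer 401 once the cookie is removed. The key-length check at startup is also what would reject the placeholder value the Windows installation script currently writes.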
a24noabe requested changes 2026-05-15 14:22:56 +00:00
Dismissed
a24noabe left a comment
Collaborator

Review on JWT implementation

Tested on Windows 11 using Bruno

Functionality:

  • Ran Install script for windows (failed)
  • Tried signing up (passed)
  • Tried signing up with invalid payload (passed, didn't create user)
  • Tried logging in with wrong credentials (passed, didn't return token)
  • Tried logging in with correct credentials (passed)
  • Tried the protected endpoints with token (all passed)
  • Tried the protected endpoints without token (all passed, 401 unauthorized)
  • Tried energyService protected endpoints with token (all passed)
  • Tried energyService protected endpoints without token (all passed, 401 unauthorized)

Code:

  • All files look good except BoundlessFlowCampus2K/scripts/WindowsInstallation.bat, there is a misspelling on line 146: JWT_EXPIR=60 >> "./.env" should be echo JWT_EXPIRY=60 >> "./.env"

Conclusion

Ready to be merged after fix to WindowsInstallation.bat

a24noabe approved these changes 2026-05-18 09:43:33 +00:00
a24noabe left a comment
Collaborator

Issue fixed, ready to merge 👍

a22erigr merged commit e1672e8bc2 into team_2_week_6 2026-05-18 09:46:46 +00:00
Reference
Andras/BoundlessFlowCampus2K!973