Authentication - uzh/marugoto GitHub Wiki

The application supports two ways to authenticate.

Guest credentials

Credentials login is implemented via JWT authentication (stateless).

All classes used for JWT auth can be found in the following package:

ch.uzh.marugoto.backend.security

The request paths requiring authentication are defined under WebSecurityConfig.java > configure(HttpSecurity http).

    // Following paths require no authentication
    .antMatchers("/api/", "/api/dev/**", "/api/auth/generate-token").permitAll()
    // Following paths require token authentication
    .antMatchers("/api/**").authenticated()
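As an added example (not code from the marugoto project), the following Python models Spring Security's first-match evaluation of the antMatchers above with a simplified Ant-style matcher, so the unauthenticated surface of a route list can be reviewed offline. The rule table is transcribed from the snippet; the behaviour for paths that match no listed rule is left as None because the page does not show the rest of the configuration, and trailing-slash leniency and URI variables are not modelled.

```python
import re
from typing import List, Optional, Tuple

# Rule table transcribed from the WebSecurityConfig excerpt above.
# Spring Security evaluates antMatchers in order; the first pattern that
# matches the request path decides the outcome.
RULES: List[Tuple[str, str]] = [
    ("/api/", "permitAll"),
    ("/api/dev/**", "permitAll"),
    ("/api/auth/generate-token", "permitAll"),
    ("/api/**", "authenticated"),
]

def _segment_matches(pattern_seg: str, path_seg: str) -> bool:
    """Match one path segment: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern_seg).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.fullmatch(regex, path_seg) is not None

def _match(pattern: List[str], path: List[str]) -> bool:
    if not pattern:
        return not path
    if pattern[0] == "**":
        # '**' spans zero or more whole segments, so "/api/dev/**" also covers "/api/dev".
        return any(_match(pattern[1:], path[i:]) for i in range(len(path) + 1))
    if not path:
        return False
    return _segment_matches(pattern[0], path[0]) and _match(pattern[1:], path[1:])

def ant_match(pattern: str, path: str) -> bool:
    """Simplified Ant-style matcher (assumption: no trailing-slash leniency, no URI variables)."""
    return _match(pattern.split("/"), path.split("/"))

def decide(path: str) -> Optional[str]:
    """Return the rule applied by the first matching antMatcher, or None if no rule matches."""
    for pattern, rule in RULES:
        if ant_match(pattern, path):
            return rule
    return None  # the page does not show what happens to paths outside the listed matchers

def open_routes(routes: List[str]) -> List[str]:
    """Review helper: the routes reachable without a token under the current rules."""
    return [r for r in routes if decide(r) == "permitAll"]

if __name__ == "__main__":
    # Constructed sample routes, not taken from the project.
    sample = ["/api/", "/api/auth/generate-token", "/api/pages/42", "/api/dev/reset", "/api"]
    print(open_routes(sample))  # ['/api/', '/api/auth/generate-token', '/api/dev/reset']
```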

Token validity period is defined in Constants.java > ACCESS_TOKEN_VALIDITY_MS:

    public static final long ACCESS_TOKEN_VALIDITY_MS = Duration.ofHours(5).toMillis();

The credentials check against the database is done in UserService (by implementing UserDetailsService):

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The mail address is the username; lookup happens against the database
        var applicationUser = userRepository.findByMail(username);
        if (applicationUser == null)
            throw new UsernameNotFoundException(username);

        // No roles are assigned: every user gets an empty authority list
        return new User(applicationUser.getMail(), applicationUser.getPasswordHash(), Collections.emptyList());
    }

Swagger integration

By default, Swagger does not send the JWT with a request unless the endpoint method is explicitly configured for it. @ApiOperation(authorizations) needs to be defined for every method requiring authentication:

    @ApiOperation(value = "Load page by ID.", authorizations = { @Authorization(value = "apiKey") })
    @GetMapping("pages/{id}")
    public Map<String, Object> getPage(@ApiParam("ID of page.") @PathVariable String id) {
        // ... method body omitted
    }

Every method with the authorizations option configured shows a lock symbol in Swagger UI (see below).

To authenticate via Swagger UI:

  1. Use the authentication-controller > /api/auth/generate-token endpoint to generate a token.
  2. Copy the token to the clipboard (including "Bearer ").
  3. Click on the Authorize button in Swagger.
  4. Paste the token (including "Bearer ").
  5. Click on Authorize.
  6. Every request having a lock symbol will now use the supplied token for authentication.

Switch AAI with Shibboleth

To be implemented.