BUMETCS673
diff --git a/‎README.md‎
Lines changed: 11 additions & 0 deletions b/‎README.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎code/backend/.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎code/backend/.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎code/backend/pom.xml‎
Lines changed: 22 additions & 0 deletions b/‎code/backend/pom.xml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/configs/SecurityBeansConfig.java‎
Lines changed: 0 additions & 35 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/configs/SecurityBeansConfig.java‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/configs/SecurityConfig.java‎
Lines changed: 75 additions & 16 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/configs/SecurityConfig.java‎
Lines changed: 75 additions & 16 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/controller/AdminController.java‎
Lines changed: 15 additions & 0 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/controller/AdminController.java‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/controller/AuthController.java‎
Lines changed: 43 additions & 0 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/controller/AuthController.java‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/controller/SecureController.java‎
Lines changed: 27 additions & 0 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/controller/SecureController.java‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/health/JwtHealthIndicator.java‎
Lines changed: 31 additions & 0 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/health/JwtHealthIndicator.java‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎code/backend/src/main/java/com/cs673/careerforge/model/AuthRequest.java‎
Lines changed: 30 additions & 0 deletions b/‎code/backend/src/main/java/com/cs673/careerforge/model/AuthRequest.java‎
Lines changed: 30 additions & 0 deletions
@@ -94,6 +94,17 @@ server/               # Java backend (to be added)
 This project uses job data via the **Rise Jobs API**: [https://pitchwall.co/product/rise-jobs-api](https://pitchwall.co/product/rise-jobs-api).
 Please review and respect the provider’s terms of service and attribution guidelines.
 
+## Security
+### JWT Secret Setup
+- **Development:** No setup required!  
+  The app auto-generates a secure secret on first run and saves it to `~/.jwt-secret`.
+
+- **Production:** You must provide a real secret via
+    - Environment variable: `APP_JWT_SECRET`, or
+    - Spring property: `app.jwt.secret`
+
+If no secret is provided in production, the app will fail to start.
+
 ## License
 
 For educational use as part of BU CS673 course project.
@@ -31,3 +31,6 @@ build/
 
 ### VS Code ###
 .vscode/
+
+### Security ###
+~/.jwt-secret
@@ -60,13 +60,30 @@
       <artifactId>h2</artifactId>
       <scope>runtime</scope>
     </dependency>
+
     <!-- Use the modern MySQL driver artifact; let Boot manage the version -->
     <dependency>
       <groupId>com.mysql</groupId>
       <artifactId>mysql-connector-j</artifactId>
       <scope>runtime</scope>
     </dependency>
 
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-api</artifactId>
+      <version>0.11.5</version>
+    </dependency>
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-impl</artifactId>
+      <version>0.11.5</version>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-jackson</artifactId>
+      <version>0.11.5</version>
+    </dependency>
     <!-- Flyway migrations -->
     <dependency>
       <groupId>org.flywaydb</groupId>
@@ -104,6 +121,11 @@
       <artifactId>mysql</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.h2database</groupId>
+      <artifactId>h2</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
 
@@ -7,31 +7,90 @@
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import com.cs673.careerforge.security.JwtRequestFilter;
+import com.cs673.careerforge.security.JwtUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
+import com.cs673.careerforge.security.JwtAuthenticationEntryPoint;
 
 @Configuration
 public class SecurityConfig {
 
     @Bean
-    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-        http
-            .csrf(csrf -> csrf.disable())
-            // allow H2 console to render in a frame
-            .headers(h -> h.frameOptions(f -> f.sameOrigin()))
-            .authorizeHttpRequests(auth -> auth
-                .requestMatchers(
-                    "/actuator/health",
-                    "/h2-console/**",
-                    "/public/**"
-                ).permitAll()
-                .anyRequest().authenticated()
-            )
-            .httpBasic(Customizer.withDefaults());
-
-        return http.build();
+    public SecurityFilterChain filterChain(HttpSecurity http,
+                                           JwtRequestFilter jwtRequestFilter,
+                                           JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint) throws Exception {
+        //csrf.disable -> typical for stateless APIs
+        return http
+                .csrf(csrf -> csrf.disable())
+                // allow H2 console to render in a frame
+                .headers(h -> h.frameOptions(f -> f.sameOrigin()))
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers(
+                                //For testing uncomment out the first line below to allow all endpoints to be unauthenticated
+                                //"/",
+                                "/actuator/health",
+                                "/h2-console/**",
+                                "/public/**",
+                                "/authenticate", // change for login endpoint
+                                "/register"        // change for signup endpoint
+                        ).permitAll()
+                        .requestMatchers("/secure").authenticated() // secure endpoint requires JWT
+                     //   .requestMatchers("/secure").hasRole("USER") // secure endpoint requires JWT, both USER and ADMIN get in
+                        .requestMatchers("/admin/**").hasRole("ADMIN") //only ADMIN. Not implemented yet. Just being used for tests
+                        .anyRequest().authenticated()
+                )
+                .sessionManagement(session -> session
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HTTP sessions
+                )
+                // plug in the custom entrypoint
+                .exceptionHandling(ex ->
+                        ex.authenticationEntryPoint(jwtAuthenticationEntryPoint)
+                )
+                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
+                .build();
     }
 
     @Bean
     public AuthenticationManager authenticationManager(AuthenticationConfiguration cfg) throws Exception {
         return cfg.getAuthenticationManager();
     }
+
+    @Bean
+    public UserDetailsService users(
+            @Value("${app.security.user.name}") String userName,
+            @Value("${app.security.user.password}") String userPass,
+            @Value("${app.security.admin.name}") String adminName,
+            @Value("${app.security.admin.password}") String adminPass) {
+
+        PasswordEncoder encoder = passwordEncoder();
+
+        UserDetails user = User.withUsername(userName)
+                .password(encoder.encode(userPass))
+                .roles("USER")
+                .build();
+
+        UserDetails admin = User.withUsername(adminName)
+                .password(encoder.encode(adminPass))
+                .roles("ADMIN")
+                .build();
+
+        return new InMemoryUserDetailsManager(user, admin);
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
 }
+
@@ -0,0 +1,15 @@
+package com.cs673.careerforge.controllers;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/admin")
+public class AdminController {
+
+    @GetMapping("/dashboard")
+    public String dashboard() {
+        return "Admin dashboard works!";
+    }
+}
@@ -0,0 +1,43 @@
+package com.cs673.careerforge.model;
+
+import com.cs673.careerforge.model.AuthRequest;
+import com.cs673.careerforge.model.AuthResponse;
+import com.cs673.careerforge.security.JwtUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+public class AuthController {
+
+    @Autowired
+    private AuthenticationManager authenticationManager;
+
+    @Autowired
+    private JwtUtil jwtUtil;
+
+    @Autowired
+    private UserDetailsService userDetailsService;
+
+    @PostMapping("/authenticate")
+    public AuthResponse createAuthToken(@RequestBody AuthRequest authRequest) throws Exception {
+        try {
+            authenticationManager.authenticate(
+                    new UsernamePasswordAuthenticationToken(authRequest.getUsername(), authRequest.getPassword())
+            );
+            //For debugging below
+            //System.out.println(">>> /authenticate called with: " + authRequest.getUsername());
+        } catch (BadCredentialsException e) {
+            throw new Exception("Incorrect username or password", e);
+        }
+
+        final UserDetails userDetails = userDetailsService.loadUserByUsername(authRequest.getUsername());
+        final String jwt = jwtUtil.generateToken(userDetails);
+
+        return new AuthResponse(jwt);
+    }
+}
@@ -0,0 +1,27 @@
+package com.cs673.careerforge.controllers;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.security.core.Authentication;
+
+
+@RestController
+public class SecureController {
+
+    @GetMapping("/secure")
+    public String secureEndpoint(Authentication authentication) {
+        boolean isAdmin = authentication.getAuthorities().stream()
+                .anyMatch(auth -> auth.getAuthority().equals("ROLE_ADMIN"));
+
+        if (isAdmin) {
+            return "Hello Admin: " + authentication.getName();
+        } else {
+            return "Hello User: " + authentication.getName();
+        }
+    }
+
+    @GetMapping("/public/hello")
+    public String publicHello() {
+        return "👋 Anyone can see this!";
+    }
+}
@@ -0,0 +1,31 @@
+import org.springframework.boot.actuate.health.Health;
+import org.springframework.boot.actuate.health.HealthIndicator;
+import org.springframework.stereotype.Component;
+import com.cs673.careerforge.security.JwtUtil;
+
+@Component
+public class JwtHealthIndicator implements HealthIndicator {
+
+    private final JwtUtil jwtUtil;
+
+    public JwtHealthIndicator(JwtUtil jwtUtil) {
+        this.jwtUtil = jwtUtil;
+    }
+
+    @Override
+    public Health health() {
+        try {
+            if (jwtUtil.getSigningKey() != null) {
+                return Health.up()
+                        .withDetail("jwt", "Secret key is loaded")
+                        .build();
+            } else {
+                return Health.down()
+                        .withDetail("jwt", "Secret key is null")
+                        .build();
+            }
+        } catch (Exception e) {
+            return Health.down(e).build();
+        }
+    }
+}
@@ -0,0 +1,30 @@
+package com.cs673.careerforge.model;
+
+//For testing to hold login credentials from the request
+
+public class AuthRequest {
+    private String username;
+    private String password;
+
+    public AuthRequest(String username, String password) {
+    this.username = username;
+    this.password = password;
+    }
+
+    public String getUsername() {
+    return username;
+    }
+
+    public String getPassword() {
+    return password;
+    }
+
+    public void setUsername(String username) {
+    this.username = username;
+    }
+
+    public void setPassword(String password) {
+    this.password = password;
+    }
+
+}