Merge pull request #19 from Throyer/development

chore: swagger auth

Author: Throyer

README.md

@@ -125,7 +125,7 @@ docker-compose -p common-api-development -f docker-compose.dev.yml up -d
 Building image for production
 ```bash
 cd docker
-DOCKER_BUILDKIT=1 docker build -f Dockerfile.prod -t common-api:4.1.1 .
+DOCKER_BUILDKIT=1 docker build -f Dockerfile.prod -t common-api:4.1.1 ../
 ```
 
 docker compose for production

docker/.env.example

@@ -1,3 +1,4 @@
 DB_URL=common_app
 DB_USERNAME=root
-DB_PASSWORD=root
+DB_PASSWORD=root
+TOKEN_SECRET=secret

docker/docker-compose.prod.yml

@@ -28,3 +28,6 @@ services:
       DB_URL: database:5432/${DB_NAME}
       DB_USERNAME: ${DB_USERNAME}
       DB_PASSWORD: ${DB_PASSWORD}
+      TOKEN_SECRET: ${TOKEN_SECRET}
+      DB_SHOW_SQL: "false"
+      PRIVATE_SWAGGER: "true"

pom.xml

@@ -15,6 +15,7 @@
     <description>Exemplo de api simples com Spring Boot</description>
 
     <properties>
+        <springdoc.version>1.6.9</springdoc.version>
         <java.version>17</java.version>
     </properties>
 
@@ -86,17 +87,17 @@
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-ui</artifactId>
-            <version>1.6.6</version>
+            <version>${springdoc.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-webmvc-core</artifactId>
-            <version>1.6.6</version>
+            <version>${springdoc.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-security</artifactId>
-            <version>1.6.5</version>
+            <version>${springdoc.version}</version>
         </dependency>
 
         <!-- Token JWT -->

src/main/java/com/github/throyer/common/springboot/configurations/SpringSecurityConfiguration.java

@@ -8,15 +8,14 @@
 import static com.github.throyer.common.springboot.constants.SECURITY.LOGOUT_URL;
 import static com.github.throyer.common.springboot.constants.SECURITY.PASSWORD_ENCODER;
 import static com.github.throyer.common.springboot.constants.SECURITY.PASSWORD_PARAMETER;
+import static com.github.throyer.common.springboot.constants.SECURITY.PRIVATE_SWAGGER;
 import static com.github.throyer.common.springboot.constants.SECURITY.PUBLIC_API_ROUTES;
 import static com.github.throyer.common.springboot.constants.SECURITY.SESSION_COOKIE_NAME;
-import static com.github.throyer.common.springboot.constants.SECURITY.STATIC_FILES;
 import static com.github.throyer.common.springboot.constants.SECURITY.TOKEN_SECRET;
 import static com.github.throyer.common.springboot.constants.SECURITY.USERNAME_PARAMETER;
 import static com.github.throyer.common.springboot.utils.Responses.forbidden;
 import static org.springframework.http.HttpMethod.GET;
 import static org.springframework.http.HttpMethod.POST;
-import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;
 
 import com.github.throyer.common.springboot.domain.session.service.SessionService;
@@ -32,7 +31,6 @@
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -72,19 +70,13 @@ public AuthenticationManager authenticationManager(
     ) throws Exception {
         return configuration.getAuthenticationManager();
     }
-
-    @Bean
-    public WebSecurityCustomizer webSecurityCustomizer() {
-        return (web) -> web.ignoring().antMatchers(STATIC_FILES);
-    }
-
+    
     @Bean
     @Order(1)
     public SecurityFilterChain api(HttpSecurity http) throws Exception {
         PUBLIC_API_ROUTES.injectOn(http);
 
         http
-            .httpBasic(withDefaults())
             .antMatcher("/api/**")
                 .authorizeRequests()
                     .anyRequest()
@@ -141,4 +133,25 @@ public SecurityFilterChain app(HttpSecurity http) throws Exception {
 
         return http.build();
     }
+
+    @Bean
+    @Order(4)
+    public SecurityFilterChain swagger(HttpSecurity http) throws Exception {
+
+        if (PRIVATE_SWAGGER) {
+            http
+                .authorizeRequests()
+                        .antMatchers("/swagger-ui/**", "/swagger-ui.html", "/**.html", "/documentation/**")
+                            .authenticated()
+                .and()
+                    .httpBasic();
+        } else {
+            http
+                .authorizeRequests()
+                        .antMatchers("/swagger-ui/**", "/swagger-ui.html", "/**.html", "/documentation/**")
+                            .permitAll();
+        }
+
+        return http.build();
+    }
 }

src/main/java/com/github/throyer/common/springboot/constants/SECURITY.java

@@ -18,27 +18,20 @@ public class SECURITY {
     public SECURITY(
         @Value("${token.secret}") String tokenSecret,
         @Value("${token.expiration-in-hours}") Integer tokenExpirationInHours,
-        @Value("${token.refresh.expiration-in-days}") Integer refreshTokenExpirationInDays
+        @Value("${token.refresh.expiration-in-days}") Integer refreshTokenExpirationInDays,
+        @Value("${server.servlet.session.cookie.name}") String sessionCookieName,
+        @Value("${swagger.is-private}") Boolean privateSwagger
     ) {
         SECURITY.TOKEN_SECRET = tokenSecret;
         SECURITY.TOKEN_EXPIRATION_IN_HOURS = tokenExpirationInHours;
         SECURITY.REFRESH_TOKEN_EXPIRATION_IN_DAYS = refreshTokenExpirationInDays;
+        SECURITY.SESSION_COOKIE_NAME = sessionCookieName;
+        SECURITY.PRIVATE_SWAGGER = privateSwagger;
     }
 
-    public static final String[] STATIC_FILES = {
-        "/robots.txt",
-        "/font/**",
-        "/css/**",
-        "/webjars/**",
-        "/js/**",
-        "/favicon.ico",
-        "/**.html",
-        "/documentation/**"
-    };
-
     public static final PublicRoutes PUBLIC_API_ROUTES = create()
-            .add(GET, "/api", "/api/documentation/**")
-            .add(POST, "/api/users", "/api/sessions/**", "/api/recoveries/**", "/api/documentation/**");
+            .add(GET, "/api")
+            .add(POST, "/api/users", "/api/sessions/**", "/api/recoveries/**");
 
     public static final Integer DAY_MILLISECONDS = 86400;
     public static final JsonWebToken JWT = new JsonWebToken();
@@ -52,6 +45,9 @@ public SECURITY(
     public static Integer TOKEN_EXPIRATION_IN_HOURS;
     public static Integer REFRESH_TOKEN_EXPIRATION_IN_DAYS;
 
+    public static String SESSION_COOKIE_NAME;
+    public static Boolean PRIVATE_SWAGGER;
+
     public static final String USERNAME_PARAMETER = "email";
     public static final String PASSWORD_PARAMETER = "password";
 
@@ -61,8 +57,6 @@ public SECURITY(
     public static final String ACESSO_NEGADO_URL = LOGIN_URL + "?denied=true";
     public static final String LOGOUT_URL = "/app/logout";
 
-    public static final String SESSION_COOKIE_NAME = "JSESSIONID";
-
     public static final String SECURITY_TYPE = "Bearer";
     public static final String AUTHORIZATION_HEADER = "Authorization";
     public static final String ACCEPTABLE_TOKEN_TYPE = SECURITY_TYPE + " ";

src/main/resources/application.properties

@@ -28,10 +28,12 @@ springdoc.api-docs.path=/documentation/schemas
 springdoc.default-produces-media-type=application/json
 springdoc.default-consumes-media-type=application/json
 
-# token
+# security
 token.expiration-in-hours=${TOKEN_EXPIRATION_IN_HOURS:24}
 token.refresh.expiration-in-days=${REFRESH_TOKEN_EXPIRATION_IN_DAYS:7}
 token.secret=${TOKEN_SECRET:secret}
+server.servlet.session.cookie.name=API_EXAMPLE_SESSION_ID
+swagger.is-private=${PRIVATE_SWAGGER:true}
 
 # smtp configurations
 spring.mail.host=${SMTP_HOST:smtp.gmail.com}

src/test/resources/application.properties

@@ -25,6 +25,8 @@ spring.jpa.hibernate.ddl-auto=none
 token.expiration-in-hours=24
 token.refresh.expiration-in-days=7
 token.secret=secret
+server.servlet.session.cookie.name=JSESSIONID
+swagger.is-private=false
 
 # recovery email
 recovery.minutes-to-expire=20