Protect endpoints access based on user role control

pom.xml

@@ -47,6 +47,29 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.12.6</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.12.6</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.12.6</version>
+            <scope>runtime</scope>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
@@ -58,6 +81,13 @@
             <version>2.8.4</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.36</version>
+            <scope>provided</scope>
+        </dependency>
+
 
     </dependencies>
 

src/main/java/com/box/library/authentication/AuthenticationController.java

@@ -0,0 +1,53 @@
+package com.box.library.authentication;
+
+import com.box.library.jwt.JwtUserDetailsService;
+import com.box.library.request.UserLoginRequest;
+import jakarta.validation.Valid;
+import lombok.extern.slf4j.Slf4j;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@Slf4j
+@RestController
+@RequestMapping("/api/v1/auth")
+public class AuthenticationController {
+
+
+    private final JwtUserDetailsService jwtUserDetailsService;
+    private final AuthenticationManager authenticationManager;
+
+    private static final Logger log = LoggerFactory.getLogger(AuthenticationController.class);
+
+    public AuthenticationController(JwtUserDetailsService jwtUserDetailsService,
+                                    AuthenticationManager authenticationManager) {
+        this.jwtUserDetailsService = jwtUserDetailsService;
+        this.authenticationManager = authenticationManager;
+    }
+
+    @PostMapping
+    public ResponseEntity<?> authenticate(@RequestBody @Valid UserLoginRequest loginRequest) {
+        log.info("Autenticando com {}", loginRequest.username());
+
+        try {
+            var authenticationToken = new UsernamePasswordAuthenticationToken(
+                    loginRequest.username(), loginRequest.password());
+
+            authenticationManager.authenticate(authenticationToken);
+
+            var jwtToken = jwtUserDetailsService.getJwtToken(loginRequest.username());
+
+            return ResponseEntity.ok(jwtToken);
+        } catch (AuthenticationException e) {
+            log.error("Erro ao autenticar", e);
+        }
+        return ResponseEntity.badRequest().body(new RuntimeException("Credenciais inválidas"));
+    }
+}

src/main/java/com/box/library/book/BookController.java

@@ -4,6 +4,7 @@
 import io.swagger.v3.oas.annotations.tags.Tag;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -13,49 +14,49 @@
 @Tag(name = "Livros", description = "Endpoints para gerenciamento de livros")
 public class BookController {
 
-    // TODO[5]: CRUD de livros
-
     private final BookService service;
 
     public BookController(BookService service) {
         this.service = service;
     }
 
-    // TODO[1]: Criação de livro
     @PostMapping
+    @PreAuthorize("hasAuthority('ADMIN')")
     public ResponseEntity<Book> create(@RequestBody Book book) {
-
-        // TODO[9]: Usando var
         var savedBook = service.create(book);
         return ResponseEntity.ok(savedBook);
     }
 
     @GetMapping
+    @PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
     public ResponseEntity<List<Book>> findAll() {
         var books = service.findAll();
         return books.isEmpty() ? ResponseEntity.noContent().build() : ResponseEntity.ok(books);
     }
 
     @GetMapping("/{id}")
+    @PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
     public ResponseEntity<Book> findById(@PathVariable Long id) {
         var book = service.findById(id);
         return ResponseEntity.ok(book);
     }
 
     @DeleteMapping("/{id}")
+    @PreAuthorize("hasAuthority('ADMIN')")
     public ResponseEntity<Void> deleteById(@PathVariable Long id) {
         service.deleteById(id);
         return ResponseEntity.noContent().build();
     }
 
     @PutMapping("/{id}")
+    @PreAuthorize("hasAuthority('ADMIN')")
     public ResponseEntity<Book> update(@PathVariable Long id, @RequestBody UpdateBook request) {
         var updatedEntity = service.update(id, request);
         return new ResponseEntity<>(updatedEntity, HttpStatus.OK);
     }
 
-    // TODO[4]: Busca de livros por filtros
     @GetMapping("/filter")
+    @PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
     public ResponseEntity<List<Book>> findAllByFilter(@RequestParam(required = false) String author, @RequestParam(required = false) String title,
                                                       @RequestParam(required = false) String isbn, @RequestParam(required = false) String publisher) {
         var books = service.findAllByFilter(author, title, isbn, publisher);

src/main/java/com/box/library/config/SecurityConfig.java

@@ -0,0 +1,62 @@
+package com.box.library.config;
+
+import com.box.library.jwt.JwtAuthorizationFilter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+@Configuration
+@EnableWebMvc
+@EnableMethodSecurity
+public class SecurityConfig {
+
+    public static final String API_PATH = "/api/v1";
+    public static final String USERS_PATH = "/users";
+    public static final String AUTHENTICATION_PATH = "/auth";
+    public static final String H2_CONSOLE_PATH = "/h2-console/**";
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        return http
+                .csrf(AbstractHttpConfigurer::disable)
+                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
+                .formLogin(AbstractHttpConfigurer::disable)
+                .httpBasic(AbstractHttpConfigurer::disable)
+                .authorizeHttpRequests(authorizeRequests -> authorizeRequests
+                        .requestMatchers(HttpMethod.POST, API_PATH + USERS_PATH).permitAll()
+                        .requestMatchers(HttpMethod.POST, API_PATH + AUTHENTICATION_PATH).permitAll()
+                        .requestMatchers(H2_CONSOLE_PATH).permitAll()
+                        .anyRequest().authenticated())
+                .sessionManagement(sessionManagement -> sessionManagement
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterBefore(jwtAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class)
+                .build();
+    }
+
+    @Bean
+    public JwtAuthorizationFilter jwtAuthorizationFilter() {
+        return new JwtAuthorizationFilter();
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
+        return authenticationConfiguration.getAuthenticationManager();
+    }
+}

src/main/java/com/box/library/customer/Customer.java

@@ -0,0 +1,65 @@
+package com.box.library.customer;
+
+import com.box.library.request.CreateCustomerRequest;
+import com.box.library.user.LibraryUser;
+import jakarta.persistence.*;
+
+@Entity
+@Table(name = "customers")
+public class Customer {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    private String name;
+
+    private String cpf;
+
+    @OneToOne
+    @JoinColumn(name = "user_id", nullable = false)
+    private LibraryUser user;
+
+    // TODO: Por o endereço do cliente
+
+
+    public Customer() {
+    }
+
+    public Customer(CreateCustomerRequest request) {
+        this.name = request.name();
+        this.cpf = request.cpf();
+    }
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getCpf() {
+        return cpf;
+    }
+
+    public void setCpf(String cpf) {
+        this.cpf = cpf;
+    }
+
+    public LibraryUser getUser() {
+        return user;
+    }
+
+    public void setUser(LibraryUser user) {
+        this.user = user;
+    }
+}

src/main/java/com/box/library/customer/CustomerController.java

@@ -0,0 +1,42 @@
+package com.box.library.customer;
+
+import com.box.library.jwt.JwtUserDetails;
+import com.box.library.request.CreateCustomerRequest;
+import jakarta.validation.Valid;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("api/v1/customers")
+public class CustomerController {
+
+    private final CustomerService service;
+
+    public CustomerController(CustomerService service) {
+        this.service = service;
+    }
+
+    @PostMapping
+    @PreAuthorize("hasAuthority('ADMIN') OR (hasAuthority('CLIENT') AND #id == authentication.principal.id)")
+    public ResponseEntity<Customer> create(@Valid @RequestBody CreateCustomerRequest request,
+                                           @AuthenticationPrincipal JwtUserDetails jwtUserDetails) {
+        var entity = service.save(request, jwtUserDetails);
+        return ResponseEntity.status(HttpStatus.CREATED).body(entity);
+    }
+
+    @GetMapping("/{id}")
+    @PreAuthorize("hasAuthority('ADMIN') OR (hasAuthority('CLIENT') AND #id == authentication.principal.id)")
+    public ResponseEntity<Customer> findById(@PathVariable Long id) {
+        return ResponseEntity.ok(service.findById(id));
+    }
+
+    @GetMapping("/details")
+    @PreAuthorize("hasAuthority('ADMIN') OR (hasAuthority('CLIENT') AND #id == authentication.principal.id)")
+    public ResponseEntity<Customer> getDetails(@AuthenticationPrincipal JwtUserDetails jwtUserDetails) {
+        var entity = service.findUserById(jwtUserDetails.getId());
+        return ResponseEntity.ok(entity);
+    }
+}

src/main/java/com/box/library/customer/CustomerRepository.java

@@ -0,0 +1,9 @@
+package com.box.library.customer;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface CustomerRepository extends JpaRepository<Customer, Long> {
+    Customer findByUserId(Long id);
+}

src/main/java/com/box/library/customer/CustomerService.java

@@ -0,0 +1,39 @@
+package com.box.library.customer;
+
+import com.box.library.jwt.JwtUserDetails;
+import com.box.library.request.CreateCustomerRequest;
+import com.box.library.user.LibraryUserService;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+public class CustomerService {
+
+    private final CustomerRepository repository;
+    private final LibraryUserService libraryUserService;
+
+    public CustomerService(CustomerRepository repository, LibraryUserService libraryUserService) {
+        this.repository = repository;
+        this.libraryUserService = libraryUserService;
+    }
+
+    @Transactional
+    public Customer save(CreateCustomerRequest request, JwtUserDetails jwtUserDetails) {
+        Customer entity = new Customer(request);
+
+        entity.setUser(libraryUserService.findById(jwtUserDetails.getId()));
+
+        return repository.save(entity);
+    }
+
+    @Transactional(readOnly = true)
+    public Customer findById(Long id) {
+        return repository.findById(id).orElseThrow(
+                () -> new RuntimeException("Customer id [" + id + "] not found"));
+    }
+
+    @Transactional(readOnly = true)
+    public Customer findUserById(Long id) {
+        return repository.findByUserId(id);
+    }
+}

src/main/java/com/box/library/exception/GlobalExceptionHandler.java

@@ -23,6 +23,11 @@ public ResponseEntity<String> handleNoFilterProvidedException(NoFilterProvidedEx
         return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(ex.getMessage());
     }
 
+    @ExceptionHandler
+    public ResponseEntity<String> handleInvalidPasswordException(InvalidPasswordException ex) {
+        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(ex.getMessage());
+    }
+
     @ExceptionHandler
     public ResponseEntity<String> handleLoanNotFoundException(LoanNotFoundException ex) {
         return ResponseEntity.status(HttpStatus.NOT_FOUND).body(ex.getMessage());