Implemented Authentication & Authorization

.gitignore

@@ -31,3 +31,6 @@ build/
 
 ### VS Code ###
 .vscode/
+
+### Secrets
+secrets

pom.xml

@@ -77,6 +77,33 @@
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+
+        <!-- Authentication & Authorization-->
+        <!-- Source: https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-api -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.13.0</version>
+            <scope>compile</scope>
+        </dependency>
+
+        <!-- Source: https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-impl -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.13.0</version>
+            <scope>runtime</scope>
+        </dependency>
+
+        <!-- Source: https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-jackson -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.13.0</version>
+            <scope>runtime</scope>
+        </dependency>
+
+
 	</dependencies>
 
 	<build>

src/main/java/com/SkillsForge/expensetracker/ExpenseTrackerBackendJavaApplication.java

@@ -2,8 +2,10 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 
 @SpringBootApplication
+@EnableJpaAuditing
 public class ExpenseTrackerBackendJavaApplication {
 
   public static void main(String[] args) {

src/main/java/com/SkillsForge/expensetracker/app/Config.java

@@ -1,3 +1,67 @@
 package com.SkillsForge.expensetracker.app;
 
-public class Config {}
+import com.SkillsForge.expensetracker.security.JwtAuthenticationFilter;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity // Enables @PreAuthorize, @PostAuthorize annotations
+@RequiredArgsConstructor
+public class Config {
+
+  private final JwtAuthenticationFilter jwtAuthenticationFilter;
+
+  @Bean
+  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    http
+        // Disable CSRF (Cross-Site Request Forgery) protection
+        // We use stateless JWT, so CSRF is not needed
+        .csrf(AbstractHttpConfigurer::disable)
+
+        // Configure endpoint authorization
+            .authorizeHttpRequests(auth -> auth
+                    .requestMatchers(
+                            "/api/v1/auth/signup",
+                            "/api/v1/auth/login",
+                            "/api/v1/auth/refresh-token" // if you have one
+                    ).permitAll()
+
+                    //  LOCKED DOORS (Everything else, including /auth/current-user)
+                    .anyRequest().authenticated()
+            )
+        // Configure session management
+        // STATELESS = no server-side sessions, use JWT only
+        .sessionManagement(
+            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+
+        // Add our JWT filter before Spring Security's authentication filter
+        // This ensures JWT validation happens before standard authentication
+        .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+    return http.build();
+  }
+
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return new BCryptPasswordEncoder();
+  }
+
+  @Bean
+  public AuthenticationManager authenticationManager(AuthenticationConfiguration config)
+      throws Exception {
+    return config.getAuthenticationManager();
+  }
+}

src/main/java/com/SkillsForge/expensetracker/app/enums/Permissions.java

@@ -0,0 +1,10 @@
+package com.SkillsForge.expensetracker.app.enums;
+
+public enum Permissions {
+  TRANSACTION_READ,
+  TRANSACTION_WRITE,
+  TRANSACTION_DELETE,
+  USER_READ,
+  USER_WRITE,
+  ADMIN_ACCESS
+}

src/main/java/com/SkillsForge/expensetracker/app/enums/Role.java

@@ -0,0 +1,20 @@
+package com.SkillsForge.expensetracker.app.enums;
+
+import java.util.Set;
+
+public enum Role {
+  USER,
+  ADMIN;
+
+  public Set<Permissions> getPermissions() {
+    return switch (this) {
+      case ADMIN -> Set.of(Permissions.values()); // Admin has all permissions
+      case USER -> Set.of(
+          Permissions.TRANSACTION_READ,
+          Permissions.TRANSACTION_WRITE,
+          Permissions.TRANSACTION_DELETE,
+          Permissions.USER_READ,
+          Permissions.USER_WRITE);
+    };
+  }
+}

src/main/java/com/SkillsForge/expensetracker/controller/AuthController.java

@@ -0,0 +1,45 @@
+package com.SkillsForge.expensetracker.controller;
+
+import com.SkillsForge.expensetracker.dto.AuthResponse;
+import com.SkillsForge.expensetracker.dto.LoginRequest;
+import com.SkillsForge.expensetracker.dto.SignupRequest;
+import com.SkillsForge.expensetracker.dto.UserDto;
+import com.SkillsForge.expensetracker.service.UserService;
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/v1/auth")
+@RequiredArgsConstructor
+public class AuthController {
+
+  private final UserService userService;
+
+  @PostMapping("/signup")
+  public ResponseEntity<AuthResponse> signup(@Valid @RequestBody SignupRequest request) {
+    AuthResponse response = userService.signup(request);
+    return new ResponseEntity<>(response, HttpStatus.CREATED);
+  }
+
+  @PostMapping("/login")
+  public ResponseEntity<AuthResponse> login(@Valid @RequestBody LoginRequest request) {
+    AuthResponse response = userService.login(request);
+    return ResponseEntity.ok(response);
+  }
+
+
+  @GetMapping("/me")
+  @PreAuthorize("hasAuthority('USER_READ')")
+  public ResponseEntity<UserDto> getCurrentUser() {
+    UserDto user = userService.getCurrentUser();
+    return ResponseEntity.ok(user);
+  }
+}

src/main/java/com/SkillsForge/expensetracker/controller/TransactionController.java

@@ -9,6 +9,7 @@
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -20,23 +21,27 @@ public class TransactionController {
 
   @PostMapping
   @ResponseStatus(HttpStatus.CREATED)
+  @PreAuthorize("hasAuthority('TRANSACTION_WRITE')")
   public TransactionDto createTransaction(
       @RequestBody @Validated CreateTransactionRequest request) {
     return transactionService.createTransaction(request);
   }
 
   @GetMapping("/{id}")
+  @PreAuthorize("hasAuthority('TRANSACTION_READ')")
   public TransactionDto getTransactionById(@PathVariable Long id) {
     return transactionService.getTransactionById(id);
   }
 
   @PutMapping("/{id}")
+  @PreAuthorize("hasAuthority('TRANSACTION_WRITE')")
   public TransactionDto updateTransaction(
       @PathVariable Long id, @RequestBody TransactionUpdateRequest request) {
     return transactionService.updateTransaction(id, request);
   }
 
   @GetMapping
+  @PreAuthorize("hasAuthority('TRANSACTION_READ')")
   public Page<TransactionDto> getAllTransactions(
       @ModelAttribute TransactionFilter filter, Pageable pageable) {
     return transactionService.getAllTransactions(filter, pageable);

src/main/java/com/SkillsForge/expensetracker/dto/AuthResponse.java

@@ -0,0 +1,21 @@
+package com.SkillsForge.expensetracker.dto;
+
+import com.SkillsForge.expensetracker.app.enums.Role;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class AuthResponse {
+  // no need for validation, this is output
+  private String token; // the JWT token string
+  private String type; // token type, always "Bearer"
+  private Long id;
+  private String username;
+  private String email;
+  private Role role; // USER or ADMIN
+}

src/main/java/com/SkillsForge/expensetracker/dto/LoginRequest.java

@@ -0,0 +1,19 @@
+package com.SkillsForge.expensetracker.dto;
+
+import jakarta.validation.constraints.NotBlank;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class LoginRequest {
+  @NotBlank(message = "Username cannot be blank")
+  private String username;
+
+  @NotBlank(message = "Password cannot be blank")
+  private String password;
+}

src/main/java/com/SkillsForge/expensetracker/dto/SignupRequest.java

@@ -0,0 +1,27 @@
+package com.SkillsForge.expensetracker.dto;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class SignupRequest {
+  @NotBlank(message = "Email is required")
+  @Email
+  private String email;
+
+  @NotBlank(message = "Username cannot be blank")
+  @Size(min = 3, max = 20, message = "Username must be between 3 and 20 characters")
+  private String username;
+
+  @NotBlank(message = "Password is required")
+  @Size(min = 6, max = 50, message = "Password must be between 6 and 50 characters")
+  private String password;
+}

src/main/java/com/SkillsForge/expensetracker/dto/UserDto.java

@@ -0,0 +1,25 @@
+package com.SkillsForge.expensetracker.dto;
+
+import com.SkillsForge.expensetracker.app.enums.Role;
+import com.SkillsForge.expensetracker.persistence.entity.User;
+import java.time.LocalDateTime;
+
+public record UserDto(
+    Long id,
+    String username,
+    String email,
+    Role role,
+    boolean enabled,
+    LocalDateTime createdAt,
+    LocalDateTime updatedAt) {
+  public static UserDto from(User user) {
+    return new UserDto(
+        user.getId(),
+        user.getUsername(),
+        user.getEmail(),
+        user.getRole(),
+        user.isEnabled(),
+        user.getCreatedAt(),
+        user.getUpdatedAt());
+  }
+}

src/main/java/com/SkillsForge/expensetracker/exception/EmailAlreadyExistsException.java

@@ -0,0 +1,7 @@
+package com.SkillsForge.expensetracker.exception;
+
+public class EmailAlreadyExistsException extends RuntimeException {
+  public EmailAlreadyExistsException(String message) {
+    super(message);
+  }
+}