Feature/jwt auth

[trett]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @trett, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the application's authentication flow by transitioning from traditional server-side sessions to a more scalable and stateless JWT-based system. This change streamlines user authentication and authorization, reducing server overhead associated with session state. It also includes necessary configuration adjustments and a minor client-side file reorganization.

Highlights

• Authentication Mechanism Refactor: The application's authentication system has been migrated from a server-side session management approach to a stateless JSON Web Token (JWT) based system. This involves replacing SessionManager with a new JwtManager.
• JWT Library Integration: The jwt-circe library has been added to the project dependencies to facilitate JWT creation and verification.
• Configuration Update: A new jwt.secret configuration property has been introduced in application.conf and AppConfig.scala to securely sign and verify JWTs.
• Client Manifest Relocation: The site.webmanifest file has been moved from client/site.webmanifest to client/public/site.webmanifest, with updated image paths.

Changelog

• build.sbt
  • Added jwt-circe dependency for JWT handling.
• client/public/site.webmanifest
  • Added a new web manifest file.
• client/site.webmanifest
  • Removed the old web manifest file.
• server/src/main/resources/application.conf
  • Introduced a new jwt configuration section to define the JWT secret.
• server/src/main/scala/ru/trett/rss/server/Server.scala
  • Replaced SessionManager with JwtManager initialization.
  • Updated route definitions to pass JwtManager instead of SessionManager.
• server/src/main/scala/ru/trett/rss/server/authorization/AuthFilter.scala
  • Modified AuthFilter to use JwtManager for verifying session tokens from cookies.
• server/src/main/scala/ru/trett/rss/server/authorization/JwtManager.scala
  • Added a new JwtManager class responsible for creating and verifying JWTs.
• server/src/main/scala/ru/trett/rss/server/authorization/SessionManager.scala
  • Removed the SessionManager class, as its functionality is now handled by JwtManager.
• server/src/main/scala/ru/trett/rss/server/config/AppConfig.scala
  • Added JwtConfig to the application's configuration structure.
• server/src/main/scala/ru/trett/rss/server/controllers/LoginController.scala
  • Updated to generate and set JWTs as sessionId cookies upon successful login.
  • Removed the in-controller logout endpoint, delegating it to LogoutController.
• server/src/main/scala/ru/trett/rss/server/controllers/LogoutController.scala
  • Refactored to invalidate the sessionId cookie directly upon logout, removing dependency on SessionManager.

Activity

• The pull request description is empty, indicating no specific details were provided by the author at creation.
• No comments or reviews have been made on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request successfully replaces the previous session-based authentication with a JWT-based approach. However, this introduces a security regression by removing the ability to revoke sessions on the server side, and there's an inconsistency in how the session cookie is cleared during logout, potentially leaving sessions active. Additionally, there are general issues such as the use of magic numbers for token/cookie expiration and a lack of error logging in the authentication filter. It is recommended to implement a token revocation mechanism or reduce token expiration times, and ensure consistent cookie attributes for logout.