add an API key authentication

Author: sergejsvisockis

README.md

@@ -70,6 +70,39 @@ aws dynamodb create-table \
     --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
 ```
 
+Make an API key DynamoDB table:
+
+```shell
+aws dynamodb create-table \
+    --table-name api_key \
+    --attribute-definitions AttributeName=apiKeyId,AttributeType=S \
+    --key-schema AttributeName=apiKeyId,KeyType=HASH \
+    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
+```
+
+For the sake of simplicity an API key is inserted manually into the DynamoDB.
+An API key must be Base64 encoded string.
+In real production-grade application the same approach could be followed as well, when more manual approach is
+acceptable.
+However, it also could be that an API key is generated by the 3rd party service as well.
+
+Overall API key suits the best for these types of applications due to the essential simplicity it has, including the
+fact that it works in isolation.
+Let's assume that this service is being built and supported by a separate team within the large enterprise.
+No OAuth2 is needed in that case since no support for a common SSO is required so as token exchange over the HTTP that
+comes with that.
+
+Here is an example:
+
+```shell
+aws dynamodb put-item \
+    --table-name api_key  \
+    --item \
+        '{"apiKeyId": {"S": "c09e472f-08ad-42a8-8e72-22205bc4d262"}, "apiKey": {"S": "NjZhMTkwMzEtZjdmNC00YWU2LTk0ZTctODllOWQ3OWZkNDAx"}, "assignee": {"S": "Sergejs Visockis"}, "assigneeContactDetails": {"S": "[email protected]"}, "expirationDate": {"S": "2026-08-16T14:14:14.627646"}}'
+```
+
+An API key is - 66a19031-f7f4-4ae6-94e7-89e9d79fd401
+
 Make an SNS topic:
 
 ```shell

service/pom.xml

@@ -22,6 +22,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>

service/src/main/java/io/github/sergejsvisockis/documentservice/Bootstrap.java

@@ -2,8 +2,11 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 
-@SpringBootApplication
+@SpringBootApplication(exclude = {
+        UserDetailsServiceAutoConfiguration.class
+})
 public class Bootstrap {
 
     public static void main(String[] args) {

service/src/main/java/io/github/sergejsvisockis/documentservice/auth/ApiKeyAuthentication.java

@@ -0,0 +1,27 @@
+package io.github.sergejsvisockis.documentservice.auth;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+
+public class ApiKeyAuthentication extends AbstractAuthenticationToken {
+
+    private final String apiKey;
+
+    public ApiKeyAuthentication(String apiKey, Collection<? extends GrantedAuthority> authorities) {
+        super(authorities);
+        this.apiKey = apiKey;
+        setAuthenticated(true);
+    }
+
+    @Override
+    public Object getCredentials() {
+        return null;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return apiKey;
+    }
+}

service/src/main/java/io/github/sergejsvisockis/documentservice/auth/AuthenticationFilter.java

@@ -0,0 +1,52 @@
+package io.github.sergejsvisockis.documentservice.auth;
+
+import io.github.sergejsvisockis.documentservice.utils.JsonUtil;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.GenericFilterBean;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+@Slf4j
+@RequiredArgsConstructor
+@Component
+public class AuthenticationFilter extends GenericFilterBean {
+
+    private final AuthenticationService authenticationService;
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException {
+        try {
+            Authentication authentication = authenticationService.getAuthentication((HttpServletRequest) request);
+            SecurityContextHolder.getContext().setAuthentication(authentication);
+            filterChain.doFilter(request, response);
+        } catch (Exception e) {
+            HttpServletResponse httpResponse = (HttpServletResponse) response;
+            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            httpResponse.setContentType(MediaType.APPLICATION_JSON_VALUE);
+
+            PrintWriter writer = httpResponse.getWriter();
+            writer.print(JsonUtil.toJson(new FailedAuthResponse(
+                    System.currentTimeMillis(),
+                    e.getMessage()))
+            );
+            writer.flush();
+            writer.close();
+        }
+    }
+
+    record FailedAuthResponse(long timestamp, String message) {
+
+    }
+
+}

service/src/main/java/io/github/sergejsvisockis/documentservice/auth/AuthenticationService.java

@@ -0,0 +1,59 @@
+package io.github.sergejsvisockis.documentservice.auth;
+
+import io.github.sergejsvisockis.documentservice.repository.ApiKey;
+import io.github.sergejsvisockis.documentservice.repository.ApiKeyRepository;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.stereotype.Service;
+
+import java.time.LocalDateTime;
+import java.util.Base64;
+import java.util.Optional;
+
+@Service
+@RequiredArgsConstructor
+public class AuthenticationService {
+
+    static final String AUTH_TOKEN_HEADER_NAME = "x-api-key";
+    static final String INCORRECT_API_KEY_MESSAGE = "Incorrect API key passed";
+    static final String NO_API_KEY_FOUND_MESSAGE = "NO associated API key found";
+    static final String API_KEY_EXPIRED_MESSAGE = "An API key has expired";
+
+    private final ApiKeyRepository apiKeyRepository;
+
+    public Authentication getAuthentication(HttpServletRequest request) {
+        String apiKey = request.getHeader(AUTH_TOKEN_HEADER_NAME);
+        if (apiKey == null) {
+            throw new BadCredentialsException(INCORRECT_API_KEY_MESSAGE);
+        }
+
+        Optional<ApiKey> apiAuthKey = findApiAuthKey(apiKey);
+        if (apiAuthKey.isEmpty()) {
+            throw new BadCredentialsException(NO_API_KEY_FOUND_MESSAGE);
+        }
+
+        if (!isValid(apiAuthKey.get())) {
+            throw new BadCredentialsException(API_KEY_EXPIRED_MESSAGE);
+        }
+
+        return new ApiKeyAuthentication(apiKey, AuthorityUtils.NO_AUTHORITIES);
+    }
+
+    private boolean isValid(ApiKey apiKey) {
+        LocalDateTime validTo = LocalDateTime.parse(apiKey.getExpirationDate());
+        return LocalDateTime.now().isBefore(validTo);
+    }
+
+    private Optional<ApiKey> findApiAuthKey(String key) {
+        return apiKeyRepository.findApiKey(encodeApiKey(key));
+
+    }
+
+    private String encodeApiKey(String key) {
+        return Base64.getEncoder().encodeToString(key.getBytes());
+    }
+
+}

service/src/main/java/io/github/sergejsvisockis/documentservice/config/SecurityConfig.java

@@ -0,0 +1,35 @@
+package io.github.sergejsvisockis.documentservice.config;
+
+import io.github.sergejsvisockis.documentservice.auth.AuthenticationFilter;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@EnableWebSecurity
+@RequiredArgsConstructor
+public class SecurityConfig {
+
+    private final AuthenticationFilter authenticationFilter;
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        return http
+                .csrf(AbstractHttpConfigurer::disable)
+                .authorizeHttpRequests(registry ->
+                        registry.requestMatchers("/**").authenticated())
+                .formLogin(AbstractHttpConfigurer::disable)
+                .httpBasic(AbstractHttpConfigurer::disable)
+                .sessionManagement(configurer -> configurer
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class)
+                .build();
+    }
+
+}

service/src/main/java/io/github/sergejsvisockis/documentservice/repository/ApiKey.java

@@ -0,0 +1,48 @@
+package io.github.sergejsvisockis.documentservice.repository;
+
+import io.github.sergejsvisockis.documentservice.dynamodb.TableName;
+import lombok.Setter;
+import software.amazon.awssdk.enhanced.dynamodb.mapper.annotations.DynamoDbAttribute;
+import software.amazon.awssdk.enhanced.dynamodb.mapper.annotations.DynamoDbBean;
+import software.amazon.awssdk.enhanced.dynamodb.mapper.annotations.DynamoDbPartitionKey;
+
+import static io.github.sergejsvisockis.documentservice.repository.ApiKey.TABLE_NAME;
+
+@Setter
+@DynamoDbBean
+@TableName(name = TABLE_NAME)
+public class ApiKey {
+
+    public static final String TABLE_NAME = "api_key";
+
+    private String apiKeyId;
+    private String apiKey;
+    private String assignee;
+    private String assigneeContactDetails;
+    private String expirationDate;
+
+    @DynamoDbPartitionKey
+    public String getApiKeyId() {
+        return apiKeyId;
+    }
+
+    @DynamoDbAttribute("apiKey")
+    public String getApiKey() {
+        return apiKey;
+    }
+
+    @DynamoDbAttribute("assignee")
+    public String getAssignee() {
+        return assignee;
+    }
+
+    @DynamoDbAttribute("assigneeContactDetails")
+    public String getAssigneeContactDetails() {
+        return assigneeContactDetails;
+    }
+
+    @DynamoDbAttribute("expirationDate")
+    public String getExpirationDate() {
+        return expirationDate;
+    }
+}

service/src/main/java/io/github/sergejsvisockis/documentservice/repository/ApiKeyRepository.java

@@ -0,0 +1,32 @@
+package io.github.sergejsvisockis.documentservice.repository;
+
+import io.awspring.cloud.dynamodb.DynamoDbTemplate;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Repository;
+import software.amazon.awssdk.enhanced.dynamodb.Expression;
+import software.amazon.awssdk.enhanced.dynamodb.model.ScanEnhancedRequest;
+import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
+
+import java.util.Map;
+import java.util.Optional;
+
+@Repository
+@RequiredArgsConstructor
+public class ApiKeyRepository {
+
+    private final DynamoDbTemplate dynamoDbTemplate;
+
+    public Optional<ApiKey> findApiKey(String key) {
+        ScanEnhancedRequest request = ScanEnhancedRequest.builder()
+                .filterExpression(Expression.builder()
+                        .expression("apiKey = :key")
+                        .expressionValues(Map.of(":key", AttributeValue.fromS(key)))
+                        .build())
+                .build();
+        return dynamoDbTemplate.scan(request, ApiKey.class)
+                .stream()
+                .flatMap(p -> p.items().stream())
+                .findFirst();
+    }
+
+}

service/src/test/java/io/github/sergejsvisockis/documentservice/auth/ApiKeyAuthenticationTest.java

@@ -0,0 +1,25 @@
+package io.github.sergejsvisockis.documentservice.auth;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class ApiKeyAuthenticationTest {
+
+    @Test
+    void shouldCreateAuthenticationWithApiKey() {
+        // given
+        String apiKey = "test-api-key";
+
+        // when
+        ApiKeyAuthentication authentication = new ApiKeyAuthentication(apiKey, AuthorityUtils.NO_AUTHORITIES);
+
+        // then
+        assertEquals(apiKey, authentication.getPrincipal());
+        assertNull(authentication.getCredentials());
+        assertTrue(authentication.isAuthenticated());
+    }
+}