cleanup of JWT handling + code comments

Author: halfhp

README.md

@@ -4,10 +4,10 @@
 Demonstrates using Spring Framework with Scala 3.
 
 The biggest headaches of upgrading from Scala 2.13 to Scala 3 has been with the level of compatibility tools like IntellIJ offer, and the relatively small market share
-it has of Scala projects and libraries. Builds sometimes slow to a crawl or hang or randomly fail, only to succeed after a second or third retry.
+it has of Scala projects and libraries. Builds sometimes slow to a crawl, hang, or randomly fail, only to succeed after a second or third retry.
 
-The jury is still out on whether the migration is worthwhile for established projects, but
-as of 2025 I do feel like Scala 3 is the way to go for new projects.
+The jury is still out on whether the migration is worthwhile for established projects, but I do feel that Scala 3 has reached the point
+where it is the better choice for new projects.
 
 :speech_balloon: **Questions / comments / suggestions are welcome in the [discussions](https://github.com/halfhp/ScalaSpringExperiment/discussions), or feel free to [contact me](mailto:halfhp@gmail.com) directly.**
 
@@ -20,16 +20,18 @@ the app to use it.
 * Gradle[^1]
 * Spring Boot
 * Spring Security
-* Circe - JSON serialization and deserialization
+* [JWT Scala](https://github.com/jwt-scala/jwt-scala)
+* [Circe](https://github.com/circe/circe) - JSON serialization and deserialization
 * ~~ZIO~~ (Sticking with with Cats Effect out of preference, and because ZIO seems to have been [abandoned by its author](https://degoes.net/articles/splendid-scala-journey).)
 * Cats Effect
 * [Doobie](https://github.com/typelevel/doobie)[^2]
 * Flyway - Database schema definitions and migrations
 * ScalaTest
 * Mockito
 
-[^1]: I chose Gradle over SBT initially out of curiosity.  At this point I've used for several Scala projects now and have no regrets.
-SBT I believe might have some minor performance benefits, but you really cant Gradle in terms of features and support.
+[^1]: I've used for several Scala projects now and have few regrets. SBT I believe might have some minor performance benefits, 
+but you really cant beat Gradle in terms of features and support.  Having said that, it is possible that some of the build
+instability / Intellij bugginess I am experiencing is due to Gradle.
 
 [^2]: So why Doobie and not one of the options that come packaged with Spring?  Two main reasons: 1) Integrates seemlessly with Cats Effect and the IO monad, which is my
 preferred tool for structured concurrency.  2) Doobie is oriented around writing pure SQL and producing results as immutable case classes which I prefer over ORM approaches etc. that involve things like Hibernate, JPA, "live objects", etc.
@@ -129,6 +131,7 @@ what happens under load in situations where there are fewer cores than threads,
 ## Spring Security
 * Add OAuth2 request/ refresh tokens
 * Add Oauth2 client to support third party authentication (Google, etc)
+* Add JTI to JWT tokens to support revocation
 
 ## Async Rest Controller
 Create an AsyncController that demonstrates adapting Spring's async programming model

src/main/scala/com/example/scalaspringexperiment/auth/JwtAuthManager.scala

@@ -3,13 +3,14 @@ package com.example.scalaspringexperiment.auth
 import cats.data.EitherT
 import cats.effect.IO
 import cats.effect.unsafe.IORuntime
-import com.example.scalaspringexperiment.auth.JwtAuthManager.{AuthError, InvalidCredentials, LoginSuccess, ROLE_USER, RegisterSuccess, UserExists, UserNotFound}
+import com.example.scalaspringexperiment.auth.JwtAuthManager.{AuthError, DEFAULT_TOKEN_LIFETIME_SECONDS, InvalidCredentials, LoginSuccess, ROLE_USER, RegisterSuccess, UserExists, UserNotFound}
 import com.example.scalaspringexperiment.entity.{Person, RegisteredUser}
 import com.example.scalaspringexperiment.service.{PersonService, RegisteredUserService}
+import com.example.scalaspringexperiment.util.AsyncUtils
 import org.springframework.context.annotation.Lazy
 import org.springframework.security.authentication.{ReactiveAuthenticationManager, UsernamePasswordAuthenticationToken}
 import org.springframework.security.core.authority.SimpleGrantedAuthority
-import org.springframework.security.core.{Authentication, GrantedAuthority}
+import org.springframework.security.core.Authentication
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
 import org.springframework.stereotype.Component
 import pdi.jwt.{JwtAlgorithm, JwtCirce, JwtClaim}
@@ -20,8 +21,11 @@ import java.time.Instant
 import scala.jdk.CollectionConverters.*
 
 object JwtAuthManager {
-  val ROLE_USER = "ROLE_USER"
-  val ROLE_ADMIN = "ROLE_ADMIN"
+
+  val ROLE_USER: String = "ROLE_USER"
+  val ROLE_ADMIN: String = "ROLE_ADMIN"
+  val DEFAULT_TOKEN_LIFETIME_SECONDS: Int = 3600 * 24 * 30 // 30 days
+
   sealed trait AuthError {
     val message: String
   }
@@ -62,28 +66,28 @@ class JwtAuthManager(
 
   given theRuntime: IORuntime = runtime
 
+  import AsyncUtils.ioToMono
+
   // TODO: this is very bad:
   private val secretKey: String = "secretKey"
   private val algo = JwtAlgorithm.HS256
 
-  override def authenticate(authentication: Authentication): Mono[Authentication] = {
-    println(s"[AUTH DEBUG] Called with credentials: ${authentication.getCredentials}")
-    try {
-      val token = authentication.getCredentials.toString
-      val claim = JwtCirce.decode(token, secretKey, Seq(algo)).get
-      val authorities = Seq(new SimpleGrantedAuthority(ROLE_USER))
-      val auth = new UsernamePasswordAuthenticationToken(
+  override def authenticate(
+    authentication: Authentication
+  ): Mono[Authentication] = {
+    for {
+      token <- IO(authentication.getCredentials.toString)
+      claim <- IO(JwtCirce.decode(token, secretKey, Seq(algo)).get)
+      user <- registeredUserService.findById(claim.subject.map(_.toLong).getOrElse(???))
+      authorities <- IO(user.getOrElse(???).roles.map(role => new SimpleGrantedAuthority(role)))
+      auth <- IO(new UsernamePasswordAuthenticationToken(
         claim.subject.get,
         null,
         authorities.asJava
-      )
-      Mono.just(auth)
-    } catch {
-      case e: Exception => Mono.empty()
-    }
+      ))
+    } yield auth
   }
 
-
   def generateTokenForRegisteredUser(
     user: RegisteredUser,
     expiration: Instant
@@ -124,7 +128,10 @@ class JwtAuthManager(
         case Some(p) => Right(p)
         case None => Left(UserNotFound("Person not found"))
       })
-      jwtToken <- EitherT.liftF[IO, AuthError, String](generateTokenForRegisteredUser(registeredUser, Instant.now.plusSeconds(3600 * 30)))
+      jwtToken <- EitherT.liftF[IO, AuthError, String](generateTokenForRegisteredUser(
+        user = registeredUser,
+        expiration = Instant.now.plusSeconds(DEFAULT_TOKEN_LIFETIME_SECONDS)
+      ))
     } yield LoginSuccess(
         registeredUser = registeredUser,
         person = person,
@@ -152,7 +159,7 @@ class JwtAuthManager(
         email = email,
         passwordHash = passwordHash,
         personId = person.id,
-        roles = List() // TODO
+        roles = List(ROLE_USER) // TODO
       )))
       jwtToken <- EitherT.liftF(generateTokenForRegisteredUser(registeredUser, Instant.now.plusSeconds(3600 * 30))) // 30 days
     } yield RegisterSuccess(

src/main/scala/com/example/scalaspringexperiment/controller/ControllerHelper.scala

@@ -2,12 +2,12 @@ package com.example.scalaspringexperiment.controller
 
 import cats.effect.IO
 import cats.effect.unsafe.IORuntime
+import com.example.scalaspringexperiment.util.AsyncUtils
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.context.{ReactiveSecurityContextHolder, SecurityContext, SecurityContextHolder}
 import org.springframework.stereotype.Component
 import reactor.core.publisher.Mono
 
-import java.util.concurrent.CompletableFuture
 import scala.util.chaining.*
 
 case class Ctx(
@@ -23,22 +23,19 @@ class ControllerHelper(
 ) {
 
   given rt: IORuntime = runtime
-
-  private given ioToMono[A](): Conversion[IO[A], Mono[A]] with {
-    def apply(io: IO[A]): Mono[A] = {
-      Mono.fromFuture(new CompletableFuture[A]().tap { cf =>
-        io.unsafeRunAsync {
-          case Right(value) => cf.complete(value)
-          case Left(error) => cf.completeExceptionally(error)
-        }
-      })
-    }
-  }
+  import AsyncUtils.ioToMono
 
   private def fromIO [T](
     cb: () => IO[T],
   ): Mono[T] = cb()
 
+  /**
+   * Used by controller endpoints where authentication is not required.  If the user is authenticated, the authentication
+   * will be made available in the Ctx object.  Also handles the conversion from IO[T] to Mono[T].
+   * @param cb
+   * @tparam T
+   * @return
+   */
   def maybeAuth[T](
     cb: Ctx => IO[T]
   ): Mono[T] = {
@@ -48,6 +45,13 @@ class ControllerHelper(
       .flatMap(auth => cb(Ctx(auth)))
   }
 
+  /**
+   * Used by controller endpoints where authentication is required.
+   * Also handles the conversion from IO[T] to Mono[T].
+   * @param cb
+   * @tparam T
+   * @return
+   */
   def auth[T](
     cb: AuthCtx => IO[T]
   ): Mono[T] = {

src/main/scala/com/example/scalaspringexperiment/util/AsyncUtils.scala

@@ -0,0 +1,29 @@
+package com.example.scalaspringexperiment.util
+
+import cats.effect.IO
+import cats.effect.unsafe.IORuntime
+import reactor.core.publisher.Mono
+
+import java.util.concurrent.CompletableFuture
+import scala.util.chaining.*
+
+object AsyncUtils {
+
+  /**
+   * Convert an IO[A] to a Mono[A].  This implemntation should be efficient in the sense that while Mono is waiting for
+   * the IO to resolve, it will not block a thread.  The IO will be run on the provided IORuntime, and the Mono threadpool will be free
+   * to process other Mono tasks while it waits.
+   */
+  given ioToMono[A]()(
+    using runtime: IORuntime
+  ): Conversion[IO[A], Mono[A]] with {
+    def apply(io: IO[A]): Mono[A] = {
+      Mono.fromFuture(new CompletableFuture[A]().tap { cf =>
+        io.unsafeRunAsync {
+          case Right(value) => cf.complete(value)
+          case Left(error) => cf.completeExceptionally(error)
+        }
+      })
+    }
+  }
+}