Add custom JWT error messages for authentication failures

[JinnJarBurger]

Fixes #22

Description

A custom AuthenticationEntryPoint has been implemented named JwtAuthenticationEntryPoint which intercepts any JWT Exceptions from the SecurityFilterChain and sets up the ProblemDetails accordingly wrapped inside the ErrorRes Object . The response content type has been set to "application/json" for increased readability.

Screenshots

[deepsource-io]

Here's the code health analysis summary for commits d44ca98..23b6b26. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
Java	✅ Success		View Check ↗
Test coverage	⚠️ Artifact not reported	Timed out: Artifact was never reported	View Check ↗
Docker	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[JinnJarBurger]

Hello @nmarulo, please check this PR also I have some queries:

• The security filter chain allows all the request to be accessed without any authentication.
• Are you planning on opening up the "/api/auth/**" open to everyone and then make the rest of the URL authenticated?
• If so should this PR address this or is this going to be handled later on?

Also please let me know if everything's alright. Thanks!

[nmarulo]

Thank you for the PR 😄.

When I finish reviewing it, I may comment on something else.

[nmarulo]

Hello @nmarulo, please check this PR also I have some queries:

• The security filter chain allows all the request to be accessed without any authentication.

If this is correct, I want to be able to test the application without logging in or registering.

• Are you planning on opening up the "/api/auth/**" open to everyone and then make the rest of the URL authenticated?

Yes, the idea is that if you want a private list, you will have to register and log in.

• If so should this PR address this or is this going to be handled later on?

No, I just want if the token fails to return a custom message in the response body.

[JinnJarBurger]

Also I forgot to mention to be able to test if the authentication handling is correct or not we can customize the SpringFilterChain accordingly:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.securityMatcher(appProperties.getPathPrefix() + "/**")
            .authorizeHttpRequests(authorize -> {
                authorize.requestMatchers(appProperties.getPathPrefix() + "/auth/**")
                         .permitAll()
                         .anyRequest()
                         .authenticated();
            })
            .httpBasic(AbstractHttpConfigurer::disable)
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(configOAuth2())
            .cors(value -> value.configurationSource(corsConfigurationSource()));
        
        return http.build();
    }

This way we can get the bearer token after logging in then access all the other endpoints with the valid bearer token. If the bearer token is invalid (manipulation) or expired, the response body should output a custom error message with all the necessary details accordingly. Thanks!

[nmarulo]

@JinnJarBurger Thanks 👍

[JinnJarBurger]

@JinnJarBurger Thanks 👍

Anytime! 😃