ivfrost/hydro-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor: first iteration of modular and dockerized approach

Browse Source
This commit is contained in:
ivfrost
2026-01-24 15:14:16 +01:00
parent 43e55f9f18
commit 938877d852
147 changed files with 4103 additions and 3044 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.gitignore vendored
View File

@@ -1,4 +1,4 @@
HELP.md
JOURNAL.md
target/
.mvn/wrapper/maven-wrapper.jar
!**/src/main/**/target/
@@ -32,3 +32,23 @@ build/
### VS Code ###
.vscode/
hydro-backend.tar
### Keys ###
*.jks
*.key
*.pub
*.pem
*.p12
*.der
### Dev database files ###
*.mv.db
*.trace.db
### Env files ###
.env
.env.test
.env.production
.env.development
.env.local

51
Dockerfile Normal file
View File

@@ -0,0 +1,51 @@
# syntax=docker/dockerfile:1
FROM eclipse-temurin:21-jdk-jammy AS deps
WORKDIR /build
COPY --chmod=0755 mvnw mvnw
COPY .mvn .mvn
COPY pom.xml .
RUN --mount=type=cache,target=/root/.m2 ./mvnw dependency:go-offline -DskipTests
# Compile and package the application
FROM deps AS package
WORKDIR /build
ARG CACHEBUST
COPY src src
RUN --mount=type=cache,target=/root/.m2 ./mvnw package -DskipTests && \
mv target/$(./mvnw help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-\
$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout).jar target/app.jar
# Extract layers from the packaged jar
FROM package AS extract
WORKDIR /build
RUN java -Djarmode=layertools -jar target/app.jar extract --destination target/extracted
# DEVELOPMENT: Use the JDK and enable remote debugging.
FROM extract AS development
WORKDIR /build
RUN cp -r /build/target/extracted/dependencies/ ./
RUN cp -r /build/target/extracted/spring-boot-loader/ ./
RUN cp -r /build/target/extracted/snapshot-dependencies/ ./
RUN cp -r /build/target/extracted/application/ ./
ENV JAVA_TOOL_OPTIONS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000
CMD ["java", "-Dspring.profiles.active=default", "org.springframework.boot.loader.launch.JarLauncher"]
# PRODUCTION: Use the JRE and a non-root user.
FROM eclipse-temurin:21-jre-jammy AS production
ARG UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
appuser
USER appuser
COPY --from=extract /build/target/extracted/dependencies/ ./
COPY --from=extract /build/target/extracted/spring-boot-loader/ ./
COPY --from=extract /build/target/extracted/snapshot-dependencies/ ./
COPY --from=extract /build/target/extracted/application/ ./
ENTRYPOINT ["java", "org.springframework.boot.loader.launch.JarLauncher"]

5
build-dockerized.sh
View File

@@ -1,5 +0,0 @@
#!/bin/bash
export $(grep -v '^#' ./src/main/resources/.env | xargs)
# Build the Docker image
# to skip tests: -Dmaven.test.skip
./mvnw spring-boot:build-image

13
deploy-image.sh
View File

@@ -1,13 +0,0 @@
#!/bin/bash
# Get the latest hydro-backend image tag
IMAGE_TAG=$(docker images --format '{{.Repository}}:{{.Tag}} {{.CreatedAt}}' | grep '^hydro-backend:' | sort -k2 -r | head -n1 | awk '{print $1}')
# Save the Docker image to a tar file
docker save "$IMAGE_TAG" > /tmp/hydro-backend.tar
# Copy the tar file to the remote server
scp /tmp/hydro-backend.tar admin@netoasis.app:/home/admin/hydro-backend.tar
# SSH into the remote server and execute commands with a pseudo-terminal
ssh -t admin@netoasis.app "docker load -i /home/admin/hydro-backend.tar && cd /home/admin/ && docker-compose up"

76
docker-compose.yml Normal file
View File

@@ -0,0 +1,76 @@
services:
api:
build:
context: .
args:
CACHEBUST: $(date +%s)
ports:
- "8080:8080"
environment:
SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/postgres
SPRING_DATA_REDIS_HOST: redis
VAULT_URI: ${VAULT_URI}
VAULT_ROLE_ID: ${VAULT_ROLE_ID}
VAULT_SECRET_ID: ${VAULT_SECRET_ID}
JWT_REFRESH_EXPIRATION_MS: 2592000000
JWT_ACCESS_EXPIRATION_MS: 900000
MQTT_JWT_PRIVATE_KEY_PATH: /app/private_key.der
SPRING_PROFILES_ACTIVE: dev
SERVER_PORT: 8080
volumes:
- ./private_key.der:/app/private_key.der:ro,z
depends_on:
- postgres
- mosquitto
- redis
networks:
- hydro-network
postgres:
image: postgres:16
volumes:
- pgdata:/var/lib/postgresql/data
environment:
POSTGRES_USER: admin
POSTGRES_PASSWORD: supersecret
POSTGRES_DB: hydrodb
networks:
- hydro-network
redis:
image: redis:latest
restart: always
ports:
- '6379:6379'
command: redis-server --save 20 1 --loglevel warning --requirepass supersecret
volumes:
- cache:/data
networks:
- hydro-network
mosquitto:
build:
context: ./mosquitto
ports:
- "1883:1883"
networks:
- hydro-network
#
# rabbitmq:
# image: 'rabbitmq:latest'
# environment:
# - 'RABBITMQ_DEFAULT_PASS=supersecret'
# - 'RABBITMQ_DEFAULT_USER=myuser'
# ports:
# - '5672:5672'
#
volumes:
pgdata:
cache:
networks:
hydro-network:
driver: bridge

BIN
hydro-backend.tar
View File

Binary file not shown.

22
mosquitto/Dockerfile Normal file
View File

@@ -0,0 +1,22 @@
FROM eclipse-mosquitto:2.0
RUN apk add --no-cache \
rust \
cargo \
build-base \
openssl-dev \
mosquitto-dev \
git
RUN git clone https://github.com/wiomoc/mosquitto-jwt-auth.git /jwt-auth
WORKDIR /jwt-auth
RUN cargo build --release
RUN mkdir -p /usr/lib/mosquitto && \
cp target/release/libmosquitto_jwt_auth.so /usr/lib/mosquitto/
RUN apk del build-base git
COPY mosquitto.conf /mosquitto/config/mosquitto.conf
COPY public_key.pem /mosquitto/config/public_key.pem
RUN chown -R mosquitto:mosquitto /mosquitto/config

9
mosquitto/mosquitto.conf Normal file
View File

@@ -0,0 +1,9 @@
listener 1883
allow_anonymous false
auth_plugin /usr/lib/mosquitto/libmosquitto_jwt_auth.so
auth_opt_jwt_alg RS256
auth_opt_jwt_sec_file /mosquitto/config/public_key.pem
auth_opt_jwt_iss HydroAPI
auth_opt_jwt_validate_exp true
auth_opt_jwt_validate_sub_match_username false

4
mvnw vendored
View File

@@ -256,10 +256,10 @@ else
tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar"
fi
# Find the actual extracted directory name (handles snapshots where filename != directory name)
# Find the actual extracted directory friendlyName (handles snapshots where filename != directory friendlyName)
actualDistributionDir=""
# First try the expected directory name (for regular distributions)
# First try the expected directory friendlyName (for regular distributions)
if [ -d "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" ]; then
if [ -f "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/bin/$MVN_CMD" ]; then
actualDistributionDir="$distributionUrlNameMain"

400
pom.xml
View File

@@ -1,177 +1,229 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.5.5</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>dev.ivfrost</groupId>
<artifactId>hydro-backend</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>hydro-backend</name>
<description>Backend API for Hydro UI: user accounts, device linking, QR code verification</description>
<properties>
<java.version>17</java.version>
<spring-cloud.version>2025.0.0</spring-cloud.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<!-- Extra dependencies -->
<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.20.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-starter-openfeign -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-openfeign</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.38</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>6.5.3</version>
</dependency>
<!-- https://mvnrepository.com/artifact/jakarta.validation/jakarta.validation-api -->
<dependency>
<groupId>jakarta.validation</groupId>
<artifactId>jakarta.validation-api</artifactId>
<version>3.0.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-validation -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springdoc/springdoc-openapi-starter-webmvc-ui -->
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>2.8.9</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-mail</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-api -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.12.6</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.auth0/java-jwt -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>4.5.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.bucket4j/bucket4j_jdk17-core -->
<dependency>
<groupId>com.bucket4j</groupId>
<artifactId>bucket4j_jdk17-core</artifactId>
<version>8.15.0</version>
</dependency>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://maven.apache.org/POM/4.0.0"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<artifactId>hydro-api</artifactId>
<build>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<annotationProcessorPaths>
<path>
<artifactId>lombok</artifactId>
<groupId>org.projectlombok</groupId>
</path>
</annotationProcessorPaths>
</configuration>
<groupId>org.apache.maven.plugins</groupId>
</plugin>
<plugin>
<artifactId>native-maven-plugin</artifactId>
<groupId>org.graalvm.buildtools</groupId>
</plugin>
<plugin>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<artifactId>lombok</artifactId>
<groupId>org.projectlombok</groupId>
</exclude>
</excludes>
</configuration>
<groupId>org.springframework.boot</groupId>
</plugin>
<plugin>
<artifactId>springdoc-openapi-maven-plugin</artifactId>
<configuration>
<apiDocsUrl>http://localhost:8080/v3/api-docs</apiDocsUrl>
<outputDir>${project.build.directory}</outputDir>
<outputFileName>openapi.json</outputFileName>
</configuration>
<executions>
<execution>
<goals>
<goal>generate</goal>
</goals>
<id>integration-test</id>
</execution>
</executions>
<groupId>org.springdoc</groupId>
<version>1.5</version>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>spring-boot-starter-security</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>spring-boot-starter-webmvc</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>spring-cloud-starter-vault-config</artifactId>
<groupId>org.springframework.cloud</groupId>
</dependency>
<dependency>
<artifactId>spring-modulith-starter-core</artifactId>
<groupId>org.springframework.modulith</groupId>
</dependency>
<dependency>
<artifactId>spring-modulith-starter-jdbc</artifactId>
<groupId>org.springframework.modulith</groupId>
</dependency>
<dependency>
<artifactId>spring-modulith-starter-test</artifactId>
<groupId>org.springframework.modulith</groupId>
<scope>test</scope>
</dependency>
<dependency>
<artifactId>postgresql</artifactId>
<groupId>org.postgresql</groupId>
<scope>runtime</scope>
</dependency>
<dependency>
<artifactId>lombok</artifactId>
<groupId>org.projectlombok</groupId>
<optional>true</optional>
</dependency>
<dependency>
<artifactId>spring-boot-starter-security-test</artifactId>
<groupId>org.springframework.boot</groupId>
<scope>test</scope>
</dependency>
<dependency>
<artifactId>spring-boot-starter-webmvc-test</artifactId>
<groupId>org.springframework.boot</groupId>
<scope>test</scope>
</dependency>
<dependency>
<artifactId>spring-modulith-starter-test</artifactId>
<groupId>org.springframework.modulith</groupId>
<scope>test</scope>
</dependency>
<dependency>
<artifactId>spring-modulith-events-amqp</artifactId>
<groupId>org.springframework.modulith</groupId>
</dependency>
<dependency>
<artifactId>rest-assured</artifactId>
<groupId>io.rest-assured</groupId>
<scope>test</scope>
<version>6.0.0</version>
</dependency>
<dependency>
<artifactId>hamcrest</artifactId>
<groupId>org.hamcrest</groupId>
<scope>test</scope>
<version>3.0</version>
</dependency>
<dependency>
<artifactId>jackson-core</artifactId>
<groupId>com.fasterxml.jackson.core</groupId>
<version>2.20.0</version>
</dependency>
<dependency>
<artifactId>spring-boot-starter-validation</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>java-jwt</artifactId>
<groupId>com.auth0</groupId>
<scope>compile</scope>
<version>4.5.0</version>
</dependency>
<dependency>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<groupId>org.springdoc</groupId>
<scope>compile</scope>
<version>3.0.1</version>
</dependency>
<dependency>
<artifactId>swagger-annotations</artifactId>
<groupId>io.swagger.core.v3</groupId>
<scope>compile</scope>
<version>2.2.41</version>
</dependency>
<dependency>
<artifactId>spring-boot-starter-data-redis</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>spring-boot-starter-cache</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>spring-boot-starter-amqp</artifactId>
<groupId>org.springframework.boot</groupId>
</dependency>
<dependency>
<artifactId>spring-rabbit-test</artifactId>
<groupId>org.springframework.amqp</groupId>
<scope>test</scope>
</dependency>
<dependency>
<artifactId>h2</artifactId>
<groupId>com.h2database</groupId>
<scope>runtime</scope>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<artifactId>spring-cloud-dependencies</artifactId>
<groupId>org.springframework.cloud</groupId>
<scope>import</scope>
<type>pom</type>
<version>${spring-cloud.version}</version>
</dependency>
<dependency>
<artifactId>spring-modulith-bom</artifactId>
<groupId>org.springframework.modulith</groupId>
<scope>import</scope>
<type>pom</type>
<version>${spring-modulith.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
<description>Hydro API</description>
<developers>
<developer/>
</developers>
<groupId>dev.ivfrost</groupId>
<licenses>
<license/>
</licenses>
<modelVersion>4.0.0</modelVersion>
<name>hydro-api</name>
<parent>
<artifactId>spring-boot-starter-parent</artifactId>
<groupId>org.springframework.boot</groupId>
<relativePath/>
<version>4.0.1</version> <!-- lookup parent from repository -->
</parent>
<properties>
<java.version>21</java.version>
<spring-cloud.version>2025.1.0</spring-cloud.version>
<spring-modulith.version>2.0.1</spring-modulith.version>
</properties>
<scm>
<connection/>
<developerConnection/>
<tag/>
<url/>
</scm>
<url/>
<version>0.0.1-SNAPSHOT</version>
<dependency>
<groupId>com.vladmihalcea</groupId>
<artifactId>hibernate-types-60</artifactId>
<version>2.21.1</version>
</dependency>
<dependency>
<groupId>org.hibernate.orm</groupId>
<artifactId>hibernate-core</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.graalvm.buildtools</groupId>
<artifactId>native-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.11.0</version>
<configuration>
<annotationProcessorPaths>
<path>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.38</version>
</path>
</annotationProcessorPaths>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>native</id>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<image>
<builder>paketobuildpacks/builder-jammy-buildpackless-tiny</builder>
<buildpacks>
<buildpack>paketobuildpacks/oracle</buildpack>
<buildpack>paketobuildpacks/java-native-image</buildpack>
</buildpacks>
</image>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>

0
build-dockerized-native.sh → scripts/build-dockerized-native.sh
View File

5
scripts/build-dockerized.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/bash
export $(grep -v '^#' .env | xargs)
# Build the Docker image
# to skip tests: -Dmaven.test.skip
./mvnw spring-boot:build-image

20
scripts/deploy-image.sh Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
# Build docker image
./mvnw spring-boot:build-image -Dmaven.test.skip
# Get the latest hydro-backend image tag
IMAGE_TAG=$(docker images --format '{{.Repository}}:{{.Tag}} {{.CreatedAt}}' | grep '^hydro-api:' | sort -k2 -r | head -n1 | awk '{print $1}')
IMAGE_PATH="/tmp/hydro-api.tar"
PRODUCTION_HOST="root@192.168.1.214"
PRODUCTION_PATH="/srv/hydro/"
PRODUCTION_IMAGE_PATH="/srv/hydro/hydro-api.tar"
# Save the Docker image to a tar file
docker save "$IMAGE_TAG" > $IMAGE_PATH
# Copy the tar file to the remote server
scp $IMAGE_PATH "$PRODUCTION_HOST:$PRODUCTION_PATH"
# SSH into the remote server and execute commands with a pseudo-terminal
ssh -t $PRODUCTION_HOST "docker load -i $PRODUCTION_IMAGE_PATH && cd $PRODUCTION_PATH && docker compose up"

67
src/main/java/dev/ivfrost/hydro_backend/ApiResponse.java Normal file
View File

@@ -0,0 +1,67 @@
package dev.ivfrost.hydro_backend;
import java.time.LocalDateTime;
import org.springframework.http.HttpStatus;
public record ApiResponse<T>(LocalDateTime timestamp, int status, String error, String message,
T details) {
public static <T> ApiResponse<T> success(HttpStatus status, String message) {
return new ApiResponse<>(
LocalDateTime.now(),
status.value(),
null,
message,
null
);
}
public static <T> ApiResponse<T> success(HttpStatus status, String message, T details) {
return new ApiResponse<>(
LocalDateTime.now(),
status.value(),
null,
message,
details
);
}
public static <T> ApiResponse<T> error(HttpStatus status, String message) {
return new ApiResponse<>(
LocalDateTime.now(),
status.value(),
status.getReasonPhrase(),
message,
null
);
}
public static <T> ApiResponse<T> error(HttpStatus status, String message, T details) {
return new ApiResponse<>(
LocalDateTime.now(),
status.value(),
status.getReasonPhrase(),
message,
details
);
}
public String toJson() {
return String.format(
"""
{
"timestamp": "%s",
"status": %d,
"error": "%s",
"message": "%s",
"details": "%s"
}
""",
timestamp,
status,
error,
message,
details != null ? details.toString() : "null"
);
}
}

14
src/main/java/dev/ivfrost/hydro_backend/HydroBackendApplication.java → src/main/java/dev/ivfrost/hydro_backend/HydroApiApplication.java
View File

@@ -3,16 +3,16 @@ package dev.ivfrost.hydro_backend;
import dev.ivfrost.hydro_backend.config.MyRuntimeHints;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.openfeign.EnableFeignClients;
import org.springframework.cache.annotation.EnableCaching;
import org.springframework.context.annotation.ImportRuntimeHints;
@SpringBootApplication
@EnableFeignClients
@EnableCaching
@ImportRuntimeHints(MyRuntimeHints.class)
public class HydroBackendApplication {
public class HydroApiApplication {
public static void main(String[] args) {
SpringApplication.run(HydroApiApplication.class, args);
}
public static void main(String[] args) {
SpringApplication.run(HydroBackendApplication.class, args);
}
}

31
src/main/java/dev/ivfrost/hydro_backend/config/AmqpConfig.java Normal file
View File

@@ -0,0 +1,31 @@
package dev.ivfrost.hydro_backend.config;
import org.springframework.amqp.core.Binding;
import org.springframework.amqp.core.BindingBuilder;
import org.springframework.amqp.core.Exchange;
import org.springframework.amqp.core.ExchangeBuilder;
import org.springframework.amqp.core.Queue;
import org.springframework.amqp.core.QueueBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class AmqpConfig {
public static final String HYDRO_Q = "hydro_q";
@Bean
Exchange exchange() {
return ExchangeBuilder.directExchange(HYDRO_Q).build();
}
@Bean
Queue queue() {
return QueueBuilder.durable(HYDRO_Q).build();
}
@Bean
Binding binding(Queue queue, Exchange exchange) {
return BindingBuilder.bind(queue).to(exchange).with(HYDRO_Q).noargs();
}
}

50
src/main/java/dev/ivfrost/hydro_backend/config/AuthRequestCountFilter.java Normal file
View File

@@ -0,0 +1,50 @@
package dev.ivfrost.hydro_backend.config;
import dev.ivfrost.hydro_backend.devices.DeviceLoadEvent;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.jspecify.annotations.NonNull;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
@RequiredArgsConstructor
@Slf4j
public class AuthRequestCountFilter extends OncePerRequestFilter {
private final ApplicationEventPublisher events;
private int count = 0;
@Override
protected void doFilterInternal(@NonNull HttpServletRequest request,
@NonNull HttpServletResponse response, @NonNull FilterChain filterChain)
throws ServletException, IOException {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
log.trace("No authentication found in security context.");
} else if (authentication.isAuthenticated()) {
count++;
log.trace("Authenticated request count: {} (principal={})", count, authentication.getName());
// Publish only when we have a numeric user id as principal
String principalName = authentication.getName();
if (principalName != null) {
try {
long userId = Long.parseLong(principalName);
if (count == 1) {
events.publishEvent(new DeviceLoadEvent(userId));
}
} catch (NumberFormatException ex) {
log.debug("Skipping DeviceLoadEvent: principal '{}' is not a numeric user id.",
principalName);
}
}
}
filterChain.doFilter(request, response);
}
}

49
src/main/java/dev/ivfrost/hydro_backend/config/EndpointRegistry.java Normal file
View File

@@ -0,0 +1,49 @@
package dev.ivfrost.hydro_backend.config;
import java.util.List;
import java.util.stream.Stream;
import org.springframework.util.AntPathMatcher;
public class EndpointRegistry {
static final List<String> APP_PUBLIC = List.of(
"/v1/users",
"/v1/users/auth",
"/v1/users/recover",
"/v1/users/password/reset",
"/v1/validation/**",
"/v1/health"
);
static final List<String> SWAGGER = List.of(
"/v3/api-docs",
"/v3/api-docs/**",
"/swagger-ui.html",
"/swagger-ui/**"
);
static final List<String> APP_AUTHENTICATED = List.of(
"/v1/users/**",
"/v1/me/**",
"/v1/users/auth/refresh"
);
static final List<String> H2_CONSOLE = List.of(
"/h2-console/**",
"/h2-console"
);
private static final AntPathMatcher pathMatcher = new AntPathMatcher();
private static final List<String> PUBLIC_ENDPOINTS;
static {
PUBLIC_ENDPOINTS = Stream.of(APP_PUBLIC, SWAGGER, H2_CONSOLE)
.flatMap(List::stream)
.toList();
}
private EndpointRegistry() {
}
public static boolean isPublicEndpoint(String path) {
return PUBLIC_ENDPOINTS.stream().anyMatch(pattern -> pathMatcher.match(pattern, path));
}
}

147
src/main/java/dev/ivfrost/hydro_backend/config/GlobalExceptionHandler.java Normal file
View File

@@ -0,0 +1,147 @@
package dev.ivfrost.hydro_backend.config;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import dev.ivfrost.hydro_backend.ApiResponse;
import dev.ivfrost.hydro_backend.exception.DeviceFetchException;
import dev.ivfrost.hydro_backend.exception.DeviceLinkException;
import dev.ivfrost.hydro_backend.exception.DeviceNotFoundException;
import dev.ivfrost.hydro_backend.exception.DuplicateMacAddressException;
import dev.ivfrost.hydro_backend.exception.ExpiredVerificationToken;
import dev.ivfrost.hydro_backend.exception.RecoveryTokenMismatchException;
import dev.ivfrost.hydro_backend.exception.RecoveryTokenNotFoundException;
import dev.ivfrost.hydro_backend.exception.TokenNotFoundException;
import dev.ivfrost.hydro_backend.exception.UserDisabledException;
import dev.ivfrost.hydro_backend.exception.UserNotAuthenticatedException;
import dev.ivfrost.hydro_backend.exception.UsernameTakenException;
import java.util.HashMap;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(UserDisabledException.class)
public ResponseEntity<ApiResponse<Void>> handleUserDisabledException(
UserDisabledException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(ApiResponse.error(HttpStatus.UNAUTHORIZED, ex.getMessage()));
}
@ExceptionHandler(AuthenticationCredentialsNotFoundException.class)
public ResponseEntity<ApiResponse<Void>> handleUserNotFoundException(
AuthenticationCredentialsNotFoundException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(ApiResponse.error(HttpStatus.UNAUTHORIZED, ex.getMessage()));
}
@ExceptionHandler(BadCredentialsException.class)
public ResponseEntity<ApiResponse<Void>> handleBadCredentialsException(
BadCredentialsException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(ApiResponse.error(HttpStatus.UNAUTHORIZED, ex.getMessage()));
}
@ExceptionHandler(UserNotAuthenticatedException.class)
public ResponseEntity<ApiResponse<Void>> handleUserNotAuthenticatedException(
UserNotAuthenticatedException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(ApiResponse.error(HttpStatus.UNAUTHORIZED, ex.getMessage()));
}
@ExceptionHandler(UsernameTakenException.class)
public ResponseEntity<ApiResponse<Void>> handleUsernameTakenException(
UsernameTakenException ex) {
return ResponseEntity.status(HttpStatus.CONFLICT)
.body(ApiResponse.error(HttpStatus.CONFLICT, ex.getMessage()));
}
@ExceptionHandler(TokenNotFoundException.class)
public ResponseEntity<ApiResponse<Void>> handleTokenNotFoundException(
TokenNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(ApiResponse.error(HttpStatus.NOT_FOUND, ex.getMessage()));
}
@ExceptionHandler(ExpiredVerificationToken.class)
public ResponseEntity<ApiResponse<Void>> handleExpiredVerificationToken(
ExpiredVerificationToken ex) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(ApiResponse.error(HttpStatus.BAD_REQUEST, ex.getMessage()));
}
@ExceptionHandler(JWTCreationException.class)
public ResponseEntity<ApiResponse<Void>> handleJWTCreationException(
JWTCreationException ex) {
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
.body(ApiResponse.error(HttpStatus.INTERNAL_SERVER_ERROR, ex.getMessage()));
}
@ExceptionHandler(JWTVerificationException.class)
public ResponseEntity<ApiResponse<Void>> handleJWTVerificationException(
JWTVerificationException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(ApiResponse.error(HttpStatus.UNAUTHORIZED, ex.getMessage()));
}
@ExceptionHandler(DeviceNotFoundException.class)
public ResponseEntity<ApiResponse<Void>> handleDeviceNotFoundException(
DeviceNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(ApiResponse.error(HttpStatus.NOT_FOUND, ex.getMessage()));
}
@ExceptionHandler(DeviceLinkException.class)
public ResponseEntity<ApiResponse<Void>> handleDeviceLinkException(
DeviceLinkException ex) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(ApiResponse.error(HttpStatus.BAD_REQUEST, ex.getMessage()));
}
@ExceptionHandler(DeviceFetchException.class)
public ResponseEntity<ApiResponse<Void>> handleDeviceFetchException(
DeviceFetchException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(ApiResponse.error(HttpStatus.NOT_FOUND, ex.getMessage()));
}
@ExceptionHandler(MethodArgumentNotValidException.class)
public ResponseEntity<ApiResponse<Map<String, String>>> handleValidationException(
MethodArgumentNotValidException ex) {
Map<String, String> errors = new HashMap<>();
ex.getBindingResult()
.getFieldErrors()
.forEach(error -> errors.put(error.getField(), error.getDefaultMessage()));
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(
ApiResponse.error(HttpStatus.BAD_REQUEST, "Validation failed for one or more fields.",
errors));
}
@ExceptionHandler(RecoveryTokenNotFoundException.class)
public ResponseEntity<ApiResponse<Void>> handleRecoveryCodeNotFoundException(
RecoveryTokenNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(ApiResponse.error(HttpStatus.NOT_FOUND, ex.getMessage()));
}
@ExceptionHandler(RecoveryTokenMismatchException.class)
public ResponseEntity<ApiResponse<Void>> handleRecoveryCodeMismatchException(
RecoveryTokenMismatchException ex) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(ApiResponse.error(HttpStatus.BAD_REQUEST, ex.getMessage()));
}
@ExceptionHandler(DuplicateMacAddressException.class)
public ResponseEntity<ApiResponse<Void>> handleDuplicateMacAddressException(
DuplicateMacAddressException ex) {
return ResponseEntity.status(HttpStatus.CONFLICT)
.body(ApiResponse.error(HttpStatus.CONFLICT, ex.getMessage()));
}
}

134
src/main/java/dev/ivfrost/hydro_backend/config/JWTFilter.java Normal file
View File

@@ -0,0 +1,134 @@
package dev.ivfrost.hydro_backend.config;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import dev.ivfrost.hydro_backend.ApiResponse;
import dev.ivfrost.hydro_backend.tokens.JWTUtil;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.jspecify.annotations.NonNull;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
@Slf4j
@AllArgsConstructor
@Component
public class JWTFilter extends OncePerRequestFilter {
private final UserDetailsService userDetailsService;
private final JWTUtil jwtUtil;
private final ApplicationEventPublisher events;
@Override
protected void doFilterInternal(HttpServletRequest request,
@NonNull HttpServletResponse response,
@NonNull FilterChain filterChain)
throws ServletException, IOException {
String path = request.getRequestURI();
log.trace("JWTFilter processing path: {}", path);
// Bypass filter for authentication and validation endpoints
if (EndpointRegistry.isPublicEndpoint(path)) {
log.debug("Bypassing JWTFilter for public path: {}", path);
filterChain.doFilter(request, response);
return;
}
// Extract Authorization header
String authHeader = request.getHeader("Authorization");
log.trace("Authorization header: {}", authHeader);
// Check for Bearer token
if (authHeader != null && !authHeader.isBlank() && authHeader.startsWith("Bearer ")) {
// Extract JWT token
String jwt = authHeader.substring(7);
log.trace("Extracted JWT token (trimmed length = {}): {}", jwt.length(),
jwt.isBlank() ? "<blank>" : "<present>");
if (jwt.isBlank()) {
log.warn("JWT is blank or null");
response.sendError(HttpServletResponse.SC_BAD_REQUEST,
"Invalid JWT Token in Bearer Header");
return;
}
try {
// Validate token and retrieve claims
Map<String, Claim> claims = jwtUtil.validateTokenAndRetrieveClaims(jwt);
if (claims == null) {
log.warn("JWT contains no claims");
throw new JWTVerificationException("No claims present");
}
log.trace("JWT claims keys: {}", claims.keySet());
String username = claims.get("username").asString();
if (username == null || username.isBlank()) {
log.warn("JWT contains no username/subject");
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid JWT Token");
return;
}
String role = claims.get("role") != null ? claims.get("role").asString() : null;
log.trace("JWT username: {}, role: {}", username, role);
// Load User Details
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
log.trace("Loaded userDetails for {}. Authorities: {}", username,
userDetails.getAuthorities());
// If the user is disabled (soft-deleted or inactive), deny access now
if (!userDetails.isEnabled()) {
log.info("Rejected authentication for disabled/deleted user: {}", username);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "User account is disabled");
return;
}
// Update user's last online timestamp
// events.publishEvent(new UserUpdateLastOnlineEvent(username));
// Use authorities from userDetails (database), not JWT
UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
userDetails,
null, userDetails.getAuthorities());
// Set authentication in security context
if (SecurityContextHolder.getContext().getAuthentication() == null) {
SecurityContextHolder.getContext().setAuthentication(authToken);
log.debug("Authentication set in security context for user: {}", username);
} else {
log.debug("Authentication already present in security context for user: {}", username);
}
} catch (JWTVerificationException e) {
log.warn("JWT verification failed: {}", e.getMessage());
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.setContentType("application/json");
PrintWriter out = response.getWriter();
out.print(ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(
ApiResponse.error(HttpStatus.UNAUTHORIZED, "Invalid or expired JWT token").toJson())
.getBody());
out.flush();
return;
} catch (Exception e) {
log.error("Unexpected error in JWTFilter", e);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
return;
}
} else {
log.trace("No Bearer token found in Authorization header");
}
filterChain.doFilter(request, response);
}
}

76
src/main/java/dev/ivfrost/hydro_backend/config/MyRuntimeHints.java
View File

@@ -1,51 +1,47 @@
package dev.ivfrost.hydro_backend.config;
import dev.ivfrost.hydro_backend.entity.User;
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import dev.ivfrost.hydro_backend.dto.UserRegisterRequest;
import dev.ivfrost.hydro_backend.dto.UserLoginRequest;
import dev.ivfrost.hydro_backend.dto.DeviceLinkRequest;
import dev.ivfrost.hydro_backend.dto.DeviceProvisionRequest;
import dev.ivfrost.hydro_backend.devices.DeviceLinkRequest;
import dev.ivfrost.hydro_backend.devices.DeviceProvisionRequest;
import dev.ivfrost.hydro_backend.users.UserLoginRequest;
import dev.ivfrost.hydro_backend.users.UserRegisterRequest;
import dev.ivfrost.hydro_backend.users.internal.User;
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
import org.springframework.aot.hint.TypeReference;
// Specify to Spring AOT that these classes will be need to be accessed via reflection
public class MyRuntimeHints implements RuntimeHintsRegistrar {
@Override
public void registerHints(org.springframework.aot.hint.RuntimeHints hints, ClassLoader classLoader) {
hints.reflection().registerType(JsonNode.class);
hints.reflection().registerType(ObjectMapper.class);
hints.reflection().registerType(
TypeReference.of("org.springframework.core.annotation.TypeMappedAnnotation[]"),
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS
);
// Register DTOs for reflection
hints.reflection().registerType(DeviceLinkRequest.class,
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS,
MemberCategory.DECLARED_FIELDS);
hints.reflection().registerType(DeviceProvisionRequest.class,
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS,
MemberCategory.DECLARED_FIELDS);
hints.reflection().registerType(UserRegisterRequest.class,
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS,
MemberCategory.DECLARED_FIELDS);
hints.reflection().registerType(UserLoginRequest.class,
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS,
MemberCategory.DECLARED_FIELDS);
@Override
public void registerHints(org.springframework.aot.hint.RuntimeHints hints,
ClassLoader classLoader) {
hints.reflection().registerType(JsonNode.class);
hints.reflection().registerType(ObjectMapper.class);
hints.reflection()
.registerType(
TypeReference.of("org.springframework.core.annotation.TypeMappedAnnotation[]"),
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS);
// Register DTOs for reflection
hints.reflection()
.registerType(DeviceLinkRequest.class, MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.DECLARED_FIELDS);
hints.reflection()
.registerType(DeviceProvisionRequest.class, MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.DECLARED_FIELDS);
hints.reflection()
.registerType(UserRegisterRequest.class, MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.DECLARED_FIELDS);
hints.reflection()
.registerType(UserLoginRequest.class, MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.DECLARED_FIELDS);
// Validation of individual entity fields with reflection
hints.reflection()
.registerType(User.class, MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.DECLARED_FIELDS);
}
// Validation of individual entity fields with reflection
hints.reflection().registerType(
User.class,
MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
MemberCategory.INVOKE_DECLARED_METHODS,
MemberCategory.DECLARED_FIELDS
);
}
}

18
src/main/java/dev/ivfrost/hydro_backend/config/OpenApiConfig.java
View File

@@ -5,23 +5,17 @@ import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.info.Info;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
import io.swagger.v3.oas.annotations.servers.Server;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
@Configuration
@OpenAPIDefinition(
info = @Info(title = "Hydro Backend API", version = "v1"),
security = @SecurityRequirement(name = "bearerAuth"),
servers = {@Server(url = "${server.servlet.context-path}", description = "Default Server URL")}
)
@SecurityScheme(
name = "bearerAuth",
type = SecuritySchemeType.HTTP,
scheme = "bearer",
bearerFormat = "JWT"
info = @Info(title = "Hydro API",
version = "v1"),
security = @SecurityRequirement(name = "bearerAuth")
)
@SecurityScheme(name = "bearerAuth", type = SecuritySchemeType.HTTP, scheme = "bearer", bearerFormat = "JWT")
@EnableMethodSecurity(prePostEnabled = true)
public class OpenApiConfig {
}
}

17
src/main/java/dev/ivfrost/hydro_backend/config/RateLimitConfig.java
View File

@@ -1,17 +0,0 @@
package dev.ivfrost.hydro_backend.config;
import io.github.bucket4j.Bucket;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
@Configuration
public class RateLimitConfig {
@Bean
public ConcurrentMap<String, Bucket> buckets() {
return new ConcurrentHashMap<>();
}
}

196
src/main/java/dev/ivfrost/hydro_backend/config/SecurityConfig.java
View File

@@ -1,128 +1,94 @@
package dev.ivfrost.hydro_backend.config;
import dev.ivfrost.hydro_backend.security.JWTFilter;
import dev.ivfrost.hydro_backend.service.MyUserDetailsService;
import jakarta.servlet.http.HttpServletResponse;
import lombok.AllArgsConstructor;
import lombok.NonNull;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import static org.springframework.security.config.Customizer.withDefaults;
@AllArgsConstructor
import dev.ivfrost.hydro_backend.users.MyUserDetailsService;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.List;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Slf4j
@Configuration
@AllArgsConstructor
@EnableWebSecurity
public class SecurityConfig {
private final MyUserDetailsService userDetailsService;
private final JWTFilter jwtFilter;
private final String[] allowedOrigins = {
"https://netoasis.app",
"87.223.194.213",
"http://localhost:5173"
};
private final MyUserDetailsService userDetailsService;
private final JWTFilter jwtFilter;
@Value("${cors.allowed-origins}")
private String[] allowedOrigins;
@Bean
public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
System.out.println("Configuring security filter chain");
http
.csrf(AbstractHttpConfigurer::disable)
.httpBasic(AbstractHttpConfigurer::disable)
.cors(withDefaults())
.addFilterBefore(this.jwtFilter, UsernamePasswordAuthenticationFilter.class)
.authorizeHttpRequests(req -> req
.requestMatchers(
"/docs/",
"/docs/**",
"/v1/api/**",
"/v2/api-docs",
"/v3/api-docs",
"/v3/api-docs/**",
"/swagger-resources",
"/swagger-resources/**",
"/configuration/ui",
"/configuration/security",
"/swagger-ui/**",
"/webjars/**",
"/swagger-ui.html",
"/v1/users",
"/v1/users/auth",
"/v1/users/password/reset",
"/v1/validation",
"/v1/validation/**",
"/v1/health"
).permitAll()
.requestMatchers(
"/v1/me/**",
"/v1/users/**",
"/v1/devices/**"
).hasAnyRole("USER", "ADMIN")
.anyRequest().authenticated()
)
.userDetailsService(this.userDetailsService)
.exceptionHandling(e -> e.authenticationEntryPoint((request, response, authException) ->
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized")))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
System.out.println("Security filter chain configured");
return http.build();
}
@Bean
public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
log.info("Configuring security filter chain...");
http.csrf(AbstractHttpConfigurer::disable)
.httpBasic(HttpBasicConfigurer::disable)
// Enable CORS
.cors(withDefaults())
// Disable frame options for H2 console in dev
.headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
// Run JWTFilter in place of UsernamePasswordAuthenticationFilter
// .addFilterBefore(authRequestCountFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
.authorizeHttpRequests(req -> req
.requestMatchers(EndpointRegistry.H2_CONSOLE.toArray(new String[0]))
.permitAll()
.requestMatchers(EndpointRegistry.SWAGGER.toArray(new String[0]))
.permitAll()
.requestMatchers(EndpointRegistry.APP_PUBLIC.toArray(new String[0]))
.permitAll()
.requestMatchers(EndpointRegistry.APP_AUTHENTICATED.toArray(new String[0]))
.hasAnyRole("USER", "ADMIN")
.anyRequest()
.authenticated())
.userDetailsService(this.userDetailsService)
.exceptionHandling(
e -> e.authenticationEntryPoint(
(request, response, authException) ->
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized")))
.sessionManagement(
session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
log.info("Security filter chain configured successfully.");
return http.build();
}
// Authentication manager bean to be used in AuthController
@Bean
public AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
// Conform to the best password encoding practices (bcrypt)
@Bean
PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
// Password encoder bean (BCrypt)
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
// Provide the CorsConfigurationSource bean referenced by http.cors(withDefaults()).
// Allow front-end to make requests to the API.
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList(allowedOrigins));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(List.of("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
// CORS configuration
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurer() {
@Override
public void addCorsMappings(@NonNull final CorsRegistry registry) {
registry.addMapping("/v1/validation")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/validation/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/api/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/users")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/users/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/me/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/devices/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
registry.addMapping("/v1/health")
.allowedOrigins(allowedOrigins)
.allowedMethods("*");
}
};
}
}

86
src/main/java/dev/ivfrost/hydro_backend/controller/AuthController.java
View File

@@ -1,86 +0,0 @@
package dev.ivfrost.hydro_backend.controller;
import dev.ivfrost.hydro_backend.dto.*;
import dev.ivfrost.hydro_backend.service.UserService;
import dev.ivfrost.hydro_backend.util.RateLimitUtils;
import io.github.bucket4j.Bucket;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.AllArgsConstructor;
import org.springdoc.webmvc.core.service.RequestService;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.Optional;
@Tag(name = "User Authentication", description = "API endpoints for user authentication")
@AllArgsConstructor
@RestController
@RequestMapping("/v1/")
public class AuthController {
private final UserService userService;
private final RateLimitUtils rateLimitUtils;
private final RequestService requestService;
//======= NON-AUTHENTICATED USERS ENDPOINTS =======//
// Data provision
@Operation(
summary = "Register a new user",
description = "Creates a new user account."
)
@PostMapping("/users")
public ResponseEntity<ApiResponse<UserRegisterResponse>> registerUser(
@Valid @RequestBody UserRegisterRequest userRegisterRequest, HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(5)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS, "Too many requests - rate limit exceeded", null));
}
UserRegisterResponse recoveryCodes = userService.addUser(userRegisterRequest);
return ResponseEntity
.status(HttpStatus.CREATED)
.body(ApiResponse.build(HttpStatus.CREATED, "User registered successfully", recoveryCodes));
}
@Operation(
summary = "Authenticate user",
description = "Authenticates a user and returns a JWT token."
)
@PostMapping("/users/auth")
public ResponseEntity<ApiResponse<AuthResponse>> authenticateUser(
@Valid @RequestBody UserLoginRequest userLoginRequest, HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(2)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS, "", null));
}
AuthResponse authResponse = userService.authenticateUser(userLoginRequest);
ApiResponse<AuthResponse> response = ApiResponse.build(HttpStatus.OK, "User authenticated successfully", authResponse);
return ResponseEntity.ok(response);
}
@Operation(
summary = "Refresh JWT token",
description = "Refreshes the JWT token for an authenticated user."
)
@PostMapping("/users/refresh")
public ResponseEntity<ApiResponse<AuthResponse>> refreshToken() {
AuthResponse authResponse = userService.refreshTokens();
ApiResponse<AuthResponse> response = ApiResponse.build(HttpStatus.OK, "Token refreshed successfully", authResponse);
return ResponseEntity.ok(response);
}
}

45
src/main/java/dev/ivfrost/hydro_backend/controller/DeviceAuthController.java
View File

@@ -1,45 +0,0 @@
package dev.ivfrost.hydro_backend.controller;
import dev.ivfrost.hydro_backend.dto.ApiResponse;
import dev.ivfrost.hydro_backend.dto.DeviceLinkRequest;
import dev.ivfrost.hydro_backend.dto.MqttCredentialsResponse;
import dev.ivfrost.hydro_backend.service.DeviceService;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.AllArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
@AllArgsConstructor
@Tag(name = "Device Authentication", description = "API endpoints for proving device ownership and getting credentials")
@RestController
@RequestMapping("/v1")
public class DeviceAuthController {
private final DeviceService deviceService;
@Operation(
summary = "Link device to authenticated user",
description = "Links a device to the currently authenticated user using the device's ownership hash."
)
@PostMapping("/me/devices/link")
public ResponseEntity<ApiResponse<Void>> linkDevice(@RequestParam String hash) {
deviceService.linkDevice(new DeviceLinkRequest(hash));
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Device linked to user successfully", null));
}
@Operation(
summary = "Get MQTT credentials",
description = "Retrieves MQTT credentials for the currently authenticated user."
)
@GetMapping("/me/devices/credentials")
public ResponseEntity<ApiResponse<MqttCredentialsResponse>> getMqttCredentials() {
MqttCredentialsResponse credentials = deviceService.getMqttCredentials();
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "MQTT credentials retrieved successfully", credentials));
}
}

149
src/main/java/dev/ivfrost/hydro_backend/controller/DeviceController.java
View File

@@ -1,149 +0,0 @@
package dev.ivfrost.hydro_backend.controller;
import dev.ivfrost.hydro_backend.dto.*;
import dev.ivfrost.hydro_backend.service.DeviceService;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import lombok.AllArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.List;
@Tag(name = "Device Management", description = "API endpoints for managing devices")
@AllArgsConstructor
@RestController
@RequestMapping("/v1")
public class DeviceController {
private final DeviceService deviceService;
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Link device to user by ID (Admin only)",
description = "Links a device to a specific user by their unique ID using the device's ownership hash. Access restricted to administrators."
)
@PostMapping("/users/{userId}/devices/link")
public ResponseEntity<ApiResponse<Void>> linkDeviceById(
@RequestBody @Valid DeviceLinkRequest linkDeviceRequest,
@PathVariable Long userId) {
deviceService.linkDevice(linkDeviceRequest, userId);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Device linked to user successfully", null));
}
@Operation(
summary = "Unlink device from authenticated user",
description = "Unlinks a device from the currently authenticated user using the device's unique ID."
)
@DeleteMapping("/me/devices/{deviceId}/unlink")
public ResponseEntity<ApiResponse<Void>> unlinkDevice(@PathVariable Long deviceId) {
deviceService.unlinkDevice(deviceId);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Device unlinked from user successfully", null));
}
@Operation(
summary = "Get linked devices",
description = "Retrieves all devices linked to the currently authenticated user."
)
@GetMapping("/me/devices")
public ResponseEntity<ApiResponse<List<DeviceResponse>>> getUserDevices() {
List<DeviceResponse> response = deviceService.getUserDevices();
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Devices retrieved successfully", response));
}
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/users/{userId}/devices")
@Operation(
summary = "Get devices by user ID (Admin only)",
description = "Retrieves all devices linked to a specific user by their unique ID."
)
public ResponseEntity<ApiResponse<List<DeviceResponse>>> getUserDevicesById(@PathVariable Long userId) {
List<DeviceResponse> response = deviceService.getUserDevicesById(userId);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Devices retrieved successfully", response));
}
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Get all provisioned devices (Admin only)",
description = "Retrieves all devices provisioned in the system."
)
@GetMapping("/devices")
public ResponseEntity<ApiResponse<List<DeviceResponse>>> getAllDevices() {
List<DeviceResponse> response = deviceService.getAllDevices();
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "All devices retrieved successfully", response));
}
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Provision new device (Admin only)",
description = "Provisions a new device in the system."
)
@PostMapping("/devices")
public ResponseEntity<ApiResponse<DeviceResponse>> provisionDevice(@RequestBody @Valid DeviceProvisionRequest req) {
DeviceResponse device = deviceService.provisionDevice(req);
return ResponseEntity
.status(HttpStatus.CREATED)
.body(ApiResponse.build(HttpStatus.CREATED, "Device provisioned successfully", device));
}
@Operation(
summary = "Update order or user-defined name of a device",
description = "Updates the display order or user-defined name of a device linked to the authenticated user."
)
@PutMapping("/me/devices/{deviceId}")
public ResponseEntity<ApiResponse<DeviceResponse>> updateUserDeviceById(
@PathVariable Long deviceId,
@RequestBody @Valid DeviceUpdateRequest req) {
DeviceResponse updatedDevice = deviceService.updateUserDeviceById(deviceId, req);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Device updated successfully", updatedDevice));
}
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Update device by ID (Admin only)",
description = "Updates the details of a device by its unique ID."
)
@PutMapping("/devices/{deviceId}")
public ResponseEntity<ApiResponse<DeviceResponse>> updateDeviceById(
@PathVariable Long deviceId,
@RequestBody @Valid DeviceUpdateRequest req,
@RequestParam String technicalName,
@RequestParam String firmware) {
DeviceResponse updatedDevice = deviceService.updateDeviceById(deviceId, req, technicalName, firmware);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Device updated successfully", updatedDevice));
}
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Delete device by ID (Admin only)",
description = "Deletes a device from the system by its unique ID."
)
@DeleteMapping("/devices/{deviceId}")
public ResponseEntity<ApiResponse<Void>> deleteDeviceById(@PathVariable Long deviceId) {
deviceService.deleteDeviceById(deviceId);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Device deleted successfully", null));
}
}

113
src/main/java/dev/ivfrost/hydro_backend/controller/GlobalExceptionHandler.java
View File

@@ -1,113 +0,0 @@
package dev.ivfrost.hydro_backend.controller;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import dev.ivfrost.hydro_backend.dto.ApiResponse;
import dev.ivfrost.hydro_backend.exception.*;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import java.time.LocalDateTime;
import java.util.HashMap;
import java.util.Map;
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(UserDeletedException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleUserDeletedException(UserDeletedException ex) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).body(
ApiResponse.build(HttpStatus.FORBIDDEN, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(UserNotFoundException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleUserNotFoundException(UserNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND).body(
ApiResponse.build(HttpStatus.NOT_FOUND, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(UserNotAuthenticatedException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleUserNotAuthenticatedException(UserNotAuthenticatedException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(
ApiResponse.build(HttpStatus.UNAUTHORIZED, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(TokenNotFoundException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleTokenNotFoundException(TokenNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND).body(
ApiResponse.build(HttpStatus.NOT_FOUND, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(ExpiredVerificationToken.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleExpiredVerificationToken(ExpiredVerificationToken ex) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(
ApiResponse.build(HttpStatus.BAD_REQUEST, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(JWTCreationException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleJWTCreationException(JWTCreationException ex) {
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(
ApiResponse.build(HttpStatus.INTERNAL_SERVER_ERROR, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(JWTVerificationException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleJWTVerificationException(JWTVerificationException ex) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(
ApiResponse.build(HttpStatus.UNAUTHORIZED, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(DeviceLinkException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleDeviceLinkException(DeviceLinkException ex) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(
ApiResponse.build(HttpStatus.BAD_REQUEST, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(DeviceFetchException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleDeviceFetchException(DeviceFetchException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND).body(
ApiResponse.build(HttpStatus.NOT_FOUND, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(MethodArgumentNotValidException.class)
public ResponseEntity<ApiResponse<Object>> handleValidationException(MethodArgumentNotValidException ex) {
// Collect field errors into a map
Map<String, String> errors = new HashMap<>();
ex.getBindingResult().getFieldErrors().forEach(error ->
errors.put(error.getField(), error.getDefaultMessage())
);
String message = "Validation failed for one or more fields.";
return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(
ApiResponse.build(HttpStatus.BAD_REQUEST, message, errors)
);
}
@ExceptionHandler(RecoveryTokenNotFoundException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleRecoveryCodeNotFoundException(
RecoveryTokenNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND).body(
ApiResponse.build(HttpStatus.NOT_FOUND, ex.getMessage(), LocalDateTime.now())
);
}
@ExceptionHandler(RecoveryTokenMismatchException.class)
public ResponseEntity<ApiResponse<LocalDateTime>> handleRecoveryCodeMismatchException(
RecoveryTokenMismatchException ex) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(
ApiResponse.build(HttpStatus.BAD_REQUEST, ex.getMessage(), LocalDateTime.now())
);
}
}

153
src/main/java/dev/ivfrost/hydro_backend/controller/UserController.java
View File

@@ -1,153 +0,0 @@
package dev.ivfrost.hydro_backend.controller;
import dev.ivfrost.hydro_backend.dto.*;
import dev.ivfrost.hydro_backend.entity.User;
import dev.ivfrost.hydro_backend.service.UserService;
import dev.ivfrost.hydro_backend.util.RateLimitUtils;
import io.github.bucket4j.Bucket;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.AllArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.Optional;
@Tag(name = "User Management", description = "API endpoints for managing users")
@AllArgsConstructor
@RestController
@RequestMapping("/v1")
public class UserController {
private final UserService userService;
private final RateLimitUtils rateLimitUtils;
//======= NON-AUTHENTICATED USERS ENDPOINTS =======//
// Data modification
@Operation(
summary = "Reset user password",
description = "Resets the user's password using one of the recovery codes provided on registration"
)
@PutMapping("/users/password/reset")
public ResponseEntity<ApiResponse<Void>> resetPassword(
@Valid @RequestBody PasswordResetRequest passwordResetConfirmRequest, HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(3)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS, "", null));
}
userService.resetPassword(passwordResetConfirmRequest);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "Password has been reset successfully", null));
}
//======= AUTHENTICATED USERS ENDPOINTS =======//
// Data retrieval
@Operation(
summary = "Get authenticated user's profile",
description = "Retrieves the profile of the currently authenticated user."
)
@GetMapping("/me")
public ResponseEntity<ApiResponse<UserResponse>> getCurrentUserProfile() {
UserResponse userResponse = userService.getCurrentUserProfile();
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "User profile retrieved successfully", userResponse));
}
// Data modification
@Operation(
summary = "Update user's account settings",
description = "Updates the account settings of the currently authenticated user."
)
@PutMapping("/me")
public ResponseEntity<ApiResponse<UserResponse>> updateCurrentUser(
@Valid @RequestBody UserUpdateRequest userUpdateRequest, HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(1)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS,
"", null));
}
UserResponse updatedUser = userService.updateCurrentUser(userUpdateRequest);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "User profile updated successfully", updatedUser));
}
// Data removal
@Operation(
summary = "Delete authenticated user",
description = "Deletes the currently authenticated user (soft delete)."
)
@DeleteMapping("/me")
public ResponseEntity<ApiResponse<Void>> deleteCurrentUser(HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(2)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS,
"", null));
}
userService.deleteCurrentUser();
return ResponseEntity
.status(HttpStatus.NO_CONTENT)
.body(ApiResponse.build(HttpStatus.NO_CONTENT, "User deleted successfully", null));
}
//======= ADMIN-ONLY ENDPOINTS =======//
// Data provision
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Register a new user (Admin only)",
description = "Creates a new user account at admin's discretion and returns a JWT token. Allows setting user role."
)
@PostMapping("/users/new")
public ResponseEntity<ApiResponse<Void>> registerUsersAdmin(
@Valid @RequestBody UserRegisterRequest req, @RequestParam(required = false) User.Role role) {
return ResponseEntity
.status(HttpStatus.CREATED)
.body(ApiResponse.build(HttpStatus.CREATED, "User registered successfully", null));
}
// Data retrieval
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Get user profile by ID (Admin only)",
description = "Retrieves a user profile by ID."
)
@GetMapping("/users/{userId}")
public ResponseEntity<ApiResponse<UserResponse>> getUserProfileById(@PathVariable Long userId) {
UserResponse userResponse = userService.getUserProfileById(userId);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiResponse.build(HttpStatus.OK, "User profile retrieved successfully", userResponse));
}
// Data removal
@PreAuthorize("hasRole('ADMIN')")
@Operation(
summary = "Delete user by ID (Admin only)",
description = "Deletes a user by ID (soft delete)."
)
@DeleteMapping("/users/{userId}")
public ResponseEntity<ApiResponse<Void>> deleteUserById(@PathVariable Long userId) {
userService.deleteUserById(userId);
return ResponseEntity
.status(HttpStatus.NO_CONTENT)
.body(ApiResponse.build(HttpStatus.NO_CONTENT, "User deleted successfully", null));
}
}

123
src/main/java/dev/ivfrost/hydro_backend/controller/ValidationController.java
View File

@@ -1,123 +0,0 @@
package dev.ivfrost.hydro_backend.controller;
import dev.ivfrost.hydro_backend.dto.*;
import dev.ivfrost.hydro_backend.repository.UserTokenRepository;
import dev.ivfrost.hydro_backend.service.UserService;
import dev.ivfrost.hydro_backend.service.UserTokenService;
import dev.ivfrost.hydro_backend.util.RateLimitUtils;
import dev.ivfrost.hydro_backend.util.ValidationUtils;
import io.github.bucket4j.Bucket;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.servlet.http.HttpServletRequest;
import lombok.AllArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
@Tag(name = "Validation ", description = "API endpoints for validating data")
@AllArgsConstructor
@RequestMapping("/v1/validation")
@RestController
public class ValidationController {
private final UserTokenRepository userTokenRepository;
ValidationUtils validationUtils;
HashMap<String, Bucket> buckets;
RateLimitUtils rateLimitUtils;
UserService userService;
UserTokenService userTokenService;
@Operation(summary = "Get validation rules for a specific class")
@GetMapping("/rules")
public ResponseEntity<?> getClassValidationRules(@RequestParam String className, HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(1)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS, "", null));
}
Map<String, Object> rules;
String message;
switch (className) {
case "UserRegisterRequest" -> {
rules = validationUtils.getClassValidationRules(UserRegisterRequest.class);
message = "User register validation rules";
}
case "UserLoginRequest" -> {
rules = validationUtils.getClassValidationRules(UserLoginRequest.class);
message = "User login validation rules";
}
case "DeviceProvisionRequest" -> {
rules = validationUtils.getClassValidationRules(DeviceProvisionRequest.class);
message = "Device provision validation rules";
}
case "DeviceLinkRequest" -> {
rules = validationUtils.getClassValidationRules(DeviceLinkRequest.class);
message = "Device link validation rules";
}
default -> {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(ApiResponse.build(HttpStatus.BAD_REQUEST, "Invalid field", null));
}
}
return ResponseEntity.ok(ApiResponse.build(HttpStatus.OK, message, rules));
}
@Operation(summary = "Get availability of a username or email")
@GetMapping("/availability")
public ResponseEntity<?> checkUsernameEmailAvailability(
@RequestParam(required = false) String username,
@RequestParam(required = false) String email,
HttpServletRequest req) {
if (username == null && email == null) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(ApiResponse.build(HttpStatus.BAD_REQUEST, "Either username or email must be provided", null));
}
if (username != null && email != null) {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(ApiResponse.build(HttpStatus.BAD_REQUEST, "Only one of username or email must be provided", null));
}
boolean isAvailable;
String field;
if (username != null) {
isAvailable = validationUtils.isUsernameAvailable(username);
field = "username";
} else {
isAvailable = validationUtils.isEmailAvailable(email);
field = "email";
}
String message = isAvailable ? field + " is available" : field + " is already taken";
return ResponseEntity.ok(ApiResponse.build(HttpStatus.OK, message, isAvailable));
}
@Operation(summary = "Get validity of recovery code for a given email")
@PostMapping("/recovery-code")
public ResponseEntity<?> checkRecoveryCodeValidity(@RequestParam String rawCode, @RequestParam String email,
HttpServletRequest req) {
Optional<Bucket> bucketOpt = rateLimitUtils
.getBucketByUserOrIp(userService.getCurrentUser(), RateLimitUtils.extractClientIp(req));
if (bucketOpt.isEmpty() || !bucketOpt.get().tryConsume(1)) {
return ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS)
.body(ApiResponse.build(HttpStatus.TOO_MANY_REQUESTS, "Too many requests - rate limit exceeded", null));
}
boolean isValid = userTokenService.isRecoveryCodeValid(rawCode, email);
String message = isValid ? "Recovery code is valid" : "Invalid recovery code or email";
return ResponseEntity.ok(ApiResponse.build(HttpStatus.OK, message, isValid));
}
@Operation(summary = "Health check endpoint")
@GetMapping("/health")
@ResponseBody
public ResponseEntity<?> health() {
return ResponseEntity.ok(Map.of("status", "ok"));
}
}

29
src/main/java/dev/ivfrost/hydro_backend/converter/JsonNodeConverter.java
View File

@@ -1,29 +0,0 @@
package dev.ivfrost.hydro_backend.converter;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.persistence.AttributeConverter;
import jakarta.persistence.Converter;
@Converter
public class JsonNodeConverter implements AttributeConverter<JsonNode, String> {
private final ObjectMapper objectMapper = new ObjectMapper();
@Override
public String convertToDatabaseColumn(JsonNode attribute) {
try {
return objectMapper.writeValueAsString(attribute);
} catch (Exception e) {
throw new IllegalArgumentException("Error converting JsonNode to String", e);
}
}
@Override
public JsonNode convertToEntityAttribute(String dbData) {
try {
return objectMapper.readTree(dbData);
} catch (Exception e) {
throw new IllegalArgumentException("Error converting String to JsonNode", e);
}
}
}

13
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceAuthRequest.java Normal file
View File

@@ -0,0 +1,13 @@
package dev.ivfrost.hydro_backend.devices;
import jakarta.validation.constraints.NotBlank;
public record DeviceAuthRequest(
@NotBlank(message = "Device ID is required")
Long deviceId,
@NotBlank(message = "Device secret is required")
String secret
) {
}

9
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceLinkEvent.java Normal file
View File

@@ -0,0 +1,9 @@
package dev.ivfrost.hydro_backend.devices;
import dev.ivfrost.hydro_backend.config.AmqpConfig;
import org.springframework.modulith.events.Externalized;
@Externalized(target = AmqpConfig.HYDRO_Q)
public record DeviceLinkEvent(DeviceLinkRequest req, Long userId, boolean unlink) {
}

20
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceLinkProvider.java Normal file
View File

@@ -0,0 +1,20 @@
package dev.ivfrost.hydro_backend.devices;
public interface DeviceLinkProvider {
/**
* Links a device to a user
*
* @param req the device link request containing the device secret
* @param userId the user ID to link the device to
*/
void linkDevice(DeviceLinkRequest req, Long userId);
/**
* Unlinks a device from a user
*
* @param req the device link request containing the device secret
* @param userId the user ID to unlink from
*/
void unlinkDevice(DeviceLinkRequest req, Long userId);
}

8
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceLinkRequest.java Normal file
View File

@@ -0,0 +1,8 @@
package dev.ivfrost.hydro_backend.devices;
import jakarta.annotation.Nullable;
import jakarta.validation.constraints.NotNull;
public record DeviceLinkRequest(@NotNull Long deviceId, @Nullable String secret) {
}

9
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceLoadEvent.java Normal file
View File

@@ -0,0 +1,9 @@
package dev.ivfrost.hydro_backend.devices;
import dev.ivfrost.hydro_backend.config.AmqpConfig;
import org.springframework.modulith.events.Externalized;
@Externalized(target = AmqpConfig.HYDRO_Q)
public record DeviceLoadEvent(Long userId) {
}

7
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceOrderResponse.java Normal file
View File

@@ -0,0 +1,7 @@
package dev.ivfrost.hydro_backend.devices;
import java.util.Map;
public record DeviceOrderResponse(Map<String, Long> deviceOrder) {
}

13
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceProvisionRequest.java Normal file
View File

@@ -0,0 +1,13 @@
package dev.ivfrost.hydro_backend.devices;
import jakarta.validation.constraints.Size;
public record DeviceProvisionRequest(
@Size(max = 20)
String firmware,
@Size(max = 40)
String technicalName,
@Size(max = 17, min = 17)
String macAddress) {
}

19
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceResponse.java Normal file
View File

@@ -0,0 +1,19 @@
package dev.ivfrost.hydro_backend.devices;
import java.time.Instant;
public record DeviceResponse(
Long id,
String name,
String location,
String firmware,
String technicalName,
String ip,
Instant createdAt,
Instant updatedAt,
Instant linkedAt,
Instant lastSeen,
Long userId,
Long order) {
}

14
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceTopicProvider.java Normal file
View File

@@ -0,0 +1,14 @@
package dev.ivfrost.hydro_backend.devices;
import java.util.List;
public interface DeviceTopicProvider {
/**
* Gets MQTT topics for a user's devices
*
* @param userId the user ID
* @return list of topics in format "hydro/{SECRET}/#"
*/
List<String> getTopicsForUser(Long userId);
}

13
src/main/java/dev/ivfrost/hydro_backend/devices/DeviceUpdateRequest.java Normal file
View File

@@ -0,0 +1,13 @@
package dev.ivfrost.hydro_backend.devices;
public record DeviceUpdateRequest(
Long id,
String friendlyName,
String technicalName,
String firmware,
Long userId,
Long displayOrder
) {
}

96
src/main/java/dev/ivfrost/hydro_backend/devices/internal/Device.java Normal file
View File

@@ -0,0 +1,96 @@
package dev.ivfrost.hydro_backend.devices.internal;
import dev.ivfrost.hydro_backend.tokens.DeviceSecretConverter;
import jakarta.persistence.Column;
import jakarta.persistence.Convert;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.PrePersist;
import jakarta.persistence.Table;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;
import java.io.Serial;
import java.io.Serializable;
import java.time.Instant;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.hibernate.annotations.CreationTimestamp;
import org.hibernate.annotations.UpdateTimestamp;
@Data
@NoArgsConstructor
@AllArgsConstructor
@Builder
@Table(name = "devices")
@Entity
public class Device implements Serializable {
@Serial
private static final long serialVersionUID = 1L;
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private long id;
@Size(max = 17, min = 17)
@Column(nullable = false, name = "mac_address", unique = true)
private String macAddress;
@Size(min = 1, max = 40)
@Column(name = "friendly_name")
private String friendlyName;
@Size(max = 255)
private String location;
@Size(max = 20)
@Column(nullable = false)
private String firmware;
@Size(max = 40)
@Column(name = "technical_name", nullable = false)
private String technicalName;
@Size(max = 255)
@Column(name = "secret")
@Convert(converter = DeviceSecretConverter.class)
private String secret;
@Pattern(regexp = "^((25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)$")
@Size(max = 15)
@Column
private String ip;
@CreationTimestamp
@Column(name = "created_at", nullable = false)
private Instant createdAt;
@UpdateTimestamp
@Column(name = "updated_at", nullable = false)
private Instant updatedAt;
@Column(name = "linked_at")
private Instant linkedAt;
@Column(name = "last_seen", nullable = false)
private Instant lastSeen;
@Column(name = "user_id")
private Long userId;
@Column(name = "display_order")
private Long displayOrder;
@PrePersist
protected void onCreate() {
this.createdAt = Instant.now();
this.updatedAt = Instant.now();
this.lastSeen = Instant.now();
}
}

176
src/main/java/dev/ivfrost/hydro_backend/devices/internal/DeviceController.java Normal file
View File

@@ -0,0 +1,176 @@
package dev.ivfrost.hydro_backend.devices.internal;
import dev.ivfrost.hydro_backend.ApiResponse;
import dev.ivfrost.hydro_backend.devices.DeviceAuthRequest;
import dev.ivfrost.hydro_backend.devices.DeviceLinkRequest;
import dev.ivfrost.hydro_backend.devices.DeviceProvisionRequest;
import dev.ivfrost.hydro_backend.devices.DeviceResponse;
import dev.ivfrost.hydro_backend.devices.DeviceUpdateRequest;
import io.swagger.v3.oas.annotations.Hidden;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.validation.Valid;
import java.util.List;
import java.util.Map;
import lombok.AllArgsConstructor;
import org.springdoc.core.annotations.ParameterObject;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@Tag(name = "Devices Module", description = "API endpoints for device management")
@AllArgsConstructor
@RestController
@RequestMapping("/v1")
public class DeviceController {
private final DeviceService deviceService;
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Link device to user by ID (Admin only)",
description = "Links a device to a specific user by their unique ID using the device's secret as ownership proof.")
@PostMapping("/users/{userId}/devices/link")
public ResponseEntity<ApiResponse<Void>> linkDeviceById(
@RequestBody @Valid DeviceLinkRequest linkDeviceRequest,
@PathVariable Long userId) {
deviceService.linkDevice(linkDeviceRequest, userId, false);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "Device linked to user successfully"));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/users/{userId}/devices")
@Operation(summary = "Get devices by user ID (Admin only)",
description = "Retrieves all devices linked to a specific user by their unique ID.")
public ResponseEntity<ApiResponse<List<DeviceResponse>>> getUserDevicesById(
@PathVariable Long userId) {
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "User devices retrieved successfully",
deviceService.getDevicesByUserId(userId)));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Get all provisioned devices (Admin only)",
description = "Retrieves all devices provisioned in the system.")
@GetMapping("/devices")
public ResponseEntity<ApiResponse<Page<DeviceResponse>>> getAllDevices(
@ParameterObject Pageable pageable) {
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "All devices retrieved successfully",
deviceService.getAllDevices(pageable)));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Provision new device (Admin only)", description = "Provisions a new device in the system.")
@PostMapping("/devices")
public ResponseEntity<ApiResponse<DeviceResponse>> provisionDevice(
@RequestBody @Valid DeviceProvisionRequest req) {
return ResponseEntity.status(HttpStatus.CREATED)
.body(ApiResponse.success(HttpStatus.CREATED, "Device provisioned successfully",
deviceService.provisionDevice(req)));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Update device by ID (Admin only)",
description = "Updates the details of a device by its unique ID.")
@PutMapping("/devices/{deviceId}")
public ResponseEntity<ApiResponse<DeviceResponse>> updateDeviceDetails
(@RequestBody @Valid DeviceUpdateRequest req, @PathVariable Long deviceId) {
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "Device updated successfully",
deviceService.updateDeviceDetails(req)));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Delete device by ID (Admin only)",
description = "Deletes a device from the system by its unique ID.")
@DeleteMapping("/devices/{deviceId}")
public ResponseEntity<ApiResponse<Void>> deleteDeviceById(@PathVariable Long deviceId) {
deviceService.deleteDeviceById(deviceId);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "Device deleted successfully"));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Get device secret by ID",
description = "Retrieves the decrypted device secret for a specific device by its ID.")
@GetMapping("/devices/{deviceId}/secret")
public ResponseEntity<ApiResponse<Map<String, String>>> getDeviceSecret(
@PathVariable Long deviceId) {
String secret = deviceService.getSecretByDeviceId(deviceId);
Map<String, String> response = Map.of(
"deviceId", deviceId.toString(),
"secret", secret != null ? secret : ""
);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "Device secret retrieved successfully", response));
}
@Hidden
@PreAuthorize("hasRole('ADMIN')")
@Operation(summary = "Regenerate device secret (Admin only)",
description = "Generates a new secret for a device, replacing the old one.")
@PostMapping("/devices/{deviceId}/secret/regenerate")
public ResponseEntity<ApiResponse<Map<String, String>>> regenerateDeviceSecret(
@PathVariable Long deviceId) {
String newSecret = deviceService.regenerateDeviceSecret(deviceId);
Map<String, String> response = Map.of(
"deviceId", deviceId.toString(),
"newSecret", newSecret
);
return ResponseEntity.status(HttpStatus.OK).body(
ApiResponse.success(HttpStatus.OK, "Device secret regenerated successfully", response));
}
// @Operation(summary = "Get device order from Redis for authenticated user",
// description = "Retrieves the device order stored in Redis for the currently authenticated user.")
// @GetMapping("/me/devices/order")
// public ResponseEntity<ApiResponse<DeviceOrderResponse>> getDeviceOrderFromCurrentUser() {
// Map<String, Long> deviceOrderMap = deviceStateService.getDeviceOrderFromCurrentUser();
// return ResponseEntity.status(HttpStatus.OK)
// .body(ApiResponse.success(HttpStatus.OK, "Device order retrieved successfully",
// new DeviceOrderResponse(deviceOrderMap)));
// }
@Operation(summary = "Update device friendly friendlyName",
description = "Updates the friendly friendlyName of a device linked to the currently authenticated user.")
@PutMapping("/me/devices/{deviceId}")
public ResponseEntity<ApiResponse<DeviceResponse>> updateDeviceNickname(
@RequestBody @Valid DeviceUpdateRequest req) {
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "Device nickname updated successfully",
deviceService.updateDeviceFriendlyName(req)));
}
@Operation(summary = "Authenticate device for MQTT",
description = "Authenticates a device and returns a signed JWT token for MQTT broker authentication. The device uses its ID and secret as credentials.")
@PostMapping("/devices/auth/mqtt")
public ResponseEntity<ApiResponse<Map<String, String>>> authenticateDeviceForMqtt(
@RequestBody @Valid DeviceAuthRequest req) {
String mqttToken = deviceService.getMqttAuthToken(req);
Map<String, String> response = Map.of(
"deviceId", req.deviceId().toString(),
"token", mqttToken
);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponse.success(HttpStatus.OK, "Device MQTT token generated successfully",
response));
}
}

14
src/main/java/dev/ivfrost/hydro_backend/devices/internal/DeviceRepository.java Normal file
View File

@@ -0,0 +1,14 @@
package dev.ivfrost.hydro_backend.devices.internal;
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
public interface DeviceRepository extends JpaRepository<Device, Long> {
boolean existsByMacAddress(String macAddress);
List<Device> findAllByUserIdIsNull();
List<Device> findAllByUserId(Long userId);
}

405
src/main/java/dev/ivfrost/hydro_backend/devices/internal/DeviceService.java Normal file
View File

@@ -0,0 +1,405 @@
package dev.ivfrost.hydro_backend.devices.internal;
import dev.ivfrost.hydro_backend.devices.DeviceAuthRequest;
import dev.ivfrost.hydro_backend.devices.DeviceLinkRequest;
import dev.ivfrost.hydro_backend.devices.DeviceLoadEvent;
import dev.ivfrost.hydro_backend.devices.DeviceProvisionRequest;
import dev.ivfrost.hydro_backend.devices.DeviceResponse;
import dev.ivfrost.hydro_backend.devices.DeviceUpdateRequest;
import dev.ivfrost.hydro_backend.exception.DeviceFetchException;
import dev.ivfrost.hydro_backend.exception.DeviceLinkException;
import dev.ivfrost.hydro_backend.exception.DeviceNotFoundException;
import dev.ivfrost.hydro_backend.exception.DuplicateMacAddressException;
import dev.ivfrost.hydro_backend.tokens.EncryptionUtil;
import dev.ivfrost.hydro_backend.tokens.MqttTokenProvider;
import dev.ivfrost.hydro_backend.users.UserMqttTokenPayload;
import java.time.Instant;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import lombok.AllArgsConstructor;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.cache.annotation.CacheEvict;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.modulith.events.ApplicationModuleListener;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
@Slf4j
@RequiredArgsConstructor
@Service
public class DeviceService {
private final DeviceRepository deviceRepository;
private final DeviceCacheService deviceCacheService;
private final MqttTokenProvider mqttTokenProvider;
/**
* Provisions a new device and generates a secret for ownership verification.
*
* @param req the device provision request DTO
* @return the provisioned device response DTO
* @throws DuplicateMacAddressException if a device with the same MAC address already exists
*/
@CacheEvict(value = "allDevicesCache", allEntries = true)
@Transactional
public DeviceResponse provisionDevice(DeviceProvisionRequest req) {
// Check for duplicate MAC address before attempting save
if (deviceRepository.existsByMacAddress(req.macAddress())) {
throw new DuplicateMacAddressException(req.macAddress());
}
Device device = convertRequestToDevice(req);
// Generate and encrypt device secret (serves as ownership proof)
device.setSecret(
EncryptionUtil.generateRandomString(32)); // Will be auto-encrypted by converter
return DeviceUtil.convertDeviceToResponse(deviceRepository.save(device));
}
/**
* Links an unlinked device to a user using the device secret as ownership proof
*
* @param req the device link request DTO (contains device secret)
* @throws DeviceLinkException if the device is already linked
* @throws DeviceNotFoundException if the device is not found
*/
@CacheEvict(value = "allDevicesCache", allEntries = true)
@Transactional
public void linkDevice(DeviceLinkRequest req, Long userId, boolean unlink) {
// Get device by ID from request, then verify secret matches
Device device = deviceRepository.findById(req.deviceId())
.orElseThrow(() -> new DeviceNotFoundException("Device not found"));
// Verify the secret matches (converter automatically decrypts)
if (device.getSecret() == null || !device.getSecret().equals(req.secret())) {
throw new DeviceNotFoundException("Device secret does not match");
}
if (!unlink) {
// Linking device
if (device.getUserId() != null) {
throw new DeviceLinkException("Device is already linked to a user");
}
device.setUserId(userId);
device.setLinkedAt(Instant.now());
device.setDisplayOrder(calculateDeviceOrder(userId));
deviceRepository.save(device);
} else {
// Unlinking device
if (device.getUserId() == null || !Objects.equals(device.getUserId(), userId)) {
throw new DeviceLinkException("Device is not linked to this user");
}
device.setUserId(null);
device.setDisplayOrder(0L);
deviceRepository.save(device);
}
}
/**
* Verify device ownership
*
* @param userId the user to verify ownership against
* @param deviceId the ID of the device to verify
* @throws DeviceNotFoundException if the device is not found
* @throws IllegalArgumentException if the device does not belong to the specified user
*/
public void verifyDeviceOwnership(Long userId, Long deviceId) {
Device device = deviceRepository.findById(deviceId)
.orElseThrow(() -> new DeviceNotFoundException(deviceId));
if (!Objects.equals(device.getUserId(), userId)) {
throw new IllegalArgumentException("Device does not belong to the specified user");
}
}
/**
* Retrieves devices owned by a specific user, by user ID (Admin only).
*
* @param userId the ID of the user whose devices are to be retrieved
* @return a list of device response DTOs
* @throws DeviceFetchException if no devices are found for the user
*/
public List<DeviceResponse> getDevicesByUserId(Long userId) {
List<Device> devices = deviceRepository.findAllByUserId(userId);
log.debug("Fetched {} devices for user ID {}", devices.size(), userId);
if (devices.isEmpty()) {
throw new DeviceFetchException("No devices found for user");
}
return devices
.stream()
.map(DeviceUtil::convertDeviceToResponse)
.sorted(Comparator.comparing(DeviceResponse::order))
.toList();
}
/**
* Retrieves all devices provisioned in the system (Admin only, paginated).
*
* @return a list of all device response DTOs
* @throws DeviceFetchException if no devices are found
*/
public Page<DeviceResponse> getAllDevices(Pageable pageable) {
Page<Device> devices = deviceCacheService.getAllDevices(pageable);
if (devices.isEmpty()) {
throw new DeviceFetchException("No devices found in the system");
}
return devices.map(DeviceUtil::convertDeviceToResponse);
}
/**
* Updates the friendly friendlyName of a specific device by its ID.
*/
@Transactional
public DeviceResponse updateDeviceFriendlyName(DeviceUpdateRequest req) {
Long deviceId = req.id();
Device device = deviceRepository.findById(deviceId)
.orElseThrow(() -> new DeviceNotFoundException(deviceId));
verifyDeviceOwnership(req.userId(), deviceId);
device.setFriendlyName(req.friendlyName());
return DeviceUtil.convertDeviceToResponse(deviceRepository.save(device));
}
/**
* Updates fields of a specific device by its ID.
*
* @param req the device update request DTO
* @return the updated device response DTO
* @throws DeviceNotFoundException if the device is not found
* @throws IllegalArgumentException if the device does not belong to the user
*/
public DeviceResponse updateDeviceDetails(DeviceUpdateRequest req) {
Long deviceId = req.id();
Device device = deviceRepository.findById(deviceId).orElseThrow(
() -> new DeviceNotFoundException(deviceId));
// Verify ownership
if (!Objects.equals(device.getUserId(), req.userId())) {
throw new IllegalArgumentException("Device does not belong to the user");
}
String technicalName = req.technicalName();
String firmware = req.firmware();
String name = req.friendlyName();
if (technicalName != null && !technicalName.isEmpty()) {
device.setTechnicalName(technicalName);
}
if (firmware != null && !firmware.isEmpty()) {
device.setFirmware(firmware);
}
if (name != null && !name.isEmpty()) {
device.setFriendlyName(name);
}
return DeviceUtil.convertDeviceToResponse(deviceRepository.save(device));
}
/**
* Delete a device by its ID (Admin only).
*
* @param deviceId the ID of the device to delete
* @throws DeviceNotFoundException if the device is not found
*/
public void deleteDeviceById(Long deviceId) {
Device device = deviceRepository.findById(deviceId)
.orElseThrow(() -> new DeviceNotFoundException(deviceId));
deviceRepository.delete(device);
}
/**
* Persists the device order stored in Redis to the main database for the authenticated user.
*/
@Transactional
public void saveDeviceOrder(DeviceUpdateRequest req) {
Device device = deviceRepository.findById(req.id())
.orElseThrow(() -> new DeviceNotFoundException(req.id()));
verifyDeviceOwnership(req.userId(), req.id());
device.setDisplayOrder(req.displayOrder());
deviceRepository.save(device);
}
/**
* Authenticates a device and returns an MQTT JWT token. Device publishes to the topic:
* hydro/{device-secret}/*
*/
public String getMqttAuthToken(DeviceAuthRequest req) {
// Load device by ID and verify secret matches
Device device = deviceRepository.findById(req.deviceId())
.orElseThrow(() -> new DeviceNotFoundException("Device not found"));
// Verify the secret matches (converter automatically decrypts)
if (device.getSecret() == null || !device.getSecret().equals(req.secret())) {
throw new DeviceNotFoundException("Device secret does not match");
}
// Build topics list containing only this device's publish topic
List<String> topics = List.of("hydro/" + device.getSecret() + "/#");
log.debug("Generating MQTT token for device {}, topics: {}", device.getId(), topics);
return mqttTokenProvider.generateMqttToken(
new UserMqttTokenPayload(device.getId(), topics)
);
}
/**
* Authenticates a device (using DeviceLinkRequest) and returns an MQTT JWT token.
*/
public String getMqttAuthToken(DeviceLinkRequest req) {
return getMqttAuthToken(new DeviceAuthRequest(req.deviceId(), req.secret()));
}
/*--------------------------*/
/* Helper Methods */
/*--------------------------*/
/**
* Converts a DeviceProvisionRequest DTO to a Device entity.
*
* @param req the device provision request DTO
* @return the device entity
*/
private Device convertRequestToDevice(DeviceProvisionRequest req) {
Device device = new Device();
device.setTechnicalName(req.technicalName());
device.setFirmware(req.firmware());
device.setMacAddress(req.macAddress());
return device;
}
/**
* Calculates the next display order for a user's devices.
*
* @param userId the user whose devices are being ordered
* @return the next display order
*/
private long calculateDeviceOrder(Long userId) {
List<Device> devices = deviceCacheService.getDevicesByUserId(userId);
return devices.stream()
.map(Device::getDisplayOrder)
.filter(Objects::nonNull)
.max(Comparator.naturalOrder())
.map(maxOrder -> maxOrder + 1)
.orElse(1L);
}
/**
* Retrieves a device by its ID.
*
* @param deviceId the ID of the device to retrieve
* @return the device entity
* @throws DeviceNotFoundException if the device is not found
*/
public Device getDeviceById(Long deviceId) {
return deviceCacheService.getDeviceById(deviceId);
}
/**
* Regenerates a device's secret.
*
* @param deviceId the ID of the device
* @return the new secret (decrypted)
* @throws DeviceNotFoundException if the device is not found
*/
@Transactional
public String regenerateDeviceSecret(Long deviceId) {
Device device = getDeviceById(deviceId);
String newSecret = EncryptionUtil.generateRandomString(32);
device.setSecret(newSecret); // Will be auto-encrypted by converter
deviceRepository.save(device);
return newSecret; // Return decrypted secret
}
/**
* Retrieves the secret for a device by its ID (decrypted). The secret is automatically decrypted
* by the JPA converter.
*
* @param deviceId the ID of the device
* @return the device's secret (decrypted)
* @throws DeviceNotFoundException if the device is not found
*/
public String getSecretByDeviceId(Long deviceId) {
Device device = getDeviceById(deviceId);
return device.getSecret();
}
/**
* Builds the list of MQTT topics the current user can access based on their devices.
*
* @return the list of MQTT topics
*/
public List<String> getUserDeviceTopics(Long userId) {
List<Device> devices = deviceRepository.findAllByUserId(userId);
return devices.stream()
.map(device -> "hydro/" + device.getSecret() + "/#")
.toList();
}
@ApplicationModuleListener
public void on(DeviceLoadEvent e) {
getDevicesByUserId(e.userId());
log.info("Loaded devices for user ID {} into cache", e.userId());
}
}
/**
* Service for caching device queries using Spring Cache abstraction. Reduces database load for
* frequently accessed device data.
*/
@Slf4j
@AllArgsConstructor
@Service
class DeviceCacheService {
private final DeviceRepository deviceRepository;
/**
* Retrieves a device by its ID from cache. Cache is invalidated when the device is updated.
*
* @param deviceId the ID of the device to retrieve
* @return the device if found
* @throws DeviceNotFoundException if the device is not found
*/
@Cacheable(
value = "deviceByIdCache",
key = "#deviceId"
)
public Device getDeviceById(Long deviceId) {
return deviceRepository.findById(deviceId)
.orElseThrow(() -> new DeviceNotFoundException(deviceId));
}
/**
* Retrieves all devices for a specific user from cache
*
* @param userId the ID of the user whose devices are to be retrieved
* @return list of devices owned by the user
*/
@Cacheable(
value = "devicesByUserIdCache",
key = "#userId"
)
public List<Device> getDevicesByUserId(Long userId) {
return deviceRepository.findAllByUserId(userId);
}
/**
* Retrieves all devices in the system from cache, with pagination
*
* @return list of all devices
*/
@Cacheable(
value = "allDevicesCache",
key = "#pageable.pageNumber + '-' + #pageable.pageSize"
)
public Page<Device> getAllDevices(Pageable pageable) {
return deviceRepository.findAll(pageable);
}
}

44
src/main/java/dev/ivfrost/hydro_backend/devices/internal/DeviceUtil.java Normal file
View File

@@ -0,0 +1,44 @@
package dev.ivfrost.hydro_backend.devices.internal;
import dev.ivfrost.hydro_backend.devices.DeviceResponse;
import java.util.List;
import org.springframework.stereotype.Component;
@Component
class DeviceUtil {
private DeviceUtil() {
}
/**
* Converts a Device entity to a DeviceResponse DTO.
*
* @param device the device entity
* @return the device response DTO
*/
public static DeviceResponse convertDeviceToResponse(Device device) {
if (device == null) {
return null;
}
// Extract userId from user object (user is lazily loaded but ID is already known)
return new DeviceResponse(device.getId(), device.getFriendlyName(), device.getLocation(),
device.getFirmware(),
device.getTechnicalName(), device.getIp(), device.getCreatedAt(), device.getUpdatedAt(),
device.getLinkedAt(), device.getLastSeen(), device.getUserId(),
device.getDisplayOrder());
}
/**
* Converts a list of Device entities to a list of DeviceResponse DTOs.
*
* @param devices the list of device entities
* @return the list of device response DTOs
*/
public static List<DeviceResponse> convertDevicesToResponse(List<Device> devices) {
if (devices == null) {
return List.of();
}
return devices.stream().map(DeviceUtil::convertDeviceToResponse).toList();
}
}

30
src/main/java/dev/ivfrost/hydro_backend/devices/internal/EncoderService.java Normal file
View File

@@ -0,0 +1,30 @@
package dev.ivfrost.hydro_backend.devices.internal;
import dev.ivfrost.hydro_backend.exception.HmacEncodingException;
import java.util.Base64;
import java.util.function.BiFunction;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.stereotype.Service;
@Service
public class EncoderService {
public BiFunction<String, String, String> hmacSha512Encoder() {
return (secretKey, toBeEncoded) -> {
try {
if (toBeEncoded == null || toBeEncoded.isEmpty()) {
throw new IllegalArgumentException("Input string to be encoded cannot be null or empty");
}
Mac mac = Mac.getInstance("HmacSHA512");
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA512");
mac.init(secretKeySpec);
byte[] hmac = mac.doFinal(toBeEncoded.getBytes());
return Base64.getEncoder().encodeToString(hmac);
} catch (Exception e) {
throw new HmacEncodingException("Error while encoding string using HMAC-SHA512");
}
};
}
}

24
src/main/java/dev/ivfrost/hydro_backend/devices/internal/adapter/DeviceLinkProviderImpl.java Normal file
View File

@@ -0,0 +1,24 @@
package dev.ivfrost.hydro_backend.devices.internal.adapter;
import dev.ivfrost.hydro_backend.devices.DeviceLinkProvider;
import dev.ivfrost.hydro_backend.devices.DeviceLinkRequest;
import dev.ivfrost.hydro_backend.devices.internal.DeviceService;
import lombok.AllArgsConstructor;
import org.springframework.stereotype.Service;
@AllArgsConstructor
@Service
public class DeviceLinkProviderImpl implements DeviceLinkProvider {
private final DeviceService deviceService;
@Override
public void linkDevice(DeviceLinkRequest req, Long userId) {
deviceService.linkDevice(req, userId, false);
}
@Override
public void unlinkDevice(DeviceLinkRequest req, Long userId) {
deviceService.linkDevice(req, userId, true);
}
}

21
src/main/java/dev/ivfrost/hydro_backend/devices/internal/adapter/DeviceTopicProviderImpl.java Normal file
View File

@@ -0,0 +1,21 @@
package dev.ivfrost.hydro_backend.devices.internal.adapter;
import dev.ivfrost.hydro_backend.devices.internal.DeviceService;
import dev.ivfrost.hydro_backend.users.DeviceTopicProvider;
import java.util.List;
import org.springframework.stereotype.Service;
@Service
class DeviceTopicProviderImpl implements DeviceTopicProvider {
private final DeviceService deviceService;
public DeviceTopicProviderImpl(DeviceService deviceService) {
this.deviceService = deviceService;
}
@Override
public List<String> getTopicsForUser(Long userId) {
return deviceService.getUserDeviceTopics(userId);
}
}

28
src/main/java/dev/ivfrost/hydro_backend/devices/internal/adapter/UserDeviceProviderImpl.java Normal file
View File

@@ -0,0 +1,28 @@
package dev.ivfrost.hydro_backend.devices.internal.adapter;
import dev.ivfrost.hydro_backend.devices.DeviceResponse;
import dev.ivfrost.hydro_backend.devices.DeviceUpdateRequest;
import dev.ivfrost.hydro_backend.devices.internal.DeviceService;
import dev.ivfrost.hydro_backend.users.UserDeviceProvider;
import java.util.List;
import org.springframework.stereotype.Component;
@Component
class UserDeviceProviderImpl implements UserDeviceProvider {
private final DeviceService deviceService;
UserDeviceProviderImpl(DeviceService deviceService) {
this.deviceService = deviceService;
}
@Override
public List<DeviceResponse> getUserDevices(Long userId) {
return deviceService.getDevicesByUserId(userId);
}
@Override
public DeviceResponse updateUserDevice(DeviceUpdateRequest req) {
return deviceService.updateDeviceDetails(req);
}
}

19
src/main/java/dev/ivfrost/hydro_backend/dto/ApiResponse.java
View File

@@ -1,19 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.http.HttpStatus;
@AllArgsConstructor
@NoArgsConstructor
@Data
public class ApiResponse<T> {
private int status;
private String message;
private T data;
public static <T> ApiResponse<T> build(HttpStatus status, String message, T data) {
return new ApiResponse<>(status.value(), message, data);
}
}

12
src/main/java/dev/ivfrost/hydro_backend/dto/AuthResponse.java
View File

@@ -1,12 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import lombok.AllArgsConstructor;
import lombok.Getter;
@Getter
@AllArgsConstructor
public class AuthResponse {
private final String token;
private final String refreshToken;
private final String message;
}

15
src/main/java/dev/ivfrost/hydro_backend/dto/DeviceLinkRequest.java
View File

@@ -1,15 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import jakarta.persistence.Column;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class DeviceLinkRequest {
@Column(length = 44, nullable = false)
private String hash;
}

21
src/main/java/dev/ivfrost/hydro_backend/dto/DeviceProvisionRequest.java
View File

@@ -1,21 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class DeviceProvisionRequest {
@Size(max = 20, min = 4)
private String firmware;
@Size(max = 40, min = 4)
private String technicalName;
@Size(max = 100, min = 4)
private String macAddress;
}

28
src/main/java/dev/ivfrost/hydro_backend/dto/DeviceResponse.java
View File

@@ -1,28 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import dev.ivfrost.hydro_backend.entity.User;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.time.Instant;
@NoArgsConstructor
@AllArgsConstructor
@Data
public class DeviceResponse {
private Long id;
private String name;
private String location;
private String firmware;
private String technicalName;
private String ip;
private Instant createdAt;
private Instant updatedAt;
private Instant linkedAt;
private Instant lastSeen;
private User user;
private Integer displayOrder;
}

14
src/main/java/dev/ivfrost/hydro_backend/dto/DeviceUpdateRequest.java
View File

@@ -1,14 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class DeviceUpdateRequest {
private String name;
private Integer displayOrder;
}

13
src/main/java/dev/ivfrost/hydro_backend/dto/MqttCredentialsResponse.java
View File

@@ -1,13 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@Data
@AllArgsConstructor
@NoArgsConstructor
public class MqttCredentialsResponse {
public String username;
public String password;
}

20
src/main/java/dev/ivfrost/hydro_backend/dto/PasswordResetRequest.java
View File

@@ -1,20 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
@Data
@AllArgsConstructor
public class PasswordResetRequest {
@Email(message = "Invalid email format")
private final String email;
@Size(min = 11, max = 11, message = "Recovery code must be exactly 11 characters long")
private final String recoveryCode;
@Size(min = 8, max = 60, message = "Password must be between 8 and 60 characters long")
private final String newPassword;
}

24
src/main/java/dev/ivfrost/hydro_backend/dto/ResetPasswordRequest.java
View File

@@ -1,24 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
@Data
@AllArgsConstructor
public class ResetPasswordRequest {
@NotBlank
@Email
String email;
@NotBlank
@Size(min = 16, max = 16)
String recoveryCode;
@NotBlank
@Size(min = 8, max = 60)
String newPassword;
}

22
src/main/java/dev/ivfrost/hydro_backend/dto/UserLoginRequest.java
View File

@@ -1,22 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import com.fasterxml.jackson.annotation.JsonProperty;
import jakarta.persistence.Column;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class UserLoginRequest {
@Email
@Size(min = 5, max = 60)
private String email;
@Size(min = 8, max = 60)
private String password;
}

34
src/main/java/dev/ivfrost/hydro_backend/dto/UserRegisterRequest.java
View File

@@ -1,34 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class UserRegisterRequest {
@NotBlank
@Email
@Size(min = 5, max = 60)
private String email;
@NotBlank
@Size(min = 5, max = 20)
private String username;
@NotBlank
@Size(min = 6, max = 40)
private String fullName;
@NotBlank
@Size(min = 8, max = 60)
private String password;
@Size(min = 2, max = 2)
private String preferredLanguage;
}

11
src/main/java/dev/ivfrost/hydro_backend/dto/UserRegisterResponse.java
View File

@@ -1,11 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import lombok.AllArgsConstructor;
import lombok.Data;
@AllArgsConstructor
@Data
public class UserRegisterResponse {
String[] recoveryCodes;
}

44
src/main/java/dev/ivfrost/hydro_backend/dto/UserResponse.java
View File

@@ -1,44 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import com.fasterxml.jackson.databind.JsonNode;
import dev.ivfrost.hydro_backend.entity.User;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import java.time.Instant;
import java.util.List;
@NoArgsConstructor
@AllArgsConstructor
@Data
public class UserResponse {
private Long id;
private String username;
private String fullName;
private String email;
private String profilePictureUrl;
private String phoneNumber;
private String address;
private Instant createdAt;
private Instant updatedAt;
private Instant lastLogin;
private User.Role role;
private String preferredLanguage;
private JsonNode settings;
private List<DeviceResponse> devices;
}

39
src/main/java/dev/ivfrost/hydro_backend/dto/UserUpdateRequest.java
View File

@@ -1,39 +0,0 @@
package dev.ivfrost.hydro_backend.dto;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
@Data
@AllArgsConstructor
public class UserUpdateRequest {
@Size(min = 5, max = 20)
private String username;
@Size(min = 4, max = 40)
private String fullName;
@Email(message = "Invalid email format")
@Size(min = 8, max = 50)
private String email;
@Size(max = 255)
private String profilePictureUrl;
@Pattern(regexp = "^\\+?[0-9\\-\\s]{7,20}$", message = "Invalid phone number format")
@Size(max = 20)
private String phoneNumber;
@Size(max = 100)
private String address;
@Size(min = 2, max = 2)
private String preferredLanguage = "es";
private JsonNode settings = new ObjectMapper().createObjectNode();
}

77
src/main/java/dev/ivfrost/hydro_backend/entity/Device.java
View File

@@ -1,77 +0,0 @@
package dev.ivfrost.hydro_backend.entity;
import jakarta.persistence.*;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.hibernate.annotations.UpdateTimestamp;
import java.time.Instant;
// Non-nullable: firmware, technicalName
@Data
@NoArgsConstructor
@AllArgsConstructor
@Table(name = "devices")
@Entity
public class Device {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Size(max = 17, min = 17)
@Column(nullable = false, name = "mac_address", unique = true)
private String macAddress;
@Size(min = 1, max = 40)
@Column(nullable = true)
private String name; // User defined name
@Size(max = 20)
@Column(length = 20)
private String location; // Latest known location
@Size(max = 20)
@Column(nullable = false)
private String firmware; // Firmware version
@Size(max = 40)
@Column(name = "technical_name", nullable = false)
private String technicalName; // Technical name
@Column(length = 44, unique = true)
private String hash; // Unique device hash for verification
@Pattern(regexp = "^((25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.){3}(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)$")
@Size(max = 15)
@Column(nullable = true)
private String ip;
@Column(name = "created_at")
private Instant createdAt; // Timestamp when the device was created
@UpdateTimestamp
@Column(name = "updated_at")
private Instant updatedAt;
private Instant linkedAt;
private Instant lastSeen;
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "user_id")
private User user;
@Column(name = "display_order")
private Integer displayOrder; // User-defined order for display purposes
@PrePersist
protected void onCreate() {
Instant now = Instant.now();
this.createdAt = now;
}
}

29
src/main/java/dev/ivfrost/hydro_backend/entity/MqttCredentials.java
View File

@@ -1,29 +0,0 @@
package dev.ivfrost.hydro_backend.entity;
import jakarta.persistence.*;
import jakarta.validation.constraints.Size;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
@NoArgsConstructor
@AllArgsConstructor
@Data
@Entity
public class MqttCredentials {
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Id
private Long id;
@Size(min = 5, max = 20)
@Column(nullable = false, unique = true)
private String username;
@Column(length = 44, nullable = false)
private String password;
@OneToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "user_id", nullable = false)
private User user;
}

127
src/main/java/dev/ivfrost/hydro_backend/entity/User.java
View File

@@ -1,127 +0,0 @@
package dev.ivfrost.hydro_backend.entity;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import dev.ivfrost.hydro_backend.converter.JsonNodeConverter;
import jakarta.persistence.*;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Size;
import lombok.Data;
import lombok.AllArgsConstructor;
import lombok.NoArgsConstructor;
import org.hibernate.annotations.CreationTimestamp;
import org.hibernate.annotations.JdbcTypeCode;
import org.hibernate.annotations.UpdateTimestamp;
import org.hibernate.type.SqlTypes;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
@Data
@NoArgsConstructor
@AllArgsConstructor
@Table(name = "users")
@Entity
public class User {
public static enum Role {
USER,
ADMIN
}
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Size(min = 5, max = 20)
@Column(unique = true, nullable = false)
private String username;
// Password is write-only to prevent it from being serialized in responses
@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
@Size(min = 12, max = 60)
@Column(nullable = false)
private String password;
@Size(min = 4, max = 40)
@Column(name = "full_name", nullable = false)
private String fullName;
@Email(message = "Invalid email format")
@Size(min = 8, max = 50)
@Column(unique = true, nullable = false)
private String email;
@Column(name = "profile_pic")
@Size(max = 255)
private String profilePictureUrl;
@Size(max = 20)
@Column(name = "phone_number")
private String phoneNumber;
@Size(max = 100)
@Column(columnDefinition = "text")
private String address;
@CreationTimestamp
@Column(name = "created_at", nullable = false, updatable = false)
private Instant createdAt;
@UpdateTimestamp
@Column(name = "updated_at", nullable = false)
private Instant updatedAt;
@Column(name = "deleted_at", nullable = true)
private Instant deletedAt;
@Column(name = "last_login")
private Instant lastLogin;
@Column(name = "is_active", nullable = false)
private boolean isActive = true;
@Enumerated(EnumType.STRING)
@Column(nullable = false)
private Role role = Role.USER;
@Size(min = 2, max = 2)
@Column(name = "preferred_language", nullable = false)
private String preferredLanguage = "es";
@Convert(converter = JsonNodeConverter.class)
@JdbcTypeCode(SqlTypes.JSON)
@Column(name = "settings", columnDefinition = "jsonb")
private JsonNode settings = new ObjectMapper().createObjectNode();
@Column(columnDefinition = "text")
private String notes;
@OneToMany(fetch = FetchType.LAZY)
@JoinColumn(name = "user_id")
private List<Device> devices = new ArrayList<>();
@Column(name = "is_deleted", nullable = false)
private boolean isDeleted = false;
// Enforce preferredLanguage to be a 2-letter ISO code in lowercase
public void setPreferredLanguage(String preferredLanguage) {
if (preferredLanguage == null || preferredLanguage.length() != 2) {
throw new IllegalArgumentException("Preferred language must be a 2-letter ISO code.");
}
this.preferredLanguage = preferredLanguage.toLowerCase();
}
@PrePersist
protected void onCreate() {
if (profilePictureUrl == null) profilePictureUrl = "";
if (phoneNumber == null) phoneNumber = "";
if (address == null) address = "";
if (lastLogin == null) lastLogin = Instant.now();
if (settings == null) settings = new ObjectMapper().createObjectNode();
if (notes == null) notes = "";
if (devices == null) devices = new ArrayList<>();
}
}

34
src/main/java/dev/ivfrost/hydro_backend/entity/UserToken.java
View File

@@ -1,34 +0,0 @@
package dev.ivfrost.hydro_backend.entity;
import jakarta.persistence.*;
import lombok.Data;
import java.time.LocalDateTime;
@Data
@Entity
@Table(name = "tokens")
public class UserToken {
public static enum TokenType {
RECOVERY_CODE,
}
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Column(nullable = false, length = 44)
private String token;
@Enumerated(EnumType.STRING)
@Column(nullable = false, length = 20)
private TokenType type;
@Column(name = "expiry_date", nullable = true)
private LocalDateTime expiryDate;
@ManyToOne
@JoinColumn(name = "user_id", nullable = false)
private User user;
}

7
src/main/java/dev/ivfrost/hydro_backend/exception/AuthWrongPasswordException.java
View File

@@ -1,7 +0,0 @@
package dev.ivfrost.hydro_backend.exception;
public class AuthWrongPasswordException extends RuntimeException {
public AuthWrongPasswordException(String email) {
super("Wrong password for user with email: " + email);
}
}

7
src/main/java/dev/ivfrost/hydro_backend/exception/DeviceFetchException.java
View File

@@ -2,7 +2,8 @@ package dev.ivfrost.hydro_backend.exception;
public class DeviceFetchException extends RuntimeException {
public DeviceFetchException(String message) {
super(message);
}
public DeviceFetchException(String message) {
super(message);
}
}

7
src/main/java/dev/ivfrost/hydro_backend/exception/DeviceLinkException.java
View File

@@ -2,7 +2,8 @@ package dev.ivfrost.hydro_backend.exception;
public class DeviceLinkException extends RuntimeException {
public DeviceLinkException(String hash) {
super("Device with hash " + hash + " is already linked to a user.");
}
public DeviceLinkException(String message) {
super(message);
}
}

14
src/main/java/dev/ivfrost/hydro_backend/exception/DeviceNotFoundException.java
View File

@@ -1,11 +1,13 @@
package dev.ivfrost.hydro_backend.exception;
public class DeviceNotFoundException extends RuntimeException {
public DeviceNotFoundException(Long deviceId) {
super("Device with ID " + deviceId + " not found.");
}
public DeviceNotFoundException(String hash) {
super("Device with hash " + hash + " not found.");
}
public DeviceNotFoundException(Long deviceId) {
super("Device with ID " + deviceId + " not found.");
}
public DeviceNotFoundException(String message) {
super(message);
}
}

13
src/main/java/dev/ivfrost/hydro_backend/exception/DuplicateMacAddressException.java Normal file
View File

@@ -0,0 +1,13 @@
package dev.ivfrost.hydro_backend.exception;
public class DuplicateMacAddressException extends RuntimeException {
public DuplicateMacAddressException(String macAddress) {
super("Device with MAC address '" + macAddress + "' already exists");
}
public DuplicateMacAddressException(String macAddress, Throwable cause) {
super("Device with MAC address '" + macAddress + "' already exists", cause);
}
}

11
src/main/java/dev/ivfrost/hydro_backend/exception/EncryptionException.java Normal file
View File

@@ -0,0 +1,11 @@
package dev.ivfrost.hydro_backend.exception;
/**
* Custom exception for encryption/decryption errors
*/
public class EncryptionException extends RuntimeException {
public EncryptionException(String message) {
super(message);
}
}

8
src/main/java/dev/ivfrost/hydro_backend/exception/ExpiredVerificationToken.java
View File

@@ -1,7 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class ExpiredVerificationToken extends RuntimeException {
public ExpiredVerificationToken(String message) {
super(message);
}
public ExpiredVerificationToken(String message) {
super(message);
}
}

9
src/main/java/dev/ivfrost/hydro_backend/exception/HmacEncodingException.java Normal file
View File

@@ -0,0 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class HmacEncodingException extends RuntimeException {
public HmacEncodingException(String s) {
super(s);
}
}

9
src/main/java/dev/ivfrost/hydro_backend/exception/RecoveryTokenMismatchException.java
View File

@@ -1,8 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class RecoveryTokenMismatchException extends RuntimeException {
public RecoveryTokenMismatchException(String message) {
super(message);
}
}
public RecoveryTokenMismatchException(String message) {
super(message);
}
}

8
src/main/java/dev/ivfrost/hydro_backend/exception/RecoveryTokenNotFoundException.java
View File

@@ -1,7 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class RecoveryTokenNotFoundException extends RuntimeException {
public RecoveryTokenNotFoundException(String message) {
super(message);
}
public RecoveryTokenNotFoundException(String message) {
super(message);
}
}

10
src/main/java/dev/ivfrost/hydro_backend/exception/TokenNotFoundException.java
View File

@@ -1,9 +1,11 @@
package dev.ivfrost.hydro_backend.exception;
import dev.ivfrost.hydro_backend.entity.UserToken;
import dev.ivfrost.hydro_backend.tokens.internal.Token;
public class TokenNotFoundException extends RuntimeException {
public TokenNotFoundException(UserToken.TokenType type) {
super("Token of type " + type + " not found or invalid.");
}
public TokenNotFoundException(Token.TokenType type) {
super("Token of type " + type + " not found or invalid.");
}
}

8
src/main/java/dev/ivfrost/hydro_backend/exception/UserDeletedException.java
View File

@@ -1,8 +0,0 @@
package dev.ivfrost.hydro_backend.exception;
public class UserDeletedException extends RuntimeException {
public UserDeletedException(Long userId) {
super("User with ID " + userId + " is deleted.");
}
}

9
src/main/java/dev/ivfrost/hydro_backend/exception/UserDisabledException.java Normal file
View File

@@ -0,0 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class UserDisabledException extends RuntimeException {
public UserDisabledException(Long userId) {
super("User with ID " + userId + " is disabled.");
}
}

8
src/main/java/dev/ivfrost/hydro_backend/exception/UserNotAuthenticatedException.java
View File

@@ -1,7 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class UserNotAuthenticatedException extends Exception {
public UserNotAuthenticatedException(String message) {
super(message);
}
public UserNotAuthenticatedException(String message) {
super(message);
}
}

16
src/main/java/dev/ivfrost/hydro_backend/exception/UserNotFoundException.java
View File

@@ -1,13 +1,13 @@
package dev.ivfrost.hydro_backend.exception;
import jakarta.validation.constraints.Size;
public class UserNotFoundException extends RuntimeException {
public UserNotFoundException(Long userId) {
super("User with ID " + userId + " not found.");
}
public UserNotFoundException(String email) {
super("User with email '" + email + "' not found.");
}
public UserNotFoundException(Long userId) {
super("User with ID " + userId + " not found.");
}
public UserNotFoundException(String email) {
super("User with email '" + email + "' not found.");
}
}

8
src/main/java/dev/ivfrost/hydro_backend/exception/UsernameTakenException.java
View File

@@ -1,7 +1,9 @@
package dev.ivfrost.hydro_backend.exception;
public class UsernameTakenException extends RuntimeException {
public UsernameTakenException(String username) {
super("Username '" + username + "' is already taken.");
}
public UsernameTakenException(String username) {
super("Username '" + username + "' is already taken.");
}
}

13
src/main/java/dev/ivfrost/hydro_backend/repository/DeviceRepository.java
View File

@@ -1,13 +0,0 @@
package dev.ivfrost.hydro_backend.repository;
import dev.ivfrost.hydro_backend.entity.Device;
import org.springframework.data.jpa.repository.JpaRepository;
import java.util.List;
import java.util.Optional;
public interface DeviceRepository extends JpaRepository<Device, Long> {
Optional<Device> findByHash(String hash);
List<Device> findAllByUserId(Long userId);
}

12
src/main/java/dev/ivfrost/hydro_backend/repository/MqttCredentialsRepository.java
View File

@@ -1,12 +0,0 @@
package dev.ivfrost.hydro_backend.repository;
import dev.ivfrost.hydro_backend.entity.MqttCredentials;
import org.springframework.data.jpa.repository.JpaRepository;
import java.util.Optional;
public interface MqttCredentialsRepository extends JpaRepository<MqttCredentials, Long> {
boolean existsByUserId(Long userId);
Optional<MqttCredentials> findByUserId(Long userId);
}

21
src/main/java/dev/ivfrost/hydro_backend/repository/UserRepository.java
View File

@@ -1,21 +0,0 @@
package dev.ivfrost.hydro_backend.repository;
import dev.ivfrost.hydro_backend.entity.User;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Size;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import java.util.Optional;
public interface UserRepository extends JpaRepository<User, Long> {
Optional<User> findByUsername(String username);
Optional<User> findByEmail(String email);
@Query("SELECT u FROM User u LEFT JOIN FETCH u.devices WHERE u.id = :id")
Optional<User> findByIdWithDevices(Long id);
boolean existsByUsername(String username);
boolean existsByEmail(String email);
}

10
src/main/java/dev/ivfrost/hydro_backend/repository/UserTokenRepository.java
View File

@@ -1,10 +0,0 @@
package dev.ivfrost.hydro_backend.repository;
import dev.ivfrost.hydro_backend.entity.UserToken;
import org.springframework.data.jpa.repository.JpaRepository;
import java.util.Optional;
public interface UserTokenRepository extends JpaRepository<UserToken, Long> {
Optional<UserToken> findByTokenAndType(String token, UserToken.TokenType type);
}

100
src/main/java/dev/ivfrost/hydro_backend/security/JWTFilter.java
View File

@@ -1,100 +0,0 @@
package dev.ivfrost.hydro_backend.security;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.Map;
@Slf4j
@AllArgsConstructor
@Component
public class JWTFilter extends OncePerRequestFilter {
private final UserDetailsService userDetailsService;
private final JWTUtil jwtUtil;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
String path = request.getRequestURI();
log.info("JWTFilter processing path: {}", path);
// Bypass filter for authentication and validation endpoints
if (path.startsWith("/v1/users/auth/") || path.equals("/v1/users") ||
path.equals("/v1/users/recover") || path.equals("/v1/users/password/reset") ||
path.startsWith("/v1/validation") || path.startsWith("/v1/users/verify") ||
path.equals("/v1/validation/recovery-code")) {
log.info("Bypassing JWTFilter for path: {}", path);
filterChain.doFilter(request, response);
return;
}
// Extract Authorization header
String authHeader = request.getHeader("Authorization");
log.info("Authorization header: {}", authHeader);
// Check for Bearer token
if (authHeader != null && !authHeader.isBlank() && authHeader.startsWith("Bearer ")) {
// Extract JWT token
String jwt = authHeader.substring(7);
log.info("Extracted JWT: {}", jwt);
if (jwt == null || jwt.isBlank()) {
log.warn("JWT is blank or null");
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid JWT Token in Bearer Header");
return;
}
try {
// Validate token and retrieve claims
Map<String, Claim> claims = jwtUtil.validateTokenAndRetrieveClaims(jwt);
log.info("JWT claims: {}", claims);
String username = claims.get("username").asString();
String role = claims.get("role") != null ? claims.get("role").asString() : null;
log.info("JWT username: {}, role: {}", username, role);
// Load User Details
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
log.info("Loaded userDetails: {}", userDetails);
log.info("User authorities: {}", userDetails.getAuthorities());
// Use authorities from userDetails (database), not JWT
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
// Set authentication in security context
if (SecurityContextHolder.getContext().getAuthentication() == null) {
SecurityContextHolder.getContext().setAuthentication(authToken);
log.info("Authentication set in security context for user: {}", username);
} else {
log.info("Authentication already present in security context");
}
} catch (JWTVerificationException e) {
log.error("JWT verification failed", e);
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid JWT Token in Bearer Header");
} catch (Exception e) {
log.error("Unexpected error in JWTFilter", e);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
}
} else {
log.info("No Bearer token found in Authorization header");
}
// Continue filter chain
filterChain.doFilter(request, response);
}
}

65
src/main/java/dev/ivfrost/hydro_backend/security/JWTUtil.java
View File

@@ -1,65 +0,0 @@
package dev.ivfrost.hydro_backend.security;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import dev.ivfrost.hydro_backend.entity.User;
import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.Map;
@Component
public class JWTUtil {
// Inject JWT secret from application properties
@Value("${jwt.secret}")
private String jwtSecret;
@Value("${jwt.expiration-ms}")
private Long jwtExpirationMs;
@Value("${jwt.refresh-expiration-ms}")
private Long jwtRefreshExpirationMs;
// Create JWT token using the injected secret
public String generateToken(User user) throws JWTCreationException {
return JWT.create()
.withSubject("User Details")
.withClaim("username", user.getUsername())
.withClaim("email", user.getEmail())
.withClaim("role", user.getRole().toString())
.withClaim("preferredLanguage", user.getPreferredLanguage())
.withExpiresAt(new Date(System.currentTimeMillis() + jwtExpirationMs))
.withIssuedAt(new Date())
.withIssuer("HydroBackend")
.sign(Algorithm.HMAC256(jwtSecret));
}
// Create JWT refresh token using the injected secret and longer expiration
public String generateRefreshToken(User user) throws JWTCreationException {
return JWT.create()
.withSubject("User Details")
.withClaim("username", user.getUsername())
.withClaim("email", user.getEmail())
.withClaim("role", user.getRole().toString())
.withClaim("preferredLanguage", user.getPreferredLanguage())
.withExpiresAt(new Date(System.currentTimeMillis() + jwtRefreshExpirationMs))
.withIssuedAt(new Date())
.withIssuer("HydroBackend")
.sign(Algorithm.HMAC256(jwtSecret));
}
public Map<String, Claim> validateTokenAndRetrieveClaims(String token) throws JWTVerificationException {
DecodedJWT jwt = JWT.require(Algorithm.HMAC256(jwtSecret))
.withSubject("User Details")
.withIssuer("HydroBackend")
.build()
.verify(token);
return jwt.getClaims();
}
}

52
src/main/java/dev/ivfrost/hydro_backend/security/MyUserDetails.java
View File

@@ -1,52 +0,0 @@
package dev.ivfrost.hydro_backend.security;
import dev.ivfrost.hydro_backend.entity.User;
import lombok.AllArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
import java.util.Collections;
@AllArgsConstructor
public class MyUserDetails implements UserDetails {
private final User user;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singletonList(
new SimpleGrantedAuthority("ROLE_" + user.getRole().name()));
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return String.valueOf(user.getId());
}
@Override
public boolean isEnabled() {
return !user.isDeleted() && user.isActive();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
}

326
src/main/java/dev/ivfrost/hydro_backend/service/DeviceService.java
View File

@@ -1,326 +0,0 @@
// language: java
package dev.ivfrost.hydro_backend.service;
import dev.ivfrost.hydro_backend.dto.*;
import dev.ivfrost.hydro_backend.entity.Device;
import dev.ivfrost.hydro_backend.entity.MqttCredentials;
import dev.ivfrost.hydro_backend.entity.User;
import dev.ivfrost.hydro_backend.exception.DeviceFetchException;
import dev.ivfrost.hydro_backend.exception.DeviceLinkException;
import dev.ivfrost.hydro_backend.exception.DeviceNotFoundException;
import dev.ivfrost.hydro_backend.repository.DeviceRepository;
import dev.ivfrost.hydro_backend.repository.MqttCredentialsRepository;
import dev.ivfrost.hydro_backend.util.DeviceDtoUtil;
import jakarta.transaction.Transactional;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
@Service
public class DeviceService {
private final DeviceRepository deviceRepository;
private final MqttCredentialsRepository mqttCredentialsRepository;
private final EncoderService encoderService;
private final String privateKey;
private final UserService userService;
public DeviceService(
DeviceRepository deviceRepository,
MqttCredentialsRepository mqttCredentialsRepository,
EncoderService encoderService,
@Value("${device.secret}") String privateKey,
UserService userService) {
this.deviceRepository = deviceRepository;
this.mqttCredentialsRepository = mqttCredentialsRepository;
this.encoderService = encoderService;
this.privateKey = privateKey;
if (this.privateKey == null || this.privateKey.isEmpty()) {
throw new IllegalStateException("Environment variable DEVICE_SECRET is not set.");
}
this.userService = userService;
}
/**
* Provisions a new device and generates an ownership hash using the database ID.
*
* @param req the device provision request DTO
* @return the provisioned device response DTO
*/
@Transactional
public DeviceResponse provisionDevice(DeviceProvisionRequest req) {
Device device = convertRequestToDevice(req);
// Persist to get generated ID
Device savedDevice = deviceRepository.save(device);
// Compute and set hash based on generated ID
String hash = encoderService.hmacSha256Encoder().apply(privateKey, savedDevice.getId().toString());
savedDevice.setHash(hash);
// Persist updated record with hash
return DeviceDtoUtil.convertDeviceToResponse(deviceRepository.save(savedDevice));
}
/**
* Links an unlinked device to a user; creates MQTT credentials if user's first device; sets device order.
*
* @param req the device link request DTO
* @param userId the ID of the user to link the device to (null for authenticated user)
* @throws DeviceLinkException if the device is already linked
* @throws DeviceNotFoundException if the device is not found
*/
@Transactional
public void linkDevice(DeviceLinkRequest req, Long userId) {
// Determine the user (either from provided ID or current authentication context)
User user = (userId != null)
? userService.getUserByIdWithoutDevices(userId)
: userService.getCurrentUserWithoutDevices();
// Find the device by hash
Device device = deviceRepository.findByHash(req.getHash())
.orElseThrow(() -> new DeviceNotFoundException(req.getHash()));
// Check if device is already linked
if (device.getUser() != null) {
throw new DeviceLinkException(req.getHash());
}
ensureMqttCredentialsForUser(user);
// Link device to user
device.setUser(user);
// Set device order to be the highest order + 1 for initial display at the bottom of the list
device.setDisplayOrder(calculateDeviceDisplayOrder(user));
deviceRepository.save(device);
}
/**
* Overloaded method for device linking requests coming from authenticated users.
*
* @param req the device link request DTO
* @throws DeviceLinkException if the device is already linked
* @throws DeviceNotFoundException if the device is not found
*/
@Transactional
public void linkDevice(DeviceLinkRequest req) {
linkDevice(req, null);
}
/**
* Unlinks a device from the currently authenticated user.
*
* @param deviceId the ID of the device to unlink
* @throws DeviceNotFoundException if the device is not found
* @throws IllegalArgumentException if the device does not belong to the authenticated user
*/
@Transactional
public void unlinkDevice(Long deviceId) {
Device device = deviceRepository.findById(deviceId)
.orElseThrow(() -> new DeviceNotFoundException(deviceId));
User currentUser = userService.getCurrentUserWithoutDevices();
if (!Objects.equals(device.getUser(), currentUser)) {
throw new IllegalArgumentException("Device does not belong to the authenticated user");
}
device.setUser(null);
deviceRepository.save(device);
}
/**
* Retrieves existing MQTT credentials for the currently authenticated user.
* The password is returned as stored in the database (hash generated from user ID and private key).
*
* @return the MQTT credentials response DTO
* @throws IllegalArgumentException if credentials are not found for the user
*/
public MqttCredentialsResponse getMqttCredentials() {
User user = userService.getCurrentUserWithoutDevices();
MqttCredentials mqttCredentials = mqttCredentialsRepository.findByUserId(user.getId())
.orElseThrow(() -> new IllegalArgumentException("MQTT credentials not found for user"));
// Return the password as stored in the database
return new MqttCredentialsResponse(mqttCredentials.getUsername(), mqttCredentials.getPassword());
}
/**
* Retrieves devices owned by the currently authenticated user.
*
* @return a list of device response DTOs
* @throws DeviceFetchException if no devices are found for the user
*/
public List<DeviceResponse> getUserDevices() {
User user = userService.getCurrentUser();
if (user.getDevices() == null || user.getDevices().isEmpty()) {
throw new DeviceFetchException("No devices found for user");
}
return user.getDevices()
.stream()
.map(DeviceDtoUtil::convertDeviceToResponse)
.sorted(Comparator.comparing(DeviceResponse::getDisplayOrder))
.collect(Collectors.toList());
}
/**
* Retrieves devices owned by a specific user, by user ID (Admin only).
*
* @param userId the ID of the user whose devices are to be retrieved
* @return a list of device response DTOs
* @throws DeviceFetchException if no devices are found for the user
*/
public List<DeviceResponse> getUserDevicesById(Long userId) {
User user = userService.getUserById(userId);
if (user.getDevices() == null || user.getDevices().isEmpty()) {
throw new DeviceFetchException("No devices found for user");
}
return user
.getDevices()
.stream()
.map(DeviceDtoUtil::convertDeviceToResponse)
.sorted(Comparator.comparing(DeviceResponse::getDisplayOrder))
.collect(Collectors.toList());
}
/**
* Retrieves all devices provisioned in the system (Admin only).
*
* @return a list of all device response DTOs
* @throws DeviceFetchException if no devices are found
*/
public List<DeviceResponse> getAllDevices() {
List<Device> devices = deviceRepository.findAll();
if (devices.isEmpty()) {
throw new DeviceFetchException("No devices found");
}
return DeviceDtoUtil.convertDevicesToResponse(devices);
}
/**
* Updates fields of a specific device by its ID.
* Admins can additionally update the technical name and firmware version.
*
* @param deviceId the ID of the device to update
* @param req the device update request DTO
* @param technicalName (Admin only) the new technical name for the device
* @param firmware (Admin only) the new firmware version for the device
* @return the updated device response DTO
* @throws DeviceNotFoundException if the device is not found
* @throws IllegalArgumentException if the device does not belong to the authenticated user
*/
public DeviceResponse updateDeviceById(
Long deviceId, DeviceUpdateRequest req, String technicalName, String firmware) {
Device device = deviceRepository.findById(deviceId)
.orElseThrow(() -> new DeviceNotFoundException(deviceId));
// If either technicalName or firmware is null, it's a user request; verify ownership
if (technicalName == null || firmware == null) {
User currentUser = userService.getCurrentUserWithoutDevices();
if (!Objects.equals(device.getUser(), currentUser)) {
throw new IllegalArgumentException("Device does not belong to the authenticated user");
}
}
if (technicalName != null && !technicalName.isEmpty()) {
device.setTechnicalName(technicalName);
}
if (firmware != null && !firmware.isEmpty()) {
device.setFirmware(firmware);
}
if (req.getName() != null && !req.getName().isEmpty()) {
device.setName(req.getName());
}
if (req.getDisplayOrder() != null && req.getDisplayOrder() >= 0) {
device.setDisplayOrder(req.getDisplayOrder());
}
return DeviceDtoUtil.convertDeviceToResponse(deviceRepository.save(device));
}
/**
* Overloaded method for updating a device by its ID for authenticated users.
* Users can only update the user-defined name and display order of their own devices.
*
* @param deviceId the ID of the device to update
* @param req the device update request DTO
* @return the updated device response DTO
*/
public DeviceResponse updateUserDeviceById(Long deviceId, DeviceUpdateRequest req) {
return updateDeviceById(deviceId, req, null, null);
}
/**
* Delete a device by its ID (Admin only).
*
* @param deviceId the ID of the device to delete
* @throws DeviceNotFoundException if the device is not found
*/
public void deleteDeviceById(Long deviceId) {
Device device = deviceRepository.findById(deviceId).orElseThrow(() -> new DeviceNotFoundException(deviceId));
deviceRepository.delete(device);
}
/*--------------------------*/
/* Helper Methods */
/*--------------------------*/
/**
* Converts a DeviceProvisionRequest DTO to a Device entity.
*
* @param req the device provision request DTO
* @return the device entity
*/
private Device convertRequestToDevice(DeviceProvisionRequest req) {
Device device = new Device();
device.setTechnicalName(req.getTechnicalName());
device.setFirmware(req.getFirmware());
device.setMacAddress(req.getMacAddress());
return device;
}
/**
* Converts MqttCredentials entity to MqttCredentialsResponse DTO.
*
* @param mqttCredentials the MQTT credentials entity
* @return the MQTT credentials response DTO
*/
private MqttCredentialsResponse convertMqttCredentialsToResponse(MqttCredentials mqttCredentials) {
return new MqttCredentialsResponse(mqttCredentials.getUsername(), mqttCredentials.getPassword());
}
/**
* Ensures MQTT credentials exist for the user, creating them if not present.
*
* @param user the user to check/create credentials for
*/
private void ensureMqttCredentialsForUser(User user) {
if (!mqttCredentialsRepository.existsByUserId(user.getId())) {
String encodedPassword = encoderService.hmacSha256Encoder().apply(privateKey, user.getId().toString());
MqttCredentials mqttCredentials = new MqttCredentials();
mqttCredentials.setUsername(user.getUsername());
mqttCredentials.setPassword(encodedPassword);
mqttCredentials.setUser(user);
mqttCredentialsRepository.save(mqttCredentials);
}
}
/**
* Calculates the next display order for a user's devices.
*
* @param user the user whose devices are being ordered
* @return the next display order
*/
private int calculateDeviceDisplayOrder(User user) {
return user.getDevices() != null && !user.getDevices().isEmpty()
? user.getDevices().stream()
.mapToInt(Device::getDisplayOrder)
.max()
.orElse(0) + 1
: 1;
}
}

29
src/main/java/dev/ivfrost/hydro_backend/service/EncoderService.java
View File

@@ -1,29 +0,0 @@
package dev.ivfrost.hydro_backend.service;
import org.springframework.stereotype.Service;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
import java.util.function.BiFunction;
@Service
public class EncoderService {
public BiFunction<String, String, String> hmacSha256Encoder() {
return (secretKey, toBeEncoded) -> {
try {
if (toBeEncoded == null || toBeEncoded.isEmpty()) {
throw new IllegalArgumentException("Input string to be encoded cannot be null or empty");
}
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256");
mac.init(secretKeySpec);
byte[] hmac = mac.doFinal(toBeEncoded.getBytes());
return Base64.getEncoder().encodeToString(hmac);
} catch (Exception e) {
throw new HmacEncodingException("Error while encoding string using HMAC-SHA256");
}
};
}
}

7
src/main/java/dev/ivfrost/hydro_backend/service/HmacEncodingException.java
View File

@@ -1,7 +0,0 @@
package dev.ivfrost.hydro_backend.service;
public class HmacEncodingException extends RuntimeException {
public HmacEncodingException(String s) {
super(s);
}
}

31
src/main/java/dev/ivfrost/hydro_backend/service/MyUserDetailsService.java
View File

@@ -1,31 +0,0 @@
package dev.ivfrost.hydro_backend.service;
import dev.ivfrost.hydro_backend.entity.User;
import dev.ivfrost.hydro_backend.repository.UserRepository;
import dev.ivfrost.hydro_backend.security.MyUserDetails;
import lombok.AllArgsConstructor;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.Optional;
@AllArgsConstructor
@Service
public class MyUserDetailsService implements UserDetailsService {
private final UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Optional<User> userOpt = userRepository.findByUsername(username);
if (userOpt.isEmpty()) {
throw new UsernameNotFoundException("User not found: " + username);
}
User user = userOpt.get();
return new MyUserDetails(user);
}
}

394
src/main/java/dev/ivfrost/hydro_backend/service/UserService.java
View File

@@ -1,394 +0,0 @@
package dev.ivfrost.hydro_backend.service;
import dev.ivfrost.hydro_backend.entity.UserToken;
import dev.ivfrost.hydro_backend.exception.*;
import dev.ivfrost.hydro_backend.dto.*;
import dev.ivfrost.hydro_backend.entity.User;
import dev.ivfrost.hydro_backend.repository.UserTokenRepository;
import dev.ivfrost.hydro_backend.repository.UserRepository;
import dev.ivfrost.hydro_backend.security.JWTUtil;
import dev.ivfrost.hydro_backend.util.DeviceDtoUtil;
import dev.ivfrost.hydro_backend.util.RecoveryCodeUtil;
import jakarta.transaction.Transactional;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Collections;
import java.util.List;
@Service
public class UserService {
private final UserRepository userRepository;
private final UserTokenRepository userTokenRepository;
private final PasswordEncoder passwordEncoder;
private final EncoderService encoderService;
private final JWTUtil jwtUtil;
@Value("${security-code.secret}")
private String securityCodeSecret;
public UserService(UserRepository userRepository, UserTokenRepository userTokenRepository, PasswordEncoder passwordEncoder, EncoderService encoderService, JWTUtil jwtUtil) {
this.userRepository = userRepository;
this.userTokenRepository = userTokenRepository;
this.passwordEncoder = passwordEncoder;
this.encoderService = encoderService;
this.jwtUtil = jwtUtil;
}
/**
* Adds a new user with a specified role (admin only).
* Recovery codes are generated and the user is prompted to save them securely.
* @param req the user registration request DTO
* @param role the role to assign to the user
* @throws UsernameTakenException if the username is already taken
* @return the user registration response containing recovery codes
*/
@Transactional
public UserRegisterResponse addUser(UserRegisterRequest req, User.Role role) {
if (userRepository.findByUsername(req.getUsername()).isPresent()) {
throw new UsernameTakenException(req.getUsername());
}
User user = convertRequestToUser(req);
user.setRole(role != null ? role : User.Role.USER); // Default to USER role if not specified
userRepository.save(user);
String[] recoveryCodes = RecoveryCodeUtil.generateRecoveryCodes(5);
for (String code : recoveryCodes) {
String encodedCode = encoderService.hmacSha256Encoder().apply(securityCodeSecret, code);
UserToken token = new UserToken();
token.setType(UserToken.TokenType.RECOVERY_CODE);
token.setToken(encodedCode);
token.setExpiryDate(null);
token.setUser(user);
userTokenRepository.save(token);
}
return new UserRegisterResponse(recoveryCodes);
}
/**
* Adds a new user with the default USER role (for self-registration).
* Recovery codes are generated and the user is prompted to save them securely.
* The first registered user is assigned the ADMIN role
* @param req the user registration request DTO
* @throws UsernameTakenException if the username is already taken
* @return the user registration response containing recovery codes
*/
@Transactional
public UserRegisterResponse addUser(UserRegisterRequest req) {
boolean isFirstUser = userRepository.count() == 0;
User.Role role = isFirstUser ? User.Role.ADMIN : User.Role.USER; // First user is ADMIN, others are USER
return addUser(req, role);
}
/**
* Authenticates a user by email and password, returning a JWT token and refresh token if successful.
* @param req the user login request DTO
* @return the authentication response containing the JWT token and refresh token
* @throws UserNotFoundException if the user is not found
* @throws AuthWrongPasswordException if the password is incorrect
*/
public AuthResponse authenticateUser(UserLoginRequest req) {
User user = userRepository.findByEmail(req.getEmail())
.orElseThrow(() -> new UserNotFoundException(req.getEmail()));
if (!passwordEncoder.matches(req.getPassword(), user.getPassword())) {
throw new AuthWrongPasswordException(req.getEmail());
}
user.setLastLogin(LocalDateTime.now().atZone(ZoneOffset.UTC).toInstant());
user.setActive(true);
userRepository.save(user);
return buildAuthResponse(user, "JWT token and refresh token generated successfully.");
}
/**
* Refreshes the JWT token and rotates the refresh token for the currently authenticated user.
* @return the authentication response containing the new JWT token and refresh token
* @throws UserNotFoundException if the user is not found
*/
public AuthResponse refreshTokens() throws UserNotFoundException {
User user = getCurrentUserWithoutDevices();
return buildAuthResponse(user, "JWT token and refresh token refreshed successfully.");
}
/**
* Retrieves the currently authenticated user without devices (for performance).
* @return the authenticated user entity
* @throws UserNotFoundException if the user is not found
*/
public User getCurrentUserWithoutDevices() {
Long userId = getCurrentUserId();
return userRepository.findById(userId)
.orElseThrow(() -> new UserNotFoundException(userId));
}
/**
* Retrieves the currently authenticated user with devices, or null if not authenticated.
* @return the authenticated user entity with devices, or null if not authenticated
*/
public User getCurrentUser() {
if (!isUserAuthenticated()) {
return null;
}
try {
Long userId = getCurrentUserId();
return userRepository.findByIdWithDevices(userId).orElse(null);
} catch (Exception e) {
return null;
}
}
/**
* Retrieves the profile of the currently authenticated user as a response DTO.
* @return the user response DTO, or null if not authenticated
*/
public UserResponse getCurrentUserProfile() {
return convertUserToResponse(getCurrentUser());
}
/**
* Retrieves a user by their unique ID (admin only, without devices).
* @param userId the ID of the user to retrieve
* @return the user entity
* @throws UserNotFoundException if the user is not found
*/
public User getUserByIdWithoutDevices(Long userId) {
return userRepository.findById(userId).orElseThrow(() -> new UserNotFoundException(userId));
}
/**
* Retrieves a user by their unique ID with devices (admin only).
* @param userId the ID of the user to retrieve
* @return the user entity with devices
* @throws UserNotFoundException if the user is not found
*/
public User getUserById(Long userId) {
return userRepository.findByIdWithDevices(userId).orElseThrow(() -> new UserNotFoundException(userId));
}
/**
* Retrieves a user profile by their unique ID as a response DTO (admin only).
* @param userId the ID of the user to retrieve
* @return the user response DTO
* @throws UserNotFoundException if the user is not found
*/
public UserResponse getUserProfileById(Long userId) throws UserNotFoundException {
User user = getUserById(userId);
return convertUserToResponse(user);
}
/**
* Deletes the currently authenticated user (soft delete).
* @throws IllegalStateException if no authenticated user is found
*/
public void deleteCurrentUser() throws IllegalStateException {
Long userId = getCurrentUserId();
deleteUserById(userId);
}
/**
* Deletes a user by their unique ID (admin only, soft delete).
* @param userId the ID of the user to delete
* @throws UserDeletedException if the user is already deleted
* @throws UserNotFoundException if the user is not found
*/
public void deleteUserById(Long userId) {
User user = userRepository.findById(userId).orElseThrow(() -> new UserNotFoundException(userId));
if (user.isDeleted()) {
throw new UserDeletedException(userId);
}
user.setDeleted(true);
userRepository.save(user);
}
/**
* Resets the user's password using a recovery code provided to the user on registration.
* @param req the password reset request DTO containing the user email, recovery code and new password
* @throws RecoveryTokenNotFoundException if the recovery token is not found
* @throws UserNotFoundException if the user is not found
* @throws UserDeletedException if the user is deleted
*/
@Transactional
public void resetPassword(PasswordResetRequest req) {
String encodedCode = encoderService.hmacSha256Encoder().apply(securityCodeSecret, req.getRecoveryCode());
UserToken recoveryToken = userTokenRepository
.findByTokenAndType(encodedCode, UserToken.TokenType.RECOVERY_CODE)
.orElseThrow(() -> new RecoveryTokenNotFoundException("Invalid recovery code."));
User user = recoveryToken.getUser();
if (user == null) {
throw new UserNotFoundException("User associated with the token not found.");
}
if (user.isDeleted()) {
throw new UserDeletedException(user.getId());
}
if (!user.getEmail().equals(req.getEmail())) {
throw new RecoveryTokenMismatchException("Recovery code does not match the provided email.");
}
user.setPassword(passwordEncoder.encode(req.getNewPassword()));
userRepository.save(user);
// Invalidate the used token
userTokenRepository.delete(recoveryToken);
}
/**
* Update the currently authenticated user's account settings.
* @param req the user update request DTO containing the fields to update
* @return the updated user response DTO
* @throws IllegalStateException if no authenticated user is found
* @throws UserNotFoundException if the user is not found
* @throws UserDeletedException if the user is deleted
*/
@Transactional
public UserResponse updateCurrentUser(UserUpdateRequest req) {
Long userId = getCurrentUserId();
User user = userRepository.findById(userId).orElseThrow(() -> new UserNotFoundException(userId));
if (user.isDeleted()) {
throw new UserDeletedException(userId);
}
if (req.getFullName() != null && !req.getFullName().isBlank()) {
user.setFullName(req.getFullName());
}
if (req.getEmail() != null && !req.getEmail().isBlank()) {
user.setEmail(req.getEmail());
}
if (req.getPhoneNumber() != null) {
user.setPhoneNumber(req.getPhoneNumber());
}
if (req.getAddress() != null) {
user.setAddress(req.getAddress());
}
if (req.getProfilePictureUrl() != null) {
user.setProfilePictureUrl(req.getProfilePictureUrl());
}
if (req.getPreferredLanguage() != null && !req.getPreferredLanguage().isBlank()) {
user.setPreferredLanguage(req.getPreferredLanguage());
}
if (req.getSettings() != null) {
user.setSettings(req.getSettings());
}
userRepository.save(user);
return convertUserToResponse(user);
}
/*--------------------------*/
/* Helper Methods */
/*--------------------------*/
/**
* Builds an AuthResponse with both tokens and a message.
* @param user the user entity
* @param message the message to include
* @return the AuthResponse containing both tokens and the message
*/
private AuthResponse buildAuthResponse(User user, String message) {
String token = generateToken(user);
String refreshToken = generateRefreshToken(user);
return new AuthResponse(token, refreshToken, message);
}
/**
* Checks if a user is authenticated in the security context.
* @return true if a user is authenticated, false otherwise
*/
private boolean isUserAuthenticated() {
SecurityContext context = SecurityContextHolder.getContext();
return context.getAuthentication() != null && context.getAuthentication().isAuthenticated();
}
/**
* Retrieves the ID of the currently authenticated user from the security context.
* @return the user ID
* @throws IllegalStateException if no authenticated user is found
*/
private Long getCurrentUserId() {
if (isUserAuthenticated()) {
String name = SecurityContextHolder.getContext().getAuthentication().getName();
if ("anonymousUser".equals(name)) {
throw new IllegalStateException("No authenticated user found in security context.");
}
return Long.parseLong(name);
} else {
throw new IllegalStateException("No authenticated user found in security context.");
}
}
/**
* Converts a UserRegisterRequest DTO to a User entity.
* @param req the user registration request DTO
* @return the user entity
*/
private User convertRequestToUser(UserRegisterRequest req) {
String encodedPassword = passwordEncoder.encode(req.getPassword()); // Bcrypt password encoding
User user = new User();
user.setUsername(req.getUsername());
user.setPassword(encodedPassword);
user.setEmail(req.getEmail());
user.setFullName(req.getFullName());
user.setPreferredLanguage(req.getPreferredLanguage());
return user;
}
/**
* Converts a User entity to a UserResponse DTO.
* @param user the user entity
* @return the user response DTO
*/
private UserResponse convertUserToResponse(User user) {
if (user == null) {
return null;
}
UserResponse response = new UserResponse();
response.setId(user.getId());
response.setUsername(user.getUsername());
response.setFullName(user.getFullName());
response.setEmail(user.getEmail());
response.setProfilePictureUrl(user.getProfilePictureUrl());
response.setPhoneNumber(user.getPhoneNumber());
response.setAddress(user.getAddress());
response.setCreatedAt(user.getCreatedAt());
response.setUpdatedAt(user.getUpdatedAt());
response.setLastLogin(user.getLastLogin());
response.setRole(user.getRole());
response.setPreferredLanguage(user.getPreferredLanguage());
response.setSettings(user.getSettings());
List<DeviceResponse> userDevices = user.getDevices() != null ?
DeviceDtoUtil.convertDevicesToResponse(user.getDevices()) :
Collections.emptyList();
response.setDevices(userDevices);
return response;
}
/**
* Generates a JWT token for a given user.
* @param user the user entity
* @return a String containing the JWT token
* @throws UserDeletedException if the user is deleted
*/
private String generateToken(User user) {
if (user.isDeleted()) {
throw new UserDeletedException(user.getId());
}
return jwtUtil.generateToken(user);
}
/**
* Generates a refresh JWT token for a given user.
* @param user the user entity
* @return a String containing the refresh JWT token
* @throws UserDeletedException if the user is deleted
*/
private String generateRefreshToken(User user) {
if (user.isDeleted()) {
throw new UserDeletedException(user.getId());
}
return jwtUtil.generateRefreshToken(user);
}
}

35
src/main/java/dev/ivfrost/hydro_backend/service/UserTokenService.java
View File

@@ -1,35 +0,0 @@
package dev.ivfrost.hydro_backend.service;
import dev.ivfrost.hydro_backend.entity.UserToken;
import dev.ivfrost.hydro_backend.exception.RecoveryTokenMismatchException;
import dev.ivfrost.hydro_backend.exception.RecoveryTokenNotFoundException;
import dev.ivfrost.hydro_backend.repository.UserTokenRepository;
import lombok.Data;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
@Data
@Service
public class UserTokenService {
private final UserTokenRepository userTokenRepository;
private final EncoderService encoderService;
@Value("${security-code.secret}")
private String securityCodeSecret;
public UserTokenService(UserTokenRepository userTokenRepository, EncoderService encoderService) {
this.userTokenRepository = userTokenRepository;
this.encoderService = encoderService;
}
public boolean isRecoveryCodeValid(String rawCode, String email) {
String encodedCode = encoderService.hmacSha256Encoder().apply(securityCodeSecret, rawCode);
UserToken userToken = userTokenRepository.findByTokenAndType(encodedCode, UserToken.TokenType.RECOVERY_CODE)
.orElseThrow(() -> new RecoveryTokenNotFoundException("Recovery code not found"));
if (!userToken.getUser().getEmail().equals(email)) {
throw new RecoveryTokenMismatchException("Recovery code does not match the provided email");
}
return true;
}
}

58
src/main/java/dev/ivfrost/hydro_backend/tokens/DeviceSecretConverter.java Normal file
View File

@@ -0,0 +1,58 @@
package dev.ivfrost.hydro_backend.tokens;
import jakarta.persistence.AttributeConverter;
import jakarta.persistence.Converter;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
/**
* JPA converter that automatically encrypts recovery secrets when storing to database and decrypts
* when retrieving from database.
*/
@Slf4j
@RequiredArgsConstructor
@Converter
@Component
public class DeviceSecretConverter implements AttributeConverter<String, String> {
private final EncryptionUtil encryptionUtil;
@Value("${device.secret}")
private String deviceSecret;
@Override
public String convertToDatabaseColumn(String attribute) {
if (attribute == null) {
return null;
}
checkInitialized();
String encrypted = encryptionUtil.encrypt(attribute, deviceSecret);
log.info("DEBUG CONVERTER - Encrypting '{}' -> '{}'", attribute, encrypted);
return encrypted;
}
@Override
public String convertToEntityAttribute(String dbData) {
if (dbData == null) {
return null;
}
checkInitialized();
String decrypted = encryptionUtil.decrypt(dbData, deviceSecret);
log.info("DEBUG CONVERTER - Decrypting '{}' -> '{}'", dbData, decrypted);
return decrypted;
}
private void checkInitialized() {
if (encryptionUtil == null) {
log.error("EncryptionUtil not initialized - cannot encrypt");
throw new IllegalStateException("EncryptionUtil not initialized - cannot encrypt");
}
if (deviceSecret == null) {
log.error("Recovery secret not initialized - cannot encrypt");
throw new IllegalStateException("Device secret not initialized - cannot encrypt");
}
}
}

68
src/main/java/dev/ivfrost/hydro_backend/tokens/EncryptionUtil.java Normal file
View File

@@ -0,0 +1,68 @@
package dev.ivfrost.hydro_backend.tokens;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.stereotype.Component;
@Slf4j
@Component
@RequiredArgsConstructor
public class EncryptionUtil {
private static final SecureRandom secureRandom = new SecureRandom();
private static final String ALGORITHM = "AES";
public static String generateRandomString(int length) {
byte[] randomBytes = new byte[length];
secureRandom.nextBytes(randomBytes);
return Base64.getUrlEncoder().withoutPadding().encodeToString(randomBytes).substring(0, length);
}
/**
* Encrypts data deterministically using AES ECB mode. Same input + same secret = same output
* (required for DB queries).
*/
public String encrypt(String raw, String secret) {
try {
byte[] keyBytes = deriveKey(secret);
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, ALGORITHM);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, keySpec);
byte[] encrypted = cipher.doFinal(raw.getBytes());
return new String(Hex.encode(encrypted));
} catch (Exception e) {
throw new RuntimeException("Encryption failed", e);
}
}
/**
* Decrypts data.
*/
public String decrypt(String encrypted, String secret) {
try {
byte[] keyBytes = deriveKey(secret);
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, ALGORITHM);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, keySpec);
byte[] decrypted = cipher.doFinal(Hex.decode(encrypted));
return new String(decrypted);
} catch (Exception e) {
throw new RuntimeException("Decryption failed", e);
}
}
/**
* Derives a 16-byte AES key from the secret.
*/
private byte[] deriveKey(String secret) {
byte[] secretBytes = secret.getBytes();
byte[] key = new byte[16];
System.arraycopy(secretBytes, 0, key, 0, Math.min(secretBytes.length, 16));
return key;
}
}

194
src/main/java/dev/ivfrost/hydro_backend/tokens/JWTUtil.java Normal file
View File

@@ -0,0 +1,194 @@
package dev.ivfrost.hydro_backend.tokens;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import dev.ivfrost.hydro_backend.users.UserMqttTokenPayload;
import dev.ivfrost.hydro_backend.users.UserTokenPayload;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.List;
import java.util.Map;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
@Slf4j
@RequiredArgsConstructor
@Component
public class JWTUtil {
private static final String AUTH_TOKEN_SUBJECT = "UserDetails";
private static final String ISSUER = "HydroAPI";
@Value("${jwt.secret}")
private String jwtSecret;
@Value("${jwt.access.expiration.ms}")
private Long jwtAccessExpirationMs;
@Value("${jwt.refresh.expiration.ms}")
private Long jwtRefreshExpirationMs;
@Value("${mqtt.jwt.private.key.path}")
private String mqttJwtPrivateKeyPath;
@Value("${mqtt.jwt.expiration-ms}")
private Long mqttJwtExpirationMs;
// Build JWT token for authentication
public JWTCreator.Builder buildAccessToken(UserTokenPayload payload) throws JWTCreationException {
List<String> roles = (payload.roles() == null) ? List.of() : payload.roles()
.stream()
.map(String::toUpperCase)
.toList();
return JWT.create()
.withSubject(AUTH_TOKEN_SUBJECT)
.withClaim("username", payload.username())
.withClaim("email", payload.email())
.withClaim("roles", roles)
.withClaim("preferredLanguage", payload.preferredLanguage())
.withIssuer(ISSUER);
}
// Sign auth JWT token with HMAC using SHA-512
private String signAccessToken(JWTCreator.Builder builder, Long expirationMs)
throws JWTCreationException {
try {
Instant now = Instant.now();
Instant expiresAt = now.plus(expirationMs, ChronoUnit.MILLIS);
return builder
.withIssuedAt(now)
.withExpiresAt(expiresAt)
.sign(getAuthAlgorithm());
} catch (JWTCreationException e) {
log.error("Error signing auth token", e);
throw e;
}
}
// Create auth JWT token
public String generateAccessToken(UserTokenPayload payload) {
JWTCreator.Builder builder;
try {
builder = buildAccessToken(payload);
} catch (JWTCreationException e) {
log.error("Error building JWT token", e);
throw e;
}
return signAccessToken(builder, jwtAccessExpirationMs);
}
private Algorithm getAuthAlgorithm() {
byte[] secretBytes = jwtSecret.getBytes();
return Algorithm.HMAC512(secretBytes);
}
private Algorithm getMqttAlgorithm() {
RSAPrivateKey privateKey = loadPrivateKeyFromFile(mqttJwtPrivateKeyPath);
return Algorithm.RSA256(null, privateKey);
}
// Build JWT token for MQTT authentication
public JWTCreator.Builder buildMqttToken(UserMqttTokenPayload payload)
throws JWTCreationException {
log.debug("Building MQTT token for userId: {}, topics: {}", payload.userId(), payload.topics());
return JWT.create()
.withSubject(payload.userId().toString())
.withClaim("subs", payload.topics())
.withClaim("publ", payload.topics())
.withIssuer(ISSUER);
}
// Sign auth MQTT JWT token with RSA using SHA-256
private String signMqttToken(JWTCreator.Builder builder, Long expirationMs)
throws JWTCreationException {
try {
Instant now = Instant.now();
Instant expiresAt = now.plus(expirationMs, ChronoUnit.MILLIS);
return builder
.withIssuedAt(now)
.withExpiresAt(expiresAt)
.sign(getMqttAlgorithm());
} catch (JWTCreationException e) {
log.error("Error signing MQTT token", e);
throw e;
}
}
// Create long-lived auth refresh JWT token for obtaining new short-lived tokens
public String generateRefreshToken(UserTokenPayload payload) {
JWTCreator.Builder builder = buildAccessToken(payload);
return signAccessToken(builder, jwtRefreshExpirationMs);
}
// Create a short-lived MQTT auth JWT token
public String generateMqttToken(UserMqttTokenPayload payload) {
JWTCreator.Builder builder;
try {
builder = buildMqttToken(payload);
} catch (JWTCreationException e) {
log.error("Error building MQTT JWT token", e);
throw e;
}
return signMqttToken(builder, mqttJwtExpirationMs);
}
public Map<String, Claim> validateTokenAndRetrieveClaims(String token)
throws JWTVerificationException, IllegalArgumentException {
if (token == null || token.isBlank()) {
throw new IllegalArgumentException("Token cannot be null or blank");
}
DecodedJWT jwt;
try {
jwt = JWT.require(getAuthAlgorithm())
.withSubject(AUTH_TOKEN_SUBJECT)
.withIssuer(ISSUER)
.build()
.verify(token);
} catch (JWTDecodeException e) {
log.error("Invalid JWT format: {}", e.getMessage());
throw new JWTVerificationException("Invalid JWT token format", e);
} catch (JWTVerificationException e) {
log.error("Error verifying JWT token: {}", e.getMessage());
throw e;
}
return jwt.getClaims();
}
public Instant getAccessTokenExpiryDate() {
return Instant.now().plus(jwtAccessExpirationMs, ChronoUnit.MILLIS);
}
public Instant getRefreshTokenExpiryDate() {
return Instant.now().plus(jwtRefreshExpirationMs, ChronoUnit.MILLIS);
}
private RSAPrivateKey loadPrivateKeyFromFile(String path) {
if (path == null || path.isBlank()) {
throw new IllegalArgumentException("Private key file path cannot be null or blank");
}
File keyFile = new File(path);
if (!keyFile.exists() || !keyFile.isFile()) {
throw new IllegalArgumentException("Invalid private key file path: " + path);
}
try {
byte[] keyBytes = Files.readAllBytes(keyFile.toPath());
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
} catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
throw new RuntimeException(e);
}
}
}

Some files were not shown because too many files have changed in this diff Show More