bump springboot 4

build.gradle

@@ -1,7 +1,7 @@
 plugins {
     id 'java'
-    id 'org.springframework.boot' version '3.5.+'
-    id 'io.spring.dependency-management' version '1.1.+'
+    id 'org.springframework.boot' version '4.0.1'
+    id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'com.danielbohry'
@@ -25,15 +25,18 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springframework.boot:spring-boot-starter-security'
     implementation 'org.springframework.boot:spring-boot-starter-actuator'
-    implementation 'io.jsonwebtoken:jjwt:0.9.1'
-    implementation 'com.google.guava:guava:31.1-jre'
+
+    implementation 'io.jsonwebtoken:jjwt-api:0.12.6'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.12.6'
+    runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.12.6'
+    implementation 'com.google.guava:guava:33.4.0-jre'
     implementation 'org.apache.commons:commons-lang3:3.19.0'
-    implementation 'javax.xml.bind:jaxb-api:2.4.0-b180830.0359'
+    implementation 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
 
     compileOnly 'org.projectlombok:lombok'
     annotationProcessor 'org.projectlombok:lombok'
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
-    testImplementation 'org.mockito:mockito-core:4.0.0'
+    testImplementation 'org.mockito:mockito-core:5.14.2'
 }
 
 tasks.named('test') {

src/main/java/com/danielbohry/authservice/config/SecurityConfig.java

@@ -34,7 +34,7 @@ public class SecurityConfig {
             .authorizeHttpRequests(requests -> requests
                 .requestMatchers("/actuator/health", "/actuator/info", "/actuator/prometheus", "/api/register", "/api/authenticate").permitAll()
                 .requestMatchers("/", "/index.html", "/css/**", "/js/**", "/images/**").permitAll()
-                .requestMatchers("/api/users", "api/authorize").authenticated()
+                .requestMatchers("/api/users", "/api/authorize").authenticated()
                 .anyRequest().authenticated()
             )
             .sessionManagement(manager -> manager.sessionCreationPolicy(STATELESS))
@@ -50,14 +50,13 @@ public class SecurityConfig {
 
     @Bean
     public AuthenticationProvider authenticationProvider() {
-        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
-        authProvider.setUserDetailsService(userService.userDetailsService());
+        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(userService.userDetailsService());
         authProvider.setPasswordEncoder(passwordEncoder());
         return authProvider;
     }
 
     @Bean
-    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) {
         return config.getAuthenticationManager();
     }
 

src/main/java/com/danielbohry/authservice/service/auth/JwtService.java

@@ -3,7 +3,12 @@ package com.danielbohry.authservice.service.auth;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
+
+import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.GrantedAuthority;
@@ -32,6 +37,16 @@ public class JwtService {
 
     private static final List<String> ROLE_PRIORITY = List.of("ADMIN", "SERVICE", "VPN");
 
+    private SecretKey getSigningKey() {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] keyBytes = digest.digest(secret.getBytes(StandardCharsets.UTF_8));
+            return Keys.hmacShaKeyFor(keyBytes);
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("SHA-256 algorithm not available", e);
+        }
+    }
+
     public String extractUsername(String token) {
         return extractClaim(token, Claims::getSubject);
     }
@@ -66,11 +81,13 @@ public class JwtService {
 
     private Authentication generateToken(Map<String, Object> claims, UserDetails userDetails) {
         Date expirationDate = new Date(currentTimeMillis() + 1000 * 60 * 60 * hoursByRole(claims));
-        String token = Jwts.builder().setClaims(claims)
-                .setSubject(userDetails.getUsername())
-                .setIssuedAt(new Date(currentTimeMillis()))
-                .setExpiration(expirationDate)
-                .signWith(SignatureAlgorithm.HS256, secret).compact();
+        String token = Jwts.builder()
+                .claims(claims)
+                .subject(userDetails.getUsername())
+                .issuedAt(new Date(currentTimeMillis()))
+                .expiration(expirationDate)
+                .signWith(getSigningKey())
+                .compact();
 
         return new Authentication(token,
                 expirationDate.toInstant(),
@@ -82,9 +99,10 @@ public class JwtService {
     private Claims extractAllClaims(String token) {
         try {
             return Jwts.parser()
-                    .setSigningKey(secret)
-                    .parseClaimsJws(token)
-                    .getBody();
+                    .verifyWith(getSigningKey())
+                    .build()
+                    .parseSignedClaims(token)
+                    .getPayload();
         } catch (ExpiredJwtException e) {
             log.warn("Expired JWT token [{}]", e.getClaims());
             return e.getClaims();

src/main/resources/application.yml

@@ -2,10 +2,9 @@ server:
   port: ${port:8080}
 
 spring:
-  data:
-    mongodb:
-      uri: ${mongo:}
-      database: ${database:auth}
+  mongodb:
+    database: ${database:auth}
+    uri: ${mongo:}
 
 jwt:
   secret: ${jwt_secret}