Skip to content

test: add coverage for security filter chains and PermissionService #4

Description

@trinhvandat

Problem

The two-security-chain design (SDK API-key auth vs. Admin JWT auth) and the role-based PermissionService are flagged in CLAUDE.md as sensitive areas requiring extra care, but have zero test coverage:

  • security/JwtAuthenticationFilter (Admin chain, order=2)
  • security/ApiKeyAuthenticationFilter (SDK chain, order=1)
  • security/JwtTokenProvider
  • security/CustomUserDetailsService
  • service/impl/PermissionService — the OWNER / ADMIN / VIEWER role checks that gate every mutating operation

A regression in filter chain ordering, JWT validation, or a role-check bypass would currently fail silently — nothing in the suite would catch it.

Proposed changes

  • Unit tests for JwtTokenProvider (valid/expired/malformed/tampered tokens)
  • Unit tests for PermissionService covering each role (OWNER/ADMIN/VIEWER) against each mutating action it guards
  • @WebMvcTest/MockMvc integration tests verifying:
    • Admin endpoints reject missing/invalid Bearer tokens
    • SDK endpoints reject missing/invalid X-Environment-Key
    • The two chains don't cross-authenticate (an API key can't hit admin routes, a JWT can't hit SDK routes)
  • Test for ApiKeyGenerator (format, length, uniqueness across generations)

Why this matters

This is banking-adjacent infrastructure gating multi-tenant access control. CLAUDE.md already calls this out as the highest-risk area in the codebase — it should be the first place tests land.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions