Improve tests and output documentation

Author: Sporiff

src/docs/auth.adoc

@@ -15,7 +15,8 @@ The `auth` endpoint exposes operations for authenticating against the API.
 POST /api/auth/login
 ----
 
-Authenticates a user with `username` and `password`. These values must match the values of the user's account.
+Authenticates a user with `username` and `password`.
+These values must match the values of the user's account.
 
 operation::auth-token[snippets='request-fields,curl-request,response-fields,http-response']
 

src/docs/subscriptions.adoc

@@ -2,7 +2,8 @@
 :doctype: book
 :sectlinks:
 
-The `subscriptions` endpoint exposes operations taken on subscriptions. A subscriptionEntity represents two things:
+The `subscriptions` endpoint exposes operations taken on subscriptions.
+A subscriptionEntity represents two things:
 
 1. A podcast feed
 2. The relationship between a user and a podcast feed
@@ -18,9 +19,10 @@ POST /api/v1/users
 [[actions-subscriptions-create]]
 === Create subscriptions
 
-When a user adds a subscription to the system, a corresponding `subscriptionEntity` object is fetched or created depending on whether a matching subscriptionEntity is present. A link is then created between the user and the subscriptionEntity.
+When a user adds a subscription to the system, a corresponding `subscriptionEntity` object is fetched or created depending on whether a matching subscriptionEntity is present.
+A link is then created between the user and the subscriptionEntity.
 
-operation::subscriptions-bulk-create-mixed[snippets='request-fields,curl-request,response-fields,http-response']
+operation::subscriptions-bulk-create-mixed[snippets='request-headers,request-fields,curl-request,response-fields,http-response']
 
 ==== Responses
 
@@ -39,9 +41,10 @@ include::{snippets}/subscriptions-bulk-create-mixed/http-response.adoc[]
 [[actions-subscriptions-list]]
 === List subscriptions
 
-When a user fetches a list of subscriptions, their own subscriptions are returned. The subscriptions of other users are not returned.
+When a user fetches a list of subscriptions, their own subscriptions are returned.
+The subscriptions of other users are not returned.
 
-operation::subscriptions-list[snippets='query-parameters,curl-request,response-fields,http-response']
+operation::subscriptions-list[snippets='request-headers,query-parameters,curl-request,response-fields,http-response']
 
 ==== Include unsubscribed
 
@@ -50,13 +53,16 @@ operation::subscriptions-list-with-unsubscribed[snippets='curl-request,http-resp
 [[actions-subscriptionEntity-fetch]]
 === Fetch a single subscriptionEntity
 
-Returns the details of a single subscriptionEntity for the  authenticated user. Returns `404` if the user has no subscriptionEntity entry for the feed in question.
+Returns the details of a single subscriptionEntity for the authenticated user.
+Returns `404` if the user has no subscriptionEntity entry for the feed in question.
 
-operation::subscriptionEntity-get[snippets='path-parameters,curl-request,response-fields,http-response']
+operation::subscriptionEntity-get[snippets='request-headers,path-parameters,curl-request,response-fields,http-response']
 
 [[actions-subscriptionEntity-update]]
 === Unsubscribe from a feed
 
-Unsubscribes the authenticated user from a feed. This action updates the user subscriptionEntity record to mark the subscriptionEntity as inactive. It does not delete the subscriptionEntity record.
+Unsubscribes the authenticated user from a feed.
+This action updates the user subscriptionEntity record to mark the subscriptionEntity as inactive.
+It does not delete the subscriptionEntity record.
 
-operation::subscriptionEntity-unsubscribe[snippets='path-parameters,curl-request,response-fields,http-response']
+operation::subscriptionEntity-unsubscribe[snippets='request-headers,path-parameters,curl-request,response-fields,http-response']

src/docs/users.adoc

@@ -2,29 +2,12 @@
 :doctype: book
 :sectlinks:
 
-The `users` endpoint exposes operations taken on user accounts. Users may update and delete their own user record, but only admins may update and alter the records of other users.
+The `users` endpoint exposes operations taken on user accounts.
+Users may update and delete their own user record, but only admins may update and alter the records of other users.
 
 [[actions-users]]
 == Actions
 
-[[actions-users-create]]
-=== Create a user
-
-[source,httprequest]
-----
-POST /api/v1/users
-----
-
-Creates a new user in the system.
-
-operation::users-create[snippets='request-fields,curl-request,response-fields,http-response']
-
-==== Invalid fields
-
-Passing an invalid field (such as an improperly formatted email address) throws a validation error.
-
-operation::users-create-bad-request[snippets='curl-request,http-response']
-
 [[actions-users-get]]
 === Get all users
 
@@ -34,5 +17,6 @@ GET /api/v1/users
 ----
 
 Fetches a paginated list of users from the system.
+This action is restricted to users with `ADMIN` permissions.
 
-operation::users-list[snippets='curl-request,response-fields,http-response']
+operation::users-list[snippets='request-headers,query-parameters,curl-request,response-fields,http-response']

src/main/java/org/openpodcastapi/opa/auth/ApiAuthController.java

@@ -4,7 +4,7 @@
 import jakarta.validation.constraints.NotNull;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;
-import org.openpodcastapi.opa.config.JwtService;
+import org.openpodcastapi.opa.security.JwtService;
 import org.openpodcastapi.opa.security.TokenService;
 import org.openpodcastapi.opa.user.UserEntity;
 import org.openpodcastapi.opa.user.UserRepository;

src/main/java/org/openpodcastapi/opa/config/JwtAuthenticationFilter.java

@@ -68,12 +68,6 @@ private static UsernamePasswordAuthenticationToken getUsernamePasswordAuthentica
     protected void doFilterInternal(HttpServletRequest req, @Nonnull HttpServletResponse res, @Nonnull FilterChain chain)
             throws ServletException, IOException {
 
-        // Don't apply the check on the auth endpoints
-        if (req.getRequestURI().startsWith("/api/auth/") || req.getRequestURI().startsWith("/docs")) {
-            chain.doFilter(req, res);
-            return;
-        }
-
         String header = req.getHeader(HttpHeaders.AUTHORIZATION);
         SecretKey key = Keys.hmacShaKeyFor(jwtSecret.getBytes(StandardCharsets.UTF_8));
 

src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java

@@ -25,14 +25,32 @@ public class SecurityConfig {
     private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
     private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
 
+    private final String[] publicPages = {
+            "/",
+            "/login",
+            "/logout-confirm",
+            "/register",
+            "/docs",
+            "/docs/**",
+            "/css/**",
+            "/js/**",
+            "/images/**",
+            "/favicon.ico",
+    };
+
+    private final String[] publicEndpoints = {
+            "/api/auth/**"
+    };
+
     @Bean
     public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
         http
-                .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
+                .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**", "/docs", "/docs/**"))
                 .sessionManagement(sm -> sm
                         .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // Stateless session
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/", "/login", "/logout-confirm", "/register", "/docs**", "/css/**", "/js/**", "/images/**", "/favicon.ico", "/api/auth/**").permitAll()
+                        .requestMatchers(publicPages).permitAll()
+                        .requestMatchers(publicEndpoints).permitAll()
                         .requestMatchers("/api/v1/**").authenticated()
                         .anyRequest().authenticated())
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)

src/main/java/org/openpodcastapi/opa/config/WebConfig.java

@@ -20,7 +20,7 @@ public void addResourceHandlers(ResourceHandlerRegistry registry) {
 
         registry
                 .addResourceHandler("/docs/**")
-                .addResourceLocations("classpath:/docs/");
+                .addResourceLocations("classpath:/static/docs/");
     }
 
     @Bean

…npodcastapi/opa/docs/DocsController.java …tapi/opa/controllers/DocsController.javasrc/main/java/org/openpodcastapi/opa/docs/DocsController.java renamed to src/main/java/org/openpodcastapi/opa/controllers/DocsController.java src/main/java/org/openpodcastapi/opa/docs/DocsController.java renamed to src/main/java/org/openpodcastapi/opa/controllers/DocsController.java

@@ -1,9 +1,11 @@
-package org.openpodcastapi.opa.docs;
+package org.openpodcastapi.opa.controllers;
 
+import lombok.extern.log4j.Log4j2;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 
 @Controller
+@Log4j2
 public class DocsController {
 
     @GetMapping("/docs")

…pi/opa/ui/controller/HomeController.java …tapi/opa/controllers/HomeController.javasrc/main/java/org/openpodcastapi/opa/ui/controller/HomeController.java renamed to src/main/java/org/openpodcastapi/opa/controllers/HomeController.java src/main/java/org/openpodcastapi/opa/ui/controller/HomeController.java renamed to src/main/java/org/openpodcastapi/opa/controllers/HomeController.java

@@ -1,4 +1,4 @@
-package org.openpodcastapi.opa.ui.controller;
+package org.openpodcastapi.opa.controllers;
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;

…/opa/ui/controller/UiAuthController.java …pi/opa/controllers/UiAuthController.javasrc/main/java/org/openpodcastapi/opa/ui/controller/UiAuthController.java renamed to src/main/java/org/openpodcastapi/opa/controllers/UiAuthController.java src/main/java/org/openpodcastapi/opa/ui/controller/UiAuthController.java renamed to src/main/java/org/openpodcastapi/opa/controllers/UiAuthController.java

@@ -1,4 +1,4 @@
-package org.openpodcastapi.opa.ui.controller;
+package org.openpodcastapi.opa.controllers;
 
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;