Change JwtScopeService methods access to private

fpankretic · fpankretic · commit 8999c16400a2 · 2025-12-17T11:01:18.000+01:00
diff --git a/infobip-openapi-mcp-core/pom.xml b/infobip-openapi-mcp-core/pom.xml
@@ -13,6 +13,7 @@
 	<properties>
         <jakarta-servlet.version>6.1.0</jakarta-servlet.version>
 		<swagger-parser.version>2.1.36</swagger-parser.version>
+        <nimbus-jwt.version>10.6</nimbus-jwt.version>
 	</properties>
 
 	<dependencies>
diff --git a/infobip-openapi-mcp-core/src/main/java/com/infobip/openapi/mcp/auth/ScopeProperties.java b/infobip-openapi-mcp-core/src/main/java/com/infobip/openapi/mcp/auth/ScopeProperties.java
@@ -6,7 +6,7 @@
 /**
  * Scope discovery properties for OpenAPI MCP Server.
  *
- * @param enabled                Enable OAuth scope discovery. Default is false.
+ * @param enabled                Enable OAuth scope discovery. Default is true.
  * @param scopeExtensions        Scope extensions to read scopes from. Default is an empty string.
  * @param mandatoryScopes        Mandatory scopes that must be present. Scopes should be comma-separated.
  *                               Default is an empty string.
@@ -19,15 +19,15 @@
 @Validated
 @ConfigurationProperties(prefix = ScopeProperties.PREFIX)
 public record ScopeProperties(
-        boolean enabled, String scopeExtensions, String mandatoryScopes, ScopeAlgorithm calculateMinimalScopes) {
+        Boolean enabled, String scopeExtensions, String mandatoryScopes, ScopeAlgorithm calculateMinimalScopes) {
 
     public static final String PREFIX = OAuthProperties.PREFIX + ".scope-discovery";
 
     /**
      * Constructor with defaults for optional properties.
      */
     public ScopeProperties {
-        if (!enabled) {
+        if (enabled == null) {
             enabled = true;
         }
 
diff --git a/infobip-openapi-mcp-core/src/main/java/com/infobip/openapi/mcp/auth/scope/JwtScopeService.java b/infobip-openapi-mcp-core/src/main/java/com/infobip/openapi/mcp/auth/scope/JwtScopeService.java
@@ -2,12 +2,14 @@
 
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.JWTParser;
+import org.jspecify.annotations.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import java.text.ParseException;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * Service for prechecking JWT token scopes before forwarding to the authorization server.
@@ -43,24 +45,41 @@ public JwtScopeService(ScopeDiscoveryService scopeDiscoveryService) {
         this.scopeDiscoveryService = scopeDiscoveryService;
     }
 
+    /**
+     * Verifies that the token from authorization header is jwt token and contains all required scopes.
+     * Tokens must be prefixed with "Bearer". Bearer prefix is case-insensitive and leading/trailing
+     * whitespace around the token is ignored. Uses the "scope" claim, which is expected to be a
+     * space-separated string as per RFC 6749.
+     *
+     * @param authHeader The Authorization header value
+     * @return True if all required scopes are present, false otherwise
+     */
+    public boolean verifyScopes(String authHeader) {
+        var tokenScopes = decodeAndExtractScopesFromJwtToken(authHeader);
+        var requiredScopes = scopeDiscoveryService.getDiscoveredScopes();
+        return tokenScopes.containsAll(requiredScopes);
+    }
+
     /**
      * Decodes a JWT token from the Authorization header. Tokens must be prefixed with "Bearer".
      * Bearer prefix is case-insensitive and leading/trailing whitespace around the token is ignored.
      *
      * @param authHeader The Authorization header value
-     * @return The decoded JWT claims, or null if decoding fails
+     * @return A set of scopes extracted from the token, or an empty set if decoding fails
      */
-    public JWTClaimsSet decodeJwtToken(String authHeader) {
+    private Set<String> decodeAndExtractScopesFromJwtToken(String authHeader) {
         if (authHeader == null || !authHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
-            return null;
+            return Set.of();
         }
 
         var token = authHeader.substring(7).trim();
         try {
-            return JWTParser.parse(token).getJWTClaimsSet();
-        } catch (Exception e) {
-            return null;
+            var claimsSet = JWTParser.parse(token).getJWTClaimsSet();
+            return extractScopes(claimsSet);
+        } catch (ParseException e) {
+            LOGGER.debug("No 'scope' claim found in JWT token.", e);
         }
+        return Set.of();
     }
 
     /**
@@ -70,29 +89,17 @@ public JWTClaimsSet decodeJwtToken(String authHeader) {
      * @param claims The JWT claims
      * @return A set of scopes extracted from the "scope" claim
      */
-    public Set<String> extractScopes(JWTClaimsSet claims) {
-        var scopes = new HashSet<String>();
+    private Set<String> extractScopes(@Nullable JWTClaimsSet claims) throws ParseException {
+        if (claims == null) {
+            return Set.of();
+        }
 
-        try {
-            var scopeString = claims.getStringClaim("scope");
-            if (scopeString != null && !scopeString.isBlank()) {
-                scopes.addAll(Arrays.asList(scopeString.split(" ")));
-            }
-        } catch (ParseException e) {
-            LOGGER.debug("No 'scope' claim found in JWT token.", e);
+        var scopeString = claims.getStringClaim("scope");
+        if (scopeString != null && !scopeString.isBlank()) {
+            return new HashSet<>(Arrays.asList(scopeString.split(" ")));
         }
 
-        return scopes;
+        return Set.of();
     }
 
-    /**
-     * Verifies that the token scopes include all required scopes.
-     *
-     * @param tokenScopes The scopes extracted from the JWT token
-     * @return True if all required scopes are present, false otherwise
-     */
-    public boolean verifyScopes(Set<String> tokenScopes) {
-        var requiredScopes = scopeDiscoveryService.getDiscoveredScopes();
-        return tokenScopes.containsAll(requiredScopes);
-    }
 }
diff --git a/infobip-openapi-mcp-core/src/main/java/com/infobip/openapi/mcp/auth/web/InitialAuthenticationFilter.java b/infobip-openapi-mcp-core/src/main/java/com/infobip/openapi/mcp/auth/web/InitialAuthenticationFilter.java
@@ -106,13 +106,9 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 
         if (jwtScopeService.isPresent()) {
             var jwtService = jwtScopeService.get();
-            var tokenClaims = jwtService.decodeJwtToken(authHeader);
-            if (tokenClaims != null) {
-                var scopes = jwtService.extractScopes(tokenClaims);
-                if (!jwtService.verifyScopes(scopes)) {
-                    writeWwwAuthenticateResponse(request, response, HttpStatus.FORBIDDEN);
-                    return;
-                }
+            if (!jwtService.verifyScopes(authHeader)) {
+                writeWwwAuthenticateResponse(request, response, HttpStatus.FORBIDDEN);
+                return;
             }
         }
 
diff --git a/pom.xml b/pom.xml
@@ -49,7 +49,6 @@
         <mockito.version>5.20.0</mockito.version>
         <assertj.version>3.27.6</assertj.version>
         <wiremock.version>3.13.1</wiremock.version>
-        <nimbus-jwt.version>10.6</nimbus-jwt.version>
     </properties>
 
     <dependencyManagement>
