This project is a starter project for creating a REST API server with JWT-based security. It has the following functions:
- Allow registration with basic auth, backed by a Postgres database. Since JPA is used, you can replace the database with another one.
- Allow registered users to log in and receive a JWT token and a refresh token.
- JWT tokens can be used until expiration, which can be set in a configuration file.
- Refresh tokens can only be used once.
- After receiving the token, users can access secured endpoints using the token.
- Social login with GitHub; you can easily add new social login providers.
- Email verification for email and password login.
- Password reset flow using email.
- CSRF protection suitable for SPA frontends.
- Addition of a context cookie for preventing the use of stolen JWTs.
This kind of scenario is very common, so this starter is a good starting point for such applications. When the need arises, the basic auth and JWT minting can be removed from the application and an external authorization server configured instead.
There are two frontends, both still a work in progress: one using React and the other using Angular.
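The context-cookie item in the feature list above, shown as an added example in Go with only the standard library (this is not code from the starter, which is Java/Spring Boot): the JWT is RS256-signed with an RSA key pair like the one generated in the next step, and a `ctx` claim carries a SHA-256 hash of the context cookie, so a token presented without the matching cookie is refused even if its signature is valid. The claim name `ctx`, the function names and the assumption that the starter's context cookie follows this fingerprint pattern are mine.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // unix seconds
	Ctx string `json:"ctx"` // hypothetical claim name: SHA-256 of the context cookie
}
// fingerprint puts only a hash in the token, so the JWT never reveals the cookie value itself.
func fingerprint(cookie string) string {
	h := sha256.Sum256([]byte(cookie))
	return b64.EncodeToString(h[:])
}
// Mint signs header.payload with RS256 (the private.pem side) and binds the token to the cookie.
func Mint(key *rsa.PrivateKey, sub, cookie string, exp int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(Claims{Sub: sub, Exp: exp, Ctx: fingerprint(cookie)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// Verify checks the RS256 signature (public.pem side) before trusting any claim, then the expiry,
// then that the cookie sent with the request hashes to ctx: a token replayed without it is refused.
func Verify(pub *rsa.PublicKey, token, cookie string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // header alg is never consulted
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // authenticated above, so the payload is exactly what Mint encoded
	if raw, _ := b64.DecodeString(parts[1]); json.Unmarshal(raw, &c) != nil || now >= c.Exp || c.Ctx != fingerprint(cookie) {
		return nil, errors.New("payload rejected: malformed, expired or context cookie mismatch")
	}
	return &c, nil
}
```

In the real application the cookie value would be a random secret set with `HttpOnly`, `Secure` and `SameSite` attributes, while the JWT itself is sent in the `Authorization` header, so an attacker holding only one of the two cannot use the session.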
First of all, we need to generate a key pair. There are many ways to do this; one example with openssl is as follows.
```sh
# create rsa key pair
openssl genrsa -out keypair.pem 2048
# extract public key
openssl rsa -in keypair.pem -pubout -out public.pem
# create private key in PKCS#8 format
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out private.pem
```
Then place the `public.pem` and `private.pem` files under the directory `backend\src\main\resources\certs`.
After setting this up, the application can be run as a typical Spring Boot project.
Remember that you need Java 21 for this project. If you are not using sdkman, check it out; it is a good tool.
```sh
./gradlew bootRun
```