mcruzdev commented Dec 7, 2025

Closes #36

mcruzdev self-assigned this Dec 7, 2025
mcruzdev added the bug and backend labels Dec 7, 2025
mcruzdev requested a review from Copilot December 7, 2025 03:54

mcruzdev commented Dec 7, 2025

cc: @matheusandre1

mcruzdev marked this pull request as ready for review December 7, 2025 03:54

Copilot AI left a comment

Pull request overview

This PR implements user authentication and authorization to ensure users can only access their own data. The changes add JWT-based authentication on both frontend and backend, with user ID validation across API endpoints.

Key Changes:

  • Added Angular HTTP interceptor to attach JWT tokens to API requests
  • Implemented backend authorization checks using JWT claims to filter data by authenticated user ID
  • Updated AI service to use user-specific context for balance queries

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| timeless-api/src/main/webui/src/app/token.interceptor.ts | New HTTP interceptor to attach JWT Bearer tokens to requests (except sign-in/sign-out endpoints) |
| timeless-api/src/main/webui/src/app/token.interceptor.spec.ts | Basic test suite for the token interceptor |
| timeless-api/src/main/webui/src/app/timeless-api.service.ts | Removed debug console.log statement |
| timeless-api/src/main/webui/src/app/app.config.ts | Registered the token interceptor in the HTTP client configuration |
| timeless-api/src/main/resources/application.properties | Enabled SQL logging for dev environment |
| timeless-api/src/main/java/dev/matheuscruz/presentation/UserResource.java | Added JWT claim injection and user authorization checks, but with implementation issues |
| timeless-api/src/main/java/dev/matheuscruz/presentation/SignInResource.java | Added @PermitAll annotation to allow unauthenticated access |
| timeless-api/src/main/java/dev/matheuscruz/presentation/RecordResource.java | Added @RolesAllowed, JWT claim injection, and user-scoped queries for records |
| timeless-api/src/main/java/dev/matheuscruz/presentation/MessageResource.java | Updated AI service call to pass user ID for context |
| timeless-api/src/main/java/dev/matheuscruz/infra/queue/SQS.java | Updated AI service call to include user ID parameter |
| timeless-api/src/main/java/dev/matheuscruz/infra/ai/tools/GetBalanceTool.java | Modified to accept user ID parameter for user-specific balance queries |
| timeless-api/src/main/java/dev/matheuscruz/infra/ai/TextAiService.java | Updated prompt and method signature to include user ID variable |
| timeless-api/src/main/java/dev/matheuscruz/domain/RecordRepository.java | Updated query method to filter records by user ID |
| site/index.html | Updated call-to-action button text from "Join the Waitlist" to "Register Now" |
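
The interceptor behaviour listed in the review summary (attach the bearer token, except on sign-in/sign-out endpoints), reduced to framework-free TypeScript as an added example; it is not code from this PR. The origin, the two endpoint paths, and the names `shouldAttachToken` and `withBearerToken` are assumptions, and the same-origin check goes beyond what the summary describes.

```typescript
// Added example: decision logic for a bearer-token HTTP interceptor.
// The origin and endpoint paths are assumptions, not values taken from the PR.
const APP_ORIGIN = "https://app.example.test"; // hypothetical application origin
const PUBLIC_PATHS = new Set(["/api/sign-in", "/api/sign-out"]); // hypothetical paths

interface OutgoingRequest {
  url: string;
  headers: Record<string, string>;
}

// Returns true only for same-origin requests whose exact path is not public.
function shouldAttachToken(requestUrl: string, appOrigin: string = APP_ORIGIN): boolean {
  let parsed: URL;
  try {
    parsed = new URL(requestUrl, appOrigin); // resolves relative URLs against the app
  } catch {
    return false; // unparseable URL: fail closed and never send the token
  }
  if (parsed.origin !== appOrigin) {
    return false; // do not hand the token to any other origin
  }
  // Compare the normalized pathname exactly. A substring test such as
  // url.includes("sign-in") would also match query strings and look-alike paths.
  const path = parsed.pathname.replace(/\/+$/, "") || "/";
  return !PUBLIC_PATHS.has(path);
}

// Returns a copy of the request with the Authorization header set when allowed;
// the original request object is returned untouched otherwise.
function withBearerToken(req: OutgoingRequest, token: string | null): OutgoingRequest {
  if (!token || !shouldAttachToken(req.url)) {
    return req;
  }
  return { ...req, headers: { ...req.headers, Authorization: `Bearer ${token}` } };
}
```

The interceptor only delivers the token; the ownership check still has to run on the backend against the claim from the verified JWT.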


Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>
Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>
mcruzdev merged commit 74e1c76 into main Dec 31, 2025
5 checks passed
Development

Successfully merging this pull request may close these issues.

Improve the security allowing to see only own data