Developer Guide / Auth & Gateway

Auth & Gateway

How requests are authenticated across services.

Authentication is centralised at the gateway. A JWT is validated once, and downstream services trust identity headers forwarded to them — they do not re-validate the token.

How it works

JWT authentication sequence: client logs in via the gateway to the auth service which issues a JWT; subsequent requests carry the JWT, validated at the gateway which injects X-User-* headers before forwarding downstream.
Authentication flow — the auth service issues a JWT on login. On every later request the gateway validates the token once and forwards trusted X-User-* headers to downstream services.
  1. A client signs in through the auth service and receives a JWT.
  2. Every API call goes to the gateway with the JWT.
  3. The gateway's JwtAuthFilter validates the token.
  4. On success the gateway forwards the request to the target service with X-User-* headers.
  5. Downstream services read those headers for identity and authorisation.
magicvarsh-gateway/src/main/java/com/portal/gateway/filter/JwtAuthFilter.java

Public routes

Login, registration and the public page viewer are explicitly excluded from JWT filtering in the gateway configuration, so unauthenticated visitors can reach them.

magicvarsh-gateway/src/main/resources/application.yml
!
Because services trust gateway-supplied headers, services must not be exposed directly to the host. Keep all external traffic flowing through the gateway.

Two-factor authentication

A TOTP service supports time-based one-time passwords for accounts that enable two-factor sign-in.