Authentication is centralised at the gateway. A JWT is validated once, and downstream services trust identity headers forwarded to them — they do not re-validate the token.
How it works
X-User-* headers to downstream services.- A client signs in through the auth service and receives a JWT.
- Every API call goes to the gateway with the JWT.
- The gateway's
JwtAuthFiltervalidates the token. - On success the gateway forwards the request to the target service with
X-User-*headers. - Downstream services read those headers for identity and authorisation.
magicvarsh-gateway/src/main/java/com/portal/gateway/filter/JwtAuthFilter.javaPublic routes
Login, registration and the public page viewer are explicitly excluded from JWT filtering in the gateway configuration, so unauthenticated visitors can reach them.
magicvarsh-gateway/src/main/resources/application.yml!
Because services trust gateway-supplied headers, services must not be exposed directly to the host. Keep all external traffic flowing through the gateway.
Two-factor authentication
A TOTP service supports time-based one-time passwords for accounts that enable two-factor sign-in.