Release 1.1.0 adds security to the microservice architecture. It includes:
- A filter at the API Gateway to allow or deny requests to all services
- JWT-based authentication
- Two-factor authentication
The filter at the Gateway looks for an authentication token. If the token is not found, the filter denies the request; if it is found, the filter validates it. With it, all services behind the gateway are secured by user authentication. This is only a starting point: routes where security isn't necessary (e.g. login, or creating a user) would require logic allowing them to proceed without a token.
Two-factor authentication starts with logging in with an email address and a password. Once that succeeds, a random numeric code is emailed to that address and the user's metadata is updated with that code. On the next request, the user logging in must provide the code received in the email. Once the code is validated, the user is issued a token good for a specified amount of time (set in JWUtil.java).
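The second-factor step described above, as an added example that is not part of the release or its code: TwoFactorService, the metadata keys, the five-minute code lifetime and the five-attempt limit are assumptions, and the code stays in plain Java so it does not presume the project's web framework. It adds what the flow as described leaves open: an expiry on the code, a cap on guesses, a constant-time comparison, and single use before the JWT is issued.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;

// Added example, not project code: the second step of the 2FA flow described above.
// The class name, metadata keys, code lifetime and attempt limit are all assumed.
public final class TwoFactorService {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Duration CODE_TTL = Duration.ofMinutes(5); // assumed lifetime
    private static final int MAX_ATTEMPTS = 5;                      // assumed guess limit

    /** After the email/password step succeeds: records the challenge and returns the code to email. */
    public String issueCode(Map<String, String> userMetadata) {
        // SecureRandom, not Random; %06d keeps leading zeros so the code is always six digits.
        String code = String.format("%06d", RANDOM.nextInt(1_000_000));
        userMetadata.put("2fa_code", code); // stored in the user's metadata, as the release describes
        userMetadata.put("2fa_expires_at", Instant.now().plus(CODE_TTL).toString());
        userMetadata.put("2fa_attempts", "0");
        return code; // email this to the user; never write it to logs
    }

    /** On the follow-up request: true exactly once, for the right code, before expiry. */
    public boolean verifyCode(Map<String, String> userMetadata, String submitted) {
        String expected = userMetadata.get("2fa_code");
        String expiresAt = userMetadata.get("2fa_expires_at");
        if (expected == null || expiresAt == null || submitted == null) return false; // nothing pending
        int attempts = Integer.parseInt(userMetadata.getOrDefault("2fa_attempts", "0"));
        if (attempts >= MAX_ATTEMPTS || Instant.now().isAfter(Instant.parse(expiresAt))) {
            clear(userMetadata); // expired or too many guesses: burn the challenge
            return false;
        }
        userMetadata.put("2fa_attempts", String.valueOf(attempts + 1)); // count before comparing
        boolean ok = MessageDigest.isEqual( // constant-time comparison
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) clear(userMetadata); // single use; the caller now issues the JWT (JWUtil)
        return ok;
    }

    private static void clear(Map<String, String> m) {
        m.remove("2fa_code");
        m.remove("2fa_expires_at");
        m.remove("2fa_attempts");
    }
}
```

The login handler would call issueCode after the password check and verifyCode on the follow-up request, issuing the JWT only when verifyCode returns true.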
Password hashing is the only piece left out; it will be built on this branch.