
I am working on a simple REST API using Spring Security with a JWT filter. However, I am a little bit confused about how to update user info.

After logging in I get a JWT that I use to make requests on other endpoints. But how do I create a controller that creates or updates data? I have my user table and my preferences table; they are one-to-one related. If I make a request like "/create/preferences", what do I put in the body in order for me to create a preference linked to the user making the call to the API?

    @PostMapping("/user/preferences")
    public ResponseEntity<Preferences> getUserPreferences() {
        /*
         what to put here
        */
        return new ResponseEntity<>(HttpStatus.OK);
    }

Do I have to get the user from the token? Then I can create a preference object with this user ID?

Thanks in advance

El Pandario
  • Your JWT contains your user. You can get the user from JWT. See this for what a JWT contains: https://jwt.io/ – KnockingHeads Feb 17 '23 at 09:38
  • Yes, I understand this, but in my request can I parse the token in order to get the ID of my user? How is it in terms of security? – El Pandario Feb 17 '23 at 09:50
  • Yes. You can find a JWTToken utility class on the internet and parse your user from the claim in the JWT. Ref: https://github.com/koushikkothagal/spring-security-jwt/blob/master/src/main/java/io/javabrains/springsecurityjwt/util/JwtUtil.java – KnockingHeads Feb 17 '23 at 09:53
  • So would it be secure to read the ID of the user from the token, call my DB with this ID and make changes with it? – El Pandario Feb 17 '23 at 16:06
  • Ideally, JWT is for authentication only. Once the user is authenticated, you can do any operation just like a normal user would do. – KnockingHeads Feb 20 '23 at 06:43

1 Answer

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/users")
public class UserController {

    @Autowired
    private UserService userService;

    @PutMapping("/{id}")
    public ResponseEntity<?> updateUser(@PathVariable Long id, @RequestBody User user) {
        // The JWT filter has already validated the token and stored the
        // authenticated principal in the security context; read the caller's
        // identity from there, never from the request body.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !(authentication.getPrincipal() instanceof User)) {
            // No verified identity on this request: 401 Unauthorized.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        User authenticatedUser = (User) authentication.getPrincipal();

        // Authorization: the caller may only update their own record. The caller
        // is authenticated, so a mismatch is 403 Forbidden, not 401.
        if (!authenticatedUser.getId().equals(id)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }

        // Force the id from the path so a value in the body cannot retarget another row.
        user.setId(id);
        userService.updateUser(user);

        return ResponseEntity.ok().build();
    }
}

What do you think about this? UserService would be responsible for actually updating the user in the database. The controller simply handles the request, authenticates the user with JWT, and checks that the authenticated user is authorized to make the update.

You can change the ResponseEntity type as you like.

Art
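As an added example (not code from the original question or the answer above), here is how the "/user/preferences" endpoint from the question can take its owner from the verified JWT instead of from the request body. It assumes the JWT filter stores a Spring Security UserDetails principal in the SecurityContext whose username equals the token's "sub" claim, and that User and Preferences JPA entities exist with the getters and setters used below (getId, getUsername, getUser/setUser, getLanguage/setLanguage, isEmailNotifications/setEmailNotifications). The repository interfaces at the bottom, and every other name in the block, are assumptions for this example.

```java
package example.preferences;

import java.util.Optional;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Added example; assumes User/Preferences entities and the repositories below exist.
@RestController
@RequestMapping("/user/preferences")
public class PreferencesController {

    private final UserRepository users;
    private final PreferencesRepository preferences;

    public PreferencesController(UserRepository users, PreferencesRepository preferences) {
        this.users = users;
        this.preferences = preferences;
    }

    // The body carries only preference fields. It deliberately has no userId,
    // so a client cannot create or overwrite another user's row (mass assignment).
    public record PreferencesRequest(String language, boolean emailNotifications) {}

    public record PreferencesResponse(Long userId, String language, boolean emailNotifications) {
        static PreferencesResponse from(Preferences p) {
            return new PreferencesResponse(p.getUser().getId(), p.getLanguage(), p.isEmailNotifications());
        }
    }

    // Create or replace the caller's preferences (one-to-one with the user).
    // PUT rather than POST because the resource is "the caller's preferences"
    // and the operation is idempotent.
    @PutMapping
    public ResponseEntity<PreferencesResponse> upsert(
            @AuthenticationPrincipal UserDetails principal,
            @RequestBody PreferencesRequest body) {
        User owner = requireUser(principal);
        Preferences prefs = preferences.findByUserId(owner.getId())
                .orElseGet(() -> {
                    Preferences created = new Preferences();
                    created.setUser(owner); // owner comes from the token, never from the body
                    return created;
                });
        prefs.setLanguage(body.language());
        prefs.setEmailNotifications(body.emailNotifications());
        return ResponseEntity.ok(PreferencesResponse.from(preferences.save(prefs)));
    }

    @GetMapping
    public ResponseEntity<PreferencesResponse> read(@AuthenticationPrincipal UserDetails principal) {
        User owner = requireUser(principal);
        return preferences.findByUserId(owner.getId())
                .map(p -> ResponseEntity.ok(PreferencesResponse.from(p)))
                .orElse(ResponseEntity.notFound().build());
    }

    // Resolve the DB user from the token subject the filter already verified.
    // If no principal is present (the filter let an anonymous request through)
    // answer 401; if the subject no longer maps to a user (deleted after the
    // token was issued) answer 403. Nothing in the request is trusted for identity.
    private User requireUser(UserDetails principal) {
        if (principal == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        return users.findByUsername(principal.getUsername())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
    }
}

// Hypothetical Spring Data repositories assumed by the controller.
// findByUserId is derived by Spring Data as the traversal preferences.user.id.
interface UserRepository extends JpaRepository<User, Long> {
    Optional<User> findByUsername(String username);
}

interface PreferencesRepository extends JpaRepository<Preferences, Long> {
    Optional<Preferences> findByUserId(Long userId);
}
```

@AuthenticationPrincipal resolves to the same object the answer reads with SecurityContextHolder.getContext().getAuthentication().getPrincipal(); in both cases the identity comes from the token the filter already checked, so nothing in the body needs to, or is allowed to, name the user. A request body such as {"language":"fr","emailNotifications":true} creates the row linked to the caller, and because the DTO has no userId field a client cannot point the row at someone else.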