Add commets, more detail on config and entity.

741700bc · Abdul Rahman · 99e3c60d · 741700bc · 741700bc
Commit 741700bc authored 8 months ago by Abdul Rahman
2 changed files
--- a/src/main/java/com/crio/springsecuritydemo/config/security/SecurityConfig.java
+++ b/src/main/java/com/crio/springsecuritydemo/config/security/SecurityConfig.java
@@ -28,10 +28,16 @@ public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {

+        /**
+        * CSRF, when enabled will not let you make requests from any client except for the whitelisted clients.
+        * It is sometimes disabled while testing so that requests can be made from localhost and Postman.
+        * CSRF can be disabled in Basic Auth as it sends the username and password in the heaaders.
+        */
        httpSecurity.csrf(csrf -> csrf.disable());

        httpSecurity.authenticationProvider(authenticationProvider());

+        //Filter all requests except for /login and /register
        httpSecurity.authorizeHttpRequests(configurer -> configurer
                .requestMatchers("/login", "/register")
                .permitAll()

--- a/src/main/java/com/crio/springsecuritydemo/model/User.java
+++ b/src/main/java/com/crio/springsecuritydemo/model/User.java
@@ -21,6 +21,22 @@ import lombok.NoArgsConstructor;
 @AllArgsConstructor
 @Builder
 @Document(collection = "users")
+/**
+ * This class represents a User in the application.
+ * 
+ * The class implements the UserDetails interface from Spring Security, 
+ * which is necessary for Spring Security to know how to authenticate and authorize 
+ * a user in the system.
+ * 
+ * By implementing UserDetails, we provide essential user information such as:
+ * - Username (typically email or ID)
+ * - Authorities (roles or permissions)
+ * - Account status (locked, enabled, expired, etc.)
+ * 
+ * This allows Spring Security to manage authentication, session management, and
+ * security checks effectively. It also helps in securely storing user credentials
+ * and roles within the security context.
+ */
 public class User implements UserDetails {

    @Id
@@ -30,31 +46,56 @@ public class User implements UserDetails {
    private String password;
    private Role role;

+    /*
+     * Returns the user's roles or authorities.
+     * In this example, the user's role is converted into a SimpleGrantedAuthority,
+     * which is a Spring Security representation of a role or permission.
+     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return List.of(new SimpleGrantedAuthority(role.name()));
    }

+    /*
+     * Returns the username or unique identifier for the user.
+     * Typically, this would be the user's email or username that was used to log in.
+     */
    @Override
    public String getUsername() {
        return email;
    }

+     /*
+     * Indicates whether the user's account has expired.
+     * In this case, it always returns true, meaning the account is not expired.
+     */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

+     /*
+     * Checks if the user's account is locked (e.g., due to multiple failed login attempts).
+     * Returning true means the account is not locked and the user can log in.
+     */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

+     /*
+     * Indicates whether the user's credentials (password) have expired.
+     * In this case, it always returns true, meaning the credentials are not expired.
+     */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

+     /*
+     * Indicates whether the user's account is enabled and can be used for authentication.
+     * Returning true means the account is enabled, and the user is allowed to log in.
+     */
    @Override
    public boolean isEnabled() {
        return true;