package com.saas.shared.security; import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import io.jsonwebtoken.security.Keys; import jakarta.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.core.Authentication; import org.springframework.stereotype.Component; import javax.crypto.SecretKey; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.util.Date; @Component public class JwtTokenProvider { private static final int MINIMUM_SECRET_LENGTH = 32; @Value("${jwt.secret}") private String jwtSecret; @Value("${jwt.expiration}") private long jwtExpiration; @PostConstruct public void validateSecretOnStartup() { getSigningKey(); } private SecretKey getSigningKey() { if (jwtSecret == null || jwtSecret.length() < MINIMUM_SECRET_LENGTH) { throw new IllegalStateException( String.format("JWT secret must be at least %d characters long. Current length: %d. " + "Generate a secure secret using: openssl rand -base64 32", MINIMUM_SECRET_LENGTH, jwtSecret != null ? jwtSecret.length() : 0) ); } try { MessageDigest digest = MessageDigest.getInstance("SHA-512"); byte[] hashedKey = digest.digest(jwtSecret.getBytes(StandardCharsets.UTF_8)); return Keys.hmacShaKeyFor(hashedKey); } catch (Exception e) { throw new RuntimeException("Failed to generate signing key", e); } } public String generateToken(Authentication authentication, String tenantId, String schemaName, String userType) { UserPrincipal userPrincipal = (UserPrincipal) authentication.getPrincipal(); Date now = new Date(); Date expiryDate = new Date(now.getTime() + jwtExpiration); System.out.println("🔑 JWT GENERATION - userId: " + userPrincipal.getId() + ", tenantId: " + tenantId + ", schemaName: " + schemaName + ", userType: " + userType); String token = Jwts.builder() .setSubject(userPrincipal.getId().toString()) .claim("tenantId", tenantId) .claim("schemaName", schemaName) .claim("userType", userType) .claim("email", userPrincipal.getEmail()) .setIssuedAt(now) .setExpiration(expiryDate) .signWith(getSigningKey(), SignatureAlgorithm.HS512) .compact(); System.out.println("✅ JWT TOKEN CREATED - Length: " + token.length()); return token; } public String getUserIdFromToken(String token) { Claims claims = Jwts.parser() .verifyWith(getSigningKey()) .build() .parseSignedClaims(token) .getPayload(); return claims.getSubject(); } public String getTenantIdFromToken(String token) { Claims claims = Jwts.parser() .verifyWith(getSigningKey()) .build() .parseSignedClaims(token) .getPayload(); return claims.get("tenantId", String.class); } public String getSchemaNameFromToken(String token) { Claims claims = Jwts.parser() .verifyWith(getSigningKey()) .build() .parseSignedClaims(token) .getPayload(); String schemaName = claims.get("schemaName", String.class); System.out.println("🔍 JWT Claims - schemaName: " + schemaName + ", tenantId: " + claims.get("tenantId") + ", userType: " + claims.get("userType")); return schemaName; } public String getUserTypeFromToken(String token) { Claims claims = Jwts.parser() .verifyWith(getSigningKey()) .build() .parseSignedClaims(token) .getPayload(); return claims.get("userType", String.class); } public boolean validateToken(String authToken) { try { Jwts.parser() .verifyWith(getSigningKey()) .build() .parseSignedClaims(authToken); return true; } catch (Exception ex) { return false; } } }