Yicong-Huang opened a new pull request, #4896:
URL: https://github.com/apache/texera/pull/4896

   ### What changes were proposed in this PR?
   
   Two JWT parsing paths drifted apart, and the codebase had two `JwtConsumer` instances built with byte-identical config:
   
   - `common/auth/JwtParser` (microservices) read 5 claims and dropped `googleAvatar` — even though `JwtAuth.jwtClaims` writes it on every token.
   - `amber/.../UserAuthenticator` read those 5 plus `comment`, `accountCreation` — neither of which the issuer ever writes, so always `null` in real tokens. Also dropped `googleAvatar`.
   
   Consolidate into a single `JwtParser.claimsToSessionUser(JwtClaims): SessionUser` in `common/auth`. Make `JwtParser.parseToken` reuse `JwtAuth.jwtConsumer` (one consumer instance left in the codebase). Rewrite `UserAuthenticator.authenticate` as a 1-line delegate so amber and the microservices produce identical `SessionUser` objects from the same token.
   
   `UserAuthenticator` itself stays in amber — it's a Dropwizard 1.3 `Authenticator[JwtContext, SessionUser]` adapter for the toastshaman library. Once amber's Dropwizard upgrade unblocks the move to the common `JwtAuthFilter`, this whole adapter goes away.
   
   Side robustness fix: jose4j returns `Long` for integer claims after JSON round-trip but `setClaim` keeps `Integer` in memory. Widening `userId` via `getClaimValue("userId", classOf[Number]).intValue()` makes directly-built and parsed claims behave the same.
   
   ### Any related issues, documentation, discussions?
   
   Closes #4895
   
   ### How was this PR tested?
   
   `JwtParserSpec` (new, 4 cases): asserts every issued claim is populated (including `googleAvatar`), the non-issued `User` slots stay `null`, an end-to-end round-trip via `JwtAuth.jwtToken -> JwtParser.parseToken` reconstructs the user, and a structurally invalid token returns empty.
   
   `sbt Auth/test` 11/11 green; `AccessControlService`, `ConfigService`, `FileService`, `ComputingUnitManagingService`, `WorkflowExecutionService` all compile clean; `Auth/scalafmtCheckAll` and `Auth/scalafixAll --check` clean.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Opus 4.7)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
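
The `Integer`/`Long` mismatch described under "Side robustness fix", as an added example that is not part of the pull request or the Texera code base. It calls jose4j's `JwtClaims` directly; the object name, helper names and sample values are assumptions made for illustration.

```scala
import org.jose4j.jwt.JwtClaims
import scala.util.Try

object UserIdClaimWidening {
  // Constructed sample claims: the claim name "userId" comes from the PR text,
  // the subject and the value 42 are made up for this example.
  def inMemoryClaims(): JwtClaims = {
    val claims = new JwtClaims()
    claims.setSubject("alice")
    claims.setClaim("userId", Integer.valueOf(42)) // stored as java.lang.Integer
    claims
  }

  // The same claims after a JSON round-trip, which is the shape a parsed token has.
  def parsedClaims(): JwtClaims = JwtClaims.parse(inMemoryClaims().toJson())

  // Narrow read: the typed getter casts to java.lang.Integer, so it only
  // succeeds while the stored value still has that exact runtime type.
  def narrowUserId(claims: JwtClaims): Try[Int] =
    Try(claims.getClaimValue("userId", classOf[Integer]).intValue())

  // Widened read from the PR description: java.lang.Number covers both
  // Integer (directly built claims) and Long (claims parsed from JSON).
  def widenedUserId(claims: JwtClaims): Try[Int] =
    Try(claims.getClaimValue("userId", classOf[Number]).intValue())

  def main(args: Array[String]): Unit = {
    val cases = Seq("built" -> inMemoryClaims(), "parsed" -> parsedClaims())
    for ((label, claims) <- cases) {
      // Untyped getter, used here only to show the runtime type behind the claim.
      val runtimeType = claims.getClaimValue("userId").getClass.getSimpleName
      println(s"$label: type=$runtimeType narrow=${narrowUserId(claims)} widened=${widenedUserId(claims)}")
    }
  }
}
```

`Number.intValue()` narrows silently, so a parsed value outside the `Int` range would wrap rather than fail; a range check before the conversion is the stricter choice when the id feeds an authorization decision.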
