Skip to content

B3: Wire JWT role enforcement in service layer #59

Description

@dvdthecoder

Summary

JWT is required by the OpenAPI spec and declared in SecurityConfig, but no endpoint actually checks the caller's role before mutating data. SpiceDB permissions are defined but never enforced.

Tasks

  • Extract caller identity from JWT in each service method (user ID, roles)
  • Add SpiceDB permission check before: create, update, delete, approve operations
  • Enforce: only CAA can approve UasType
  • Enforce: only Operator admin can add/remove Pilots
  • Enforce: only the owning Pilot can submit a FlightPlan
  • Return 403 with clear message when permission denied
  • Add test: unauthorized caller gets 403

Acceptance criteria

  • No mutating operation proceeds without a JWT role check
  • SpiceDB checkPermission called before each state change
  • mvn test passes with auth tests

Depends on

  • A3, A4, A5, A6

Branch

rb-03-refimpl

Metadata

Metadata

Assignees

No one assigned

    Labels

    business-logicDomain business logicphase:3-refimplPhase 3: Reference implementation refactorrebaselinePart of repo rebaseline effort

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions