🔑implement inter-service API key authentication with circuit breaker

Author: Adnane Miliari

apiKey-manager/src/main/java/dev/nano/apikey/ApiKeyEntity.java

@@ -17,13 +17,13 @@
 public class ApiKeyEntity {
     @Id
     @SequenceGenerator(
-            name = "customer_sequence",
-            sequenceName = "customer_sequence",
+            name = "api_key_sequence",
+            sequenceName = "api_key_sequence",
             allocationSize = 1
     )
     @GeneratedValue(
             strategy = GenerationType.SEQUENCE,
-            generator = "customer_sequence"
+            generator = "api_key_sequence"
     )
     @Column(
             name = "id",

apiKey-manager/src/main/java/dev/nano/apikey/ApiKeyRepository.java

@@ -3,6 +3,7 @@
 import dev.nano.application.ApplicationName;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
 
 import java.util.Optional;
 
@@ -12,9 +13,9 @@ public interface ApiKeyRepository extends JpaRepository<ApiKeyEntity, Long> {
         INNER JOIN ApplicationEntity ap
         ON ak.id = ap.apiKey.id
         WHERE ak.key = :key
-        AND ap.applicationName = :appName
+        AND ap.applicationName = :applicationName
     """)
-    Optional<ApiKeyEntity> findByKeyAndApplicationName(String key, ApplicationName applicationName);
+    Optional<ApiKeyEntity> findByKeyAndApplicationName(@Param("key") String key, @Param("applicationName") ApplicationName applicationName);
 
     @Query("""
         SELECT

apiKey-manager/src/main/java/dev/nano/apikey/ApiKeyService.java

@@ -1,9 +1,11 @@
 package dev.nano.apikey;
 
 import dev.nano.application.ApplicationName;
+import org.springframework.transaction.annotation.Transactional;
 
 public interface ApiKeyService {
     String save(ApiKeyRequest apiKeyRequest);
     void revokeApi(String key);
+    @Transactional(readOnly = true)
     boolean isAuthorized(String apiKey, ApplicationName applicationName);
 }

apiKey-manager/src/main/java/dev/nano/apikey/ApiKeyServiceImpl.java

@@ -5,7 +5,9 @@
 import dev.nano.application.ApplicationRepository;
 import dev.nano.exceptionhandler.core.ResourceNotFoundException;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
 
 import java.time.LocalDateTime;
 import java.util.List;
@@ -18,6 +20,7 @@
 
 @Service
 @RequiredArgsConstructor
+@Slf4j
 public class ApiKeyServiceImpl implements ApiKeyService {
     private static final Integer EXPIRATION_DAYS = 30;
     private final ApiKeyRepository apiKeyRepository;
@@ -77,10 +80,13 @@ public void revokeApi(String key) {
     }
 
     @Override
+    @Transactional(readOnly = true)
     public boolean isAuthorized(String apiKey, ApplicationName applicationName) {
+        log.info("Attempting to authorize API Key: {} for Application: {}", apiKey, applicationName);
         Optional<ApiKeyEntity> optionalApiKey = apiKeyRepository.findByKeyAndApplicationName(apiKey, applicationName);
 
         if(optionalApiKey.isEmpty()) {
+            log.warn("API Key {} not found for application {}. Returning false.", apiKey, applicationName);
             return false;
         }
 

apiKey-manager/src/main/java/dev/nano/application/ApplicationEntity.java

@@ -15,13 +15,13 @@
 public class ApplicationEntity {
     @Id
     @SequenceGenerator(
-            name = "customer_sequence",
-            sequenceName = "customer_sequence",
+            name = "application_sequence",
+            sequenceName = "application_sequence",
             allocationSize = 1
     )
     @GeneratedValue(
             strategy = GenerationType.SEQUENCE,
-            generator = "customer_sequence"
+            generator = "application_sequence"
     )
     @Column(
             name = "id",

apiKey-manager/src/main/resources/db/data.sql

@@ -1,26 +1,41 @@
 -- First insert API Keys and store their IDs
 INSERT INTO api_keys (id, key, client, description, created_date, expiration_date, enabled, never_expires, approved,
                       revoked)
-SELECT nextval('api_key_sequence'), key, client, description, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP + INTERVAL '365 days', enabled, never_expires, approved, revoked
+SELECT nextval('api_key_sequence'), t.key_value, t.client, t.description, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP + INTERVAL '365 days', t.enabled, t.never_expires, t.approved, t.revoked
 FROM (
-    VALUES
-    ('ecom-frontend-key-2024', 'E-commerce Frontend', 'API Key for frontend application', true, false, true, false),
-    ('mobile-app-key-2024', 'Mobile Application', 'API Key for mobile app', true, false, true, false),
-    ('admin-dashboard-key-2024', 'Admin Dashboard', 'API Key for admin dashboard', true, true, true, false)
-    ) AS t(key, client, description, enabled, never_expires, approved, revoked);
+         VALUES
+             ('ecom-frontend-key-2024', 'E-commerce Frontend', 'API Key for frontend application', true, false, true, false),
+             ('mobile-app-key-2024', 'Mobile Application', 'API Key for mobile app', true, false, true, false),
+             ('admin-dashboard-key-2024', 'Admin Dashboard', 'API Key for admin dashboard', true, true, true, false),
+             -- Internal traffic key (never exposed publicly)
+             ('internal-service-key', 'Internal Service', 'API Key for inter-service calls', true, true, true, false)
+     ) AS t(key_value, client, description, enabled, never_expires, approved, revoked);
 
--- Then insert Applications using the actual API key IDs
+-- Then insert Applications using the actual API key IDs by looking up the key value
 INSERT INTO applications (id, application_name, enabled, approved, revoked, api_key_id)
 SELECT nextval('application_sequence'),
-       app_name,
+       t.app_name,
        true,
        true,
        false,
-       ak.id
-FROM (VALUES ('CUSTOMER', 1), ('CUSTOMER', 2), ('CUSTOMER', 3),
-             ('PRODUCT', 1), ('PRODUCT', 2), ('PRODUCT', 3),
-             ('ORDER', 1), ('ORDER', 2), ('ORDER', 3),
-             ('PAYMENT', 1), ('PAYMENT', 3),
-             ('NOTIFICATION', 3)
-      ) AS t(app_name, key_order)
-      JOIN api_keys ak ON ak.id = (SELECT id FROM api_keys ORDER BY id LIMIT 1 OFFSET (t.key_order - 1));
+       (SELECT ak.id FROM api_keys ak WHERE ak.key = t.api_key_name)
+FROM (VALUES ('CUSTOMER', 'ecom-frontend-key-2024'),
+             ('CUSTOMER', 'mobile-app-key-2024'),
+             ('CUSTOMER', 'admin-dashboard-key-2024'),
+             ('PRODUCT', 'ecom-frontend-key-2024'),
+             ('PRODUCT', 'mobile-app-key-2024'),
+             ('PRODUCT', 'admin-dashboard-key-2024'),
+             ('ORDER', 'ecom-frontend-key-2024'),
+             ('ORDER', 'mobile-app-key-2024'),
+             ('ORDER', 'admin-dashboard-key-2024'),
+             ('PAYMENT', 'ecom-frontend-key-2024'),
+             ('PAYMENT', 'admin-dashboard-key-2024'),
+             ('NOTIFICATION', 'admin-dashboard-key-2024'),
+             -- Grant the internal-service-key to every microservice that consumes internal APIs
+             ('CUSTOMER', 'internal-service-key'),
+             ('PRODUCT', 'internal-service-key'),
+             ('ORDER', 'internal-service-key'), -- This line specifically authorizes 'internal-service-key' for the 'ORDER' application
+             ('PAYMENT', 'internal-service-key'),
+             ('NOTIFICATION', 'internal-service-key'),
+             ('APIKEY_MANAGER', 'internal-service-key')
+     ) AS t(app_name, api_key_name);

common/src/main/resources/shared-application-default.yml

@@ -19,7 +19,7 @@ management:
 
 spring:
   datasource:
-    url: jdbc:postgresql://localhost:5432/${spring.application.name}
+    url: jdbc:postgresql://localhost:5433/${spring.application.name}
     username: postgres
     password: password
   jpa:
@@ -61,3 +61,28 @@ jwt:
   auth:
     converter:
       principle-attribute: preferred_username
+
+resilience4j:
+  circuitbreaker:
+    instances:
+      productService:
+        sliding-window-type: count_based
+        sliding-window-size: 5
+        minimum-number-of-calls: 5
+        failure-rate-threshold: 50
+        wait-duration-in-open-state: 30s
+      orderService:
+        sliding-window-type: count_based
+        sliding-window-size: 5
+        minimum-number-of-calls: 5
+        failure-rate-threshold: 50
+        wait-duration-in-open-state: 30s
+  retry:
+    instances:
+      orderService:
+        max-attempts: 3
+        wait-duration: 1000ms
+  timelimiter:
+    instances:
+      orderService:
+        timeout-duration: 3s

feign-clients/src/main/java/dev/nano/clients/apiKeyManager/ApplicationName.java

@@ -9,7 +9,7 @@
 public interface ApiKeyManagerClient {
 
     @GetMapping("{apiKey}/applications/{applicationName}/authorization")
-    ApiKeyManagerResponse isKeyAuthorizedForApplication(
+    boolean isKeyAuthorizedForApplication(
             @PathVariable("apiKey") String apiKey,
             @PathVariable("applicationName") String applicationName);