Yicong-Huang opened a new issue, #4895: URL: https://github.com/apache/texera/issues/4895
### Task Summary

Two JWT parsing paths currently produce different SessionUser objects from the same token:

- `org.apache.texera.auth.JwtParser` (used by `JwtAuthFilter` in 4 microservices and a couple of resource-level callers in amber) reads 5 claims (`subject`, `email`, `userId`, `googleId`, `role`) and drops `googleAvatar` even though `JwtAuth.jwtClaims` writes it into every issued token.
- `org.apache.texera.web.auth.UserAuthenticator` (used by amber's toastshaman-based filter) reads the same 5 + reads `comment` and `accountCreation` claims that the issuer never writes, so they are always `null` in practice. It also drops `googleAvatar`.

There are also two `JwtConsumer` instances (`JwtParser`'s private one and `JwtAuth.jwtConsumer`) built with byte-identical builder chains. They share the same secret and the same clock-skew/exp/sub config -- pure duplication.

Refactor:

1. Extract a single `JwtParser.claimsToSessionUser(JwtClaims): SessionUser` that reads all 6 issued claims (including `googleAvatar`).
2. Make `JwtParser.parseToken` use `JwtAuth.jwtConsumer` instead of building its own. Delete the internal copy.
3. Rewrite `UserAuthenticator.authenticate(JwtContext)` to a one-liner that delegates to `JwtParser.claimsToSessionUser(context.getJwtClaims)`. Drop the dead `comment` / `accountCreation` reads.

### Task Type

- [x] Refactor / Cleanup

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
