feat: Add BETA role checks and include user roles

Enable method security and require BETA role for Google Drive endpoints. Explicitly allow only specific auth endpoints and add @PreAuthorize("hasRole('BETA')") to GoogleDriveController methods. Extend UserResponse with roles and canUseGoogleIntegration and update AuthMapper to populate roles and detect BETA membership. Add handler for AccessDeniedException to return 403. Update integration and unit tests to assert roles/canUseGoogleIntegration and to create a beta role/login flow for Google Drive tests.

Author: vitorhugo-java

src/main/java/com/jobtracker/config/SecurityConfig.java

@@ -4,6 +4,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -15,6 +16,7 @@
 
 @Configuration
 @EnableWebSecurity
+@EnableMethodSecurity
 public class SecurityConfig {
 
     private final JwtAuthenticationFilter jwtAuthenticationFilter;
@@ -38,15 +40,20 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-                        .requestMatchers("/api/v1/auth/**").permitAll()
+                        .requestMatchers(
+                                "/api/v1/auth/register",
+                                "/api/v1/auth/login",
+                                "/api/v1/auth/refresh",
+                                "/api/v1/auth/forgot-password",
+                                "/api/v1/auth/reset-password",
+                                "/api/v1/auth/logout").permitAll()
                         .requestMatchers(HttpMethod.GET, "/api/v1/google-drive/oauth/callback").permitAll()
                         .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll()
                         // Actuator is served on a dedicated management port (8081) that is never
                         // exposed to the host; security is enforced via Docker network isolation.
                         .requestMatchers("/actuator/**").permitAll()
                         // ROLE_USER endpoints: all remaining application APIs under /api/v1/**
-                        // (e.g. /api/v1/auth/me, /api/v1/applications/**, /api/v1/gamification/**,
-                        // /api/v1/dashboard/**, /api/v1/account/**).
+                        // (including /api/v1/auth/me and /api/v1/auth/me/**).
                         .requestMatchers("/api/v1/**").hasRole("USER")
                         .anyRequest().authenticated())
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)

src/main/java/com/jobtracker/controller/GoogleDriveController.java

@@ -13,6 +13,7 @@
 import jakarta.validation.Valid;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.io.IOException;
@@ -36,6 +37,7 @@ public GoogleDriveController(GoogleDriveOAuthService googleDriveOAuthService, Go
             responses = @ApiResponse(responseCode = "200", description = "Authorization URL generated",
                     content = @Content(schema = @Schema(implementation = GoogleDriveOAuthStartResponse.class)))
     )
+    @PreAuthorize("hasRole('BETA')")
     @PostMapping("/oauth/start")
     public ResponseEntity<GoogleDriveOAuthStartResponse> startOauth() {
         return ResponseEntity.ok(googleDriveOAuthService.startAuthorization());
@@ -55,39 +57,45 @@ public void oauthCallback(@RequestParam(required = false) String state,
             responses = @ApiResponse(responseCode = "200", description = "Current Google Drive integration status",
                     content = @Content(schema = @Schema(implementation = GoogleDriveStatusResponse.class)))
     )
+    @PreAuthorize("hasRole('BETA')")
     @GetMapping("/status")
     public ResponseEntity<GoogleDriveStatusResponse> getStatus() {
         return ResponseEntity.ok(googleDriveService.getStatus());
     }
 
     @Operation(summary = "Disconnect Google Drive")
+    @PreAuthorize("hasRole('BETA')")
     @DeleteMapping("/connection")
     public ResponseEntity<MessageResponse> disconnect() {
         return ResponseEntity.ok(googleDriveOAuthService.disconnect());
     }
 
     @Operation(summary = "Update Google Drive root folder")
+    @PreAuthorize("hasRole('BETA')")
     @PutMapping("/root-folder")
     public ResponseEntity<GoogleDriveStatusResponse> updateRootFolder(
             @Valid @RequestBody GoogleDriveRootFolderRequest request) {
         return ResponseEntity.ok(googleDriveService.updateRootFolder(request));
     }
 
     @Operation(summary = "Register a Google Docs base resume")
+    @PreAuthorize("hasRole('BETA')")
     @PostMapping("/base-resumes")
     public ResponseEntity<GoogleDriveBaseResumeResponse> addBaseResume(
             @Valid @RequestBody GoogleDriveBaseResumeRequest request) {
         return ResponseEntity.status(HttpStatus.CREATED).body(googleDriveService.addBaseResume(request));
     }
 
     @Operation(summary = "Delete a configured base resume")
+    @PreAuthorize("hasRole('BETA')")
     @DeleteMapping("/base-resumes/{baseResumeId}")
     public ResponseEntity<MessageResponse> deleteBaseResume(@PathVariable UUID baseResumeId) {
         googleDriveService.deleteBaseResume(baseResumeId);
         return ResponseEntity.ok(new MessageResponse("Base resume deleted successfully"));
     }
 
     @Operation(summary = "Copy a base resume into an application folder")
+    @PreAuthorize("hasRole('BETA')")
     @PostMapping("/applications/{applicationId}/resume-copies")
     public ResponseEntity<GoogleDriveResumeCopyResponse> copyBaseResume(
             @PathVariable UUID applicationId,

src/main/java/com/jobtracker/dto/auth/UserResponse.java

@@ -3,6 +3,7 @@
 import io.swagger.v3.oas.annotations.media.Schema;
 
 import java.time.LocalTime;
+import java.util.Set;
 import java.util.UUID;
 
 @Schema(description = "Authenticated user profile")
@@ -14,5 +15,9 @@ public record UserResponse(
         @Schema(description = "User email address", example = "john@example.com")
         String email,
         @Schema(description = "Preferred daily reminder time", example = "19:00:00")
-        LocalTime reminderTime
+        LocalTime reminderTime,
+        @Schema(description = "Granted application roles", example = "[\"USER\", \"BETA\"]")
+        Set<String> roles,
+        @Schema(description = "Whether the user can access Google integration features", example = "true")
+        boolean canUseGoogleIntegration
 ) {}

src/main/java/com/jobtracker/exception/GlobalExceptionHandler.java

@@ -4,6 +4,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -62,6 +63,12 @@ public ResponseEntity<Map<String, Object>> handleRateLimitExceeded(RequestNotPer
         return buildResponse(HttpStatus.TOO_MANY_REQUESTS, "Too many requests. Please try again later.");
     }
 
+    @ExceptionHandler(AccessDeniedException.class)
+    public ResponseEntity<Map<String, Object>> handleAccessDenied(AccessDeniedException ex) {
+        log.warn("event=ACCESS_DENIED message={}", ex.getMessage());
+        return buildResponse(HttpStatus.FORBIDDEN, "Access denied");
+    }
+
     @ExceptionHandler(MethodArgumentNotValidException.class)
     public ResponseEntity<Map<String, Object>> handleValidation(MethodArgumentNotValidException ex) {
         Map<String, String> fieldErrors = new HashMap<>();

src/main/java/com/jobtracker/mapper/AuthMapper.java

@@ -2,12 +2,26 @@
 
 import com.jobtracker.dto.auth.UserResponse;
 import com.jobtracker.entity.User;
+import com.jobtracker.entity.enums.RoleName;
 import org.springframework.stereotype.Component;
 
+import java.util.LinkedHashSet;
+
 @Component
 public class AuthMapper {
 
     public UserResponse toUserResponse(User user) {
-        return new UserResponse(user.getId(), user.getName(), user.getEmail(), user.getReminderTime());
+        LinkedHashSet<String> roles = user.getRoles().stream()
+                .map(role -> role.getName().name())
+                .sorted()
+                .collect(LinkedHashSet::new, LinkedHashSet::add, LinkedHashSet::addAll);
+
+        return new UserResponse(
+                user.getId(),
+                user.getName(),
+                user.getEmail(),
+                user.getReminderTime(),
+                roles,
+                roles.contains(RoleName.BETA.name()));
     }
 }

src/test/java/com/jobtracker/integration/AuthControllerIT.java

@@ -61,6 +61,8 @@ void register_shouldReturn201_setRefreshTokenCookie_andReturnAccessToken() throw
                 .andExpect(status().isCreated())
                 .andExpect(jsonPath("$.accessToken").isNotEmpty())
                 .andExpect(jsonPath("$.user.email").value("register@example.com"))
+                .andExpect(jsonPath("$.user.roles[0]").value("USER"))
+                .andExpect(jsonPath("$.user.canUseGoogleIntegration").value(false))
                 // Refresh token should NOT be in JSON body (now in HttpOnly cookie)
                 .andExpect(jsonPath("$.refreshToken").doesNotExist())
                 .andReturn();
@@ -121,6 +123,7 @@ void login_shouldReturn200_setRefreshTokenCookie_andReturnAccessToken() throws E
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.accessToken").isNotEmpty())
                 .andExpect(jsonPath("$.user.email").value("login@example.com"))
+                .andExpect(jsonPath("$.user.canUseGoogleIntegration").value(false))
                 .andExpect(jsonPath("$.refreshToken").doesNotExist())
                 .andReturn();
 
@@ -240,7 +243,9 @@ void me_shouldReturn200_whenAuthenticated() throws Exception {
         mockMvc.perform(get("/api/v1/auth/me")
                         .header("Authorization", "Bearer " + auth.accessToken()))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.email").value("me@example.com"));
+                .andExpect(jsonPath("$.email").value("me@example.com"))
+                .andExpect(jsonPath("$.roles[0]").value("USER"))
+                .andExpect(jsonPath("$.canUseGoogleIntegration").value(false));
     }
 
     @Test

src/test/java/com/jobtracker/integration/GoogleDriveControllerIT.java

@@ -7,12 +7,16 @@
 import com.jobtracker.entity.GoogleDriveBaseResume;
 import com.jobtracker.entity.GoogleDriveConnection;
 import com.jobtracker.entity.JobApplication;
+import com.jobtracker.entity.Role;
+import com.jobtracker.entity.User;
+import com.jobtracker.entity.enums.RoleName;
 import com.jobtracker.repository.ApplicationRepository;
 import com.jobtracker.repository.GoogleDriveBaseResumeRepository;
 import com.jobtracker.repository.GoogleDriveConnectionRepository;
 import com.jobtracker.repository.GoogleDriveOAuthStateRepository;
 import com.jobtracker.repository.PasswordResetTokenRepository;
 import com.jobtracker.repository.RefreshTokenRepository;
+import com.jobtracker.repository.RoleRepository;
 import com.jobtracker.repository.UserAchievementRepository;
 import com.jobtracker.repository.UserGamificationRepository;
 import com.jobtracker.repository.UserRepository;
@@ -32,6 +36,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.UUID;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -56,9 +61,11 @@ class GoogleDriveControllerIT extends AbstractIntegrationTest {
     @Autowired private GoogleDriveConnectionRepository googleDriveConnectionRepository;
     @Autowired private GoogleDriveBaseResumeRepository googleDriveBaseResumeRepository;
     @Autowired private GoogleDriveOAuthStateRepository googleDriveOAuthStateRepository;
+    @Autowired private RoleRepository roleRepository;
     @Autowired private FakeGoogleDriveApiClient googleDriveApiClient;
 
-    private String accessToken;
+    private String betaAccessToken;
+    private String nonBetaAccessToken;
 
     @BeforeEach
     void setUp() throws Exception {
@@ -79,20 +86,52 @@ void setUp() throws Exception {
                 .andReturn();
 
         AuthResponse auth = objectMapper.readValue(result.getResponse().getContentAsString(), AuthResponse.class);
-        accessToken = auth.accessToken();
+        nonBetaAccessToken = auth.accessToken();
+
+        User user = userRepository.findByEmail("driveuser@example.com").orElseThrow();
+        Role betaRole = roleRepository.findByName(RoleName.BETA)
+                .orElseGet(() -> {
+                    Role role = new Role();
+                    role.setName(RoleName.BETA);
+                    return roleRepository.save(role);
+                });
+        user.setRoles(Set.of(
+                user.getRoles().stream().findFirst().orElseThrow(),
+                betaRole));
+        userRepository.save(user);
+
+        MvcResult loginResult = mockMvc.perform(post("/api/v1/auth/login")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "email": "driveuser@example.com",
+                                  "password": "pass1234"
+                                }
+                                """))
+                .andReturn();
+
+        AuthResponse betaAuth = objectMapper.readValue(loginResult.getResponse().getContentAsString(), AuthResponse.class);
+        betaAccessToken = betaAuth.accessToken();
     }
 
     @Test
     void startOauth_shouldReturnAuthorizationUrl() throws Exception {
         mockMvc.perform(post("/api/v1/google-drive/oauth/start")
-                        .header("Authorization", "Bearer " + accessToken))
+                        .header("Authorization", "Bearer " + betaAccessToken))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.authorizationUrl").value(org.hamcrest.Matchers.containsString("https://accounts.google.com/o/oauth2/v2/auth")))
                 .andExpect(jsonPath("$.state").isNotEmpty())
                 .andExpect(jsonPath("$.redirectUri").value("http://localhost:8080/api/v1/google-drive/oauth/callback"))
                 .andExpect(jsonPath("$.scopes[0]").value("https://www.googleapis.com/auth/drive"));
     }
 
+    @Test
+    void startOauth_shouldReturn403_whenUserDoesNotHaveBetaRole() throws Exception {
+        mockMvc.perform(post("/api/v1/google-drive/oauth/start")
+                        .header("Authorization", "Bearer " + nonBetaAccessToken))
+                .andExpect(status().isForbidden());
+    }
+
     @Test
     void oauthCallback_shouldPersistConnectionAndRedirectToFrontend() throws Exception {
         googleDriveApiClient.tokens = new GoogleDriveApiClient.OAuthTokens(
@@ -105,7 +144,7 @@ void oauthCallback_shouldPersistConnectionAndRedirectToFrontend() throws Excepti
                 new GoogleDriveApiClient.GoogleDriveAccountProfile("perm-123", "connected@example.com", "Drive User");
 
         MvcResult startResult = mockMvc.perform(post("/api/v1/google-drive/oauth/start")
-                        .header("Authorization", "Bearer " + accessToken))
+                        .header("Authorization", "Bearer " + betaAccessToken))
                 .andExpect(status().isOk())
                 .andReturn();
 
@@ -135,7 +174,7 @@ void updateRootFolder_shouldReturnUpdatedStatus() throws Exception {
                 ));
 
         mockMvc.perform(put("/api/v1/google-drive/root-folder")
-                        .header("Authorization", "Bearer " + accessToken)
+                        .header("Authorization", "Bearer " + betaAccessToken)
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"folderIdOrUrl\":\"folder-123\"}"))
                 .andExpect(status().isOk())
@@ -150,7 +189,7 @@ void disconnect_shouldRemoveConnectionAndReturnMessage() throws Exception {
         assertThat(googleDriveConnectionRepository.findAll()).hasSize(1);
 
         mockMvc.perform(delete("/api/v1/google-drive/connection")
-                        .header("Authorization", "Bearer " + accessToken))
+                        .header("Authorization", "Bearer " + betaAccessToken))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.message").value("Google Drive connection removed"));
 
@@ -160,7 +199,7 @@ void disconnect_shouldRemoveConnectionAndReturnMessage() throws Exception {
     @Test
     void disconnect_shouldSucceedEvenWithNoExistingConnection() throws Exception {
         mockMvc.perform(delete("/api/v1/google-drive/connection")
-                        .header("Authorization", "Bearer " + accessToken))
+                        .header("Authorization", "Bearer " + betaAccessToken))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.message").value("Google Drive connection removed"));
     }
@@ -177,7 +216,7 @@ void addBaseResume_shouldPersistResumeAndReturn201() throws Exception {
                 ));
 
         mockMvc.perform(post("/api/v1/google-drive/base-resumes")
-                        .header("Authorization", "Bearer " + accessToken)
+                        .header("Authorization", "Bearer " + betaAccessToken)
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"documentIdOrUrl\":\"doc-abc\"}"))
                 .andExpect(status().isCreated())
@@ -200,7 +239,7 @@ void addBaseResume_shouldRejectNonGoogleDocsFile() throws Exception {
                 ));
 
         mockMvc.perform(post("/api/v1/google-drive/base-resumes")
-                        .header("Authorization", "Bearer " + accessToken)
+                        .header("Authorization", "Bearer " + betaAccessToken)
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"documentIdOrUrl\":\"pdf-file\"}"))
                 .andExpect(status().isBadRequest());
@@ -213,7 +252,7 @@ void deleteBaseResume_shouldRemoveResumeAndReturn200() throws Exception {
         googleDriveBaseResumeRepository.save(resume);
 
         mockMvc.perform(delete("/api/v1/google-drive/base-resumes/" + resume.getId())
-                        .header("Authorization", "Bearer " + accessToken))
+                        .header("Authorization", "Bearer " + betaAccessToken))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.message").value("Base resume deleted successfully"));
 
@@ -223,7 +262,7 @@ void deleteBaseResume_shouldRemoveResumeAndReturn200() throws Exception {
     @Test
     void deleteBaseResume_shouldReturn404ForUnknownId() throws Exception {
         mockMvc.perform(delete("/api/v1/google-drive/base-resumes/" + UUID.randomUUID())
-                        .header("Authorization", "Bearer " + accessToken))
+                        .header("Authorization", "Bearer " + betaAccessToken))
                 .andExpect(status().isNotFound());
     }
 
@@ -249,7 +288,7 @@ void copyResume_shouldCreateFolderAndCopyDocument() throws Exception {
                 ));
 
         mockMvc.perform(post("/api/v1/google-drive/applications/" + application.getId() + "/resume-copies")
-                        .header("Authorization", "Bearer " + accessToken)
+                        .header("Authorization", "Bearer " + betaAccessToken)
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"baseResumeId\":\"" + resume.getId() + "\"}"))
                 .andExpect(status().isCreated())
@@ -273,7 +312,7 @@ void copyResume_shouldReturn400WhenNoRootFolderConfigured() throws Exception {
         application = applicationRepository.save(application);
 
         mockMvc.perform(post("/api/v1/google-drive/applications/" + application.getId() + "/resume-copies")
-                        .header("Authorization", "Bearer " + accessToken)
+                        .header("Authorization", "Bearer " + betaAccessToken)
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"baseResumeId\":\"" + resume.getId() + "\"}"))
                 .andExpect(status().isBadRequest());