Internship Report > Worklog > Week 2 Worklog

Week 2 Worklog

Week 2 Objectives:

Backend: Integrate Enterprise-grade authentication via Amazon Cognito User Pools into Spring Security. Build the UserProfile module.
Frontend: Implement the complete authentication flow — from the Login screen using secure PKCE (Proof Key for Code Exchange) through token storage and state management.
Establish secure token lifecycle management, including automatic refresh and revocation handling.

Tasks to be carried out this week:

Day	Task	Start Date	Completion Date	Reference Material
2	- Study AWS Cognito User Pools concepts + User Pool configuration: password policies, app clients, PKCE + ID Token vs Access Token — difference and proper usage + Cognito JWT claims: `sub`, `cognito:groups`, `token_use`	01/13/2026	01/13/2026	https://docs.aws.amazon.com/cognito/
3	- Implement Spring Security JWT configuration + Add `spring-security-oauth2-resource-server` dependency + Configure `SecurityConfig`: stateless sessions, CSRF disabled, CORS enabled + Set Cognito issuer-uri in `application.properties` + Write custom `OAuth2TokenValidator` — reject tokens where `token_use != "access"`	01/14/2026	01/14/2026	https://docs.spring.io/spring-security/
3	- Implement role extraction from JWT + Read `cognito:groups` claim → convert to Spring `ROLE_<GROUP>` authorities + Configure `@PreAuthorize("hasRole('ADMIN')")` for admin endpoints + Define authorization rules: public endpoints, authenticated, admin-only	01/14/2026	01/14/2026
4	- Build UserProfile entity & repository + Fields: `cognitoId (UNIQUE)`, `email (UNIQUE)`, `username`, `name`, `gender`, `birthdate`, `phoneNumber`, `picture`, `emailVerified` + `UserProfileRepository` extends `JpaRepository`	01/15/2026	01/15/2026
4	- Build UserProfileService & UserProfileController + `POST /user/sync` — upsert profile from Cognito claims (IDOR-safe: `cognitoSub` from JWT `sub`) + `GET /user/{id}`, `PUT /user/{id}`, `DELETE /user/{id}`	01/15/2026	01/15/2026
5	- Build Frontend `LoginScreen` + Single “Sign in with AWS Cognito” button + Initiate PKCE flow via `expo-auth-session` + `expo-web-browser` + Handle redirect callback: exchange code → tokens + Decode ID Token with `jwt-decode` to extract user claims	01/16/2026	01/16/2026	https://docs.expo.dev/guides/authentication/
6	- Build authSlice (Redux) and token storage + State: `isAuthenticated`, `user`, `token`, `refreshToken`, `hasCompletedOnboarding` + Actions: `login`, `logout`, `completeOnboarding`, `updateUserProfile` + Persist tokens to `expo-secure-store` (mobile) / `localStorage` (web) via `utils/storage.ts` - Wire Axios request interceptor: auto-attach `Authorization: Bearer <token>`	01/17/2026	01/17/2026

Week 2 Achievements:

Backend — Security:
- Spring Security fully configured with Amazon Cognito as the JWT issuer, implementing Enterprise-grade RBAC (Role-Based Access Control).
- Custom OAuth2TokenValidator blocks ID tokens — only Access Tokens accepted at the API layer.
- Role-based access control works: ROLE_ADMIN group from cognito:groups correctly mapped to grant admin privileges.
- All security rules defined: public health check, authenticated user routes, admin-only /admin/** routes.
Backend — UserProfile module:
- POST /user/sync correctly upserts user from Cognito JWT claims without IDOR vulnerability.
- Full CRUD (GET, PUT, DELETE) on /user/{id} with proper authorization checks.
- UserProfile entity persisted to PostgreSQL via JPA.
Frontend — Authentication:
- LoginScreen renders correctly; tapping the button securely opens Cognito Hosted UI in the system browser.
- PKCE code exchange works end-to-end via expo-auth-session, completely eliminating the need for client-side Secret Keys.
- authSlice correctly toggles isAuthenticated; RootNavigator redirects to the right stack.
- Axios interceptor auto-attaches Bearer token and manages Token Lifecycle (automatic background refresh and forced logout on revocation).

AWS Knowledge Learned:

Studied Cognito User Pools in detail: app clients, callback URLs, logout URLs, OAuth scopes, and token lifetime tradeoffs for a mobile application.
Understood the PKCE flow end to end, including code_verifier, code_challenge, and S256, and why it is essential for public clients.
Distinguished ID token and access token in a real API context, reinforcing that backend authorization must rely on access token claims rather than ID token data.
Learned a robust JWT validation path: iss, aud, exp, nbf, token_use, and signature validation through Cognito JWKs.
Practiced mapping cognito:groups into internal app roles like ROLE_ADMIN and ROLE_USER to support secure RBAC.
Understood refresh-token storage boundaries for mobile clients, especially secure storage, rotation handling, and forced logout on invalid refresh.
Reinforced the importance of using the immutable sub claim as the stable user identity across all backend modules.

In summary, week 2 connected AWS identity concepts directly to the authentication and authorization model of the project.

Next Week Plan:

Backend: Build the common infrastructure layer — GlobalExceptionHandler, CorsConfig. Implement the GoalType module (first business module).
Frontend: Build navigation foundation — RootNavigator, AuthStack, MainTabs with custom tab bar, OnboardingStack.