AceBackend
Medium · API Design / Security

Passport-Based Auth Gateway

JWT validation · Passport pattern · Idempotency keys
In a microservices architecture, each service should not independently validate JWTs: doing so is expensive, error-prone, and creates tight coupling. You'll build an Auth Gateway that:
1. Sits between the API Gateway and backend services
2. Validates the JWT once
3. Extracts user claims and creates a passport (a base64-encoded JSON blob)
4. Attaches the passport as an X-Passport header to all downstream requests
5. Downstream services trust the passport without re-validating
Endpoints
- POST /v1/auth/signup — Hash password with bcrypt, generate JWT, support idempotency keys
- POST /v1/auth/login — Verify credentials, return JWT
- ANY /v1/proxy/*path — Validate JWT, create passport, proxy to upstream
The Passport
```json
{
  "user_id": "user_123",
  "email": "user@example.com",
  "subscription": "free",
  "country": "IN",
  "platform": "android",
  "token_status": "valid",
  "issued_at": 1710000000
}
```
Base64 encoded → X-Passport: eyJ1c2VyX2lkIjoi...
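The validate-once-then-passport flow above, as an added example that is not part of the original challenge or any reference solution. It implements HS256 verification with the standard library instead of a JWT library, uses a constructed secret, and assumes the gateway strips any client-supplied X-Passport header before setting its own (otherwise a caller could assert claims that downstream services, by design, never re-check).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared HMAC key; a real gateway loads it from a secret store.
JWT_SECRET = b"example-shared-secret-for-demo-only"
JWT_TTL_SECONDS = 24 * 60 * 60  # 24-hour expiry from the constraints


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT with iat/exp; what /v1/auth/login would hand back."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + JWT_TTL_SECONDS}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload when signature, alg and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own alg choice
        expected = hmac.new(JWT_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now:
        return None  # expired: the gateway answers 401 and does not proxy
    return payload


def build_passport(payload: dict, now: int) -> str:
    """Base64 JSON blob in the shape the challenge describes, stamped with issued_at."""
    passport = {
        "user_id": payload["user_id"],
        "email": payload["email"],
        "subscription": payload.get("subscription", "free"),
        "country": payload.get("country"),
        "platform": payload.get("platform"),
        "token_status": "valid",
        "issued_at": now,
    }
    return base64.b64encode(json.dumps(passport).encode()).decode()


def decode_passport(header_value: str) -> dict:
    """What a downstream service does: decode, no signature check (by design)."""
    return json.loads(base64.b64decode(header_value))


def handle_proxy(request_headers: dict, now: Optional[int] = None) -> Tuple[int, Optional[dict]]:
    """Gateway decision for /v1/proxy/*: (status, headers to forward) or (401, None)."""
    now = int(time.time()) if now is None else now
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    payload = verify_jwt(auth[len("Bearer "):], now)
    if payload is None:
        return 401, None
    # Drop Authorization and any inbound X-Passport so only the gateway asserts claims.
    upstream = {k: v for k, v in request_headers.items()
                if k.lower() not in ("authorization", "x-passport")}
    upstream["X-Passport"] = build_passport(payload, now)
    return 200, upstream


if __name__ == "__main__":
    tok = issue_jwt({"user_id": "user_123", "email": "user@example.com",
                     "subscription": "free", "country": "IN", "platform": "android"})
    status, headers = handle_proxy({"Authorization": "Bearer " + tok})
    print(status, decode_passport(headers["X-Passport"]))
```

Because downstream services trust the passport blindly, the network path between the gateway and those services has to be one that clients cannot reach directly; the header-stripping in `handle_proxy` only protects the gateway's own ingress.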
Constraints
JWT secret is a shared HMAC key (HS256)
JWT expiry: 24 hours
Passwords must be hashed with bcrypt (cost factor 10)
Idempotency key: same key within 5 minutes returns the original response
Invalid/expired JWT → 401 Unauthorized (do NOT proxy)
Passport must include issued_at timestamp
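The idempotency-key constraint for signup, as an added example that is not part of the original challenge. The store is in-memory with the 5-minute TTL from the constraints (a deployment would put it in a shared cache); password hashing uses PBKDF2 from the standard library as a stand-in, because bcrypt is not in the standard library and the challenge's cost-factor-10 bcrypt would be a drop-in replacement for `hash_password` / `verify_password`.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

IDEMPOTENCY_TTL_SECONDS = 5 * 60  # same key within 5 minutes replays the first response
PBKDF2_ITERATIONS = 100_000       # stand-in for bcrypt cost 10 (assumption, see lead-in)

Response = Tuple[int, dict]


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as salt$digest (bcrypt stand-in)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class IdempotencyStore:
    """key -> (expires_at, response); expired entries are evicted on read."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[int, Response]] = {}

    def get(self, key: str, now: int) -> Optional[Response]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, response = entry
        if expires_at <= now:
            del self._entries[key]
            return None
        return response

    def put(self, key: str, response: Response, now: int) -> None:
        self._entries[key] = (now + IDEMPOTENCY_TTL_SECONDS, response)


class SignupService:
    """Handler logic behind POST /v1/auth/signup (no HTTP framing)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}  # email -> {"user_id", "password_hash"}
        self.idem = IdempotencyStore()
        self._next_id = 1

    def signup(self, email: str, password: str,
               idempotency_key: Optional[str] = None, now: Optional[int] = None) -> Response:
        now = int(time.time()) if now is None else now
        if idempotency_key is not None:
            cached = self.idem.get(idempotency_key, now)
            if cached is not None:
                return cached  # replay: no second user, no second hash computation
        if email in self.users:
            response: Response = (409, {"error": "email already registered"})
        else:
            user_id = "user_%d" % self._next_id
            self._next_id += 1
            self.users[email] = {"user_id": user_id, "password_hash": hash_password(password)}
            response = (201, {"user_id": user_id})
        if idempotency_key is not None:
            self.idem.put(idempotency_key, response, now)
        return response

    def login(self, email: str, password: str) -> int:
        """200 on a correct password, 401 otherwise; JWT minting omitted here."""
        user = self.users.get(email)
        if user is None or not verify_password(password, user["password_hash"]):
            return 401
        return 200


if __name__ == "__main__":
    svc = SignupService()
    print(svc.signup("a@example.com", "pw", idempotency_key="k1"))
    print(svc.signup("a@example.com", "pw", idempotency_key="k1"))  # identical replay
    print(svc.login("a@example.com", "pw"), svc.login("a@example.com", "wrong"))
```

The replay check runs before the duplicate-email check on purpose: a retried signup that already succeeded must return the original 201, not a 409, or the client can never learn its user_id.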
Test Cases (10)
1. Signup with valid data
Returns 201 with JWT and user_id
2. Signup with duplicate email
Returns 409 Conflict
3. Signup with same idempotency key twice
Returns same response both times
4. Login with correct credentials
Returns 200 with valid JWT
5. Login with wrong password
Returns 401
6. Proxy with valid JWT
Upstream receives X-Passport header
7. Proxy with expired JWT
Returns 401, no upstream call
8. Proxy with no Authorization header
Returns 401
9. Decode X-Passport from upstream
Contains correct user claims
10. X-Proxy-State header
Correctly encoded segment key