feat(EM-40): Implement JWT-Based Authentication with Token Management #52

Open
devin-ai-integration[bot] wants to merge 2 commits into feat/microservices-migration-v2 from devin/1771606759-em40-jwt-authentication

@devin-ai-integration devin-ai-integration bot commented Feb 20, 2026

feat(EM-40): Add libs/ftgo-jwt module with JWT token management

Summary

Adds a new libs/ftgo-jwt/ shared library module providing JWT token generation, validation, parsing, refresh, and a Spring Security authentication filter. Builds on the ftgo-security foundation from EM-39.

Key components:

  • JwtTokenProvider — token generation with custom claims, validation (expired/malformed/invalid-signature), parsing
  • JwtTokenRefreshService — refresh tokens within a configurable threshold window, preserving custom claims
  • JwtAuthenticationFilter: OncePerRequestFilter that extracts Bearer tokens and sets SecurityContext authentication
  • JwtAutoConfiguration — Spring Boot auto-config gated on ftgo.jwt.secret property
  • JwtProperties — configurable secret, expiration, refresh threshold, issuer, header, prefix
  • JJWT 0.12.5 added to gradle/libs.versions.toml (version, libraries, bundle)

Updates since last revision

  • Fixed claims ordering bug: Reordered .claims(claims) to be called before .subject() / .issuer() / .issuedAt() / .expiration() in JwtTokenProvider.generateToken(). This ensures registered claims always take precedence and are never silently overwritten by a custom claims map in JJWT 0.12.x.

Review & Testing Checklist for Human

  • No build or test execution has occurred: The root Gradle wrapper is v4.10.2 (Java 8) and cannot compile Java 17 code. The module is not registered in root settings.gradle (per task constraints), so CI will skip the build with a warning. You must manually verify compilation and all tests pass by either adding ftgo-jwt to settings.gradle temporarily or building standalone with Gradle 7+.
  • Filter not auto-registered in security chain: JwtAuthenticationFilter is created as a bean but never added to the SecurityFilterChain via http.addFilterBefore(...). Consumers must manually wire it. Confirm this is the intended integration pattern or if auto-registration should be added.
  • Secret handling inconsistency: README says "base64-encoded secret key" but code uses raw getBytes(UTF_8) without Base64 decoding. Clarify expected format or add Base64 decoding.
  • Unchecked cast in getRoles(): @SuppressWarnings("unchecked") cast from Object to List<String>. If JSON deserialization produces non-String elements, this could throw ClassCastException at runtime.

Test Plan

  1. Add ftgo-jwt to root settings.gradle (or build standalone with Gradle 7+)
  2. Run ./gradlew :libs:ftgo-jwt:test — verify all 5 test classes pass
  3. Create a test Spring Boot app with ftgo-jwt dependency, configure ftgo.jwt.secret, generate/validate tokens
  4. Verify JwtAuthenticationFilter correctly sets SecurityContext when valid Bearer token is present
  5. Test token refresh near expiry, confirm custom claims are preserved

Notes

  • Module follows exact conventions from ftgo-security (build.gradle, auto-config, properties)
  • CI workflow ci-libs.yml not updated with ftgo-jwt job (out of scope per task constraints)
  • Comprehensive unit tests: 5 test classes, 50+ test methods covering generation, validation, parsing, refresh, filter, auto-config
  • Existing monolith lint check (compileJava) passes — version catalog changes do not break the existing build

Link to Devin run: https://app.devin.ai/sessions/0e3e6b3db2db423d89cf2902f736f9e7
Requested by: @abj453demo
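
The "Secret handling inconsistency" checklist item, worked through as an added example (not code from this PR): the same configured string yields different HMAC keys depending on whether it is read as raw UTF-8 or decoded from Base64, so a token signed under one reading fails verification under the other. It uses only the JDK; the class and method names, the sample secret, the passphrase and the signing input are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SecretFormatDemo {
    // HS256 over a JWT signing input (header.payload), base64url without padding.
    static String hs256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    // What the checklist says the code does: raw UTF-8 bytes of the property value.
    static byte[] rawKey(String secret) {
        return secret.getBytes(StandardCharsets.UTF_8);
    }

    // What the README describes: the property value is Base64 and gets decoded.
    static byte[] base64Key(String secret) {
        byte[] key = Base64.getDecoder().decode(secret);
        if (key.length < 32) { // HS256 requires a key of at least 256 bits (RFC 7518, section 3.2)
            throw new IllegalArgumentException("decoded secret is only " + key.length * 8 + " bits");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret: Base64 of the bytes 0x00..0x1f. Not a real key.
        byte[] material = new byte[32];
        for (int i = 0; i < material.length; i++) material[i] = (byte) i;
        String configured = Base64.getEncoder().encodeToString(material);
        // Constructed signing input: {"alg":"HS256","typ":"JWT"} and {"sub":"user-1"}
        String input = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTEifQ";
        String signedWithRaw = hs256(rawKey(configured), input);
        String signedWithDecoded = hs256(base64Key(configured), input);
        System.out.println("raw key length:     " + rawKey(configured).length + " bytes");
        System.out.println("decoded key length: " + base64Key(configured).length + " bytes");
        System.out.println("signatures match:   " + signedWithRaw.equals(signedWithDecoded));
        // Constructed 32-character passphrase: 256 bits as raw bytes, 192 bits once decoded.
        String passphrase = "correcthorsebatterystaplecorrect";
        try {
            base64Key(passphrase);
        } catch (IllegalArgumentException e) {
            System.out.println("passphrase as Base64: " + e.getMessage());
        }
    }
}
```

Whichever format is chosen, the README and the key-loading code have to agree, and the length check belongs on the decoded bytes rather than on the configured string.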

- Create libs/ftgo-jwt/ module for JWT token utilities
- Implement JwtTokenProvider with token generation, validation, and parsing
- Implement JwtTokenRefreshService with configurable refresh threshold
- Add JwtAuthenticationFilter for Spring Security filter chain integration
- Add JwtAutoConfiguration with Spring Boot auto-configuration
- Add JwtProperties with configurable secret, expiration, issuer, header, prefix
- Add JJWT dependencies (0.12.5) to gradle/libs.versions.toml version catalog
- Add comprehensive unit tests for all JWT operations

Co-Authored-By: Alex Baker <alexandercommander453@gmail.com>
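
The "Unchecked cast in getRoles()" checklist item, as an added example (not code from this PR): because of type erasure the cast to List<String> never fails on its own, so a non-String element only surfaces later, wherever the list is first read as strings. `rolesUnchecked` is a hypothetical reconstruction of the flagged pattern and `rolesChecked` is one validating alternative; the claims map is constructed sample data and the code assumes Java 17.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class RolesClaimDemo {
    // Flagged pattern: the cast is unchecked at runtime, so bad elements pass through here.
    @SuppressWarnings("unchecked")
    static List<String> rolesUnchecked(Map<String, Object> claims) {
        return (List<String>) claims.get("roles");
    }

    // Validating alternative: reject the claim unless it is an array of strings.
    static List<String> rolesChecked(Map<String, Object> claims) {
        Object raw = claims.get("roles");
        if (raw == null) return List.of();
        if (!(raw instanceof List<?> list)) {
            throw new IllegalArgumentException("roles claim is not an array");
        }
        List<String> roles = new ArrayList<>(list.size());
        for (Object element : list) {
            if (!(element instanceof String role)) {
                throw new IllegalArgumentException("roles claim has a non-string element");
            }
            roles.add(role);
        }
        return List.copyOf(roles);
    }

    public static void main(String[] args) {
        // Constructed claims, as a JSON parser would produce for {"roles":["ADMIN",42]}
        Map<String, Object> claims = new HashMap<>();
        claims.put("roles", Arrays.asList("ADMIN", 42));

        List<String> roles = rolesUnchecked(claims); // returns without complaint
        try {
            for (String role : roles) System.out.println("role: " + role);
        } catch (ClassCastException e) {
            System.out.println("failed at use: " + e.getClass().getSimpleName());
        }
        try {
            rolesChecked(claims);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at parse: " + e.getMessage());
        }
    }
}
```
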
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

…in JJWT 0.12.x

Co-Authored-By: Alex Baker <alexandercommander453@gmail.com>