User Service
The User Service is responsible for managing user profiles and addresses in the ShopVerse platform.
It acts as the single source of truth for user-related data and is consumed by other services such as Auth Service and Order Service.
Responsibilities
The User Service handles:
- User profile creation and management
- Secure storage of user credentials (hashed passwords)
- Address management (CRUD)
- Providing user details to Auth Service (internal APIs)
- Enforcing ownership and access control for user data
Why a Separate User Service?
Separating user management from authentication ensures:
- Clear separation between identity and authentication
- Reduced security risk
- Easier data evolution (profile fields, addresses, preferences)
- Independent scaling of user-related workloads
Auth Service does not own user data; it only authenticates.
High-Level Architecture
Security Model
- Requests come through API Gateway
- Gateway injects trusted headers:
  - X-User-Email
  - X-User-Role
- User Service authenticates requests using a custom filter
- Authorization enforced via RBAC
No JWT parsing happens inside the User Service.
User Creation Flow
Data Model
User Entity
- id
- fullName
- email (unique)
- phoneNo
- password (BCrypt hashed)
- role (ADMIN / CUSTOMER)
- createdAt
- updatedAt
Address Entity
- id
- userId
- street
- city
- state
- pincode
- createdAt
Each user can have multiple addresses.
Internal APIs (Used by Auth Service)
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/internal/users/auth/{email} | Fetch user for authentication |
These endpoints are not exposed to clients.
Public APIs (via Gateway)
| Method | Endpoint | Role | Description |
|---|---|---|---|
| GET | /api/users/me | USER | Get current user profile |
| PUT | /api/users/me | USER | Update profile |
| GET | /api/users | ADMIN | Get all users |
| DELETE | /api/users/{id} | ADMIN | Delete user |
Address Management APIs
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/users/addresses | Add address |
| GET | /api/users/addresses | List addresses |
| PUT | /api/users/addresses/{id} | Update address |
| DELETE | /api/users/addresses/{id} | Delete address |
Ownership is strictly enforced using X-User-Email.
Authorization Rules
- Users can only access their own data
- Admins can access all users
- Address operations are ownership-validated
- Unauthorized access returns 403 Forbidden
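An added example of the address ownership rule above (not ShopVerse's own code): the caller is resolved only from the gateway-injected X-User-Email header and compared with the address row's userId. The class name, the sample rows, the 403 for a missing header and the 404 for an unknown address id are assumptions; records need Java 16 or later.

```java
import java.util.Map;

public class AddressOwnershipCheck {
    record User(long id, String email) {}
    record Address(long id, long userId, String city) {}

    // Constructed sample rows standing in for the user and address tables.
    static final Map<String, User> USERS = Map.of(
            "alice@example.com", new User(1, "alice@example.com"),
            "bob@example.com", new User(2, "bob@example.com"));
    static final Map<Long, Address> ADDRESSES = Map.of(
            10L, new Address(10, 1, "Pune"),
            20L, new Address(20, 2, "Delhi"));

    /**
     * Status for PUT or DELETE /api/users/addresses/{id}. The caller's identity
     * comes only from the gateway header, never from the path or request body.
     */
    static int authorize(Map<String, String> headers, long addressId) {
        String email = headers.get("X-User-Email");
        if (email == null || email.isBlank()) {
            return 403; // assumption: a request without gateway identity is refused
        }
        User caller = USERS.get(email.trim());
        if (caller == null) {
            return 404; // page: User Not Found
        }
        Address address = ADDRESSES.get(addressId);
        if (address == null) {
            return 404; // assumption: an unknown address id is reported as not found
        }
        // Ownership: the row's userId must match the user resolved from the header.
        return address.userId() == caller.id() ? 200 : 403;
    }

    public static void main(String[] args) {
        Map<String, String> alice = Map.of("X-User-Email", "alice@example.com");
        System.out.println(authorize(alice, 10));    // Alice's own address
        System.out.println(authorize(alice, 20));    // Bob's address
        System.out.println(authorize(alice, 99));    // no such address
        System.out.println(authorize(Map.of(), 10)); // gateway header missing
    }
}
```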
Key Components
- UserController → User profile APIs
- AddressController → Address APIs
- UserService → Core business logic
- AddressService → Address ownership logic
- UserRepository → JPA repository
- GatewayHeaderAuthenticationFilter → Security filter
- GlobalExceptionHandler → Standardized error responses
Failure Scenarios
User Not Found
- Returns 404 Not Found
Unauthorized Access
- Returns 403 Forbidden
Duplicate Email
- Prevented at DB & service layer
Scalability Considerations
- Stateless service
- Database indexed on email
- Can be horizontally scaled
π Scalability Considerationsβ
- Stateless service
- Database indexed on
email - Can be horizontally scaled
- Independent of Auth token logic
Testing Strategy
- Unit tests for service logic
- Integration tests for ownership checks
- Security tests for role validation
- Negative tests for unauthorized access
Summary
The User Service ensures:
- Clean separation of user data and authentication
- Secure ownership enforcement
- Centralized user management
- Scalability and maintainability
It plays a critical role in ShopVerse's security and data consistency.