Add path role inheritance

[AoElite]

This pull request enhances the ApiBuilder in Javalin to support defining default route roles for endpoint groups. The main improvement is the ability to specify roles at the group (path) level, which are then automatically applied to all endpoints defined within that group, unless overridden. This change streamlines role management for grouped routes and reduces repetitive code.

Endpoint group role management:

• Added a new overload for the path method that accepts a RouteRole... roles parameter, allowing default roles to be set for all endpoints within a group. Internally, a new routeRoleDeque is used to manage role context for nested groups. [1] [2]

Automatic role propagation to handlers:

• Updated all HTTP verb methods (get, post, put, patch, delete, head, query), so that if roles are not explicitly provided, the roles in the current group context are automatically applied. This is achieved by calling a new routeRolesInScope() helper.

These changes make it easier and less error-prone to manage security roles for grouped endpoints in Javalin applications.

[codecov]

Codecov Report

❌ Patch coverage is 74.35897% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.29%. Comparing base (edfb887) to head (81f9e78).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
...rc/main/java/io/javalin/apibuilder/ApiBuilder.java	74.35%	9 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2553      +/-   ##
============================================
- Coverage     86.39%   86.29%   -0.10%     
- Complexity     1525     1535      +10     
============================================
  Files           156      156              
  Lines          4409     4445      +36     
  Branches        537      542       +5     
============================================
+ Hits           3809     3836      +27     
- Misses          366      374       +8     
- Partials        234      235       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AoElite]

I'm not sure what Codecov is complaining about—the changes look fine to me.

Anyway, here's a usage example of the PR changes. You can still do the following:

path("/admin", () -> {
    get("/branches", adminRouter::listBranches, Role.ADMIN);
    get("/branches/{branch}", adminRouter::getBranch, Role.ADMIN);
    patch("/branches/{branch}", adminRouter::updateBranch, Role.ADMIN);
    post("/branches/{branch}/upload/{type}", adminRouter::uploadLoader, Role.ADMIN);
});

However, you can now optionally do this instead, allowing roles to be inherited from the path if any are specified:

path("/admin", () -> {
    get("/branches", adminRouter::listBranches);
    get("/branches/{branch}", adminRouter::getBranch);
    patch("/branches/{branch}", adminRouter::updateBranch);
    post("/branches/{branch}/upload/{type}", adminRouter::uploadLoader);
}, Role.ADMIN);

Makes working with roles much cleaner.

[tipsy]

augment review

[augmentcode]

🤖 Augment PR Summary

Summary: This PR adds role inheritance to Javalin’s static ApiBuilder so grouped routes can define default roles once and have them applied automatically.

Changes:

• Introduces a new path(String, EndpointGroup, RouteRole...) overload to define roles at the path-group level.
• Adds a ThreadLocal routeRoleDeque to track active role scopes across nested path(...) groups.
• Updates all HTTP verb helpers (get, post, put, patch, delete, head, query) to apply roles from the current scope when roles aren’t explicitly provided.
• Extends the same role propagation behavior to WebSockets (ws) and SSE (sse) registrations.
• Updates crud(...) registration so generated endpoints inherit the current role scope in addition to any roles passed to crud.
• Adds routeRolesInScope(...) helper to merge scoped roles with endpoint-specified roles.
• Adds a new unit test (TestApiBuilderRouteRoles) verifying inheritance and nested group composition.

Technical Notes: Path/role scope state is managed via ThreadLocal deques and is unwound using try/finally to ensure cleanup even on exceptions.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

The group-level roles are merged with any endpoint-provided roles via routeRolesInScope(...), so endpoints can add roles but can’t replace/remove inherited ones. Consider clarifying this merge/inheritance behavior in the Javadoc here to avoid confusion around “override” semantics.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

It looks like the routeRoleDeque.get().isEmpty() early-return path in routeRolesInScope(...) may be uncovered (matching the Codecov note). Consider adding a small apiBuilder test that registers a route without any surrounding path(..., roles) and asserts the resulting role set is unchanged/empty as expected.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[tipsy]

@AoElite wouldn't passing the role before the route groups read nicer?

path("/api", Role.AUTHENTICATED) {
    path("/admin", Role.ADMIN) {
        ...
    }
}

path("/api", {
    path("/admin", {
        ...
    }, Role.ADMIN)
}, Role.AUTHENTICATED)

[AoElite]

@tipsy I've made changes to align more on what you wanted. You now specify the roles before the endpoint with a collection.

[tipsy]

Thanks @AoElite !

The current approach modifies every HTTP verb method in ApiBuilder to call routeRolesInScope(), which is ~40 methods touched for a single concern. Since all verb methods funnel through staticInstance(), we could instead intercept at addEndpoint with a thin decorator around JavalinDefaultRoutingApi. Have staticInstance() return the decorator when roles are in scope, and it merges scoped roles into the Roles metadata via endpoint.withMetadata(new Roles(merged)).

Also: the PR description says endpoints can "override" inherited roles, but it seems the implementation only accumulates — an endpoint inside a scoped path always gets the parent roles plus its own. The original path() method is missing try/finally cleanup for the deque, which this PR could fix while it's in there?

[tipsy]

Looks good @AoElite, thanks !