harden user filters

src/main/java/com/petshop/backend/controller/UserController.java

@@ -27,7 +27,7 @@ public class UserController {
     @GetMapping
     public ResponseEntity<Page<UserResponse>> getAllUsers(
             @RequestParam(required = false) String q,
-            @RequestParam(required = false) User.Role role,
+            @RequestParam(required = false) String role,
             Pageable pageable) {
         return ResponseEntity.ok(userService.getAllUsers(q, role, pageable));
     }

src/main/java/com/petshop/backend/security/JwtAuthenticationFilter.java

@@ -2,6 +2,7 @@ package com.petshop.backend.security;
 
 import com.petshop.backend.entity.User;
 import com.petshop.backend.repository.UserRepository;
+import io.jsonwebtoken.JwtException;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -41,7 +42,13 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
         }
 
         jwt = authHeader.substring(7);
-        Long userId = jwtUtil.extractUserId(jwt);
+        Long userId;
+        try {
+            userId = jwtUtil.extractUserId(jwt);
+        } catch (JwtException | IllegalArgumentException ex) {
+            writeUnauthorized(response, "Invalid or expired token");
+            return;
+        }
 
         if (userId != null && SecurityContextHolder.getContext().getAuthentication() == null) {
             User user = userRepository.findById(userId).orElse(null);

src/main/java/com/petshop/backend/service/UserService.java

@@ -13,6 +13,9 @@ import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.server.ResponseStatusException;
 
+import java.util.Locale;
+
+import static org.springframework.http.HttpStatus.BAD_REQUEST;
 import static org.springframework.http.HttpStatus.CONFLICT;
 
 @Service
@@ -28,15 +31,16 @@ public class UserService {
         this.userBusinessLinkageService = userBusinessLinkageService;
     }
 
-    public Page<UserResponse> getAllUsers(String query, User.Role role, Pageable pageable) {
+    public Page<UserResponse> getAllUsers(String query, String role, Pageable pageable) {
+        User.Role parsedRole = parseRole(role);
         Page<User> users;
         boolean hasQuery = query != null && !query.trim().isEmpty();
-        if (hasQuery && role != null) {
-            users = userRepository.searchUsersByRole(query, role, pageable);
+        if (hasQuery && parsedRole != null) {
+            users = userRepository.searchUsersByRole(query, parsedRole, pageable);
         } else if (hasQuery) {
             users = userRepository.searchUsers(query, pageable);
-        } else if (role != null) {
-            users = userRepository.findByRole(role, pageable);
+        } else if (parsedRole != null) {
+            users = userRepository.findByRole(parsedRole, pageable);
         } else {
             users = userRepository.findAll(pageable);
         }
@@ -147,4 +151,16 @@ public class UserService {
         String trimmed = value.trim();
         return trimmed.isEmpty() ? null : trimmed;
     }
+
+    private User.Role parseRole(String role) {
+        String normalizedRole = trimToNull(role);
+        if (normalizedRole == null) {
+            return null;
+        }
+        try {
+            return User.Role.valueOf(normalizedRole.toUpperCase(Locale.ROOT));
+        } catch (IllegalArgumentException ex) {
+            throw new ResponseStatusException(BAD_REQUEST, "Invalid value for parameter: role");
+        }
+    }
 }