
Chapter 8: Code for checking groups in UserController#requirePermissions fails with NPE if token (that is not Basic) authentication is used

Open jumarko opened this issue 10 months ago • 1 comments

After implementing the code for adding and checking groups from the opening of Chapter 8.1, my app is failing with this NPE:

java.lang.NullPointerException: Cannot invoke "java.util.List.iterator()" because "groups" is null
	at com.manning.apisecurityinaction.controllers.UserController.lambda$requirePermissions$1(UserController.java:123)

This is because the code in the requirePermissions method doesn't account for the possibility of the request attribute "groups" not being present at all (null).

However, the implementation shown in the book only calls request.attribute("groups", ...) in UserController#authenticate. That method is solely used for Basic authentication, though (it returns very early if non-basic auth is used).

Since I'm using OAuth Token authentication (as implemented in chapter 7), it's failing for me. Did I miss something, or is it implemented later in the book? Or is it just not supposed to be used with token authentication at the moment?

jumarko, Aug 11 '23 04:08
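
The failure mode reported above, reproduced in an added, self-contained example; it is not code from the book or its repository. A plain map stands in for the request attributes, and the class, helper names and sample values are hypothetical. A missing "groups" attribute is treated as an empty list, so a token-authenticated caller is matched only on its own subject rather than triggering the NPE.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class GroupsAttributeExample {
    // Stand-in for per-request attributes (hypothetical; not the web framework's API).
    static Map<String, Object> basicAuthRequest() {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("subject", "alice");               // constructed sample values
        attrs.put("groups", List.of("devs", "ops")); // set only on the Basic path
        return attrs;
    }

    static Map<String, Object> tokenAuthRequest() {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("subject", "alice");               // token path never sets "groups"
        return attrs;
    }

    // Missing or malformed attribute => empty list, so no group-derived
    // permissions are granted and the check does not crash.
    @SuppressWarnings("unchecked")
    static List<String> groupsOf(Map<String, Object> attrs) {
        Object groups = attrs.get("groups");
        return groups instanceof List ? (List<String>) groups : List.of();
    }

    // Identities a permission lookup would match: the subject plus each group.
    static List<String> principals(Map<String, Object> attrs) {
        List<String> ids = new ArrayList<>();
        ids.add((String) attrs.get("subject"));
        ids.addAll(groupsOf(attrs));
        return ids;
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        System.out.println(principals(basicAuthRequest()));
        System.out.println(principals(tokenAuthRequest()));
        // Unguarded form: iterating the absent attribute fails as in the report.
        List<String> groups = (List<String>) tokenAuthRequest().get("groups");
        try {
            for (String g : groups) { System.out.println(g); }
        } catch (NullPointerException e) {
            System.out.println("NPE when \"groups\" is absent");
        }
    }
}
```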