fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken

Review-v2 (Sprint-0-Plan-Review-v2) blockers:
- B1: SecurityConfig chain now securityMatcher-scoped to plate-auth endpoints so it cannot hijack the consuming app's routes
- B2: removed @ComponentScan from auto-config; explicit @Import of @Configuration + @Service/@RestController classes
- B4: CORS fails closed (same-origin) when allowed-origins empty instead of defaulting to '*'
- B5: removed dead RefreshToken entity + repo; v0.1 uses stateless JWT refresh (rotation deferred to v0.3)
- W-A: documented OnboardingHook transaction contract

Verified: mvn -pl plate-auth-starter compile succeeds.
Patrick Plate
2026-06-24 20:22:36 +02:00
parent 9d314a49c6
commit b43ab5e02c
6 changed files with 117 additions and 66 deletions
@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
## [Unreleased]
### Security / Correctness — Review-v2 blockers fixed
- **B1:** `SecurityConfig` `SecurityFilterChain` is now `securityMatcher`-scoped to plate-auth's own
endpoints (`/api/auth/**`, `/api/invitations/**`, `/api/access-requests/**`, `/api/admin/**`, `/api/me`,
`/api/memberships/**`). Previously an unscoped `@Order(-100)` chain with `anyRequest().authenticated()`
would hijack the consuming app's own routes. (panel B1)
- **B2:** Removed `@ComponentScan(basePackages="de.platesoft.auth")` from `PlateAuthAutoConfiguration`
(auto-configuration anti-pattern per Spring Boot guidance). Replaced with explicit `@Import` of the
concrete `@Configuration` classes + `@Service`/`@RestController` components. (panel B2)
- **B4:** CORS now fails closed by default. Empty `plate.auth.cors.allowed-origins` disables CORS for
plate-auth endpoints (same-origin only) instead of defaulting to `allowedOriginPatterns("*")`. (panel B4)
- **B5:** Removed dead `RefreshToken` entity + `RefreshTokenRepository`. v0.1 issues stateless JWT refresh
tokens (per the documented threat model); rotation/family-tracking is deferred to v0.3. (panel B5)
- **W-A:** Documented the `OnboardingHook` transaction contract (hooks run inside the exchange
transaction; keep them fast + idempotent).
### Added
- Initial project scaffold (W1)
- Maven parent POM with `${revision}` CI-friendly versioning
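Review bot: the B1 entry hard-codes the protected path list (`/api/auth/**`, `/api/invitations/**`, `/api/access-requests/**`, `/api/admin/**`, `/api/me`, `/api/memberships/**`) in the changelog, which means the same list now lives in two places and any plate-auth controller mapped outside those patterns later will silently fall through to the consuming app's chain rather than being rejected by this one; state where the canonical list lives (a single constant the `securityMatcher` and the docs both read from) and what happens to plate-auth requests that miss it. On the B5 entry, "stateless JWT refresh tokens" with rotation/family-tracking deferred to v0.3 also implies a refresh token cannot be revoked server-side before it expires; add that consequence and the chosen refresh-token lifetime to the entry so the threat-model reference is verifiable from the changelog alone. The B4 wording "disables CORS ... (same-origin only)" is fine; consider noting that an empty list also rejects preflights, since that is the behaviour a consumer upgrading from the old `allowedOriginPatterns("*")` default will hit first.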