Patrick Plate
b43ab5e02c
fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken
Review-v2 (Sprint-0-Plan-Review-v2) blockers:
- B1: SecurityConfig chain now securityMatcher-scoped to plate-auth endpoints so it cannot hijack the consuming app's routes
- B2: removed @ComponentScan from auto-config; explicit @Import of @Configuration + @Service/@RestController classes
- B4: CORS fails closed (same-origin) when allowed-origins empty instead of defaulting to '*'
- B5: removed dead RefreshToken entity + repo; v0.1 uses stateless JWT refresh (rotation deferred to v0.3)
- W-A: documented OnboardingHook transaction contract
Verified: mvn -pl plate-auth-starter compile succeeds.
2026-06-24 20:22:36 +02:00
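The two blockers B1 and B4 above describe a filter chain that must not capture the consuming application's routes and a CORS policy that must not default to "*". The following is an added illustration of that shape, written for this page and not taken from the plate-auth-starter repository: it scopes the chain with securityMatcher and builds a CorsConfiguration that allows no origin when the configured list is empty. The path prefix /api/auth/**, the bean name, and the accessor PlateAuthProperties.getAllowedOrigins() are assumptions; the page only names POST /api/auth/exchange and the plate.auth.* namespace.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class PlateAuthSecurityConfig {

    // Assumption: all starter endpoints live under this prefix; the page only names /api/auth/exchange.
    static final String AUTH_PATHS = "/api/auth/**";

    @Bean
    @Order(-100) // evaluated before the consumer's own chains and before Boot's default chain
    SecurityFilterChain plateAuthSecurityChain(HttpSecurity http, PlateAuthProperties props) throws Exception {
        http
            // B1: requests outside AUTH_PATHS never enter this chain, so the consuming
            // app's routes keep whatever SecurityFilterChain the consumer defines.
            .securityMatcher(AUTH_PATHS)
            .csrf(AbstractHttpConfigurer::disable) // stateless bearer-token API, no cookie session to protect
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .cors(c -> c.configurationSource(corsSource(props.getAllowedOrigins()))) // accessor is assumed
            .authorizeHttpRequests(a -> a
                .requestMatchers(HttpMethod.POST, "/api/auth/exchange").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

    /**
     * B4: fail closed. With an empty origin list the CorsConfiguration has no
     * allowed origins, so CorsConfiguration.checkOrigin(...) returns null and the
     * CORS processor rejects any cross-origin request (403). Requests whose Origin
     * matches the request's own scheme/host/port, or that carry no Origin header,
     * are not CORS requests and pass through untouched.
     */
    static CorsConfigurationSource corsSource(List<String> allowedOrigins) {
        CorsConfiguration cfg = new CorsConfiguration();
        if (allowedOrigins != null && !allowedOrigins.isEmpty()) {
            cfg.setAllowedOrigins(allowedOrigins);   // exact origins only; "*" is never combined with credentials
            cfg.setAllowedMethods(List.of("POST", "OPTIONS"));
            cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
            cfg.setAllowCredentials(true);
            cfg.setMaxAge(600L);
        }
        // no else-branch: an empty configuration is the fail-closed case
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration(AUTH_PATHS, cfg);
        return source;
    }
}
```

Two things to check when wiring this into a consumer: the securityMatcher must be the first call on the HttpSecurity builder so that the authorizeHttpRequests matchers are interpreted relative to that scope, and the consumer should still define its own SecurityFilterChain for everything else, since this chain deliberately does not match those paths and Boot's default chain would otherwise apply to them.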
Patrick Plate
9d314a49c6
test(w7): greenfield consumer integration test
CI / build (push) Failing after 33s
Release / publish-maven (push) Failing after 25s
Release / publish-npm (push) Failing after 1m7s
Integration test module (it/) simulates a zero-code consumer of plate-auth-starter:
- TestConsumerApplication: minimal @SpringBootApplication
- AuthBootstrapIT: verifies all required beans are present + PermissiveOrgValidator default
- ExchangeFlowIT: full exchange flow (valid envelope → tokens, tampered sig → 401, replay → 401)
- PlateAuthFlywayMigrationIT: V1-V6 migration test (CI-only, requires Docker/Testcontainers)
Also adds:
- SecurityConfig: extracted from auto-config to separate @Configuration for proper bean ordering
- PlateAuthExceptionHandler: SecurityException → 401, IllegalArgument → 400
- PlateAuthFlywayConfig: @ConditionalOnProperty(plate.auth.flyway.enabled) for test flexibility
- @AutoConfigurationPackage for entity scanning from starter JAR
- @Order(-100) on SecurityFilterChain for priority over defaults
- CORS: allowedOriginPatterns(*) when no origins configured (dev-friendly)
All 5 tests green locally (2 Docker-dependent skipped without CI env).
v0.1.0
2026-06-24 16:11:38 +02:00
Patrick Plate
a2e4393d05
feat(w5): dual Flyway history (V1-V6)
Migrations in db/migration/auth/ with separate flyway_schema_history_auth table:
- V1: users + user_identities (with provider/subject unique constraint)
- V2: memberships (polymorphic org_type/org_id, unique per user+org)
- V3: invitations (64-char token, status lifecycle)
- V4: access_requests (requester → reviewer workflow)
- V5: Microsoft tenant_id partial index on user_identities
- V6: login_events + refresh_tokens + revinfo actor_user_id column
PlateAuthFlywayConfig runs a second Flyway bean against flyway_schema_history_auth,
independent of consumer's own flyway_schema_history. Runs at bean init (before JPA).
2026-06-24 15:48:00 +02:00
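The commit above describes a second Flyway bean that keeps its own history table next to the consumer's flyway_schema_history. The block below is an added example of that arrangement, written for this page rather than copied from PlateAuthFlywayConfig; the location db/migration/auth and the table name flyway_schema_history_auth are from the commit message, while the property name plate.auth.flyway.enabled is taken from the later w7 commit and the baseline settings are an assumption added here.

```java
import javax.sql.DataSource;

import org.flywaydb.core.Flyway;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
@ConditionalOnProperty(prefix = "plate.auth.flyway", name = "enabled", havingValue = "true", matchIfMissing = true)
public class PlateAuthFlywayConfig {

    /**
     * Runs migrate() as the bean's init method, so the auth schema is applied
     * when this bean is created rather than through Boot's Flyway auto-config
     * (which owns the consumer's flyway_schema_history).
     */
    @Bean(initMethod = "migrate")
    Flyway plateAuthFlyway(DataSource dataSource) {
        return Flyway.configure()
            .dataSource(dataSource)
            .locations("classpath:db/migration/auth")   // V1..V6 of the auth history
            .table("flyway_schema_history_auth")        // separate history table
            // Assumption added here: the consumer's schema is already non-empty
            // (it has its own tables), and Flyway refuses to migrate a non-empty
            // schema that lacks its history table. Baselining at version 0 creates
            // the auth history table and still applies V1 onward.
            .baselineOnMigrate(true)
            .baselineVersion("0")
            .validateOnMigrate(true)
            .load();
    }
}
```

Because the entity scan comes from the starter JAR, the consumer's entityManagerFactory must be created after this bean runs; Spring does not infer that dependency from the DataSource alone, so it has to be declared (for example with @DependsOn on the JPA side or a BeanFactoryPostProcessor), otherwise Hibernate schema validation can run against tables that do not exist yet.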
Patrick Plate
63c953d9b9
feat(w2): auth core entities + Google OAuth + JWT + NextAuth bridge
Extracted from InspectFlow Sprint 14.1-14.2, repackaged to de.platesoft.auth.*:
- Entities: User, UserIdentity, Membership, Invitation, AccessRequest, LoginEvent, RefreshToken
- Enums: Role, OrgType, MembershipRole, MembershipStatus, InvitationStatus, AccessRequestStatus, LoginProvider
- Services: JwtService, ExchangeService, MembershipService, LoginEventService
- Filter: JwtAuthenticationFilter
- Controller: OAuthController (POST /api/auth/exchange)
- Config: PlateAuthAutoConfiguration, PlateAuthProperties (plate.auth.* namespace)
- Repositories: all auth-related JPA repositories
- SPI: OrgValidator, OrgDisplayNameResolver, InvitationMailer, AccessRequestMailer, OnboardingHook
- SPI defaults: PermissiveOrgValidator (WARN per call), LoggingInvitationMailer,
LoggingAccessRequestMailer, DefaultOrgDisplayNameResolver, NoOpOnboardingHook
- DTOs: ExchangePayload, TokenResponse
- Security: BCrypt encoder, stateless session, CORS from PlateAuthProperties
- META-INF/spring AutoConfiguration.imports registered
All @Value refs replaced with PlateAuthProperties injection.
No references to de.platesoft.inspectflow.* remain.
2026-06-24 15:46:54 +02:00
Patrick Plate
973c82f304
feat(w1): maven skeleton + CI scaffold
- Parent POM: de.platesoft:plate-auth-parent with ${revision} CI-friendly versioning
- plate-auth-starter module: Spring Boot 4.1.0 starter deps (web, jpa, security, validation, jwt, flyway, envers)
- @platesoft/auth npm package skeleton: tsup bundler, conditional exports, TypeScript strict
- Gitea Actions: ci.yml (on push/PR) + release.yml (on v* tag)
- distributionManagement pointing to Gitea Package Registry (Maven + npm)
- Apache-2.0 LICENSE, README with quickstart, CHANGELOG, .editorconfig, .gitignore
- pnpm workspace with packages/auth
- Maven BUILD SUCCESS verified locally
2026-06-24 15:40:17 +02:00