plate-auth/CHANGELOG.md
Patrick Plate b43ab5e02c fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken
Review-v2 (Sprint-0-Plan-Review-v2) blockers:
- B1: SecurityConfig chain now securityMatcher-scoped to plate-auth endpoints so it cannot hijack the consuming app's routes
- B2: removed @ComponentScan from auto-config; explicit @Import of @Configuration + @Service/@RestController classes
- B4: CORS fails closed (same-origin) when allowed-origins empty instead of defaulting to '*'
- B5: removed dead RefreshToken entity + repo; v0.1 uses stateless JWT refresh (rotation deferred to v0.3)
- W-A: documented OnboardingHook transaction contract

Verified: mvn -pl plate-auth-starter compile succeeds.
2026-06-24 20:22:36 +02:00


# Changelog
All notable changes to this project will be documented in this file.
## [Unreleased]
### Security / Correctness — Review-v2 blockers fixed
- **B1:** `SecurityConfig` `SecurityFilterChain` is now `securityMatcher`-scoped to plate-auth's own
endpoints (`/api/auth/**`, `/api/invitations/**`, `/api/access-requests/**`, `/api/admin/**`, `/api/me`,
`/api/memberships/**`). Previously the chain was unscoped, so at `@Order(-100)` it was selected for every
request and its `anyRequest().authenticated()` rule hijacked the consuming app's own routes. (panel B1)
- **B2:** Removed `@ComponentScan(basePackages="de.platesoft.auth")` from `PlateAuthAutoConfiguration`
(auto-configuration anti-pattern per Spring Boot guidance). Replaced with explicit `@Import` of the
concrete `@Configuration` classes + `@Service`/`@RestController` components. (panel B2)
- **B4:** CORS now fails closed by default. Empty `plate.auth.cors.allowed-origins` disables CORS for
plate-auth endpoints (same-origin only) instead of defaulting to `allowedOriginPatterns("*")`. (panel B4)
- **B5:** Removed dead `RefreshToken` entity + `RefreshTokenRepository`. v0.1 issues stateless JWT refresh
tokens (per the documented threat model); rotation/family-tracking is deferred to v0.3. (panel B5)
- **W-A:** Documented the `OnboardingHook` transaction contract (hooks run inside the exchange
transaction; keep them fast + idempotent).
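The B1, B2 and B4 entries above state the shape of the fix without showing it. The following is an added example written for this page, not plate-auth's own code: a Spring Boot 3 / Spring Security 6 auto-configuration that wires a `securityMatcher`-scoped chain with CORS that fails closed when `plate.auth.cors.allowed-origins` is empty. Everything not named in the entries is assumed: the package, the class names `PlateAuthProperties` and `PlateAuthSecurityConfig` (the page only names `PlateAuthAutoConfiguration` and `SecurityConfig`), the unauthenticated `/api/auth/login` and `/api/auth/refresh` sub-paths, and the CORS method/header lists.

```java
package de.platesoft.auth.autoconfigure; // package assumed; only "de.platesoft.auth" appears on the page

import java.util.List;

import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/** B2: no @ComponentScan. Everything the starter contributes is named by class literal. */
@AutoConfiguration
@ConditionalOnClass(SecurityFilterChain.class)
@Import(PlateAuthSecurityConfig.class) // a real starter also lists its @Service/@RestController classes here
public class PlateAuthAutoConfiguration {
}

/** Binds plate.auth.cors.allowed-origins (property name from the changelog; class name assumed). */
@ConfigurationProperties(prefix = "plate.auth")
class PlateAuthProperties {
    private Cors cors = new Cors();
    public Cors getCors() { return cors; }
    public void setCors(Cors cors) { this.cors = cors; }

    public static class Cors {
        /** Empty by default, so CORS stays off until the consuming app lists origins explicitly. */
        private List<String> allowedOrigins = List.of();
        public List<String> getAllowedOrigins() { return allowedOrigins; }
        public void setAllowedOrigins(List<String> allowedOrigins) { this.allowedOrigins = allowedOrigins; }
    }
}

@Configuration(proxyBeanMethods = false)
@EnableConfigurationProperties(PlateAuthProperties.class)
class PlateAuthSecurityConfig {

    /** Paths owned by plate-auth, exactly as listed in the B1 entry. */
    static final String[] PLATE_AUTH_PATHS = {
        "/api/auth/**", "/api/invitations/**", "/api/access-requests/**",
        "/api/admin/**", "/api/me", "/api/memberships/**"
    };

    @Bean
    @Order(-100)
    SecurityFilterChain plateAuthFilterChain(HttpSecurity http, PlateAuthProperties props) throws Exception {
        http
            // B1: the chain is only selected for plate-auth's own paths. A request to, say, /orders/42
            // never reaches it and is handled by the consuming app's own chain (or Boot's default one).
            .securityMatcher(PLATE_AUTH_PATHS)
            .csrf(AbstractHttpConfigurer::disable) // bearer-token API, no cookie session to protect
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Token issuance must be reachable unauthenticated; these two paths are assumed.
                .requestMatchers("/api/auth/login", "/api/auth/refresh").permitAll()
                .anyRequest().authenticated());

        List<String> origins = props.getCors().getAllowedOrigins();
        if (origins.isEmpty()) {
            // B4: fail closed. Disabling the CorsConfigurer leaves no CorsFilter in this chain, so no
            // Access-Control-Allow-Origin header is ever emitted and the browser blocks cross-origin
            // calls (preflight included). Disabling explicitly also keeps this chain from picking up
            // a global CorsConfigurationSource bean the host app may define for its own routes.
            http.cors(AbstractHttpConfigurer::disable);
        } else {
            http.cors(cors -> cors.configurationSource(corsSource(origins)));
        }
        return http.build();
    }

    private static CorsConfigurationSource corsSource(List<String> origins) {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(origins); // exact origins only; never "*" and no allowedOriginPatterns
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(false); // the bearer token travels in a header, not in cookies
        cfg.setMaxAge(600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        for (String path : PLATE_AUTH_PATHS) {
            source.registerCorsConfiguration(path, cfg);
        }
        return source;
    }
}
```

The auto-configuration class is registered by listing its fully qualified name in `META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports`; nothing is discovered by scanning. Two checks confirm the two blockers in a consuming app: an unauthenticated request to a route outside `PLATE_AUTH_PATHS` must not get a 401 from this chain, and with `plate.auth.cors.allowed-origins` unset an `OPTIONS /api/me` preflight carrying an `Origin` header must come back without any `Access-Control-Allow-Origin` header.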
### Added
- Initial project scaffold (W1)
- Maven parent POM with `${revision}` CI-friendly versioning
- `plate-auth-starter` module skeleton
- `@platesoft/auth` npm package skeleton (tsup + ESM/CJS dual build)
- Gitea Actions CI + release pipelines
- Apache-2.0 LICENSE