fix: address PR review feedback for password history and tests

devondragon · claude · devondragon · commit 0f4ca43c53eb · 2025-09-22T19:31:51.000-06:00
- Fix password history off-by-one error in cleanUpPasswordHistory() - Keep historyCount + 1 entries to ensure proper password reuse prevention - With historyCount=3, now keeps [current, prev1, prev2, prev3] - Prevents immediate reuse of the Nth previous password - Fix UserAPIUnitTest NPE from unstubbed PasswordPolicyService mock - Add stub to return empty list (no validation errors) for all registration tests - Add Collections import for the stub return value - Ensures tests don't fail with NullPointerException on .isEmpty() call These changes address critical issues identified in code review: 1. Password history was only preventing reuse of historyCount-1 passwords 2. Unit tests were failing due to unstubbed mock returning null 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java b/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java
@@ -308,8 +308,11 @@ private void cleanUpPasswordHistory(User user) {
 		}
 
 		List<PasswordHistoryEntry> entries = passwordHistoryRepository.findByUserOrderByEntryDateDesc(user);
-		if (entries.size() > historyCount) {
-			List<PasswordHistoryEntry> toDelete = entries.subList(historyCount, entries.size());
+		// Keep historyCount + 1 entries: the current password plus historyCount previous passwords
+		// This ensures we actually prevent reuse of the last historyCount passwords
+		int maxEntries = historyCount + 1;
+		if (entries.size() > maxEntries) {
+			List<PasswordHistoryEntry> toDelete = entries.subList(maxEntries, entries.size());
 			passwordHistoryRepository.deleteAll(toDelete);
 			log.debug("Cleaned up {} old password history entries for user: {}", toDelete.size(), user.getEmail());
 		}
diff --git a/src/test/java/com/digitalsanctuary/spring/user/api/UserAPIUnitTest.java b/src/test/java/com/digitalsanctuary/spring/user/api/UserAPIUnitTest.java
@@ -46,6 +46,7 @@
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import org.springframework.http.HttpStatus;
 
+import java.util.Collections;
 import java.util.Locale;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -143,6 +144,8 @@ void registerUserAccount_success_withVerificationEmail() throws Exception {
                     .build();
 
             when(userService.registerNewUserAccount(any(UserDto.class))).thenReturn(newUser);
+            when(passwordPolicyService.validate(any(), anyString(), anyString(), any(Locale.class)))
+                    .thenReturn(Collections.emptyList());
 
             // When & Then
             MvcResult result = mockMvc.perform(post("/user/registration")
@@ -182,6 +185,8 @@ void registerUserAccount_success_withAutoLogin() throws Exception {
                     .build();
 
             when(userService.registerNewUserAccount(any(UserDto.class))).thenReturn(newUser);
+            when(passwordPolicyService.validate(any(), anyString(), anyString(), any(Locale.class)))
+                    .thenReturn(Collections.emptyList());
 
             // When & Then
             mockMvc.perform(post("/user/registration")
@@ -202,6 +207,8 @@ void registerUserAccount_userAlreadyExists() throws Exception {
             // Given
             when(userService.registerNewUserAccount(any(UserDto.class)))
                     .thenThrow(new UserAlreadyExistException("User already exists"));
+            when(passwordPolicyService.validate(any(), anyString(), anyString(), any(Locale.class)))
+                    .thenReturn(Collections.emptyList());
 
             // When & Then
             mockMvc.perform(post("/user/registration")
@@ -252,6 +259,8 @@ void registerUserAccount_unexpectedError() throws Exception {
             // Given
             when(userService.registerNewUserAccount(any(UserDto.class)))
                     .thenThrow(new RuntimeException("Database error"));
+            when(passwordPolicyService.validate(any(), anyString(), anyString(), any(Locale.class)))
+                    .thenReturn(Collections.emptyList());
 
             // When & Then
             mockMvc.perform(post("/user/registration")

Original file line number	Diff line number	Diff line change
`@@ -308,8 +308,11 @@ private void cleanUpPasswordHistory(User user) {`
`308`	`308`	`}`
`309`	`309`
`310`	`310`	`List<PasswordHistoryEntry> entries = passwordHistoryRepository.findByUserOrderByEntryDateDesc(user);`
`311`		`- if (entries.size() > historyCount) {`
`312`		`- List<PasswordHistoryEntry> toDelete = entries.subList(historyCount, entries.size());`
	`311`	`+ // Keep historyCount + 1 entries: the current password plus historyCount previous passwords`
	`312`	`+ // This ensures we actually prevent reuse of the last historyCount passwords`
	`313`	`+ int maxEntries = historyCount + 1;`
	`314`	`+ if (entries.size() > maxEntries) {`
	`315`	`+ List<PasswordHistoryEntry> toDelete = entries.subList(maxEntries, entries.size());`
`313`	`316`	`passwordHistoryRepository.deleteAll(toDelete);`
`314`	`317`	`log.debug("Cleaned up {} old password history entries for user: {}", toDelete.size(), user.getEmail());`
`315`	`318`	`}`