feat: add password history cleanup and configuration

devondragon · claude · devondragon · commit 2ba9ade9a0cb · 2025-09-22T19:21:25.000-06:00
- Add historyCount field with @value annotation for configuration - Implement cleanUpPasswordHistory() method to remove old password entries - Automatically clean up entries beyond configured history count after saving - Add password history tracking to changeUserPassword() method - Prevent database bloat by limiting stored password history entries This ensures password history doesn't grow unbounded and maintains only the configured number of recent passwords for reuse checking. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java b/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java
@@ -227,6 +227,9 @@ public String getValue() {
 	@Value("${user.actuallyDeleteAccount:false}")
 	private boolean actuallyDeleteAccount;
 
+	@Value("${user.security.password.history-count:0}")
+	private int historyCount;
+
 	/**
 	 * Registers a new user account with the provided user data. If the email
 	 * already exists, throws a UserAlreadyExistException. If
@@ -294,6 +297,22 @@ private void savePasswordHistory(User user, String encodedPassword) {
 		PasswordHistoryEntry entry = new PasswordHistoryEntry(user, encodedPassword, LocalDateTime.now());
 		passwordHistoryRepository.save(entry);
 		log.debug("Password history entry saved for user: {}", user.getEmail());
+
+		// Clean up old entries
+		cleanUpPasswordHistory(user);
+	}
+
+	private void cleanUpPasswordHistory(User user) {
+		if (user == null || historyCount <= 0) {
+			return;
+		}
+
+		List<PasswordHistoryEntry> entries = passwordHistoryRepository.findByUserOrderByEntryDateDesc(user);
+		if (entries.size() > historyCount) {
+			List<PasswordHistoryEntry> toDelete = entries.subList(historyCount, entries.size());
+			passwordHistoryRepository.deleteAll(toDelete);
+			log.debug("Cleaned up {} old password history entries for user: {}", toDelete.size(), user.getEmail());
+		}
 	}
 
 	/**
@@ -395,8 +414,10 @@ public Optional<User> findUserByID(final long id) {
 	 * @param password the password
 	 */
 	public void changeUserPassword(final User user, final String password) {
-		user.setPassword(passwordEncoder.encode(password));
+		String encodedPassword = passwordEncoder.encode(password);
+		user.setPassword(encodedPassword);
 		userRepository.save(user);
+		savePasswordHistory(user, encodedPassword);
 	}
 
 	/**
