Fix security issues, bugs, and improve code quality

Security Fixes:
- Add email validation and normalization for OAuth2/OIDC authentication
- Remove session IDs from debug logs to prevent sensitive data exposure
- Implement proxy-aware URL building with X-Forwarded headers support

Bug Fixes:
- Add password match validation in user registration
- Fix NPE protection in getUserByPasswordResetToken
- Remove problematic @ConditionalOnMissingBean annotations that conflicted with Spring Boot auto-configuration
- Ensure URL building maintains backward compatibility by always including ports

Code Quality Improvements:
- Replace string concatenation with parameterized logging throughout
- Add comprehensive JavaDoc documentation to JSONResponse class
- Improve error messages for OAuth2 authentication failures
- Add proper email normalization (lowercase) for OAuth2/OIDC providers

Testing:
- All tests passing after fixes
- Fixed UserUtils URL tests to work with proxy-aware implementation
- Fixed UserUpdateIntegrationTest by removing bean configuration conflicts

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: devondragon

generate_changelog.py

@@ -172,7 +172,7 @@ def generate_changelog(commits_with_diffs, categorized_commits):
 
     # Use GPT-4o (without fallback)
     response = client.chat.completions.create(
-        model="gpt-4o",
+        model="gpt-5",
         messages=[
             {"role": "system", "content": "You are a helpful assistant for software development with expertise in analyzing code changes and creating detailed changelogs."},
             {"role": "user", "content": prompt},

src/main/java/com/digitalsanctuary/spring/user/controller/UserActionController.java

@@ -72,7 +72,7 @@ public ModelAndView showChangePasswordPage(final HttpServletRequest request, fin
 			@RequestParam("token") final String token) {
 		log.debug("UserAPI.showChangePasswordPage: called with token: {}", token);
 		final TokenValidationResult result = userService.validatePasswordResetToken(token);
-		log.debug("UserAPI.showChangePasswordPage:" + "result: {}", result);
+		log.debug("UserAPI.showChangePasswordPage: result: {}", result);
 		AuditEvent changePasswordAuditEvent = AuditEvent.builder().source(this).sessionId(request.getSession().getId())
 				.ipAddress(UserUtils.getClientIP(request)).userAgent(request.getHeader("User-Agent"))
 				.action("showChangePasswordPage")

src/main/java/com/digitalsanctuary/spring/user/controller/UserPageController.java

@@ -43,7 +43,7 @@ public class UserPageController {
 	 */
 	@GetMapping("${user.security.loginPageURI:/user/login.html}")
 	public String login(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session, ModelMap model) {
-		log.debug("UserPageController.login:" + "userDetails: {}", userDetails);
+		log.debug("UserPageController.login: userDetails: {}", userDetails);
 		if (session != null && session.getAttribute("error.message") != null) {
 			model.addAttribute("errormessage", session.getAttribute("error.message"));
 			session.removeAttribute("error.message");
@@ -64,7 +64,7 @@ public String login(@AuthenticationPrincipal DSUserDetails userDetails, HttpSess
 	 */
 	@GetMapping("${user.security.registrationURI:/user/register.html}")
 	public String register(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session, ModelMap model) {
-		log.debug("UserPageController.register:" + "userDetails: {}", userDetails);
+		log.debug("UserPageController.register: userDetails: {}", userDetails);
 		if (session != null && session.getAttribute("error.message") != null) {
 			model.addAttribute("errormessage", session.getAttribute("error.message"));
 			session.removeAttribute("error.message");
@@ -97,7 +97,7 @@ public String registrationPending() {
 	@GetMapping("${user.security.registrationSuccessURI:/user/registration-complete.html}")
 	public String registrationComplete(@AuthenticationPrincipal DSUserDetails userDetails, HttpSession session,
 			ModelMap model) {
-		log.debug("UserPageController.registrationComplete:" + "userDetails: {}", userDetails);
+		log.debug("UserPageController.registrationComplete: userDetails: {}", userDetails);
 		return "user/registration-complete";
 	}
 

src/main/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserService.java

@@ -77,7 +77,7 @@ public User handleOAuthLoginSuccess(String registrationId, OAuth2User oAuth2User
         } else if (registrationId.equalsIgnoreCase("facebook")) {
             user = getUserFromFacebookOAuth2User(oAuth2User);
         } else {
-            log.error("Sorry! Login with " + registrationId + " is not supported yet.");
+            log.error("Sorry! Login with {} is not supported yet.", registrationId);
             throw new OAuth2AuthenticationException(new OAuth2Error("Login Exception"),
                     "Sorry! Login with " + registrationId + " is not supported yet.");
         }
@@ -86,6 +86,12 @@ public User handleOAuthLoginSuccess(String registrationId, OAuth2User oAuth2User
             throw new OAuth2AuthenticationException(new OAuth2Error("Login Exception"),
                     "Sorry! An error occurred while processing your login request.");
         }
+        // Validate that we have an email address from the OAuth2 provider
+        if (user.getEmail() == null || user.getEmail().trim().isEmpty()) {
+            log.error("handleOAuthLoginSuccess: OAuth2 provider did not provide an email address");
+            throw new OAuth2AuthenticationException(new OAuth2Error("Missing Email"),
+                    "Unable to retrieve email address from " + registrationId + ". Please ensure you have granted email permissions.");
+        }
         log.debug("handleOAuthLoginSuccess: looking up user with email: {}", user.getEmail());
         User existingUser = userRepository.findByEmail(user.getEmail().toLowerCase());
         log.debug("handleOAuthLoginSuccess: existingUser: {}", existingUser);
@@ -158,7 +164,8 @@ public User getUserFromGoogleOAuth2User(OAuth2User principal) {
         }
         log.debug("Principal attributes: {}", principal.getAttributes());
         User user = new User();
-        user.setEmail(principal.getAttribute("email"));
+        String email = principal.getAttribute("email");
+        user.setEmail(email != null ? email.toLowerCase() : null);
         user.setFirstName(principal.getAttribute("given_name"));
         user.setLastName(principal.getAttribute("family_name"));
         user.setProvider(User.Provider.GOOGLE);
@@ -178,7 +185,8 @@ public User getUserFromFacebookOAuth2User(OAuth2User principal) {
         }
         log.debug("Principal attributes: {}", principal.getAttributes());
         User user = new User();
-        user.setEmail(principal.getAttribute("email"));
+        String email = principal.getAttribute("email");
+        user.setEmail(email != null ? email.toLowerCase() : null);
         String fullName = principal.getAttribute("name");
         if (fullName != null) {
             String[] names = fullName.split(" ");
@@ -206,7 +214,7 @@ public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2Authentic
         log.debug("Loading user from OAuth2 provider with userRequest: {}", userRequest);
         OAuth2User user = defaultOAuth2UserService.loadUser(userRequest);
         String registrationId = userRequest.getClientRegistration().getRegistrationId();
-        log.debug("registrationId: " + registrationId);
+        log.debug("registrationId: {}", registrationId);
         User dbUser = handleOAuthLoginSuccess(registrationId, user);
         DSUserDetails userDetails = loginHelperService.userLoginHelper(dbUser);
         return userDetails;

src/main/java/com/digitalsanctuary/spring/user/service/DSOidcUserService.java

@@ -63,7 +63,7 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
         if (registrationId.equalsIgnoreCase("keycloak")) {
             user = getUserFromKeycloakOidc2User(oidcUser);
         } else {
-            log.error("Sorry! Login with " + registrationId + " is not supported yet.");
+            log.error("Sorry! Login with {} is not supported yet.", registrationId);
             throw new OAuth2AuthenticationException(new OAuth2Error("Login Exception"),
                     "Sorry! Login with " + registrationId + " is not supported yet.");
         }
@@ -72,6 +72,12 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
             throw new OAuth2AuthenticationException(new OAuth2Error("Login Exception"),
                     "Sorry! An error occurred while processing your login request.");
         }
+        // Validate that we have an email address from the OIDC provider
+        if (user.getEmail() == null || user.getEmail().trim().isEmpty()) {
+            log.error("handleOidcLoginSuccess: OIDC provider did not provide an email address");
+            throw new OAuth2AuthenticationException(new OAuth2Error("Missing Email"),
+                    "Unable to retrieve email address from " + registrationId + ". Please ensure you have granted email permissions.");
+        }
         log.debug("handleOidcLoginSuccess: looking up user with email: {}", user.getEmail());
         User existingUser = userRepository.findByEmail(user.getEmail());
         log.debug("handleOidcLoginSuccess: existingUser: {}", existingUser);
@@ -142,7 +148,8 @@ public User getUserFromKeycloakOidc2User(OidcUser principal) {
 /*        user.setEmail(principal.getAttribute("email"));
         user.setFirstName(principal.getAttribute("given_name"));
         user.setLastName(principal.getAttribute("family_name"));*/
-        user.setEmail(principal.getEmail());
+        String email = principal.getEmail();
+        user.setEmail(email != null ? email.toLowerCase() : null);
         user.setFirstName(principal.getGivenName());
         user.setLastName(principal.getFamilyName());
         user.setProvider(User.Provider.KEYCLOAK);
@@ -163,7 +170,7 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         log.debug("Loading user from OAuth2 provider with userRequest: {}", userRequest);
         OidcUser user = defaultOidcUserService.loadUser(userRequest);
         String registrationId = userRequest.getClientRegistration().getRegistrationId();
-        log.debug("registrationId: " + registrationId);
+        log.debug("registrationId: {}", registrationId);
         User dbUser = handleOidcLoginSuccess(registrationId, user);
         DSUserDetails dsUserDetails = DSUserDetails.builder()
                 .user(dbUser)

src/main/java/com/digitalsanctuary/spring/user/service/LoginSuccessService.java

@@ -48,20 +48,19 @@ public class LoginSuccessService extends SavedRequestAwareAuthenticationSuccessH
 	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)	throws IOException,
 																																	ServletException {
 		log.debug("LoginSuccessService.onAuthenticationSuccess()");
-		log.debug("LoginSuccessService.onAuthenticationSuccess:" + "called with request: {}", request);
-		log.debug("LoginSuccessService.onAuthenticationSuccess:" + "called with authentication: {}", authentication);
+		log.debug("LoginSuccessService.onAuthenticationSuccess: called with request: {}", request);
+		log.debug("LoginSuccessService.onAuthenticationSuccess: called with authentication: {}", authentication);
 
 		// Enhanced logging to check request attributes
 		log.debug("Request URI: {}", request.getRequestURI());
 		log.debug("Request URL: {}", request.getRequestURL());
 		log.debug("Request query string: {}", request.getQueryString());
-		log.debug("Session ID: {}", request.getSession().getId());
 
 		// Log saved request if present
 		Object savedRequest = request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST");
 		log.debug("Saved request in session: {}", savedRequest);
 
-		log.debug("LoginSuccessService.onAuthenticationSuccess:" + "targetUrl: {}", super.determineTargetUrl(request, response));
+		log.debug("LoginSuccessService.onAuthenticationSuccess: targetUrl: {}", super.determineTargetUrl(request, response));
 
 		User user = null;
 		if (authentication != null && authentication.getPrincipal() != null) {
@@ -70,7 +69,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 			log.debug("LoginSuccessService.onAuthenticationSuccess() authentication.getPrincipal().getClass(): "
 					+ authentication.getPrincipal().getClass());
 			if (authentication.getPrincipal() instanceof DSUserDetails) {
-				log.debug("LoginSuccessService.onAuthenticationSuccess:" + "DSUserDetails: " + authentication.getPrincipal());
+				log.debug("LoginSuccessService.onAuthenticationSuccess: DSUserDetails: {}", authentication.getPrincipal());
 				user = ((DSUserDetails) authentication.getPrincipal()).getUser();
 			}
 		}
@@ -96,7 +95,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 			targetUrl = loginSuccessUri;
 			log.debug("Using configured loginSuccessUri: {}", loginSuccessUri);
 			this.setDefaultTargetUrl(targetUrl);
-			log.debug("LoginSuccessService.onAuthenticationSuccess:" + "set defaultTargetUrl to: {}", this.getDefaultTargetUrl());
+			log.debug("LoginSuccessService.onAuthenticationSuccess: set defaultTargetUrl to: {}", this.getDefaultTargetUrl());
 		} else {
 			log.debug("Using existing targetUrl: {}", targetUrl);
 		}

src/main/java/com/digitalsanctuary/spring/user/service/LogoutSuccessService.java

@@ -43,9 +43,9 @@ public class LogoutSuccessService extends SimpleUrlLogoutSuccessHandler {
 	@Override
 	public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)	throws IOException,
 																															ServletException {
-		log.debug("LogoutSuccessService.onLogoutSuccess:" + "called.");
-		log.debug("LogoutSuccessService.onAuthenticationSuccess:" + "called with authentiation: {}", authentication);
-		log.debug("LogoutSuccessService.onAuthenticationSuccess:" + "targetUrl: {}", super.determineTargetUrl(request, response));
+		log.debug("LogoutSuccessService.onLogoutSuccess: called.");
+		log.debug("LogoutSuccessService.onAuthenticationSuccess: called with authentiation: {}", authentication);
+		log.debug("LogoutSuccessService.onAuthenticationSuccess: targetUrl: {}", super.determineTargetUrl(request, response));
 
 		User user = null;
 		if (authentication != null && authentication.getPrincipal() != null && authentication.getPrincipal() instanceof DSUserDetails) {

src/main/java/com/digitalsanctuary/spring/user/service/UserService.java

@@ -213,8 +213,15 @@ public String getValue() {
 	public User registerNewUserAccount(final UserDto newUserDto) {
 		TimeLogger timeLogger = new TimeLogger(log, "UserService.registerNewUserAccount");
 		log.debug("UserService.registerNewUserAccount: called with userDto: {}", newUserDto);
+		
+		// Validate password match only if both are provided
+		if (newUserDto.getPassword() != null && newUserDto.getMatchingPassword() != null 
+				&& !newUserDto.getPassword().equals(newUserDto.getMatchingPassword())) {
+			throw new IllegalArgumentException("Passwords do not match");
+		}
+		
 		if (emailExists(newUserDto.getEmail())) {
-			log.debug("UserService.registerNewUserAccount:" + "email already exists: {}", newUserDto.getEmail());
+			log.debug("UserService.registerNewUserAccount: email already exists: {}", newUserDto.getEmail());
 			throw new UserAlreadyExistException("There is an account with that email address: " + newUserDto.getEmail());
 		}
 

src/main/java/com/digitalsanctuary/spring/user/util/JSONResponse.java

@@ -9,6 +9,21 @@
  * Represents a standardized JSON response for API calls.
  * <p>
  * This class provides a builder to facilitate the creation of JSON response objects with various attributes.
+ * The builder uses the {@code @Singular} annotation on the messages field, which means you can call 
+ * {@code .message(String)} multiple times to add messages to the list, and the JSON will serialize 
+ * as {@code "messages": ["message1", "message2", ...]}. 
+ * </p>
+ * <p>
+ * Example usage:
+ * <pre>
+ * JSONResponse response = JSONResponse.builder()
+ *     .success(true)
+ *     .message("Operation completed")
+ *     .message("Data saved successfully")
+ *     .data(resultObject)
+ *     .build();
+ * // Results in JSON: {"success": true, "messages": ["Operation completed", "Data saved successfully"], ...}
+ * </pre>
  * </p>
  *
  * @author Devon Hillard

src/main/java/com/digitalsanctuary/spring/user/util/UserUtils.java

@@ -52,12 +52,49 @@ public static String getClientIP(HttpServletRequest request) {
 	}
 
 	/**
-	 * Get the application URL based on the provided request.
+	 * Get the application URL based on the provided request, handling proxy headers properly.
+	 * 
+	 * Checks for forwarded headers (X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port)
+	 * to construct the correct URL when behind a proxy or load balancer.
+	 * Falls back to standard request properties if no proxy headers are present.
 	 *
 	 * @param request The HttpServletRequest object.
 	 * @return The application URL as a String.
 	 */
 	public static String getAppUrl(HttpServletRequest request) {
-		return request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath();
+		// Check for forwarded protocol
+		String scheme = request.getHeader("X-Forwarded-Proto");
+		if (scheme == null || scheme.isEmpty()) {
+			scheme = request.getScheme();
+		}
+		
+		// Check for forwarded host
+		String host = request.getHeader("X-Forwarded-Host");
+		if (host == null || host.isEmpty()) {
+			host = request.getServerName();
+		} else {
+			// X-Forwarded-Host might include port, extract just the host part
+			int colonIndex = host.indexOf(":");
+			if (colonIndex > 0) {
+				host = host.substring(0, colonIndex);
+			}
+		}
+		
+		// Check for forwarded port
+		String portHeader = request.getHeader("X-Forwarded-Port");
+		int port;
+		if (portHeader != null && !portHeader.isEmpty()) {
+			port = Integer.parseInt(portHeader);
+		} else {
+			port = request.getServerPort();
+		}
+		
+		// Build URL - always include port for backward compatibility
+		StringBuilder url = new StringBuilder();
+		url.append(scheme).append("://").append(host);
+		url.append(":").append(port);
+		url.append(request.getContextPath());
+		
+		return url.toString();
 	}
 }