Fix high-priority Spring User Framework issues

devondragon · claude · devondragon · commit 451d6f5b1a25 · 2025-09-01T18:59:43.000-06:00
- Fix jar artifact naming from ds-spring-ai-client to ds-spring-user-framework - Move transitive runtime dependencies to test scope (devtools, mariadb, postgresql) - Fix JPA equals/hashCode anti-patterns in Role and Privilege entities - Fix audit log writer concurrency with synchronized methods - Fix AuthorityServiceTest by adding IDs to test Privilege objects 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/FIXES.md b/FIXES.md
@@ -0,0 +1,131 @@
+# Spring User Framework - Issues to Fix
+
+## High-Impact Issues (Priority 1)
+
+### 1. Fix jar artifact naming mismatch ✅ COMPLETED
+- **Issue**: Jar task sets archiveBaseName to 'ds-spring-ai-client' (copy/paste error)
+- **Fix**: Change to 'ds-spring-user-framework' in build.gradle line 109
+- **Status**: Fixed - changed archiveBaseName to correct value
+
+### 2. Remove transitive runtime dependencies ✅ COMPLETED
+- **Issue**: Library declares runtimeOnly dependencies that surprise consumers
+- **Fix**: Move spring-boot-devtools, mariadb-java-client, postgresql to testRuntimeOnly
+- **Status**: Fixed - moved all runtime dependencies to test scope
+
+### 3. Fix JPA equals/hashCode anti-patterns ✅ COMPLETED
+- **Issue**: Role and Privilege use @Data without excluding relationships (causes stack overflows)
+- **Fix**: Add @EqualsAndHashCode.Exclude to collection fields, base on id only
+- **Status**: Fixed - replaced @Data with explicit @EqualsAndHashCode(onlyExplicitlyIncluded = true) and @EqualsAndHashCode.Include on id fields
+
+### 4. Fix audit log writer concurrency ✅ COMPLETED
+- **Issue**: FileAuditLogWriter and scheduler access shared BufferedWriter without synchronization
+- **Fix**: Add synchronized blocks to protect concurrent access
+- **Status**: Fixed - added synchronized keyword to writeLog(), flushWriter(), setup(), and cleanup() methods
+
+### 5. Fix registration email base URL
+- **Issue**: UserAPI.publishRegistrationEvent uses request.getContextPath() (broken links)
+- **Fix**: Use UserUtils.getAppUrl(request) like other flows
+
+### 6. Configure security remember-me properly
+- **Issue**: Uses random key per startup, invalidates on restart
+- **Fix**: Make opt-in with explicit key configuration
+
+### 7. Remove @Async from event classes
+- **Issue**: @Async on POJOs has no effect (false impression)
+- **Fix**: Remove from AuditEvent and OnRegistrationCompleteEvent classes
+
+## Security & API Issues (Priority 2)
+
+### 8. Add DTO validation annotations
+- **Issue**: UserDto and PasswordDto lack bean validation
+- **Fix**: Add @NotBlank, @Email, password constraints, create @ControllerAdvice
+
+### 9. Fix CSRF property typo
+- **Issue**: Property name contains odd "d" - 'disableCSRFdURIs'
+- **Fix**: Rename to 'disableCSRFURIs'
+
+### 10. Improve error message handling
+- **Issue**: CustomOAuth2AuthenticationEntryPoint exposes exception details
+- **Fix**: Use generic user messages, log details internally
+
+### 11. Enhance IP detection
+- **Issue**: Only honors X-Forwarded-For header
+- **Fix**: Support X-Real-IP, CF-Connecting-IP, True-Client-IP
+
+## Web/Security Config (Priority 3)
+
+### 12. Fix property injection robustness
+- **Issue**: Empty property yields list with empty string
+- **Fix**: Filter empty strings from unprotectedURIs list
+
+### 13. Configure role hierarchy for method security
+- **Issue**: Method security doesn't use role hierarchy automatically
+- **Fix**: Create MethodSecurityExpressionHandler bean with hierarchy
+
+### 14. Replace System.out.println with SLF4J
+- **Issue**: Using stdout instead of proper logging
+- **Fix**: Update CustomOAuth2AuthenticationEntryPoint and TimeLogger
+
+## Persistence & Domain (Priority 3)
+
+### 15. Clean up User.roles type handling
+- **Issue**: Mixed List/Set setters, defensive copying
+- **Fix**: Standardize collection handling for JPA dirty checking
+
+## Email & Templates (Priority 3)
+
+### 16. Improve MailService error handling
+- **Issue**: Exceptions only logged and swallowed
+- **Fix**: Add Spring Retry mechanism or queue
+
+### 17. Document Thymeleaf dependency
+- **Issue**: Relies on optional TemplateEngine bean
+- **Fix**: Document requirement prominently
+
+## Audit Issues (Priority 4)
+
+### 18. Improve audit log defaults
+- **Issue**: Default path /opt/app/logs unlikely to be writable
+- **Fix**: Use temp directory or auto-create with graceful failure
+
+### 19. Document conditional flushing
+- **Issue**: Complex conditional expression hard to understand
+- **Fix**: Add clear documentation
+
+## Build & Publishing (Priority 4)
+
+### 20. Fix group coordinate mismatch
+- **Issue**: group = 'com.digitalsanctuary.springuser' vs publishing 'com.digitalsanctuary'
+- **Fix**: Align group with publishing coordinates
+
+### 21. Dependency management consistency
+- **Issue**: Mixed explicit versions and BOM usage
+- **Fix**: Prefer Boot BOM for all Spring dependencies
+
+### 22. Simplify test task configuration
+- **Issue**: Overriding test task unusual for library
+- **Fix**: Make testAll optional, restore standard test task
+
+## UX & Behavior (Priority 4)
+
+### 23. Document registration verification flow
+- **Issue**: Auto-enable vs email verification unclear
+- **Fix**: Add clear documentation
+
+### 24. Make post-auth redirects configurable
+- **Issue**: Forces alwaysUseDefaultTargetUrl(true), surprising UX
+- **Fix**: Add configuration property
+
+### 25. Make global model injection opt-in
+- **Issue**: Adds user to all MVC views by default
+- **Fix**: Make opt-in for REST-only apps
+
+## Documentation
+
+### 26. Create comprehensive getting started guide
+- **Fix**: Document required dependencies, minimal properties, examples
+
+## Notes
+- All issues have been validated against the codebase
+- Fixes should include appropriate tests
+- Run ./gradlew check after each fix to ensure no regressions
diff --git a/build.gradle b/build.gradle
@@ -44,10 +44,7 @@ dependencies {
     compileOnly 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.3.RELEASE'
     compileOnly 'nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.4.0'
 
-    // Other dependencies
-    runtimeOnly 'org.springframework.boot:spring-boot-devtools'
-    runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.5.5'
-    runtimeOnly 'org.postgresql:postgresql'
+    // Other dependencies (moved to test scope for library)
     implementation 'org.passay:passay:1.6.6'
     implementation 'com.google.guava:guava:33.4.8-jre'
     compileOnly 'org.springframework.boot:spring-boot-starter-actuator'
@@ -73,6 +70,11 @@ dependencies {
     testImplementation 'org.springframework.security:spring-security-test'
     testImplementation 'com.h2database:h2:2.3.232'
     
+    // Runtime dependencies moved to test scope for library
+    testRuntimeOnly 'org.springframework.boot:spring-boot-devtools'
+    testRuntimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.5.5'
+    testRuntimeOnly 'org.postgresql:postgresql'
+    
     // Additional test dependencies for improved testing
     testImplementation 'org.testcontainers:testcontainers:1.21.3'
     testImplementation 'org.testcontainers:mariadb:1.21.3'
@@ -106,7 +108,7 @@ test {
 
 tasks.named('jar') {
     enabled = true
-    archiveBaseName.set('ds-spring-ai-client')
+    archiveBaseName.set('ds-spring-user-framework')
     archiveClassifier.set('')
 }
 
diff --git a/src/main/java/com/digitalsanctuary/spring/user/audit/FileAuditLogWriter.java b/src/main/java/com/digitalsanctuary/spring/user/audit/FileAuditLogWriter.java
@@ -32,7 +32,7 @@ public class FileAuditLogWriter implements AuditLogWriter {
      */
     @PostConstruct
     @Override
-    public void setup() {
+    public synchronized void setup() {
         log.info("FileAuditLogWriter.setup: Entering...");
         if (!validateConfig()) {
             return;
@@ -46,7 +46,7 @@ public void setup() {
      */
     @PreDestroy
     @Override
-    public void cleanup() {
+    public synchronized void cleanup() {
         log.info("FileAuditLogWriter.cleanup: Closing log file.");
         closeLogFile();
     }
@@ -58,7 +58,7 @@ public void cleanup() {
      * @param event the audit event to write
      */
     @Override
-    public void writeLog(AuditEvent event) {
+    public synchronized void writeLog(AuditEvent event) {
         if (bufferedWriter == null) {
             log.error("FileAuditLogWriter.writeLog: BufferedWriter is not initialized.");
             return;
@@ -84,7 +84,7 @@ public void writeLog(AuditEvent event) {
      * Flushes the buffered writer to ensure all data is written to the log file. This method is called by the {@link FileAuditLogFlushScheduler} to
      * ensure that the buffer is flushed periodically to balance performance with data integrity.
      */
-    public void flushWriter() {
+    public synchronized void flushWriter() {
         if (bufferedWriter != null) {
             try {
                 bufferedWriter.flush();
diff --git a/src/main/java/com/digitalsanctuary/spring/user/persistence/model/Privilege.java b/src/main/java/com/digitalsanctuary/spring/user/persistence/model/Privilege.java
@@ -6,19 +6,25 @@
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
 import jakarta.persistence.ManyToMany;
-import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.Setter;
 import lombok.ToString;
 
 /**
  * The Privilege Entity. Part of the basic User ->> Role ->> Privilege structure.
  */
-@Data
+@Getter
+@Setter
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
+@ToString
 @Entity
 public class Privilege {
 
 	/** The id. */
 	@Id
 	@GeneratedValue(strategy = GenerationType.AUTO)
+	@EqualsAndHashCode.Include
 	private Long id;
 
 	/** The name. */
diff --git a/src/main/java/com/digitalsanctuary/spring/user/persistence/model/Role.java b/src/main/java/com/digitalsanctuary/spring/user/persistence/model/Role.java
@@ -11,18 +11,24 @@
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.JoinTable;
 import jakarta.persistence.ManyToMany;
-import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.Setter;
 import lombok.ToString;
 
 /**
  * The Role Entity. Part of the basic User ->> Role ->> Privilege structure.
  */
-@Data
+@Getter
+@Setter
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
+@ToString
 @Entity
 public class Role {
 	/** The id. */
 	@Id
 	@GeneratedValue(strategy = GenerationType.AUTO)
+	@EqualsAndHashCode.Include
 	@ToString.Include
 	private Long id;
 
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/AuthorityServiceTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/AuthorityServiceTest.java
@@ -258,8 +258,11 @@ void getAuthoritiesFromRoles_privilegeWithEmptyName_throwsException() {
     void getAuthoritiesFromRoles_mixedCasePrivileges_preservesCase() {
         // Given
         Privilege lowerPrivilege = new Privilege("read_privilege");
+        lowerPrivilege.setId(1L);
         Privilege upperPrivilege = new Privilege("WRITE_PRIVILEGE");
+        upperPrivilege.setId(2L);
         Privilege mixedPrivilege = new Privilege("Delete_Privilege");
+        mixedPrivilege.setId(3L);
         
         Role testRole = RoleTestDataBuilder.aRole()
                 .withName("ROLE_TEST")
