Fix code review issues and improve security

- Fix NPE in getUserByPasswordResetToken by adding null checks
- Normalize emails to lowercase for consistent database lookups
- Fix MailService to use consistent constructor injection
- Add @ToString.Exclude to password fields to prevent logging sensitive data
- Add password match validation with custom annotation @PasswordMatches
- Update configuration metadata with correct types and missing properties
- Add comprehensive tests for password validation

These changes improve null safety, prevent sensitive data exposure in logs,
ensure data consistency, and provide better IDE support through corrected
configuration metadata.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: devondragon

build.gradle

@@ -69,6 +69,7 @@ dependencies {
     testImplementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
     testImplementation 'org.springframework.security:spring-security-test'
     testImplementation 'org.springframework.retry:spring-retry'
+    testImplementation 'jakarta.validation:jakarta.validation-api:3.1.1'
     testImplementation 'com.h2database:h2:2.3.232'
 
     // Runtime dependencies moved to test scope for library

src/main/java/com/digitalsanctuary/spring/user/dto/PasswordDto.java

@@ -3,6 +3,7 @@
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Size;
 import lombok.Data;
+import lombok.ToString;
 
 /**
  * A new password dto. This object is used for password form actions (change password, forgot password token, save
@@ -12,10 +13,12 @@
 public class PasswordDto {
 
 	/** The old password. */
+	@ToString.Exclude
 	@NotBlank(message = "Current password is required")
 	private String oldPassword;
 
 	/** The new password. */
+	@ToString.Exclude
 	@NotBlank(message = "New password is required")
 	@Size(min = 8, max = 128, message = "Password must be between 8 and 128 characters")
 	private String newPassword;

src/main/java/com/digitalsanctuary/spring/user/dto/UserDto.java

@@ -1,15 +1,18 @@
 package com.digitalsanctuary.spring.user.dto;
 
+import com.digitalsanctuary.spring.user.validation.PasswordMatches;
 import jakarta.validation.constraints.Email;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Size;
 import lombok.Data;
+import lombok.ToString;
 
 /**
  * A user dto. This object is used for handling user related form data (registration, forms passing in email addresses,
  * etc...).
  */
 @Data
+@PasswordMatches
 public class UserDto {
 
 	/** The first name. */
@@ -23,11 +26,13 @@ public class UserDto {
 	private String lastName;
 
 	/** The password. */
+	@ToString.Exclude
 	@NotBlank(message = "Password is required")
 	@Size(min = 8, max = 128, message = "Password must be between 8 and 128 characters")
 	private String password;
 
 	/** The matching password. */
+	@ToString.Exclude
 	@NotBlank(message = "Password confirmation is required")
 	private String matchingPassword;
 

src/main/java/com/digitalsanctuary/spring/user/mail/MailService.java

@@ -1,7 +1,6 @@
 package com.digitalsanctuary.spring.user.mail;
 
 import java.util.Map;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.mail.MailException;
 import org.springframework.mail.javamail.JavaMailSender;
@@ -24,23 +23,24 @@
 public class MailService {
 
 	/** The mail sender. */
-	private JavaMailSender mailSender;
+	private final JavaMailSender mailSender;
+
+	/** The mail content builder. */
+	private final MailContentBuilder mailContentBuilder;
 
 	/** The from address. */
 	@Value("${user.mail.fromAddress}")
 	private String fromAddress;
 
-	/** The mail content builder. */
-	@Autowired
-	MailContentBuilder mailContentBuilder;
-
 	/**
 	 * Instantiates a new mail service.
 	 *
 	 * @param mailSender the mail sender
+	 * @param mailContentBuilder the mail content builder
 	 */
-	public MailService(JavaMailSender mailSender) {
+	public MailService(JavaMailSender mailSender, MailContentBuilder mailContentBuilder) {
 		this.mailSender = mailSender;
+		this.mailContentBuilder = mailContentBuilder;
 	}
 
 	/**

src/main/java/com/digitalsanctuary/spring/user/service/UserService.java

@@ -223,7 +223,7 @@ public User registerNewUserAccount(final UserDto newUserDto) {
 		user.setFirstName(newUserDto.getFirstName());
 		user.setLastName(newUserDto.getLastName());
 		user.setPassword(passwordEncoder.encode(newUserDto.getPassword()));
-		user.setEmail(newUserDto.getEmail());
+		user.setEmail(newUserDto.getEmail().toLowerCase());
 		user.setRoles(Arrays.asList(roleRepository.findByName(USER_ROLE_NAME)));
 
 		// If we are not sending a verification email
@@ -295,7 +295,10 @@ public void deleteOrDisableUser(final User user) {
 	 * @return the user
 	 */
 	public User findUserByEmail(final String email) {
-		return userRepository.findByEmail(email);
+		if (email == null) {
+			return null;
+		}
+		return userRepository.findByEmail(email.toLowerCase());
 	}
 
 	/**
@@ -315,7 +318,14 @@ public PasswordResetToken getPasswordResetToken(final String token) {
 	 * @return the user by password reset token
 	 */
 	public Optional<User> getUserByPasswordResetToken(final String token) {
-		return Optional.ofNullable(passwordTokenRepository.findByToken(token).getUser());
+		if (token == null) {
+			return Optional.empty();
+		}
+		PasswordResetToken passwordResetToken = passwordTokenRepository.findByToken(token);
+		if (passwordResetToken == null) {
+			return Optional.empty();
+		}
+		return Optional.ofNullable(passwordResetToken.getUser());
 	}
 
 	/**

src/main/java/com/digitalsanctuary/spring/user/validation/PasswordMatches.java

@@ -0,0 +1,41 @@
+package com.digitalsanctuary.spring.user.validation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import jakarta.validation.Constraint;
+import jakarta.validation.Payload;
+
+/**
+ * Validation annotation to verify that the password and matchingPassword fields match.
+ * This is a class-level constraint that should be applied to DTOs containing password confirmation fields.
+ */
+@Target({ElementType.TYPE, ElementType.ANNOTATION_TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Constraint(validatedBy = PasswordMatchesValidator.class)
+@Documented
+public @interface PasswordMatches {
+    
+    /**
+     * The error message to display when passwords do not match.
+     * 
+     * @return the error message
+     */
+    String message() default "Passwords do not match";
+    
+    /**
+     * Validation groups.
+     * 
+     * @return the groups
+     */
+    Class<?>[] groups() default {};
+    
+    /**
+     * Additional payload data.
+     * 
+     * @return the payload
+     */
+    Class<? extends Payload>[] payload() default {};
+}

src/main/java/com/digitalsanctuary/spring/user/validation/PasswordMatchesValidator.java

@@ -0,0 +1,47 @@
+package com.digitalsanctuary.spring.user.validation;
+
+import com.digitalsanctuary.spring.user.dto.UserDto;
+import jakarta.validation.ConstraintValidator;
+import jakarta.validation.ConstraintValidatorContext;
+
+/**
+ * Validator implementation for the PasswordMatches constraint.
+ * Validates that the password and matchingPassword fields in a UserDto are equal.
+ */
+public class PasswordMatchesValidator implements ConstraintValidator<PasswordMatches, Object> {
+    
+    /**
+     * Initializes the validator.
+     * 
+     * @param constraintAnnotation the annotation instance
+     */
+    @Override
+    public void initialize(PasswordMatches constraintAnnotation) {
+        // No initialization needed
+    }
+    
+    /**
+     * Validates that the password and matchingPassword fields match.
+     * 
+     * @param obj the object to validate
+     * @param context the constraint validator context
+     * @return true if the passwords match or if either field is null (to allow other validators to handle null checks),
+     *         false otherwise
+     */
+    @Override
+    public boolean isValid(Object obj, ConstraintValidatorContext context) {
+        if (!(obj instanceof UserDto)) {
+            // If not a UserDto, consider it valid (this validator doesn't apply)
+            return true;
+        }
+        
+        UserDto user = (UserDto) obj;
+        
+        // If either password is null, let the @NotBlank validators handle it
+        if (user.getPassword() == null || user.getMatchingPassword() == null) {
+            return true;
+        }
+        
+        return user.getPassword().equals(user.getMatchingPassword());
+    }
+}