feat(dev): add DevLoginAutoConfiguration for local development

Add a reusable dev-login auto-configuration so consuming apps don't
need to write boilerplate dev-login controllers. The feature is guarded
by both @Profile("local") and @ConditionalOnProperty to ensure it can
never activate in production.

- DevLoginConfigProperties: user.dev.auto-login-enabled, login-redirect-url
- DevLoginController: GET /dev/login-as/{email}, GET /dev/users
- DevLoginStartupWarning: WARN banner on startup when active
- WebSecurityConfig: conditionally add /dev/** to unprotected and
  CSRF-ignored URIs
- Property defaults in dsspringuserconfig.properties
- Unit tests (DevLoginControllerTest)
- Integration tests (DevLoginIntegrationTest, DevLoginDisabledTest)

Relates to #260

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginConfigProperties.java

@@ -0,0 +1,35 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.stereotype.Component;
+import lombok.Data;
+
+/**
+ * Configuration properties for the dev login feature.
+ * <p>
+ * This enables a quick "login as" endpoint for local development, removing the need
+ * for consuming applications to write boilerplate dev-login controllers.
+ * </p>
+ * <p>
+ * <strong>SECURITY WARNING:</strong> This feature should only be enabled in local/dev
+ * environments. It allows authentication without a password via a simple GET request.
+ * </p>
+ */
+@Data
+@Component
+@PropertySource("classpath:config/dsspringuserconfig.properties")
+@ConfigurationProperties(prefix = "user.dev")
+public class DevLoginConfigProperties {
+
+    /**
+     * Whether the dev auto-login feature is enabled. Defaults to false.
+     * Must be explicitly set to true AND the "local" profile must be active.
+     */
+    private boolean autoLoginEnabled = false;
+
+    /**
+     * The URL to redirect to after a successful dev login. Defaults to "/".
+     */
+    private String loginRedirectUrl = "/";
+}

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginController.java

@@ -0,0 +1,94 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.stream.Collectors;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Profile;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
+import com.digitalsanctuary.spring.user.service.UserService;
+import com.digitalsanctuary.spring.user.util.JSONResponse;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Development-only controller providing quick login-as functionality.
+ * <p>
+ * This controller is only active when the "local" Spring profile is active AND
+ * {@code user.dev.auto-login-enabled} is set to {@code true}. It allows developers
+ * to quickly switch between user accounts without entering passwords.
+ * </p>
+ * <p>
+ * <strong>SECURITY WARNING:</strong> This controller must NEVER be enabled in
+ * production environments. It bypasses all password authentication.
+ * </p>
+ */
+@Slf4j
+@RestController
+@RequestMapping("/dev")
+@RequiredArgsConstructor
+@Profile("local")
+@ConditionalOnProperty(name = "user.dev.auto-login-enabled", havingValue = "true", matchIfMissing = false)
+public class DevLoginController {
+
+    private final UserService userService;
+    private final UserRepository userRepository;
+    private final DevLoginConfigProperties devLoginConfigProperties;
+
+    /**
+     * Logs in as the specified user by email without requiring a password.
+     * After successful authentication, redirects to the configured redirect URL.
+     *
+     * @param email    the email of the user to log in as
+     * @param response the HTTP servlet response for redirect
+     * @return a ResponseEntity with error details if authentication fails
+     * @throws IOException if the redirect fails
+     */
+    @GetMapping("/login-as/{email}")
+    public ResponseEntity<JSONResponse> loginAs(@PathVariable String email, HttpServletResponse response)
+            throws IOException {
+        log.warn("Dev login attempt for user: {}", email);
+
+        User user = userService.findUserByEmail(email);
+        if (user == null) {
+            log.warn("Dev login failed: user not found for email: {}", email);
+            return ResponseEntity.status(HttpStatus.NOT_FOUND)
+                    .body(JSONResponse.builder().success(false).message("User not found: " + email).code(404).build());
+        }
+
+        if (!user.isEnabled()) {
+            log.warn("Dev login failed: user is disabled: {}", email);
+            return ResponseEntity.status(HttpStatus.FORBIDDEN)
+                    .body(JSONResponse.builder().success(false).message("User is disabled: " + email).code(403)
+                            .build());
+        }
+
+        userService.authWithoutPassword(user);
+        log.warn("Dev login successful for user: {}", email);
+
+        response.sendRedirect(devLoginConfigProperties.getLoginRedirectUrl());
+        return null;
+    }
+
+    /**
+     * Lists all enabled user emails available for dev login.
+     *
+     * @return a JSONResponse containing the list of enabled user emails
+     */
+    @GetMapping("/users")
+    public ResponseEntity<JSONResponse> listUsers() {
+        List<String> enabledEmails = userRepository.findAll().stream().filter(User::isEnabled).map(User::getEmail)
+                .collect(Collectors.toList());
+
+        return ResponseEntity.ok(JSONResponse.builder().success(true).message("Found " + enabledEmails.size()
+                + " enabled users").data(enabledEmails).build());
+    }
+}

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginStartupWarning.java

@@ -0,0 +1,27 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Component;
+import jakarta.annotation.PostConstruct;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Logs a prominent warning on startup when the dev login feature is active.
+ * This ensures developers are aware that passwordless authentication is enabled.
+ */
+@Slf4j
+@Component
+@Profile("local")
+@ConditionalOnProperty(name = "user.dev.auto-login-enabled", havingValue = "true", matchIfMissing = false)
+public class DevLoginStartupWarning {
+
+    @PostConstruct
+    public void logWarning() {
+        log.warn("========================================================");
+        log.warn("  DEV LOGIN IS ACTIVE");
+        log.warn("  Passwordless authentication is enabled at /dev/login-as/{{email}}");
+        log.warn("  DO NOT enable this in production!");
+        log.warn("========================================================");
+    }
+}

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -113,6 +113,9 @@ public class WebSecurityConfig {
 	@Value("${user.security.rememberMe.key:#{null}}")
 	private String rememberMeKey;
 
+	@Value("${user.dev.auto-login-enabled:false}")
+	private boolean devAutoLoginEnabled;
+
 	private final UserDetailsService userDetailsService;
 	private final LoginSuccessService loginSuccessService;
 	private final LogoutSuccessService logoutSuccessService;
@@ -149,9 +152,13 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 
 		// If we have URIs to disable CSRF validation on, do so here
 		String[] disableCSRFURIsArray = getDisableCSRFURIsArray();
-		if (disableCSRFURIsArray.length > 0) {
+		List<String> csrfIgnoreList = new ArrayList<>(Arrays.asList(disableCSRFURIsArray));
+		if (devAutoLoginEnabled) {
+			csrfIgnoreList.add("/dev/**");
+		}
+		if (!csrfIgnoreList.isEmpty()) {
 			http.csrf(csrf -> {
-				csrf.ignoringRequestMatchers(disableCSRFURIsArray);
+				csrf.ignoringRequestMatchers(csrfIgnoreList.toArray(new String[0]));
 			});
 		}
 
@@ -257,6 +264,9 @@ private List<String> getUnprotectedURIsList() {
 		unprotectedURIs.add(registrationSuccessURI);
 		unprotectedURIs.add(forgotPasswordPendingURI);
 		unprotectedURIs.add(forgotPasswordChangeURI);
+		if (devAutoLoginEnabled) {
+			unprotectedURIs.add("/dev/**");
+		}
 		unprotectedURIs.removeAll(Collections.emptyList());
 		return unprotectedURIs;
 	}

src/main/resources/config/dsspringuserconfig.properties

@@ -124,6 +124,11 @@ user.security.password.history-count=3
 # Percentage of similarity allowed with username/email
 user.security.password.similarity-threshold=70
 
+# Dev Login Configuration (disabled by default; opt-in feature for local development only)
+# When enabled with the "local" profile, provides /dev/login-as/{email} for passwordless dev login.
+user.dev.auto-login-enabled=false
+user.dev.login-redirect-url=/
+
 # WebAuthn / Passkey Configuration (disabled by default; opt-in feature)
 user.webauthn.enabled=false
 user.webauthn.rpId=localhost

src/test/java/com/digitalsanctuary/spring/user/dev/DevLoginControllerTest.java

@@ -0,0 +1,121 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import java.util.Arrays;
+import java.util.List;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
+import com.digitalsanctuary.spring.user.service.UserService;
+import com.digitalsanctuary.spring.user.test.annotations.ServiceTest;
+import com.digitalsanctuary.spring.user.test.builders.UserTestDataBuilder;
+import com.digitalsanctuary.spring.user.util.JSONResponse;
+import jakarta.servlet.http.HttpServletResponse;
+
+@ServiceTest
+class DevLoginControllerTest {
+
+    @Mock
+    private UserService userService;
+
+    @Mock
+    private UserRepository userRepository;
+
+    @Mock
+    private DevLoginConfigProperties devLoginConfigProperties;
+
+    @InjectMocks
+    private DevLoginController devLoginController;
+
+    private User enabledUser;
+    private User disabledUser;
+
+    @BeforeEach
+    void setUp() {
+        enabledUser = UserTestDataBuilder.aUser().withEmail("dev@test.com").verified().build();
+        disabledUser = UserTestDataBuilder.aUser().withEmail("disabled@test.com").disabled().build();
+    }
+
+    @Test
+    @DisplayName("loginAs - should authenticate and redirect for valid enabled user")
+    void shouldAuthenticateAndRedirectWhenValidUser() throws Exception {
+        // Given
+        when(userService.findUserByEmail("dev@test.com")).thenReturn(enabledUser);
+        when(devLoginConfigProperties.getLoginRedirectUrl()).thenReturn("/dashboard");
+        HttpServletResponse response = mock(HttpServletResponse.class);
+
+        // When
+        ResponseEntity<JSONResponse> result = devLoginController.loginAs("dev@test.com", response);
+
+        // Then
+        verify(userService).authWithoutPassword(enabledUser);
+        verify(response).sendRedirect("/dashboard");
+        assertThat(result).isNull();
+    }
+
+    @Test
+    @DisplayName("loginAs - should return 404 for unknown user")
+    void shouldReturn404WhenUserNotFound() throws Exception {
+        // Given
+        when(userService.findUserByEmail("unknown@test.com")).thenReturn(null);
+        HttpServletResponse response = mock(HttpServletResponse.class);
+
+        // When
+        ResponseEntity<JSONResponse> result = devLoginController.loginAs("unknown@test.com", response);
+
+        // Then
+        assertThat(result).isNotNull();
+        assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
+        assertThat(result.getBody()).isNotNull();
+        assertThat(result.getBody().isSuccess()).isFalse();
+        verify(userService, never()).authWithoutPassword(any());
+    }
+
+    @Test
+    @DisplayName("loginAs - should return 403 for disabled user")
+    void shouldReturn403WhenUserDisabled() throws Exception {
+        // Given
+        when(userService.findUserByEmail("disabled@test.com")).thenReturn(disabledUser);
+        HttpServletResponse response = mock(HttpServletResponse.class);
+
+        // When
+        ResponseEntity<JSONResponse> result = devLoginController.loginAs("disabled@test.com", response);
+
+        // Then
+        assertThat(result).isNotNull();
+        assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+        assertThat(result.getBody()).isNotNull();
+        assertThat(result.getBody().isSuccess()).isFalse();
+        verify(userService, never()).authWithoutPassword(any());
+    }
+
+    @Test
+    @DisplayName("listUsers - should return enabled user emails")
+    void shouldReturnEnabledUserEmails() {
+        // Given
+        List<User> allUsers = Arrays.asList(enabledUser, disabledUser);
+        when(userRepository.findAll()).thenReturn(allUsers);
+
+        // When
+        ResponseEntity<JSONResponse> result = devLoginController.listUsers();
+
+        // Then
+        assertThat(result.getStatusCode()).isEqualTo(HttpStatus.OK);
+        assertThat(result.getBody()).isNotNull();
+        assertThat(result.getBody().isSuccess()).isTrue();
+        @SuppressWarnings("unchecked")
+        List<String> emails = (List<String>) result.getBody().getData();
+        assertThat(emails).containsExactly("dev@test.com");
+    }
+}

src/test/java/com/digitalsanctuary/spring/user/dev/DevLoginDisabledTest.java

@@ -0,0 +1,50 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.web.servlet.MockMvc;
+import com.digitalsanctuary.spring.user.test.annotations.IntegrationTest;
+
+@IntegrationTest
+@TestPropertySource(properties = "user.dev.auto-login-enabled=false")
+@DisplayName("Dev Login Disabled Integration Tests")
+class DevLoginDisabledTest {
+
+    @Autowired
+    private ApplicationContext applicationContext;
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @Test
+    @DisplayName("should NOT register DevLoginController when disabled")
+    void shouldNotRegisterDevLoginControllerBean() {
+        assertThat(applicationContext.getBeanNamesForType(DevLoginController.class)).isEmpty();
+    }
+
+    @Test
+    @DisplayName("should NOT register DevLoginStartupWarning when disabled")
+    void shouldNotRegisterDevLoginStartupWarningBean() {
+        assertThat(applicationContext.getBeanNamesForType(DevLoginStartupWarning.class)).isEmpty();
+    }
+
+    @Test
+    @DisplayName("should not allow access to dev login endpoint when disabled")
+    void shouldNotAllowAccessToDevLoginEndpoint() throws Exception {
+        // When disabled, the /dev/** paths are not added to the unprotected list,
+        // so with defaultAction=deny they require authentication (302 redirect to login)
+        mockMvc.perform(get("/dev/login-as/user@test.com")).andExpect(status().is3xxRedirection());
+    }
+
+    @Test
+    @DisplayName("should not allow access to dev users endpoint when disabled")
+    void shouldNotAllowAccessToDevUsersEndpoint() throws Exception {
+        mockMvc.perform(get("/dev/users")).andExpect(status().is3xxRedirection());
+    }
+}