fix(review): address PR #262 review feedback

Security:
- WebSecurityConfig now checks environment.matchesProfiles("local")
  before adding /dev/** to unprotected and CSRF-ignored URIs, matching
  the controller's own @Profile("local") guard

Code quality:
- DevLoginController: replace sendRedirect()+null return with
  ResponseEntity.status(FOUND).header("Location", ...) — cleaner,
  no IOException, no HttpServletResponse dependency
- DevLoginController: use UserRepository.findAllByEnabledTrue() instead
  of findAll().filter() to filter at the database level
- DevLoginController: use .toList() instead of Collectors.toList()
- WebSecurityConfig: rename disableCSRFURIsArray → baseDisableCSRFURIs
- DevLoginStartupWarning: fix {{email}} typo → {email} in log message

Tests:
- UserServiceTest: remove dead authCaptor variable
- DevLoginControllerTest: update for new loginAs() signature
- DevLoginControllerTest: update listUsers() to use findAllByEnabledTrue()
- DevLoginIntegrationTest: strengthen shouldListEnabledUsers() to assert
  email content, not just array type

Deferred (follow-up issue): DevLoginConfigProperties registered via
@component; architectural consistency with WebAuthnConfigProperties
needs a broader discussion before changing.

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginController.java

@@ -1,8 +1,6 @@
 package com.digitalsanctuary.spring.user.dev;
 
-import java.io.IOException;
 import java.util.List;
-import java.util.stream.Collectors;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Profile;
 import org.springframework.http.HttpStatus;
@@ -15,7 +13,6 @@
 import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
 import com.digitalsanctuary.spring.user.service.UserService;
 import com.digitalsanctuary.spring.user.util.JSONResponse;
-import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 
@@ -45,16 +42,13 @@ public class DevLoginController {
 
     /**
      * Logs in as the specified user by email without requiring a password.
-     * After successful authentication, redirects to the configured redirect URL.
+     * After successful authentication, returns a redirect response to the configured URL.
      *
-     * @param email    the email of the user to log in as
-     * @param response the HTTP servlet response for redirect
-     * @return a ResponseEntity with error details if authentication fails
-     * @throws IOException if the redirect fails
+     * @param email the email of the user to log in as
+     * @return a redirect response on success, or an error response with 404/403 status
      */
     @GetMapping("/login-as/{email}")
-    public ResponseEntity<JSONResponse> loginAs(@PathVariable String email, HttpServletResponse response)
-            throws IOException {
+    public ResponseEntity<JSONResponse> loginAs(@PathVariable String email) {
         log.warn("Dev login attempt for user: {}", email);
 
         User user = userService.findUserByEmail(email);
@@ -74,8 +68,9 @@ public ResponseEntity<JSONResponse> loginAs(@PathVariable String email, HttpServ
         userService.authWithoutPassword(user);
         log.warn("Dev login successful for user: {}", email);
 
-        response.sendRedirect(devLoginConfigProperties.getLoginRedirectUrl());
-        return null;
+        return ResponseEntity.status(HttpStatus.FOUND)
+                .header("Location", devLoginConfigProperties.getLoginRedirectUrl())
+                .build();
     }
 
     /**
@@ -85,10 +80,11 @@ public ResponseEntity<JSONResponse> loginAs(@PathVariable String email, HttpServ
      */
     @GetMapping("/users")
     public ResponseEntity<JSONResponse> listUsers() {
-        List<String> enabledEmails = userRepository.findAll().stream().filter(User::isEnabled).map(User::getEmail)
-                .collect(Collectors.toList());
+        List<String> enabledEmails = userRepository.findAllByEnabledTrue().stream()
+                .map(User::getEmail)
+                .toList();
 
-        return ResponseEntity.ok(JSONResponse.builder().success(true).message("Found " + enabledEmails.size()
-                + " enabled users").data(enabledEmails).build());
+        return ResponseEntity.ok(JSONResponse.builder().success(true)
+                .message("Found " + enabledEmails.size() + " enabled users").data(enabledEmails).build());
     }
 }

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginStartupWarning.java

@@ -20,7 +20,7 @@ public class DevLoginStartupWarning {
     public void logWarning() {
         log.warn("========================================================");
         log.warn("  DEV LOGIN IS ACTIVE");
-        log.warn("  Passwordless authentication is enabled at /dev/login-as/{{email}}");
+        log.warn("  Passwordless authentication is enabled at /dev/login-as/{email}");
         log.warn("  DO NOT enable this in production!");
         log.warn("========================================================");
     }

src/main/java/com/digitalsanctuary/spring/user/persistence/repository/UserRepository.java

@@ -1,5 +1,6 @@
 package com.digitalsanctuary.spring.user.persistence.repository;
 
+import java.util.List;
 import org.springframework.data.jpa.repository.JpaRepository;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 
@@ -16,6 +17,13 @@ public interface UserRepository extends JpaRepository<User, Long> {
 	 */
 	User findByEmail(String email);
 
+	/**
+	 * Find all enabled users.
+	 *
+	 * @return list of enabled users
+	 */
+	List<User> findAllByEnabledTrue();
+
 	/**
 	 * Delete.
 	 *

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -10,6 +10,7 @@
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -123,6 +124,7 @@ public class WebSecurityConfig {
 	private final DSOAuth2UserService dsOAuth2UserService;
 	private final DSOidcUserService dsOidcUserService;
 	private final WebAuthnConfigProperties webAuthnConfigProperties;
+	private final Environment environment;
 
 	/**
 	 *
@@ -151,9 +153,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 				.deleteCookies("JSESSIONID"));
 
 		// If we have URIs to disable CSRF validation on, do so here
-		String[] disableCSRFURIsArray = getDisableCSRFURIsArray();
-		List<String> csrfIgnoreList = new ArrayList<>(Arrays.asList(disableCSRFURIsArray));
-		if (devAutoLoginEnabled) {
+		String[] baseDisableCSRFURIs = getDisableCSRFURIsArray();
+		List<String> csrfIgnoreList = new ArrayList<>(Arrays.asList(baseDisableCSRFURIs));
+		if (devAutoLoginEnabled && environment.matchesProfiles("local")) {
 			csrfIgnoreList.add("/dev/**");
 		}
 		if (!csrfIgnoreList.isEmpty()) {
@@ -264,7 +266,7 @@ private List<String> getUnprotectedURIsList() {
 		unprotectedURIs.add(registrationSuccessURI);
 		unprotectedURIs.add(forgotPasswordPendingURI);
 		unprotectedURIs.add(forgotPasswordChangeURI);
-		if (devAutoLoginEnabled) {
+		if (devAutoLoginEnabled && environment.matchesProfiles("local")) {
 			unprotectedURIs.add("/dev/**");
 		}
 		unprotectedURIs.removeAll(Collections.emptyList());

src/test/java/com/digitalsanctuary/spring/user/dev/DevLoginControllerTest.java

@@ -2,7 +2,6 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -21,7 +20,6 @@
 import com.digitalsanctuary.spring.user.test.annotations.ServiceTest;
 import com.digitalsanctuary.spring.user.test.builders.UserTestDataBuilder;
 import com.digitalsanctuary.spring.user.util.JSONResponse;
-import jakarta.servlet.http.HttpServletResponse;
 
 @ServiceTest
 class DevLoginControllerTest {
@@ -49,33 +47,31 @@ void setUp() {
 
     @Test
     @DisplayName("loginAs - should authenticate and redirect for valid enabled user")
-    void shouldAuthenticateAndRedirectWhenValidUser() throws Exception {
+    void shouldAuthenticateAndRedirectWhenValidUser() {
         // Given
         when(userService.findUserByEmail("dev@test.com")).thenReturn(enabledUser);
         when(devLoginConfigProperties.getLoginRedirectUrl()).thenReturn("/dashboard");
-        HttpServletResponse response = mock(HttpServletResponse.class);
 
         // When
-        ResponseEntity<JSONResponse> result = devLoginController.loginAs("dev@test.com", response);
+        ResponseEntity<JSONResponse> result = devLoginController.loginAs("dev@test.com");
 
         // Then
         verify(userService).authWithoutPassword(enabledUser);
-        verify(response).sendRedirect("/dashboard");
-        assertThat(result).isNull();
+        assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FOUND);
+        assertThat(result.getHeaders().getFirst("Location")).isEqualTo("/dashboard");
+        assertThat(result.getBody()).isNull();
     }
 
     @Test
     @DisplayName("loginAs - should return 404 for unknown user")
-    void shouldReturn404WhenUserNotFound() throws Exception {
+    void shouldReturn404WhenUserNotFound() {
         // Given
         when(userService.findUserByEmail("unknown@test.com")).thenReturn(null);
-        HttpServletResponse response = mock(HttpServletResponse.class);
 
         // When
-        ResponseEntity<JSONResponse> result = devLoginController.loginAs("unknown@test.com", response);
+        ResponseEntity<JSONResponse> result = devLoginController.loginAs("unknown@test.com");
 
         // Then
-        assertThat(result).isNotNull();
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
         assertThat(result.getBody()).isNotNull();
         assertThat(result.getBody().isSuccess()).isFalse();
@@ -84,28 +80,25 @@ void shouldReturn404WhenUserNotFound() throws Exception {
 
     @Test
     @DisplayName("loginAs - should return 403 for disabled user")
-    void shouldReturn403WhenUserDisabled() throws Exception {
+    void shouldReturn403WhenUserDisabled() {
         // Given
         when(userService.findUserByEmail("disabled@test.com")).thenReturn(disabledUser);
-        HttpServletResponse response = mock(HttpServletResponse.class);
 
         // When
-        ResponseEntity<JSONResponse> result = devLoginController.loginAs("disabled@test.com", response);
+        ResponseEntity<JSONResponse> result = devLoginController.loginAs("disabled@test.com");
 
         // Then
-        assertThat(result).isNotNull();
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
         assertThat(result.getBody()).isNotNull();
         assertThat(result.getBody().isSuccess()).isFalse();
         verify(userService, never()).authWithoutPassword(any());
     }
 
     @Test
-    @DisplayName("listUsers - should return enabled user emails")
+    @DisplayName("listUsers - should return only enabled user emails")
     void shouldReturnEnabledUserEmails() {
         // Given
-        List<User> allUsers = Arrays.asList(enabledUser, disabledUser);
-        when(userRepository.findAll()).thenReturn(allUsers);
+        when(userRepository.findAllByEnabledTrue()).thenReturn(Arrays.asList(enabledUser));
 
         // When
         ResponseEntity<JSONResponse> result = devLoginController.listUsers();

src/test/java/com/digitalsanctuary/spring/user/dev/DevLoginIntegrationTest.java

@@ -2,6 +2,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.hamcrest.Matchers.hasItem;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -105,6 +106,7 @@ void shouldListEnabledUsers() throws Exception {
         mockMvc.perform(get("/dev/users"))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.success").value(true))
-                .andExpect(jsonPath("$.data").isArray());
+                .andExpect(jsonPath("$.data").isArray())
+                .andExpect(jsonPath("$.data", hasItem("dev-test@test.com")));
     }
 }

src/test/java/com/digitalsanctuary/spring/user/service/UserServiceTest.java

@@ -479,9 +479,6 @@ void authWithoutPassword_authenticatesValidUser() {
                 SecurityContext securityContext = mock(SecurityContext.class);
                 mockedSecurityHolder.when(SecurityContextHolder::getContext).thenReturn(securityContext);
 
-                // Capture the authentication set on the context and return it on getAuthentication()
-                ArgumentCaptor<Authentication> authCaptor = ArgumentCaptor.forClass(Authentication.class);
-
                 // Use thenAnswer to capture and store the authentication set
                 final Authentication[] storedAuth = new Authentication[1];
                 org.mockito.Mockito.doAnswer(invocation -> {