refactor: migrate @ConfigurationProperties from @component to @EnableConfigurationProperties (#264)

* refactor(config): migrate @ConfigurationProperties from @component to @EnableConfigurationProperties

Remove @component and @propertysource from DevLoginConfigProperties and
WebAuthnConfigProperties so they are passive data holders per Spring Boot
convention. Registration is now handled by dedicated @configuration
classes with @EnableConfigurationProperties:

- DevLoginAutoConfiguration: guards with @Profile("local") and
  @ConditionalOnProperty, owns @propertysource
- WebAuthnAutoConfiguration: always active (WebSecurityConfig requires
  the properties), owns @propertysource

Closes #263

* fix(review): address PR #264 review feedback

- Rename DevLoginAutoConfiguration → DevLoginConfiguration and
  WebAuthnAutoConfiguration → WebAuthnConfiguration to avoid implying
  Spring Boot SPI semantics (these are component-scanned, not
  SPI-registered via AutoConfiguration.imports)
- Remove @propertysource from DevLoginConfiguration: the annotation
  cannot influence its own @ConditionalOnProperty evaluation (condition
  is checked before @propertysource is processed), and defaults are
  already available via WebAuthnConfiguration which unconditionally
  loads dsspringuserconfig.properties

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginConfigProperties.java

@@ -1,8 +1,6 @@
 package com.digitalsanctuary.spring.user.dev;
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.context.annotation.PropertySource;
-import org.springframework.stereotype.Component;
 import lombok.Data;
 
 /**
@@ -17,8 +15,6 @@
  * </p>
  */
 @Data
-@Component
-@PropertySource("classpath:config/dsspringuserconfig.properties")
 @ConfigurationProperties(prefix = "user.dev")
 public class DevLoginConfigProperties {
 

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginConfiguration.java

@@ -0,0 +1,27 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+
+/**
+ * Configuration that registers {@link DevLoginConfigProperties}.
+ * <p>
+ * Activates only when the {@code local} profile is active and
+ * {@code user.dev.auto-login-enabled=true}. Individual dev-login components
+ * ({@link DevLoginController}, {@link DevLoginStartupWarning}) carry their own
+ * guards for defense-in-depth.
+ * </p>
+ * <p>
+ * Note: this class is registered via component scan (not Spring Boot SPI), so
+ * default property values are provided by {@code WebAuthnConfiguration}, which
+ * unconditionally loads {@code classpath:config/dsspringuserconfig.properties}.
+ * </p>
+ */
+@Configuration
+@Profile("local")
+@ConditionalOnProperty(name = "user.dev.auto-login-enabled", havingValue = "true", matchIfMissing = false)
+@EnableConfigurationProperties(DevLoginConfigProperties.class)
+public class DevLoginConfiguration {
+}

src/main/java/com/digitalsanctuary/spring/user/security/WebAuthnConfigProperties.java

@@ -2,16 +2,12 @@
 
 import java.util.Set;
 import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.context.annotation.PropertySource;
-import org.springframework.stereotype.Component;
 import lombok.Data;
 
 /**
  * Configuration properties for WebAuthn (Passkey) authentication.
  */
 @Data
-@Component
-@PropertySource("classpath:config/dsspringuserconfig.properties")
 @ConfigurationProperties(prefix = "user.webauthn")
 public class WebAuthnConfigProperties {
 

src/main/java/com/digitalsanctuary/spring/user/security/WebAuthnConfiguration.java

@@ -0,0 +1,20 @@
+package com.digitalsanctuary.spring.user.security;
+
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.PropertySource;
+
+/**
+ * Configuration that registers {@link WebAuthnConfigProperties}.
+ * <p>
+ * This configuration is always active because {@code WebSecurityConfig} requires
+ * {@link WebAuthnConfigProperties} regardless of whether WebAuthn is enabled.
+ * Individual WebAuthn components carry their own
+ * {@code @ConditionalOnProperty(name = "user.webauthn.enabled")} guards.
+ * </p>
+ */
+@Configuration
+@PropertySource("classpath:config/dsspringuserconfig.properties")
+@EnableConfigurationProperties(WebAuthnConfigProperties.class)
+public class WebAuthnConfiguration {
+}