Merge pull request #262 from devondragon/issue-260-auth-event-dev-login

fix(auth): publish auth event from authWithoutPassword + add DevLoginAutoConfiguration

Author: devondragon

CLAUDE.md

@@ -42,6 +42,7 @@ com.digitalsanctuary.spring.user
 ├── api/              # REST endpoints (UserAPI)
 ├── audit/            # Audit logging system
 ├── controller/       # MVC controllers for HTML pages
+├── dev/              # Dev login auto-configuration (local profile only)
 ├── dto/              # Data transfer objects
 ├── event/            # Spring application events
 ├── exceptions/       # Custom exceptions
@@ -110,6 +111,7 @@ All configuration uses `user.*` prefix in application.yml. Key property groups:
 - `user.roles-and-privileges` - Role-to-privilege mapping (applied on startup)
 - `user.role-hierarchy` - Role inheritance (e.g., ROLE_ADMIN > ROLE_MANAGER)
 - `user.gdpr.*` - GDPR features (enabled, exportBeforeDeletion, consentTracking)
+- `user.dev.*` - Dev login (autoLoginEnabled, loginRedirectUrl) — requires `local` profile
 - `user.purgetokens.cron.*` - Token cleanup schedule
 - `user.session.invalidation.warn-threshold` - Performance warning threshold
 - `user.actuallyDeleteAccount` - Hard delete vs disable

CONFIG.md

@@ -105,6 +105,35 @@ WebAuthn requires two additional tables: `user_entities` and `user_credentials`.
 - Passkey labels are limited to 64 characters.
 - When a user account is deleted, all associated WebAuthn credentials and user entities are automatically cleaned up via the `UserPreDeleteEvent` listener. The database schema also uses `ON DELETE CASCADE` as a safety net.
 
+## Dev Login Settings
+
+Provides a reusable "login as" controller for local development, so consuming applications don't need to write boilerplate dev-login controllers. **This feature is disabled by default and requires both a property flag and the `local` Spring profile to activate.**
+
+- **Auto-Login Enabled (`user.dev.auto-login-enabled`)**: Master toggle for the dev login feature. Defaults to `false`. Must be set to `true` **and** the `local` Spring profile must be active for the endpoints to be registered.
+- **Login Redirect URL (`user.dev.login-redirect-url`)**: The URL to redirect to after a successful dev login. Defaults to `/`.
+
+**Example configuration:**
+```yaml
+# application-local.yml (only active with spring.profiles.active=local)
+user:
+  dev:
+    auto-login-enabled: true
+    login-redirect-url: /dashboard
+```
+
+**Endpoints** (only available when enabled with the `local` profile):
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/dev/login-as/{email}` | GET | Authenticate as the specified user and redirect |
+| `/dev/users` | GET | List all enabled user emails |
+
+**Important Notes:**
+- The `local` Spring profile **must** be active. Without it, the controller and warning beans are never registered regardless of the property value.
+- When enabled, `/dev/**` is automatically added to the unprotected URI list and CSRF-ignored URIs in `WebSecurityConfig`.
+- A prominent WARN-level banner is logged on startup when dev login is active.
+- **NEVER enable this in production.** It bypasses all password authentication.
+
 ## Mail Configuration
 
 - **From Address (`spring.mail.fromAddress`)**: The email address used as the sender in outgoing emails.

README.md

@@ -103,6 +103,7 @@ Check out the [Spring User Framework Demo Application](https://github.com/devond
   - Configuration-driven features
   - Comprehensive documentation
   - Demo application for reference
+  - Built-in dev login controller for quick user switching during local development
 
 - **GDPR Compliance** (opt-in)
   - Data export (Right of Access - Article 15)
@@ -709,6 +710,38 @@ To enable SSO:
                 jwk-set-uri: ${DS_SPRING_USER_KEYCLOAK_PROVIDER_JWK_SET_URI}
    ```
 
+### Dev Login (Local Development)
+
+The framework includes a built-in dev login controller that lets developers quickly switch between user accounts without entering passwords. This eliminates the need for consuming applications to write boilerplate dev-login controllers.
+
+**Setup:**
+
+1. Activate the `local` Spring profile (e.g., `spring.profiles.active=local`)
+2. Enable dev login in your configuration:
+
+```yaml
+# application-local.yml
+user:
+  dev:
+    auto-login-enabled: true
+    login-redirect-url: /dashboard  # optional, defaults to /
+```
+
+**Endpoints** (only available when enabled with the `local` profile):
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/dev/login-as/{email}` | GET | Authenticate as the specified user and redirect |
+| `/dev/users` | GET | List all enabled user emails (JSON) |
+
+**Example usage during development:**
+- Visit `http://localhost:8080/dev/users` to see available accounts
+- Visit `http://localhost:8080/dev/login-as/admin@example.com` to instantly log in as that user
+
+**Security:** This feature requires **both** `user.dev.auto-login-enabled=true` **and** the `local` Spring profile to be active. A prominent warning banner is logged on startup when dev login is active. **Never enable this in production.**
+
+See the [Configuration Guide](CONFIG.md) for all dev login settings.
+
 ## Extensibility
 
 The framework is designed to be extended without modifying the core code.

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginConfigProperties.java

@@ -0,0 +1,35 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.stereotype.Component;
+import lombok.Data;
+
+/**
+ * Configuration properties for the dev login feature.
+ * <p>
+ * This enables a quick "login as" endpoint for local development, removing the need
+ * for consuming applications to write boilerplate dev-login controllers.
+ * </p>
+ * <p>
+ * <strong>SECURITY WARNING:</strong> This feature should only be enabled in local/dev
+ * environments. It allows authentication without a password via a simple GET request.
+ * </p>
+ */
+@Data
+@Component
+@PropertySource("classpath:config/dsspringuserconfig.properties")
+@ConfigurationProperties(prefix = "user.dev")
+public class DevLoginConfigProperties {
+
+    /**
+     * Whether the dev auto-login feature is enabled. Defaults to false.
+     * Must be explicitly set to true AND the "local" profile must be active.
+     */
+    private boolean autoLoginEnabled = false;
+
+    /**
+     * The URL to redirect to after a successful dev login. Defaults to "/".
+     */
+    private String loginRedirectUrl = "/";
+}

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginController.java

@@ -0,0 +1,90 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import java.util.List;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Profile;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
+import com.digitalsanctuary.spring.user.service.UserService;
+import com.digitalsanctuary.spring.user.util.JSONResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Development-only controller providing quick login-as functionality.
+ * <p>
+ * This controller is only active when the "local" Spring profile is active AND
+ * {@code user.dev.auto-login-enabled} is set to {@code true}. It allows developers
+ * to quickly switch between user accounts without entering passwords.
+ * </p>
+ * <p>
+ * <strong>SECURITY WARNING:</strong> This controller must NEVER be enabled in
+ * production environments. It bypasses all password authentication.
+ * </p>
+ */
+@Slf4j
+@RestController
+@RequestMapping("/dev")
+@RequiredArgsConstructor
+@Profile("local")
+@ConditionalOnProperty(name = "user.dev.auto-login-enabled", havingValue = "true", matchIfMissing = false)
+public class DevLoginController {
+
+    private final UserService userService;
+    private final UserRepository userRepository;
+    private final DevLoginConfigProperties devLoginConfigProperties;
+
+    /**
+     * Logs in as the specified user by email without requiring a password.
+     * After successful authentication, returns a redirect response to the configured URL.
+     *
+     * @param email the email of the user to log in as
+     * @return a redirect response on success, or an error response with 404/403 status
+     */
+    @GetMapping("/login-as/{email}")
+    public ResponseEntity<JSONResponse> loginAs(@PathVariable String email) {
+        log.warn("Dev login attempt for user: {}", email);
+
+        User user = userService.findUserByEmail(email);
+        if (user == null) {
+            log.warn("Dev login failed: user not found for email: {}", email);
+            return ResponseEntity.status(HttpStatus.NOT_FOUND)
+                    .body(JSONResponse.builder().success(false).message("User not found: " + email).code(404).build());
+        }
+
+        if (!user.isEnabled()) {
+            log.warn("Dev login failed: user is disabled: {}", email);
+            return ResponseEntity.status(HttpStatus.FORBIDDEN)
+                    .body(JSONResponse.builder().success(false).message("User is disabled: " + email).code(403)
+                            .build());
+        }
+
+        userService.authWithoutPassword(user);
+        log.warn("Dev login successful for user: {}", email);
+
+        return ResponseEntity.status(HttpStatus.FOUND)
+                .header("Location", devLoginConfigProperties.getLoginRedirectUrl())
+                .build();
+    }
+
+    /**
+     * Lists all enabled user emails available for dev login.
+     *
+     * @return a JSONResponse containing the list of enabled user emails
+     */
+    @GetMapping("/users")
+    public ResponseEntity<JSONResponse> listUsers() {
+        List<String> enabledEmails = userRepository.findAllByEnabledTrue().stream()
+                .map(User::getEmail)
+                .toList();
+
+        return ResponseEntity.ok(JSONResponse.builder().success(true)
+                .message("Found " + enabledEmails.size() + " enabled users").data(enabledEmails).build());
+    }
+}

src/main/java/com/digitalsanctuary/spring/user/dev/DevLoginStartupWarning.java

@@ -0,0 +1,27 @@
+package com.digitalsanctuary.spring.user.dev;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Component;
+import jakarta.annotation.PostConstruct;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Logs a prominent warning on startup when the dev login feature is active.
+ * This ensures developers are aware that passwordless authentication is enabled.
+ */
+@Slf4j
+@Component
+@Profile("local")
+@ConditionalOnProperty(name = "user.dev.auto-login-enabled", havingValue = "true", matchIfMissing = false)
+public class DevLoginStartupWarning {
+
+    @PostConstruct
+    public void logWarning() {
+        log.warn("========================================================");
+        log.warn("  DEV LOGIN IS ACTIVE");
+        log.warn("  Passwordless authentication is enabled at /dev/login-as/{email}");
+        log.warn("  DO NOT enable this in production!");
+        log.warn("========================================================");
+    }
+}

src/main/java/com/digitalsanctuary/spring/user/persistence/repository/UserRepository.java

@@ -1,5 +1,6 @@
 package com.digitalsanctuary.spring.user.persistence.repository;
 
+import java.util.List;
 import org.springframework.data.jpa.repository.JpaRepository;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 
@@ -16,6 +17,13 @@ public interface UserRepository extends JpaRepository<User, Long> {
 	 */
 	User findByEmail(String email);
 
+	/**
+	 * Find all enabled users.
+	 *
+	 * @return list of enabled users
+	 */
+	List<User> findAllByEnabledTrue();
+
 	/**
 	 * Delete.
 	 *

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -10,6 +10,7 @@
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -115,13 +116,17 @@ public class WebSecurityConfig {
 	@Value("${user.security.rememberMe.key:#{null}}")
 	private String rememberMeKey;
 
+	@Value("${user.dev.auto-login-enabled:false}")
+	private boolean devAutoLoginEnabled;
+
 	private final UserDetailsService userDetailsService;
 	private final LoginSuccessService loginSuccessService;
 	private final LogoutSuccessService logoutSuccessService;
 	private final RolesAndPrivilegesConfig rolesAndPrivilegesConfig;
 	private final DSOAuth2UserService dsOAuth2UserService;
 	private final DSOidcUserService dsOidcUserService;
 	private final WebAuthnConfigProperties webAuthnConfigProperties;
+	private final Environment environment;
 
 	/**
 	 *
@@ -150,10 +155,14 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 				.deleteCookies("JSESSIONID"));
 
 		// If we have URIs to disable CSRF validation on, do so here
-		String[] disableCSRFURIsArray = getDisableCSRFURIsArray();
-		if (disableCSRFURIsArray.length > 0) {
+		String[] baseDisableCSRFURIs = getDisableCSRFURIsArray();
+		List<String> csrfIgnoreList = new ArrayList<>(Arrays.asList(baseDisableCSRFURIs));
+		if (devAutoLoginEnabled && environment.matchesProfiles("local")) {
+			csrfIgnoreList.add("/dev/**");
+		}
+		if (!csrfIgnoreList.isEmpty()) {
 			http.csrf(csrf -> {
-				csrf.ignoringRequestMatchers(disableCSRFURIsArray);
+				csrf.ignoringRequestMatchers(csrfIgnoreList.toArray(new String[0]));
 			});
 		}
 
@@ -266,6 +275,9 @@ private List<String> getUnprotectedURIsList() {
 		unprotectedURIs.add(registrationSuccessURI);
 		unprotectedURIs.add(forgotPasswordPendingURI);
 		unprotectedURIs.add(forgotPasswordChangeURI);
+		if (devAutoLoginEnabled && environment.matchesProfiles("local")) {
+			unprotectedURIs.add("/dev/**");
+		}
 		unprotectedURIs.removeAll(Collections.emptyList());
 		return unprotectedURIs;
 	}

src/main/java/com/digitalsanctuary/spring/user/service/UserService.java

@@ -10,6 +10,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -554,6 +555,12 @@ public void authWithoutPassword(User user) {
 		// Store security context in session
 		storeSecurityContextInSession();
 
+		// Publish authentication event for listeners (session profile, brute-force reset)
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		if (authentication != null) {
+			eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authentication, this.getClass()));
+		}
+
 		log.debug("UserService.authWithoutPassword: authenticated user: {}", user.getEmail());
 	}
 

src/main/resources/config/dsspringuserconfig.properties

@@ -124,6 +124,11 @@ user.security.password.history-count=3
 # Percentage of similarity allowed with username/email
 user.security.password.similarity-threshold=70
 
+# Dev Login Configuration (disabled by default; opt-in feature for local development only)
+# When enabled with the "local" profile, provides /dev/login-as/{email} for passwordless dev login.
+user.dev.auto-login-enabled=false
+user.dev.login-redirect-url=/
+
 # WebAuthn / Passkey Configuration (disabled by default; opt-in feature)
 user.webauthn.enabled=false
 user.webauthn.rpId=localhost