refactor(security): extract WebAuthn ObjectPostProcessor into helper method (#261)

* refactor(security): extract WebAuthn ObjectPostProcessor into helper method

Replace inline anonymous ObjectPostProcessor in setupWebAuthn() with an
extracted private method webAuthnSuccessHandlerPostProcessor(). This
removes fully-qualified type names, reduces nesting, and aligns with
the concise method-extraction style used elsewhere in WebSecurityConfig.

Closes #255

* docs(security): improve JavaDoc return description on webAuthnSuccessHandlerPostProcessor

Address PR review feedback: the previous @return tag added no information
beyond the method name. Updated to describe what the post processor does.

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -17,6 +17,7 @@
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.session.SessionRegistry;
@@ -26,6 +27,7 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
+import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;
 import com.digitalsanctuary.spring.user.roles.RolesAndPrivilegesConfig;
 import com.digitalsanctuary.spring.user.service.DSOAuth2UserService;
 import com.digitalsanctuary.spring.user.service.DSOidcUserService;
@@ -224,15 +226,22 @@ private void setupWebAuthn(HttpSecurity http) throws Exception {
 
 		http.webAuthn(webAuthn -> webAuthn.rpName(webAuthnConfigProperties.getRpName()).rpId(webAuthnConfigProperties.getRpId())
 				.allowedOrigins(normalizedAllowedOrigins)
-				.withObjectPostProcessor(
-						new org.springframework.security.config.ObjectPostProcessor<org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter>() {
-							@Override
-							public <O extends org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter> O postProcess(
-									O filter) {
-								filter.setAuthenticationSuccessHandler(new WebAuthnAuthenticationSuccessHandler(userDetailsService));
-								return filter;
-							}
-						}));
+				.withObjectPostProcessor(webAuthnSuccessHandlerPostProcessor()));
+	}
+
+	/**
+	 * Creates an ObjectPostProcessor that sets our custom WebAuthn success handler on the WebAuthnAuthenticationFilter.
+	 *
+	 * @return an ObjectPostProcessor that injects a custom authentication success handler
+	 */
+	private ObjectPostProcessor<WebAuthnAuthenticationFilter> webAuthnSuccessHandlerPostProcessor() {
+		return new ObjectPostProcessor<WebAuthnAuthenticationFilter>() {
+			@Override
+			public <O extends WebAuthnAuthenticationFilter> O postProcess(O filter) {
+				filter.setAuthenticationSuccessHandler(new WebAuthnAuthenticationSuccessHandler(userDetailsService));
+				return filter;
+			}
+		};
 	}
 
 	// Commenting this out to try adding /error to the unprotected URIs list instead