Complete additional high-priority framework fixes

- Fix registration email base URL in UserAPI.publishRegistrationEvent
- Configure security remember-me as opt-in with explicit key requirement
- Remove misleading @async annotations from event POJO classes

These changes improve email link generation, security configuration,
and remove confusing annotations that have no effect on POJOs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: devondragon

FIXES.md

@@ -22,17 +22,20 @@
 - **Fix**: Add synchronized blocks to protect concurrent access
 - **Status**: Fixed - added synchronized keyword to writeLog(), flushWriter(), setup(), and cleanup() methods
 
-### 5. Fix registration email base URL
+### 5. Fix registration email base URL ✅ COMPLETED
 - **Issue**: UserAPI.publishRegistrationEvent uses request.getContextPath() (broken links)
 - **Fix**: Use UserUtils.getAppUrl(request) like other flows
+- **Status**: Fixed - updated publishRegistrationEvent to use UserUtils.getAppUrl(request) for complete URL construction
 
-### 6. Configure security remember-me properly
+### 6. Configure security remember-me properly ✅ COMPLETED
 - **Issue**: Uses random key per startup, invalidates on restart
 - **Fix**: Make opt-in with explicit key configuration
+- **Status**: Fixed - added user.security.rememberMe.enabled and user.security.rememberMe.key properties, remember-me is now only enabled when explicitly configured
 
-### 7. Remove @Async from event classes
+### 7. Remove @Async from event classes ✅ COMPLETED
 - **Issue**: @Async on POJOs has no effect (false impression)
 - **Fix**: Remove from AuditEvent and OnRegistrationCompleteEvent classes
+- **Status**: Fixed - removed @Async annotation and import from both AuditEvent and OnRegistrationCompleteEvent classes
 
 ## Security & API Issues (Priority 2)
 

src/main/java/com/digitalsanctuary/spring/user/api/UserAPI.java

@@ -257,7 +257,7 @@ private void logoutUser(HttpServletRequest request) {
 	 * @param request the HTTP servlet request
 	 */
 	private void publishRegistrationEvent(User user, HttpServletRequest request) {
-		String appUrl = request.getContextPath();
+		String appUrl = UserUtils.getAppUrl(request);
 		eventPublisher.publishEvent(new OnRegistrationCompleteEvent(user, request.getLocale(), appUrl));
 	}
 

src/main/java/com/digitalsanctuary/spring/user/audit/AuditEvent.java

@@ -2,7 +2,6 @@
 
 import java.util.Date;
 import org.springframework.context.ApplicationEvent;
-import org.springframework.scheduling.annotation.Async;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import lombok.Builder;
 import lombok.EqualsAndHashCode;
@@ -12,7 +11,6 @@
  * The AuditEvent class is used to record security audit events and actions. It can be created and sent from any code, and is captured by the
  * AuditEventListener for handling and persistence.
  */
-@Async
 @Getter
 @EqualsAndHashCode(callSuper = false)
 public class AuditEvent extends ApplicationEvent {

src/main/java/com/digitalsanctuary/spring/user/event/OnRegistrationCompleteEvent.java

@@ -2,7 +2,6 @@
 
 import java.util.Locale;
 import org.springframework.context.ApplicationEvent;
-import org.springframework.scheduling.annotation.Async;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import lombok.Builder;
 import lombok.Data;
@@ -12,7 +11,6 @@
  * The OnRegistrationCompleteEvent class is triggered when a user registers. We are using to send the registration verification email, if enabled,
  * asynchronously. You can also listen for this event and perform any other post-registration processing desired.
  */
-@Async
 @Data
 @EqualsAndHashCode(callSuper = false)
 public class OnRegistrationCompleteEvent extends ApplicationEvent {

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -109,6 +109,12 @@ public class WebSecurityConfig {
 	@Value("${user.security.bcryptStrength}")
 	private int bcryptStrength = 10;
 
+	@Value("${user.security.rememberMe.enabled:false}")
+	private boolean rememberMeEnabled;
+
+	@Value("${user.security.rememberMe.key:#{null}}")
+	private String rememberMeKey;
+
 
 	private final UserDetailsService userDetailsService;
 	private final LoginSuccessService loginSuccessService;
@@ -133,8 +139,14 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 		log.debug("WebSecurityConfig.configure: enhanced unprotectedURIs: {}", unprotectedURIs.toString());
 
 		http.formLogin(
-				formLogin -> formLogin.loginPage(loginPageURI).loginProcessingUrl(loginActionURI).successHandler(loginSuccessService).permitAll())
-				.rememberMe(withDefaults());
+				formLogin -> formLogin.loginPage(loginPageURI).loginProcessingUrl(loginActionURI).successHandler(loginSuccessService).permitAll());
+
+		// Configure remember-me only if explicitly enabled and key is provided
+		if (rememberMeEnabled && rememberMeKey != null && !rememberMeKey.trim().isEmpty()) {
+			http.rememberMe(rememberMe -> rememberMe
+					.key(rememberMeKey)
+					.userDetailsService(userDetailsService));
+		}
 
 		http.logout(logout -> logout.logoutUrl(logoutActionURI).logoutSuccessUrl(logoutSuccessURI).invalidateHttpSession(true)
 				.deleteCookies("JSESSIONID"));