Enhance security and IP detection in Spring User Framework

- Improve OAuth2 error handling: replaced exposed exception details with
  generic user-friendly messages, added proper internal logging
- Enhance IP detection: support for additional headers (X-Real-IP,
  CF-Connecting-IP, True-Client-IP) commonly used by CDNs and load balancers
- Add comprehensive DTO validation with GlobalValidationExceptionHandler
- Remove security vulnerabilities from authentication entry point

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: devondragon

FIXES.md

@@ -39,21 +39,25 @@
 
 ## Security & API Issues (Priority 2)
 
-### 8. Add DTO validation annotations
+### 8. Add DTO validation annotations ✅ COMPLETED
 - **Issue**: UserDto and PasswordDto lack bean validation
 - **Fix**: Add @NotBlank, @Email, password constraints, create @ControllerAdvice
+- **Status**: Fixed - added validation annotations to UserDto and PasswordDto fields, created GlobalValidationExceptionHandler for consistent API error responses
 
-### 9. Fix CSRF property typo
+### 9. Fix CSRF property typo ✅ COMPLETED
 - **Issue**: Property name contains odd "d" - 'disableCSRFdURIs'
 - **Fix**: Rename to 'disableCSRFURIs'
+- **Status**: Fixed - corrected property name in WebSecurityConfig, configuration metadata, properties files, and test configuration
 
-### 10. Improve error message handling
+### 10. Improve error message handling ✅ COMPLETED
 - **Issue**: CustomOAuth2AuthenticationEntryPoint exposes exception details
 - **Fix**: Use generic user messages, log details internally
+- **Status**: Fixed - replaced exposed exception messages with generic user-friendly messages, detailed exceptions logged internally for debugging, removed debug print statements
 
-### 11. Enhance IP detection
+### 11. Enhance IP detection ✅ COMPLETED
 - **Issue**: Only honors X-Forwarded-For header
 - **Fix**: Support X-Real-IP, CF-Connecting-IP, True-Client-IP
+- **Status**: Fixed - enhanced UserUtils.getClientIP() to check multiple headers in order of preference (X-Forwarded-For, X-Real-IP, CF-Connecting-IP, True-Client-IP) with proper validation and fallback
 
 ## Web/Security Config (Priority 3)
 

src/main/java/com/digitalsanctuary/spring/user/dto/PasswordDto.java

@@ -1,5 +1,7 @@
 package com.digitalsanctuary.spring.user.dto;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
 import lombok.Data;
 
 /**
@@ -10,9 +12,12 @@
 public class PasswordDto {
 
 	/** The old password. */
+	@NotBlank(message = "Current password is required")
 	private String oldPassword;
 
 	/** The new password. */
+	@NotBlank(message = "New password is required")
+	@Size(min = 8, max = 128, message = "Password must be between 8 and 128 characters")
 	private String newPassword;
 
 	/** The token. */

src/main/java/com/digitalsanctuary/spring/user/dto/UserDto.java

@@ -1,5 +1,8 @@
 package com.digitalsanctuary.spring.user.dto;
 
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
 import lombok.Data;
 
 /**
@@ -10,18 +13,28 @@
 public class UserDto {
 
 	/** The first name. */
+	@NotBlank(message = "First name is required")
+	@Size(max = 50, message = "First name must not exceed 50 characters")
 	private String firstName;
 
 	/** The last name. */
+	@NotBlank(message = "Last name is required")
+	@Size(max = 50, message = "Last name must not exceed 50 characters")
 	private String lastName;
 
 	/** The password. */
+	@NotBlank(message = "Password is required")
+	@Size(min = 8, max = 128, message = "Password must be between 8 and 128 characters")
 	private String password;
 
 	/** The matching password. */
+	@NotBlank(message = "Password confirmation is required")
 	private String matchingPassword;
 
 	/** The email. */
+	@NotBlank(message = "Email is required")
+	@Email(message = "Please provide a valid email address")
+	@Size(max = 100, message = "Email must not exceed 100 characters")
 	private String email;
 
 	/** The role. */

src/main/java/com/digitalsanctuary/spring/user/exception/GlobalValidationExceptionHandler.java

@@ -0,0 +1,49 @@
+package com.digitalsanctuary.spring.user.exception;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.validation.FieldError;
+import org.springframework.web.bind.MethodArgumentNotValidException;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Global exception handler for validation errors. This class handles validation exceptions
+ * and returns appropriate error responses for API endpoints.
+ */
+@Slf4j
+@ControllerAdvice
+public class GlobalValidationExceptionHandler {
+
+	/**
+	 * Handles validation errors from @Valid annotations on request bodies.
+	 *
+	 * @param ex the MethodArgumentNotValidException
+	 * @return a ResponseEntity containing validation error details
+	 */
+	@ExceptionHandler(MethodArgumentNotValidException.class)
+	public ResponseEntity<Map<String, Object>> handleValidationExceptions(MethodArgumentNotValidException ex) {
+		log.warn("Validation error occurred: {}", ex.getMessage());
+		
+		Map<String, Object> response = new HashMap<>();
+		Map<String, String> errors = new HashMap<>();
+		
+		ex.getBindingResult().getAllErrors().forEach((error) -> {
+			String fieldName = ((FieldError) error).getField();
+			String errorMessage = error.getDefaultMessage();
+			errors.put(fieldName, errorMessage);
+		});
+		
+		response.put("success", false);
+		response.put("code", 400);
+		response.put("message", "Validation failed");
+		response.put("errors", errors);
+		
+		return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(response);
+	}
+}

src/main/java/com/digitalsanctuary/spring/user/security/CustomOAuth2AuthenticationEntryPoint.java

@@ -43,15 +43,16 @@ public CustomOAuth2AuthenticationEntryPoint(AuthenticationFailureHandler failure
     @Override
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException,
                                                                                                                           ServletException {
-        log.debug("CustomOAuth2AuthenticationEntryPoint.commence:" + "called with authException: {}", authException);
-        System.out.println("CustomOAuth2AuthenticationEntryPoint.commence() called with authException: " + authException);
+        // Log detailed exception information internally for debugging
+        log.warn("OAuth2 authentication failed: {}", authException.getMessage(), authException);
+        
         if (authException instanceof OAuth2AuthenticationException && failureHandler != null) {
             // Use the failure handler to handle the exception and perform the redirect
             failureHandler.onAuthenticationFailure(request, response, authException);
         } else {
-            // For other exceptions, redirect to the login page
-            System.out.println("CustomOAuth2AuthenticationEntryPoint.commence() setting error.message: " + authException.getMessage());
-            request.getSession().setAttribute("error.message", authException.getMessage());
+            // For other exceptions, redirect to the login page with a generic error message
+            String userFriendlyMessage = "Authentication failed. Please try again.";
+            request.getSession().setAttribute("error.message", userFriendlyMessage);
             response.sendRedirect(redirectURL);
         }
     }

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -64,7 +64,7 @@ public class WebSecurityConfig {
 	@Value("#{'${user.security.unprotectedURIs}'.split(',')}")
 	private String[] unprotectedURIsArray;
 
-	@Value("#{'${user.security.disableCSRFdURIs}'.split(',')}")
+	@Value("#{'${user.security.disableCSRFURIs}'.split(',')}")
 	private String[] disableCSRFURIsArray;
 
 	@Value("${user.security.loginPageURI}")

src/main/java/com/digitalsanctuary/spring/user/util/UserUtils.java

@@ -15,16 +15,39 @@ private UserUtils() {
 	}
 
 	/**
-	 * Get the client's IP address.
+	 * Get the client's IP address by checking various headers commonly used by proxies, load balancers, and CDNs.
+	 * 
+	 * Checks headers in order of preference:
+	 * 1. X-Forwarded-For (standard proxy header)
+	 * 2. X-Real-IP (nginx and other reverse proxies)
+	 * 3. CF-Connecting-IP (Cloudflare)
+	 * 4. True-Client-IP (Akamai, Cloudflare Enterprise)
+	 * 5. Falls back to request.getRemoteAddr()
 	 *
 	 * @param request The HttpServletRequest object.
 	 * @return The client's IP address as a String.
 	 */
 	public static String getClientIP(HttpServletRequest request) {
-		String xfHeader = request.getHeader("X-Forwarded-For");
-		if (xfHeader != null) {
-			return xfHeader.split(",")[0];
+		// Array of header names to check in order of preference
+		String[] ipHeaders = {
+			"X-Forwarded-For",
+			"X-Real-IP", 
+			"CF-Connecting-IP",
+			"True-Client-IP"
+		};
+		
+		for (String header : ipHeaders) {
+			String ip = request.getHeader(header);
+			if (ip != null && !ip.isEmpty() && !"unknown".equalsIgnoreCase(ip)) {
+				// X-Forwarded-For can contain multiple IPs, take the first one
+				if ("X-Forwarded-For".equals(header)) {
+					return ip.split(",")[0].trim();
+				}
+				return ip.trim();
+			}
 		}
+		
+		// Fall back to remote address if no proxy headers found
 		return request.getRemoteAddr();
 	}
 

src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -106,9 +106,9 @@
       "description": "A description for 'user.security.registrationURI'"
     },
     {
-      "name": "user.security.disableCSRFdURIs",
+      "name": "user.security.disableCSRFURIs",
       "type": "java.lang.String",
-      "description": "A description for 'user.security.disableCSRFdURIs'"
+      "description": "A comma-delimited list of URIs that should not be protected by CSRF protection"
     },
     {
       "name": "user.security.registrationPendingURI",

src/main/resources/config/dsspringuserconfig.properties

@@ -57,7 +57,7 @@ user.security.unprotectedURIs=/,/index.html,/favicon.ico,/css/*,/js/*,/img/*,/us
 # A comma delimited list of URIs that should be protected by Spring Security if the defaultAction is allow.
 user.security.protectedURIs=/protected.html
 # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.
-user.security.disableCSRFdURIs=/no-csrf-test
+user.security.disableCSRFURIs=/no-csrf-test
 
 # The URI for the login page.
 user.security.loginPageURI=/user/login.html

src/test/resources/application-test.yml

@@ -90,7 +90,7 @@ user:
     defaultAction: deny # The default action for all requests.  This can be either deny or allow.
     unprotectedURIs: /,/index.html,/favicon.ico,/css/*,/js/*,/img/*,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
     protectedURIs: /protected.html # A comma delimited list of URIs that should be protected by Spring Security if the defaultAction is allow.
-    disableCSRFdURIs: /no-csrf-test # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.
+    disableCSRFURIs: /no-csrf-test # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.
 
     # URIs for known user related pages. You can change these paths to your own pages if you want.
     loginPageURI: /user/login.html # The URI for the login page.