fix(webauthn): address PR #259 review feedback

- Use @Modifying @query for true single-statement bulk DELETE in
  deleteByUserEntity(), replacing the Spring Data derived method that
  issued N+1 SQL under the hood
- Add throw new IllegalStateException("Utility class") to
  WebAuthnTransportUtils constructor (consistent with UserUtils)
- Use Collectors.toUnmodifiableList/Set() in WebAuthnTransportUtils to
  match declared Javadoc contract
- Add WebAuthnTransportUtilsTest covering null/empty inputs, whitespace
  trimming, multiple values, and unmodifiability
- Add shouldTrimLabelBeforeStoring test to verify the renameCredential
  trim fix actually reaches the repository layer

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/persistence/repository/WebAuthnCredentialRepository.java

@@ -2,10 +2,12 @@
 
 import java.util.List;
 import java.util.Optional;
-import org.springframework.data.jpa.repository.Lock;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Lock;
+import org.springframework.data.jpa.repository.Modifying;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
+import org.springframework.transaction.annotation.Transactional;
 import jakarta.persistence.LockModeType;
 import com.digitalsanctuary.spring.user.persistence.model.WebAuthnCredential;
 import com.digitalsanctuary.spring.user.persistence.model.WebAuthnUserEntity;
@@ -69,9 +71,12 @@ public interface WebAuthnCredentialRepository extends JpaRepository<WebAuthnCred
 	Optional<WebAuthnCredential> findByIdWithUser(@Param("credentialId") String credentialId);
 
 	/**
-	 * Delete all credentials for a WebAuthn user entity in a single batch operation.
+	 * Delete all credentials for a WebAuthn user entity in a single bulk DELETE statement.
 	 *
 	 * @param userEntity the WebAuthn user entity whose credentials should be deleted
 	 */
-	void deleteByUserEntity(WebAuthnUserEntity userEntity);
+	@Transactional
+	@Modifying
+	@Query("DELETE FROM WebAuthnCredential c WHERE c.userEntity = :userEntity")
+	void deleteByUserEntity(@Param("userEntity") WebAuthnUserEntity userEntity);
 }

src/main/java/com/digitalsanctuary/spring/user/util/WebAuthnTransportUtils.java

@@ -25,7 +25,7 @@
 public final class WebAuthnTransportUtils {
 
 	private WebAuthnTransportUtils() {
-		// utility class
+		throw new IllegalStateException("Utility class");
 	}
 
 	/**
@@ -39,7 +39,7 @@ public static List<String> parseTransportStrings(String transports) {
 			return Collections.emptyList();
 		}
 		return Arrays.stream(transports.split(",")).map(String::trim).filter(s -> !s.isEmpty())
-				.collect(Collectors.toList());
+				.collect(Collectors.toUnmodifiableList());
 	}
 
 	/**
@@ -63,6 +63,6 @@ public static Set<AuthenticatorTransport> parseTransports(String transports) {
 				log.warn("Unknown AuthenticatorTransport '{}', skipping", value);
 				return null;
 			}
-		}).filter(Objects::nonNull).collect(Collectors.toSet());
+		}).filter(Objects::nonNull).collect(Collectors.toUnmodifiableSet());
 	}
 }

src/test/java/com/digitalsanctuary/spring/user/service/WebAuthnCredentialManagementServiceTest.java

@@ -125,6 +125,19 @@ void shouldRenameCredentialSuccessfully() {
 			verify(credentialQueryRepository).renameCredential("cred-123", "Work Laptop", testUser.getId());
 		}
 
+		@Test
+		@DisplayName("should trim whitespace from label before storing")
+		void shouldTrimLabelBeforeStoring() {
+			// Given
+			when(credentialQueryRepository.renameCredential("cred-123", "Work Laptop", testUser.getId())).thenReturn(1);
+
+			// When
+			service.renameCredential("cred-123", "  Work Laptop  ", testUser);
+
+			// Then — trimmed value reaches the repository, not the padded original
+			verify(credentialQueryRepository).renameCredential("cred-123", "Work Laptop", testUser.getId());
+		}
+
 		@Test
 		@DisplayName("should throw when credential not found")
 		void shouldThrowWhenCredentialNotFound() {

src/test/java/com/digitalsanctuary/spring/user/util/WebAuthnTransportUtilsTest.java

@@ -0,0 +1,127 @@
+package com.digitalsanctuary.spring.user.util;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.util.List;
+import java.util.Set;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.NullAndEmptySource;
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+
+@DisplayName("WebAuthnTransportUtils Tests")
+class WebAuthnTransportUtilsTest {
+
+	@Nested
+	@DisplayName("Utility Class Construction")
+	class ConstructionTests {
+
+		@Test
+		@DisplayName("should throw IllegalStateException when instantiated via reflection")
+		void shouldThrowOnInstantiation() throws Exception {
+			Constructor<WebAuthnTransportUtils> constructor = WebAuthnTransportUtils.class.getDeclaredConstructor();
+			constructor.setAccessible(true);
+			assertThatThrownBy(() -> {
+				try {
+					constructor.newInstance();
+				} catch (InvocationTargetException e) {
+					throw e.getCause();
+				}
+			}).isInstanceOf(IllegalStateException.class).hasMessage("Utility class");
+		}
+	}
+
+	@Nested
+	@DisplayName("parseTransportStrings")
+	class ParseTransportStringsTests {
+
+		@ParameterizedTest
+		@NullAndEmptySource
+		@DisplayName("should return empty list for null or empty input")
+		void shouldReturnEmptyForNullOrEmpty(String input) {
+			assertThat(WebAuthnTransportUtils.parseTransportStrings(input)).isEmpty();
+		}
+
+		@Test
+		@DisplayName("should parse single transport")
+		void shouldParseSingleTransport() {
+			assertThat(WebAuthnTransportUtils.parseTransportStrings("usb")).containsExactly("usb");
+		}
+
+		@Test
+		@DisplayName("should parse multiple transports")
+		void shouldParseMultipleTransports() {
+			List<String> result = WebAuthnTransportUtils.parseTransportStrings("usb,nfc,ble");
+			assertThat(result).containsExactlyInAnyOrder("usb", "nfc", "ble");
+		}
+
+		@Test
+		@DisplayName("should trim whitespace from each transport")
+		void shouldTrimWhitespace() {
+			List<String> result = WebAuthnTransportUtils.parseTransportStrings(" usb , nfc ");
+			assertThat(result).containsExactlyInAnyOrder("usb", "nfc");
+		}
+
+		@Test
+		@DisplayName("should filter empty entries from leading/trailing commas")
+		void shouldFilterEmptyEntries() {
+			assertThat(WebAuthnTransportUtils.parseTransportStrings(",usb,")).containsExactly("usb");
+		}
+
+		@Test
+		@DisplayName("should return unmodifiable list")
+		void shouldReturnUnmodifiableList() {
+			List<String> result = WebAuthnTransportUtils.parseTransportStrings("usb");
+			assertThatThrownBy(() -> result.add("nfc")).isInstanceOf(UnsupportedOperationException.class);
+		}
+	}
+
+	@Nested
+	@DisplayName("parseTransports")
+	class ParseTransportsTests {
+
+		@ParameterizedTest
+		@NullAndEmptySource
+		@DisplayName("should return empty set for null or empty input")
+		void shouldReturnEmptyForNullOrEmpty(String input) {
+			assertThat(WebAuthnTransportUtils.parseTransports(input)).isEmpty();
+		}
+
+		@Test
+		@DisplayName("should parse single transport value")
+		void shouldParseSingleTransport() {
+			String value = AuthenticatorTransport.USB.getValue();
+			Set<AuthenticatorTransport> result = WebAuthnTransportUtils.parseTransports(value);
+			assertThat(result).containsExactly(AuthenticatorTransport.USB);
+		}
+
+		@Test
+		@DisplayName("should parse multiple transport values")
+		void shouldParseMultipleTransports() {
+			String input = AuthenticatorTransport.USB.getValue() + "," + AuthenticatorTransport.NFC.getValue();
+			Set<AuthenticatorTransport> result = WebAuthnTransportUtils.parseTransports(input);
+			assertThat(result).containsExactlyInAnyOrder(AuthenticatorTransport.USB, AuthenticatorTransport.NFC);
+		}
+
+		@Test
+		@DisplayName("should trim whitespace from each transport value")
+		void shouldTrimWhitespace() {
+			String input = " " + AuthenticatorTransport.USB.getValue() + " ";
+			Set<AuthenticatorTransport> result = WebAuthnTransportUtils.parseTransports(input);
+			assertThat(result).containsExactly(AuthenticatorTransport.USB);
+		}
+
+		@Test
+		@DisplayName("should return unmodifiable set")
+		void shouldReturnUnmodifiableSet() {
+			String validValue = AuthenticatorTransport.USB.getValue();
+			Set<AuthenticatorTransport> result = WebAuthnTransportUtils.parseTransports(validValue);
+			assertThatThrownBy(() -> result.add(AuthenticatorTransport.NFC))
+					.isInstanceOf(UnsupportedOperationException.class);
+		}
+	}
+}