fix: address PR review feedback for passwordless account support

- Guard passwordless registration when WebAuthn is unavailable (L1)
- Invalidate sessions on password removal for security (L2)
- Reject null password in registerNewUserAccount (L3)
- Replace @Autowired field with ObjectProvider constructor injection (L4)
- Remove unused role field from PasswordlessRegistrationDto (L5)
- Change passkeysCount from int to long (L6)
- Add webAuthnEnabled to AuthMethodsResponse (L7)
- Verify savePasswordHistory in setInitialPassword test (L8)

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/api/UserAPI.java

@@ -4,7 +4,7 @@
 import java.util.Locale;
 import java.util.Optional;
 import jakarta.validation.Valid;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.MessageSource;
@@ -66,9 +66,7 @@ public class UserAPI {
 	private final MessageSource messages;
 	private final ApplicationEventPublisher eventPublisher;
 	private final PasswordPolicyService passwordPolicyService;
-
-	@Autowired(required = false)
-	private WebAuthnCredentialManagementService webAuthnCredentialManagementService;
+	private final ObjectProvider<WebAuthnCredentialManagementService> webAuthnCredentialManagementServiceProvider;
 
 	@Value("${user.security.registrationPendingURI}")
 	private String registrationPendingURI;
@@ -360,18 +358,19 @@ public ResponseEntity<JSONResponse> getAuthMethods(@AuthenticationPrincipal DSUs
 			return buildErrorResponse("User not found", 1, HttpStatus.BAD_REQUEST);
 		}
 
+		WebAuthnCredentialManagementService webAuthnService = webAuthnCredentialManagementServiceProvider.getIfAvailable();
 		boolean hasPasskeys = false;
-		int passkeysCount = 0;
-		if (webAuthnCredentialManagementService != null) {
-			long count = webAuthnCredentialManagementService.getCredentialCount(user);
-			hasPasskeys = count > 0;
-			passkeysCount = (int) count;
+		long passkeysCount = 0;
+		if (webAuthnService != null) {
+			passkeysCount = webAuthnService.getCredentialCount(user);
+			hasPasskeys = passkeysCount > 0;
 		}
 
 		AuthMethodsResponse authMethods = AuthMethodsResponse.builder()
 				.hasPassword(userService.hasPassword(user))
 				.hasPasskeys(hasPasskeys)
 				.passkeysCount(passkeysCount)
+				.webAuthnEnabled(webAuthnService != null)
 				.provider(user.getProvider())
 				.build();
 
@@ -388,6 +387,9 @@ public ResponseEntity<JSONResponse> getAuthMethods(@AuthenticationPrincipal DSUs
 	@PostMapping("/registration/passwordless")
 	public ResponseEntity<JSONResponse> registerPasswordlessAccount(@Valid @RequestBody PasswordlessRegistrationDto dto,
 			HttpServletRequest request) {
+		if (webAuthnCredentialManagementServiceProvider.getIfAvailable() == null) {
+			return buildErrorResponse("Passwordless registration is not available", 1, HttpStatus.BAD_REQUEST);
+		}
 		try {
 			User registeredUser = userService.registerPasswordlessAccount(dto);
 			publishRegistrationEvent(registeredUser, request);

src/main/java/com/digitalsanctuary/spring/user/dto/AuthMethodsResponse.java

@@ -24,7 +24,10 @@ public class AuthMethodsResponse {
 	private boolean hasPasskeys;
 
 	/** The number of passkeys registered. */
-	private int passkeysCount;
+	private long passkeysCount;
+
+	/** Whether WebAuthn is enabled on the server. */
+	private boolean webAuthnEnabled;
 
 	/** The user's authentication provider. */
 	private User.Provider provider;

src/main/java/com/digitalsanctuary/spring/user/dto/PasswordlessRegistrationDto.java

@@ -33,6 +33,4 @@ public class PasswordlessRegistrationDto {
 	@Size(max = 100, message = "Email must not exceed 100 characters")
 	private String email;
 
-	/** The role. */
-	private Integer role;
 }

src/main/java/com/digitalsanctuary/spring/user/service/UserService.java

@@ -224,6 +224,8 @@ public String getValue() {
 
 	private final PasswordHistoryRepository passwordHistoryRepository;
 
+	private final SessionInvalidationService sessionInvalidationService;
+
 	/** The send registration verification email flag. */
 	@Value("${user.registration.sendVerificationEmail:false}")
 	private boolean sendRegistrationVerificationEmail;
@@ -249,8 +251,13 @@ public User registerNewUserAccount(final UserDto newUserDto) {
 		TimeLogger timeLogger = new TimeLogger(log, "UserService.registerNewUserAccount");
 		log.debug("UserService.registerNewUserAccount: called with userDto: {}", newUserDto);
 
+		if (newUserDto.getPassword() == null) {
+			throw new IllegalArgumentException(
+					"Password is required for standard registration. Use registerPasswordlessAccount() for passwordless accounts.");
+		}
+
 		// Validate password match only if both are provided
-		if (newUserDto.getPassword() != null && newUserDto.getMatchingPassword() != null
+		if (newUserDto.getMatchingPassword() != null
 				&& !newUserDto.getPassword().equals(newUserDto.getMatchingPassword())) {
 			throw new IllegalArgumentException("Passwords do not match");
 		}
@@ -495,6 +502,7 @@ public void removeUserPassword(User user) {
 		user.setPassword(null);
 		userRepository.save(user);
 		passwordHistoryRepository.deleteByUser(user);
+		sessionInvalidationService.invalidateUserSessions(user);
 		log.info("Password removed for user: {}", user.getEmail());
 	}
 

src/test/java/com/digitalsanctuary/spring/user/service/UserServiceTest.java

@@ -42,6 +42,7 @@
 import com.digitalsanctuary.spring.user.dto.UserDto;
 import com.digitalsanctuary.spring.user.event.UserPreDeleteEvent;
 import com.digitalsanctuary.spring.user.exceptions.UserAlreadyExistException;
+import com.digitalsanctuary.spring.user.persistence.model.PasswordHistoryEntry;
 import com.digitalsanctuary.spring.user.persistence.model.PasswordResetToken;
 import com.digitalsanctuary.spring.user.persistence.model.Role;
 import com.digitalsanctuary.spring.user.persistence.model.User;
@@ -87,6 +88,8 @@ public class UserServiceTest {
     private AuthorityService authorityService;
     @Mock
     private PasswordHistoryRepository passwordHistoryRepository;
+    @Mock
+    private SessionInvalidationService sessionInvalidationService;
     @InjectMocks
     private UserService userService;
     private User testUser;
@@ -691,6 +694,7 @@ void shouldRemovePasswordAndClearHistory() {
             assertThat(testUser.getPassword()).isNull();
             verify(userRepository).save(testUser);
             verify(passwordHistoryRepository).deleteByUser(testUser);
+            verify(sessionInvalidationService).invalidateUserSessions(testUser);
         }
     }
 
@@ -715,6 +719,7 @@ void shouldSetInitialPasswordWhenNoPassword() {
             assertThat(testUser.getPassword()).isEqualTo(encodedPassword);
             verify(passwordEncoder).encode(rawPassword);
             verify(userRepository).save(testUser);
+            verify(passwordHistoryRepository).save(any(PasswordHistoryEntry.class));
         }
 
         @Test