feat(w2): auth core entities + Google OAuth + JWT + NextAuth bridge

Extracted from InspectFlow Sprint 14.1-14.2, repackaged to de.platesoft.auth.*: - Entities: User, UserIdentity, Membership, Invitation, AccessRequest, LoginEvent, RefreshToken - Enums: Role, OrgType, MembershipRole, MembershipStatus, InvitationStatus, AccessRequestStatus, LoginProvider - Services: JwtService, ExchangeService, MembershipService, LoginEventService - Filter: JwtAuthenticationFilter - Controller: OAuthController (POST /api/auth/exchange) - Config: PlateAuthAutoConfiguration, PlateAuthProperties (plate.auth.* namespace) - Repositories: all auth-related JPA repositories - SPI: OrgValidator, OrgDisplayNameResolver, InvitationMailer, AccessRequestMailer, OnboardingHook - SPI defaults: PermissiveOrgValidator (WARN per call), LoggingInvitationMailer, LoggingAccessRequestMailer, DefaultOrgDisplayNameResolver, NoOpOnboardingHook - DTOs: ExchangePayload, TokenResponse - Security: BCrypt encoder, stateless session, CORS from PlateAuthProperties - META-INF/spring AutoConfiguration.imports registered All @Value refs replaced with PlateAuthProperties injection. No references to de.platesoft.inspectflow.* remain.
2026-06-24 15:46:54 +02:00
parent 973c82f304
commit 63c953d9b9
43 changed files with 1423 additions and 0 deletions
@@ -41,6 +41,10 @@
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-mail</artifactId>
        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>

        <!-- Hibernate Envers (Audit) -->
        <dependency>
@@ -0,0 +1,117 @@
+package de.platesoft.auth;
+
+import de.platesoft.auth.filter.JwtAuthenticationFilter;
+import de.platesoft.auth.service.JwtService;
+import de.platesoft.auth.spi.*;
+import de.platesoft.auth.spi.defaults.*;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
+import org.springframework.scheduling.annotation.EnableAsync;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
+
+@AutoConfiguration
+@EnableConfigurationProperties(PlateAuthProperties.class)
+@ComponentScan(basePackages = "de.platesoft.auth")
+@EnableJpaRepositories(basePackages = "de.platesoft.auth.repository")
+@EnableAsync
+@ConditionalOnProperty(prefix = "plate.auth", name = "enabled", havingValue = "true", matchIfMissing = true)
+public class PlateAuthAutoConfiguration {
+
+    // ── SPI defaults ─────────────────────────────────────────────────────────
+
+    @Bean
+    @ConditionalOnMissingBean(OrgValidator.class)
+    public OrgValidator orgValidator() {
+        return new PermissiveOrgValidator();
+    }
+
+    @Bean
+    @ConditionalOnMissingBean(OrgDisplayNameResolver.class)
+    public OrgDisplayNameResolver orgDisplayNameResolver() {
+        return new DefaultOrgDisplayNameResolver();
+    }
+
+    @Bean
+    @ConditionalOnMissingBean(InvitationMailer.class)
+    public InvitationMailer invitationMailer() {
+        return new LoggingInvitationMailer();
+    }
+
+    @Bean
+    @ConditionalOnMissingBean(AccessRequestMailer.class)
+    public AccessRequestMailer accessRequestMailer() {
+        return new LoggingAccessRequestMailer();
+    }
+
+    @Bean
+    @ConditionalOnMissingBean(OnboardingHook.class)
+    public OnboardingHook onboardingHook() {
+        return new NoOpOnboardingHook();
+    }
+
+    // ── Security ─────────────────────────────────────────────────────────────
+
+    @Bean
+    @ConditionalOnMissingBean(PasswordEncoder.class)
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Bean
+    public JwtAuthenticationFilter jwtAuthenticationFilter(JwtService jwtService) {
+        return new JwtAuthenticationFilter(jwtService);
+    }
+
+    @Bean
+    public SecurityFilterChain plateAuthSecurityFilterChain(
+            HttpSecurity http,
+            JwtAuthenticationFilter jwtFilter,
+            PlateAuthProperties props) throws Exception {
+        http
+            .csrf(AbstractHttpConfigurer::disable)
+            .cors(cors -> cors.configurationSource(corsConfigurationSource(props)))
+            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers(
+                    "/api/auth/exchange",
+                    "/api/auth/login",
+                    "/api/auth/register",
+                    "/api/auth/refresh",
+                    "/api/auth/config",
+                    "/actuator/health"
+                ).permitAll()
+                .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
+                .anyRequest().authenticated()
+            )
+            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
+        return http.build();
+    }
+
+    private CorsConfigurationSource corsConfigurationSource(PlateAuthProperties props) {
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowedOrigins(props.getCors().getAllowedOrigins());
+        config.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
+        config.setAllowedHeaders(List.of("*"));
+        config.setAllowCredentials(true);
+        config.setMaxAge(3600L);
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", config);
+        return source;
+    }
+}
@@ -0,0 +1,73 @@
+package de.platesoft.auth;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.validation.annotation.Validated;
+
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
+
+@ConfigurationProperties(prefix = "plate.auth")
+@Validated
+@Data
+public class PlateAuthProperties {
+
+    private Jwt jwt = new Jwt();
+    private Exchange exchange = new Exchange();
+    private Registration registration = new Registration();
+    private Cors cors = new Cors();
+    private Providers providers = new Providers();
+
+    @Data
+    public static class Jwt {
+        @NotBlank
+        @Size(min = 32, message = "JWT secret must be at least 32 characters")
+        private String secret;
+        private Duration accessExpiration = Duration.ofMinutes(15);
+        private Duration refreshExpiration = Duration.ofDays(30);
+        private String issuer = "plate-auth";
+    }
+
+    @Data
+    public static class Exchange {
+        @NotBlank
+        @Size(min = 32, message = "Exchange secret must be at least 32 characters")
+        private String secret;
+        private Duration maxAge = Duration.ofSeconds(60);
+        private Duration nonceTtl = Duration.ofMinutes(5);
+    }
+
+    @Data
+    public static class Registration {
+        private boolean enabled = false;
+    }
+
+    @Data
+    public static class Cors {
+        private List<String> allowedOrigins = new ArrayList<>();
+        private List<String> additionalPermitPaths = new ArrayList<>();
+    }
+
+    @Data
+    public static class Providers {
+        private ProviderToggle google = new ProviderToggle(true);
+        private ProviderToggle microsoft = new ProviderToggle(false);
+        private ProviderToggle emailMagicLink = new ProviderToggle(false);
+    }
+
+    @Data
+    public static class ProviderToggle {
+        private boolean enabled;
+
+        public ProviderToggle() {
+            this.enabled = false;
+        }
+
+        public ProviderToggle(boolean enabled) {
+            this.enabled = enabled;
+        }
+    }
+}
@@ -0,0 +1,27 @@
+package de.platesoft.auth.controller;
+
+import de.platesoft.auth.dto.TokenResponse;
+import de.platesoft.auth.service.ExchangeService;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/auth/exchange")
+@RequiredArgsConstructor
+public class OAuthController {
+
+    private final ExchangeService exchangeService;
+
+    @PostMapping
+    public ResponseEntity<TokenResponse> exchange(
+            @RequestBody String body,
+            @RequestHeader(value = "X-Exchange-Signature", required = false) String signature,
+            HttpServletRequest request) {
+        String ip = request.getRemoteAddr();
+        String ua = request.getHeader("User-Agent");
+        TokenResponse tokens = exchangeService.verifyAndExchange(body, signature, ip, ua);
+        return ResponseEntity.ok(tokens);
+    }
+}
@@ -0,0 +1,17 @@
+package de.platesoft.auth.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+/**
+ * Payload of the HMAC-signed exchange envelope from NextAuth signIn callback.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record ExchangePayload(
+    String provider,
+    String providerSubject,
+    String email,
+    String name,
+    String inviteToken,
+    String nonce,
+    long iat
+) {}
@@ -0,0 +1,7 @@
+package de.platesoft.auth.dto;
+
+public record TokenResponse(
+    String accessToken,
+    String refreshToken,
+    long expiresIn
+) {}
@@ -0,0 +1,64 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.envers.Audited;
+
+import java.time.Instant;
+import java.util.UUID;
+
+@Entity
+@Table(name = "access_requests")
+@Audited
+@Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder
+public class AccessRequest {
+
+    @Id
+    @Column(columnDefinition = "uuid")
+    private UUID id;
+
+    @ManyToOne(fetch = FetchType.LAZY, optional = false)
+    @JoinColumn(name = "requester_id", nullable = false)
+    private User requester;
+
+    @Enumerated(EnumType.STRING)
+    @Column(name = "org_type", nullable = false, length = 16)
+    private OrgType orgType;
+
+    @Column(name = "org_id", nullable = false, columnDefinition = "uuid")
+    private UUID orgId;
+
+    @Enumerated(EnumType.STRING)
+    @Column(name = "requested_role", nullable = false, length = 16)
+    private MembershipRole requestedRole;
+
+    @Column(length = 500)
+    private String justification;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false, length = 16)
+    private AccessRequestStatus status;
+
+    @Column(name = "reviewer_id", columnDefinition = "uuid")
+    private UUID reviewerId;
+
+    @Column(name = "decision_reason", length = 500)
+    private String decisionReason;
+
+    @Column(name = "created_at", nullable = false, updatable = false)
+    private Instant createdAt;
+
+    @Column(name = "decided_at")
+    private Instant decidedAt;
+
+    @Version
+    private Long version;
+
+    @PrePersist
+    void prePersist() {
+        if (id == null) id = UUID.randomUUID();
+        if (createdAt == null) createdAt = Instant.now();
+        if (status == null) status = AccessRequestStatus.PENDING;
+        if (requestedRole == null) requestedRole = MembershipRole.VIEWER;
+    }
+}
@@ -0,0 +1,3 @@
+package de.platesoft.auth.entity;
+
+public enum AccessRequestStatus { PENDING, APPROVED, DENIED, EXPIRED }
@@ -0,0 +1,74 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.envers.Audited;
+
+import java.time.Instant;
+import java.util.UUID;
+
+@Entity
+@Table(name = "invitations")
+@Audited
+@Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder
+public class Invitation {
+
+    @Id
+    @Column(columnDefinition = "uuid")
+    private UUID id;
+
+    @Column(nullable = false, unique = true, length = 64)
+    private String token;
+
+    @Column(nullable = false, length = 255)
+    private String email;
+
+    @Enumerated(EnumType.STRING)
+    @Column(name = "org_type", nullable = false, length = 16)
+    private OrgType orgType;
+
+    @Column(name = "org_id", nullable = false, columnDefinition = "uuid")
+    private UUID orgId;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false, length = 16)
+    private MembershipRole role;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false, length = 16)
+    private InvitationStatus status;
+
+    @Column(name = "created_by", nullable = false, columnDefinition = "uuid")
+    private UUID createdBy;
+
+    @Column(name = "created_at", nullable = false, updatable = false)
+    private Instant createdAt;
+
+    @Column(name = "expires_at", nullable = false)
+    private Instant expiresAt;
+
+    @Column(name = "accepted_at")
+    private Instant acceptedAt;
+
+    @Column(name = "accepted_by", columnDefinition = "uuid")
+    private UUID acceptedBy;
+
+    @Column(name = "revoked_at")
+    private Instant revokedAt;
+
+    @Column(name = "revoked_by", columnDefinition = "uuid")
+    private UUID revokedBy;
+
+    @Column(length = 500)
+    private String note;
+
+    @Version
+    private Long version;
+
+    @PrePersist
+    void prePersist() {
+        if (id == null) id = UUID.randomUUID();
+        if (createdAt == null) createdAt = Instant.now();
+        if (status == null) status = InvitationStatus.PENDING;
+    }
+}
@@ -0,0 +1,3 @@
+package de.platesoft.auth.entity;
+
+public enum InvitationStatus { PENDING, ACCEPTED, REVOKED, EXPIRED }
@@ -0,0 +1,46 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+
+import java.time.Instant;
+import java.util.UUID;
+
+@Entity
+@Table(name = "login_events")
+@Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder
+public class LoginEvent {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "user_id", columnDefinition = "uuid")
+    private UUID userId;
+
+    @Column(nullable = false, length = 255)
+    private String email;
+
+    @Column(nullable = false, length = 32)
+    private String provider;
+
+    @Column(nullable = false, length = 32)
+    private String outcome;
+
+    @Column(name = "ip_address", length = 45)
+    private String ipAddress;
+
+    @Column(name = "user_agent", length = 512)
+    private String userAgent;
+
+    @Column(name = "correlation_id", length = 64)
+    private String correlationId;
+
+    @Column(name = "occurred_at", nullable = false)
+    private Instant occurredAt;
+
+    @PrePersist
+    void prePersist() {
+        if (occurredAt == null) occurredAt = Instant.now();
+    }
+}
@@ -0,0 +1,3 @@
+package de.platesoft.auth.entity;
+
+public enum LoginProvider { GOOGLE, MICROSOFT, EMAIL, PASSWORD }
@@ -0,0 +1,64 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.envers.Audited;
+
+import java.time.Instant;
+import java.util.UUID;
+
+@Entity
+@Table(name = "memberships", uniqueConstraints = {
+    @UniqueConstraint(name = "uq_memberships_user_org", columnNames = {"user_id", "org_type", "org_id"})
+})
+@Audited
+@Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder
+public class Membership {
+
+    @Id @Column(columnDefinition = "uuid")
+    private UUID id;
+
+    @ManyToOne(fetch = FetchType.LAZY, optional = false)
+    @JoinColumn(name = "user_id", nullable = false)
+    private User user;
+
+    @Enumerated(EnumType.STRING)
+    @Column(name = "org_type", nullable = false, length = 16)
+    private OrgType orgType;
+
+    @Column(name = "org_id", nullable = false, columnDefinition = "uuid")
+    private UUID orgId;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false, length = 16)
+    private MembershipRole role;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false, length = 16)
+    private MembershipStatus status;
+
+    @Column(name = "granted_by", columnDefinition = "uuid")
+    private UUID grantedBy;
+
+    @Column(name = "grant_reason", length = 64)
+    private String grantReason;
+
+    @Column(name = "created_at", nullable = false, updatable = false)
+    private Instant createdAt;
+
+    @Column(name = "revoked_at")
+    private Instant revokedAt;
+
+    @Column(name = "revoked_by", columnDefinition = "uuid")
+    private UUID revokedBy;
+
+    @Version
+    private Long version;
+
+    @PrePersist
+    void prePersist() {
+        if (id == null) id = UUID.randomUUID();
+        if (createdAt == null) createdAt = Instant.now();
+        if (status == null) status = MembershipStatus.ACTIVE;
+    }
+}
@@ -0,0 +1,9 @@
+package de.platesoft.auth.entity;
+
+public enum MembershipRole {
+    OWNER,
+    ADMIN,
+    INSPECTOR,
+    VIEWER,
+    MEMBER
+}
@@ -0,0 +1,3 @@
+package de.platesoft.auth.entity;
+
+public enum MembershipStatus { ACTIVE, REVOKED, PENDING }
@@ -0,0 +1,3 @@
+package de.platesoft.auth.entity;
+
+public enum OrgType { COMPANY, CLUB, WORKSPACE }
@@ -0,0 +1,42 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.envers.Audited;
+
+import java.time.Instant;
+import java.util.UUID;
+
+/**
+ * Refresh token entity for rotation tracking.
+ */
+@Entity
+@Table(name = "refresh_tokens")
+@Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder
+public class RefreshToken {
+
+    @Id
+    @Column(columnDefinition = "uuid")
+    private UUID id;
+
+    @Column(name = "user_id", nullable = false, columnDefinition = "uuid")
+    private UUID userId;
+
+    @Column(nullable = false, unique = true, length = 255)
+    private String token;
+
+    @Column(name = "expires_at", nullable = false)
+    private Instant expiresAt;
+
+    @Column(nullable = false)
+    private boolean revoked;
+
+    @Column(name = "created_at", nullable = false, updatable = false)
+    private Instant createdAt;
+
+    @PrePersist
+    void prePersist() {
+        if (id == null) id = UUID.randomUUID();
+        if (createdAt == null) createdAt = Instant.now();
+    }
+}
@@ -0,0 +1,9 @@
+package de.platesoft.auth.entity;
+
+/**
+ * Global user roles. Consumers may extend via MembershipRole for per-org roles.
+ */
+public enum Role {
+    ROLE_USER,
+    ROLE_ADMIN
+}
@@ -0,0 +1,78 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.envers.Audited;
+import org.hibernate.envers.NotAudited;
+
+import java.time.OffsetDateTime;
+import java.util.UUID;
+
+@Entity
+@Table(name = "users")
+@Audited
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class User {
+
+    @Id
+    @Column(nullable = false, updatable = false)
+    private UUID id;
+
+    @Column(nullable = false, unique = true)
+    private String email;
+
+    @NotAudited
+    @Column(name = "password_hash")
+    private String passwordHash;
+
+    @Column(name = "first_name", nullable = false, length = 100)
+    private String firstName;
+
+    @Column(name = "last_name", nullable = false, length = 100)
+    private String lastName;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false, length = 50)
+    private Role role;
+
+    @Column(nullable = false)
+    private boolean active;
+
+    @Column(name = "default_org_id")
+    private UUID defaultOrgId;
+
+    @Column(name = "last_provider", length = 32)
+    private String lastProvider;
+
+    @Version
+    @NotAudited
+    private Long version;
+
+    @Column(name = "last_login")
+    private OffsetDateTime lastLogin;
+
+    @NotAudited
+    @Column(name = "created_at", nullable = false, updatable = false)
+    private OffsetDateTime createdAt;
+
+    @NotAudited
+    @Column(name = "updated_at", nullable = false)
+    private OffsetDateTime updatedAt;
+
+    @PrePersist
+    protected void onCreate() {
+        if (id == null) id = UUID.randomUUID();
+        createdAt = OffsetDateTime.now();
+        updatedAt = OffsetDateTime.now();
+        if (!active) active = true;
+    }
+
+    @PreUpdate
+    protected void onUpdate() {
+        updatedAt = OffsetDateTime.now();
+    }
+}
@@ -0,0 +1,55 @@
+package de.platesoft.auth.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.envers.Audited;
+
+import java.time.Instant;
+import java.util.UUID;
+
+/**
+ * Provider-agnostic identity link: one row per (provider, subject) pair, many per user.
+ */
+@Entity
+@Table(name = "user_identities", uniqueConstraints = {
+    @UniqueConstraint(name = "uq_user_identities_provider_subject", columnNames = {"provider", "subject"})
+})
+@Audited
+@Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder
+public class UserIdentity {
+
+    @Id
+    @Column(columnDefinition = "uuid")
+    private UUID id;
+
+    @ManyToOne(fetch = FetchType.LAZY, optional = false)
+    @JoinColumn(name = "user_id", nullable = false)
+    private User user;
+
+    @Column(nullable = false, length = 32)
+    private String provider;
+
+    @Column(nullable = false, length = 255)
+    private String subject;
+
+    @Column(nullable = false, length = 255)
+    private String email;
+
+    @Column(name = "tenant_id", length = 64)
+    private String tenantId;
+
+    @Column(name = "linked_at", nullable = false)
+    private Instant linkedAt;
+
+    @Column(name = "last_login_at")
+    private Instant lastLoginAt;
+
+    @Version
+    private Long version;
+
+    @PrePersist
+    void prePersist() {
+        if (id == null) id = UUID.randomUUID();
+        if (linkedAt == null) linkedAt = Instant.now();
+    }
+}
@@ -0,0 +1,47 @@
+package de.platesoft.auth.filter;
+
+import de.platesoft.auth.service.JwtService;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.UUID;
+
+@Slf4j
+@RequiredArgsConstructor
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+
+    private final JwtService jwtService;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+                                    FilterChain filterChain) throws ServletException, IOException {
+        String authHeader = request.getHeader("Authorization");
+        if (authHeader != null && authHeader.startsWith("Bearer ")) {
+            String token = authHeader.substring(7);
+            if (jwtService.isTokenValid(token)) {
+                UUID userId = jwtService.extractUserId(token);
+                String email = jwtService.extractEmail(token);
+                String role = jwtService.extractRole(token);
+
+                var auth = new UsernamePasswordAuthenticationToken(
+                        userId.toString(),
+                        null,
+                        List.of(new SimpleGrantedAuthority(role))
+                );
+                auth.setDetails(email);
+                SecurityContextHolder.getContext().setAuthentication(auth);
+            }
+        }
+        filterChain.doFilter(request, response);
+    }
+}
@@ -0,0 +1,15 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.AccessRequest;
+import de.platesoft.auth.entity.AccessRequestStatus;
+import de.platesoft.auth.entity.OrgType;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.List;
+import java.util.UUID;
+
+public interface AccessRequestRepository extends JpaRepository<AccessRequest, UUID> {
+    List<AccessRequest> findByOrgTypeAndOrgIdAndStatus(OrgType orgType, UUID orgId, AccessRequestStatus status);
+    List<AccessRequest> findByRequesterIdAndStatus(UUID requesterId, AccessRequestStatus status);
+    long countByRequesterIdAndStatus(UUID requesterId, AccessRequestStatus status);
+}
@@ -0,0 +1,16 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.Invitation;
+import de.platesoft.auth.entity.InvitationStatus;
+import de.platesoft.auth.entity.OrgType;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+public interface InvitationRepository extends JpaRepository<Invitation, UUID> {
+    Optional<Invitation> findByToken(String token);
+    List<Invitation> findByOrgTypeAndOrgIdAndStatus(OrgType orgType, UUID orgId, InvitationStatus status);
+    List<Invitation> findByEmailAndStatus(String email, InvitationStatus status);
+}
@@ -0,0 +1,7 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.LoginEvent;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+public interface LoginEventRepository extends JpaRepository<LoginEvent, Long> {
+}
@@ -0,0 +1,16 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.Membership;
+import de.platesoft.auth.entity.MembershipStatus;
+import de.platesoft.auth.entity.OrgType;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+public interface MembershipRepository extends JpaRepository<Membership, UUID> {
+    Optional<Membership> findByUserIdAndOrgTypeAndOrgId(UUID userId, OrgType orgType, UUID orgId);
+    List<Membership> findByUserIdAndStatus(UUID userId, MembershipStatus status);
+    List<Membership> findByOrgTypeAndOrgIdAndStatus(OrgType orgType, UUID orgId, MembershipStatus status);
+}
@@ -0,0 +1,12 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.RefreshToken;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.Optional;
+import java.util.UUID;
+
+public interface RefreshTokenRepository extends JpaRepository<RefreshToken, UUID> {
+    Optional<RefreshToken> findByToken(String token);
+    void deleteByUserId(UUID userId);
+}
@@ -0,0 +1,11 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.UserIdentity;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.Optional;
+import java.util.UUID;
+
+public interface UserIdentityRepository extends JpaRepository<UserIdentity, UUID> {
+    Optional<UserIdentity> findByProviderAndSubject(String provider, String subject);
+}
@@ -0,0 +1,12 @@
+package de.platesoft.auth.repository;
+
+import de.platesoft.auth.entity.User;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.Optional;
+import java.util.UUID;
+
+public interface UserRepository extends JpaRepository<User, UUID> {
+    Optional<User> findByEmail(String email);
+    boolean existsByEmail(String email);
+}
@@ -0,0 +1,162 @@
+package de.platesoft.auth.service;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.platesoft.auth.PlateAuthProperties;
+import de.platesoft.auth.dto.ExchangePayload;
+import de.platesoft.auth.dto.TokenResponse;
+import de.platesoft.auth.entity.*;
+import de.platesoft.auth.repository.UserIdentityRepository;
+import de.platesoft.auth.repository.UserRepository;
+import de.platesoft.auth.spi.OnboardingHook;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.time.Instant;
+import java.util.HexFormat;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+/**
+ * Verifies the HMAC-SHA256 exchange envelope from NextAuth and provides replay protection.
+ * The nonce store is in-memory and single-instance only (see Architecture.md § 5 note).
+ */
+@Slf4j
+@Service
+public class ExchangeService {
+
+    private final String secret;
+    private final long maxAgeSeconds;
+    private final long nonceTtlSeconds;
+    private final ObjectMapper mapper;
+    private final JwtService jwtService;
+    private final UserRepository userRepository;
+    private final UserIdentityRepository identityRepository;
+    private final OnboardingHook onboardingHook;
+    private final LoginEventService loginEventService;
+
+    private final ConcurrentMap<String, Long> seenNonces = new ConcurrentHashMap<>();
+
+    public ExchangeService(
+            PlateAuthProperties props,
+            ObjectMapper mapper,
+            JwtService jwtService,
+            UserRepository userRepository,
+            UserIdentityRepository identityRepository,
+            OnboardingHook onboardingHook,
+            LoginEventService loginEventService) {
+        this.secret = props.getExchange().getSecret();
+        this.maxAgeSeconds = props.getExchange().getMaxAge().getSeconds();
+        this.nonceTtlSeconds = props.getExchange().getNonceTtl().getSeconds();
+        this.mapper = mapper;
+        this.jwtService = jwtService;
+        this.userRepository = userRepository;
+        this.identityRepository = identityRepository;
+        this.onboardingHook = onboardingHook;
+        this.loginEventService = loginEventService;
+    }
+
+    /**
+     * Verify HMAC signature, check envelope age and nonce uniqueness,
+     * then find-or-create user and issue tokens.
+     */
+    @Transactional
+    public TokenResponse verifyAndExchange(String body, String signatureHex, String ipAddress, String userAgent) {
+        if (signatureHex == null || signatureHex.isBlank()) {
+            throw new SecurityException("Missing X-Exchange-Signature");
+        }
+        String expected = hmacSha256Hex(body);
+        if (!constantTimeEquals(expected, signatureHex)) {
+            log.warn("Exchange HMAC mismatch — possible tampering or key mismatch");
+            throw new SecurityException("Invalid exchange signature");
+        }
+
+        ExchangePayload payload;
+        try {
+            payload = mapper.readValue(body, ExchangePayload.class);
+        } catch (Exception e) {
+            throw new SecurityException("Malformed exchange payload");
+        }
+
+        long now = Instant.now().getEpochSecond();
+        if (Math.abs(now - payload.iat()) > maxAgeSeconds) {
+            throw new SecurityException("Exchange envelope expired");
+        }
+
+        Long prev = seenNonces.putIfAbsent(payload.nonce(), now);
+        if (prev != null) {
+            throw new SecurityException("Replayed nonce");
+        }
+        gcNonces(now);
+
+        // Find or create user + identity
+        User user = findOrCreateUser(payload);
+
+        // Record login event
+        loginEventService.recordSuccess(user, payload.provider(), ipAddress, userAgent);
+
+        return jwtService.issueTokensFor(user);
+    }
+
+    private User findOrCreateUser(ExchangePayload payload) {
+        var existingIdentity = identityRepository.findByProviderAndSubject(
+                payload.provider(), payload.providerSubject());
+
+        if (existingIdentity.isPresent()) {
+            UserIdentity identity = existingIdentity.get();
+            identity.setLastLoginAt(Instant.now());
+            User user = identity.getUser();
+            user.setLastProvider(payload.provider());
+            onboardingHook.onSubsequentSignIn(user, LoginProvider.valueOf(payload.provider().toUpperCase()));
+            return user;
+        }
+
+        // New user
+        User user = userRepository.findByEmail(payload.email())
+                .orElseGet(() -> userRepository.save(User.builder()
+                        .email(payload.email())
+                        .firstName(payload.name() != null ? payload.name().split(" ")[0] : "")
+                        .lastName(payload.name() != null && payload.name().contains(" ")
+                                ? payload.name().substring(payload.name().indexOf(' ') + 1) : "")
+                        .role(Role.ROLE_USER)
+                        .active(true)
+                        .lastProvider(payload.provider())
+                        .build()));
+
+        identityRepository.save(UserIdentity.builder()
+                .user(user)
+                .provider(payload.provider())
+                .subject(payload.providerSubject())
+                .email(payload.email())
+                .build());
+
+        onboardingHook.onFirstSignIn(user, LoginProvider.valueOf(payload.provider().toUpperCase()));
+        return user;
+    }
+
+    private String hmacSha256Hex(String body) {
+        try {
+            Mac mac = Mac.getInstance("HmacSHA256");
+            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
+            return HexFormat.of().formatHex(mac.doFinal(body.getBytes(StandardCharsets.UTF_8)));
+        } catch (Exception e) {
+            throw new IllegalStateException("HMAC computation failed", e);
+        }
+    }
+
+    /** Constant-time comparison using MessageDigest.isEqual */
+    private boolean constantTimeEquals(String a, String b) {
+        byte[] aBytes = a.getBytes(StandardCharsets.UTF_8);
+        byte[] bBytes = b.getBytes(StandardCharsets.UTF_8);
+        return MessageDigest.isEqual(aBytes, bBytes);
+    }
+
+    private void gcNonces(long now) {
+        seenNonces.entrySet().removeIf(e -> now - e.getValue() > nonceTtlSeconds);
+    }
+}
@@ -0,0 +1,96 @@
+package de.platesoft.auth.service;
+
+import de.platesoft.auth.PlateAuthProperties;
+import de.platesoft.auth.dto.TokenResponse;
+import de.platesoft.auth.entity.User;
+import io.jsonwebtoken.*;
+import io.jsonwebtoken.security.Keys;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+
+import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
+import java.util.Date;
+import java.util.Map;
+import java.util.UUID;
+
+@Slf4j
+@Service
+public class JwtService {
+
+    private final SecretKey key;
+    private final long accessExpirationMs;
+    private final long refreshExpirationMs;
+    private final String issuer;
+
+    public JwtService(PlateAuthProperties props) {
+        this.key = Keys.hmacShaKeyFor(props.getJwt().getSecret().getBytes(StandardCharsets.UTF_8));
+        this.accessExpirationMs = props.getJwt().getAccessExpiration().toMillis();
+        this.refreshExpirationMs = props.getJwt().getRefreshExpiration().toMillis();
+        this.issuer = props.getJwt().getIssuer();
+    }
+
+    public String generateAccessToken(UUID userId, String email, String role) {
+        return Jwts.builder()
+                .issuer(issuer)
+                .subject(userId.toString())
+                .claims(Map.of("email", email, "role", role))
+                .issuedAt(new Date())
+                .expiration(new Date(System.currentTimeMillis() + accessExpirationMs))
+                .signWith(key)
+                .compact();
+    }
+
+    public String generateRefreshToken(UUID userId) {
+        return Jwts.builder()
+                .issuer(issuer)
+                .subject(userId.toString())
+                .claim("type", "refresh")
+                .id(UUID.randomUUID().toString())
+                .issuedAt(new Date())
+                .expiration(new Date(System.currentTimeMillis() + refreshExpirationMs))
+                .signWith(key)
+                .compact();
+    }
+
+    public TokenResponse issueTokensFor(User user) {
+        String access = generateAccessToken(user.getId(), user.getEmail(), user.getRole().name());
+        String refresh = generateRefreshToken(user.getId());
+        return new TokenResponse(access, refresh, accessExpirationMs / 1000);
+    }
+
+    public long getRefreshExpirationMs() {
+        return refreshExpirationMs;
+    }
+
+    public Claims extractClaims(String token) {
+        return Jwts.parser()
+                .verifyWith(key)
+                .requireIssuer(issuer)
+                .build()
+                .parseSignedClaims(token)
+                .getPayload();
+    }
+
+    public UUID extractUserId(String token) {
+        return UUID.fromString(extractClaims(token).getSubject());
+    }
+
+    public String extractEmail(String token) {
+        return extractClaims(token).get("email", String.class);
+    }
+
+    public String extractRole(String token) {
+        return extractClaims(token).get("role", String.class);
+    }
+
+    public boolean isTokenValid(String token) {
+        try {
+            extractClaims(token);
+            return true;
+        } catch (JwtException | IllegalArgumentException e) {
+            log.debug("Token validation failed: {}", e.getMessage());
+            return false;
+        }
+    }
+}
@@ -0,0 +1,42 @@
+package de.platesoft.auth.service;
+
+import de.platesoft.auth.entity.LoginEvent;
+import de.platesoft.auth.entity.User;
+import de.platesoft.auth.repository.LoginEventRepository;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.scheduling.annotation.Async;
+import org.springframework.stereotype.Service;
+
+import java.util.UUID;
+
+@Slf4j
+@Service
+@RequiredArgsConstructor
+public class LoginEventService {
+
+    private final LoginEventRepository repo;
+
+    @Async
+    public void recordSuccess(User user, String provider, String ipAddress, String userAgent) {
+        repo.save(LoginEvent.builder()
+                .userId(user.getId())
+                .email(user.getEmail())
+                .provider(provider)
+                .outcome("SUCCESS")
+                .ipAddress(ipAddress)
+                .userAgent(userAgent)
+                .build());
+    }
+
+    @Async
+    public void recordFailure(String email, String provider, String outcome, String ipAddress, String userAgent) {
+        repo.save(LoginEvent.builder()
+                .email(email)
+                .provider(provider)
+                .outcome(outcome)
+                .ipAddress(ipAddress)
+                .userAgent(userAgent)
+                .build());
+    }
+}
@@ -0,0 +1,116 @@
+package de.platesoft.auth.service;
+
+import de.platesoft.auth.entity.*;
+import de.platesoft.auth.repository.MembershipRepository;
+import de.platesoft.auth.spi.OrgValidator;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.time.Instant;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+@Slf4j
+@Service
+@RequiredArgsConstructor
+public class MembershipService {
+
+    private final MembershipRepository repo;
+    private final OrgValidator orgValidator;
+
+    @Transactional
+    public Membership grant(User user, OrgType orgType, UUID orgId, MembershipRole role,
+                            UUID grantedBy, String reason) {
+        // Validate org exists via SPI
+        if (!orgValidator.exists(orgType, orgId)) {
+            throw new IllegalArgumentException(
+                    "OrgValidator rejected org: " + orgType + "/" + orgId);
+        }
+
+        Optional<Membership> existing = repo.findByUserIdAndOrgTypeAndOrgId(user.getId(), orgType, orgId);
+        if (existing.isPresent()) {
+            Membership m = existing.get();
+            if (m.getStatus() == MembershipStatus.ACTIVE) {
+                if (rank(role) > rank(m.getRole())) {
+                    log.info("Upgrading membership user={} org={} {}→{}", user.getId(), orgId, m.getRole(), role);
+                    m.setRole(role);
+                }
+                return m;
+            }
+            m.setStatus(MembershipStatus.ACTIVE);
+            m.setRole(role);
+            m.setRevokedAt(null);
+            m.setRevokedBy(null);
+            m.setGrantedBy(grantedBy);
+            m.setGrantReason(reason);
+            return m;
+        }
+        return repo.save(Membership.builder()
+                .user(user)
+                .orgType(orgType)
+                .orgId(orgId)
+                .role(role)
+                .status(MembershipStatus.ACTIVE)
+                .grantedBy(grantedBy)
+                .grantReason(reason)
+                .build());
+    }
+
+    @Transactional
+    public void revoke(UUID membershipId, UUID revokedBy) {
+        Membership m = repo.findById(membershipId)
+                .orElseThrow(() -> new IllegalArgumentException("Membership not found: " + membershipId));
+        if (m.getStatus() == MembershipStatus.REVOKED) return;
+        m.setStatus(MembershipStatus.REVOKED);
+        m.setRevokedAt(Instant.now());
+        m.setRevokedBy(revokedBy);
+    }
+
+    @Transactional(readOnly = true)
+    public List<Membership> activeForUser(UUID userId) {
+        return repo.findByUserIdAndStatus(userId, MembershipStatus.ACTIVE);
+    }
+
+    @Transactional(readOnly = true)
+    public Optional<Membership> resolve(UUID userId, OrgType orgType, UUID orgId) {
+        return repo.findByUserIdAndOrgTypeAndOrgId(userId, orgType, orgId)
+                .filter(m -> m.getStatus() == MembershipStatus.ACTIVE);
+    }
+
+    @Transactional(readOnly = true)
+    public boolean isOrgAdmin(UUID userId, OrgType orgType, UUID orgId) {
+        return repo.findByUserIdAndOrgTypeAndOrgId(userId, orgType, orgId)
+                .filter(m -> m.getStatus() == MembershipStatus.ACTIVE)
+                .map(m -> rank(m.getRole()) >= rank(MembershipRole.ADMIN))
+                .orElse(false);
+    }
+
+    public void assertAdminOf(UUID userId, OrgType orgType, UUID orgId) {
+        if (!isOrgAdmin(userId, orgType, orgId)) {
+            throw new AccessDeniedException(
+                    "User " + userId + " is not admin of " + orgType + "/" + orgId);
+        }
+    }
+
+    @Transactional(readOnly = true)
+    public List<Membership> adminsByOrg(OrgType orgType, UUID orgId) {
+        return repo.findByOrgTypeAndOrgIdAndStatus(orgType, orgId, MembershipStatus.ACTIVE)
+                .stream()
+                .filter(m -> rank(m.getRole()) >= rank(MembershipRole.ADMIN))
+                .toList();
+    }
+
+    private int rank(MembershipRole r) {
+        return switch (r) {
+            case OWNER -> 5;
+            case ADMIN -> 4;
+            case INSPECTOR -> 3;
+            case VIEWER -> 2;
+            case MEMBER -> 1;
+        };
+    }
+}
@@ -0,0 +1,12 @@
+package de.platesoft.auth.spi;
+
+import de.platesoft.auth.entity.AccessRequest;
+
+/**
+ * Notifies admins of new access requests and requesters of decisions.
+ * The default implementation logs notifications at INFO level.
+ */
+public interface AccessRequestMailer {
+    void notifyAdmins(AccessRequest request);
+    void notifyRequester(AccessRequest request);
+}
@@ -0,0 +1,10 @@
+package de.platesoft.auth.spi;
+
+import de.platesoft.auth.entity.Invitation;
+
+/**
+ * Sends invitation emails. The default implementation logs the accept URL at INFO level.
+ */
+public interface InvitationMailer {
+    void sendInvitation(Invitation invitation, String acceptUrl);
+}
@@ -0,0 +1,16 @@
+package de.platesoft.auth.spi;
+
+import de.platesoft.auth.entity.LoginProvider;
+import de.platesoft.auth.entity.User;
+
+/**
+ * Called on first and subsequent sign-ins. Consumers wire their T3 onboarding logic here.
+ * The default implementation is a no-op.
+ */
+public interface OnboardingHook {
+    void onFirstSignIn(User user, LoginProvider provider);
+
+    default void onSubsequentSignIn(User user, LoginProvider provider) {
+        // no-op by default
+    }
+}
@@ -0,0 +1,13 @@
+package de.platesoft.auth.spi;
+
+import de.platesoft.auth.entity.OrgType;
+
+import java.util.UUID;
+
+/**
+ * Resolves a human-readable display name for an organization.
+ * Used in invitation emails, access request notifications, etc.
+ */
+public interface OrgDisplayNameResolver {
+    String displayName(OrgType type, UUID orgId);
+}
@@ -0,0 +1,19 @@
+package de.platesoft.auth.spi;
+
+import de.platesoft.auth.entity.OrgType;
+
+import java.util.UUID;
+
+/**
+ * Validates that a given (org_type, org_id) pair represents a real organization
+ * in the consuming application's domain.
+ *
+ * <p>plate-auth calls this SPI whenever a membership is being granted or an invitation
+ * is being created. If this returns {@code false}, the operation is rejected.</p>
+ *
+ * <p>The default implementation ({@code PermissiveOrgValidator}) always returns {@code true}
+ * and logs a WARN on every call. Override this bean in production.</p>
+ */
+public interface OrgValidator {
+    boolean exists(OrgType type, UUID orgId);
+}
@@ -0,0 +1,17 @@
+package de.platesoft.auth.spi.defaults;
+
+import de.platesoft.auth.entity.OrgType;
+import de.platesoft.auth.spi.OrgDisplayNameResolver;
+
+import java.util.UUID;
+
+/**
+ * Default display name resolver — returns type:orgId.
+ */
+public class DefaultOrgDisplayNameResolver implements OrgDisplayNameResolver {
+
+    @Override
+    public String displayName(OrgType type, UUID orgId) {
+        return type + ":" + orgId.toString();
+    }
+}
@@ -0,0 +1,25 @@
+package de.platesoft.auth.spi.defaults;
+
+import de.platesoft.auth.entity.AccessRequest;
+import de.platesoft.auth.spi.AccessRequestMailer;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Default AccessRequestMailer — logs notifications at INFO level.
+ */
+@Slf4j
+public class LoggingAccessRequestMailer implements AccessRequestMailer {
+
+    @Override
+    public void notifyAdmins(AccessRequest request) {
+        log.info("[plate-auth] Access request from user {} for {}/{} with role {}",
+                request.getRequester().getEmail(), request.getOrgType(),
+                request.getOrgId(), request.getRequestedRole());
+    }
+
+    @Override
+    public void notifyRequester(AccessRequest request) {
+        log.info("[plate-auth] Access request {} decided: {}",
+                request.getId(), request.getStatus());
+    }
+}
@@ -0,0 +1,19 @@
+package de.platesoft.auth.spi.defaults;
+
+import de.platesoft.auth.entity.Invitation;
+import de.platesoft.auth.spi.InvitationMailer;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Default InvitationMailer — logs the accept URL at INFO level.
+ */
+@Slf4j
+public class LoggingInvitationMailer implements InvitationMailer {
+
+    @Override
+    public void sendInvitation(Invitation invitation, String acceptUrl) {
+        log.info("[plate-auth] Invitation for {} to join {}/{} with role {}. Accept URL: {}",
+                invitation.getEmail(), invitation.getOrgType(), invitation.getOrgId(),
+                invitation.getRole(), acceptUrl);
+    }
+}
@@ -0,0 +1,16 @@
+package de.platesoft.auth.spi.defaults;
+
+import de.platesoft.auth.entity.LoginProvider;
+import de.platesoft.auth.entity.User;
+import de.platesoft.auth.spi.OnboardingHook;
+
+/**
+ * Default OnboardingHook — no-op.
+ */
+public class NoOpOnboardingHook implements OnboardingHook {
+
+    @Override
+    public void onFirstSignIn(User user, LoginProvider provider) {
+        // no-op — consumers override to wire their onboarding logic
+    }
+}
@@ -0,0 +1,22 @@
+package de.platesoft.auth.spi.defaults;
+
+import de.platesoft.auth.entity.OrgType;
+import de.platesoft.auth.spi.OrgValidator;
+import lombok.extern.slf4j.Slf4j;
+
+import java.util.UUID;
+
+/**
+ * Default OrgValidator that accepts all (org_type, org_id) pairs.
+ * Logs a WARN on every call to make it impossible to miss in production.
+ * Override this bean to implement real validation.
+ */
+@Slf4j
+public class PermissiveOrgValidator implements OrgValidator {
+
+    @Override
+    public boolean exists(OrgType type, UUID orgId) {
+        log.warn("OrgValidator default permissive — override de.platesoft.auth.spi.OrgValidator bean before production. Called with ({}, {})", type, orgId);
+        return true;
+    }
+}
@@ -0,0 +1 @@
+de.platesoft.auth.PlateAuthAutoConfiguration
				`@@ -0,0 +1 @@`
				`de.platesoft.auth.PlateAuthAutoConfiguration`