T

Patrick Plate b43ab5e02c fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken

Review-v2 (Sprint-0-Plan-Review-v2) blockers:
- B1: SecurityConfig chain now securityMatcher-scoped to plate-auth endpoints so it cannot hijack the consuming app's routes
- B2: removed @ComponentScan from auto-config; explicit @Import of @Configuration + @Service/@RestController classes
- B4: CORS fails closed (same-origin) when allowed-origins empty instead of defaulting to '*'
- B5: removed dead RefreshToken entity + repo; v0.1 uses stateless JWT refresh (rotation deferred to v0.3)
- W-A: documented OnboardingHook transaction contract

Verified: mvn -pl plate-auth-starter compile succeeds.

2026-06-24 20:22:36 +02:00

.gitea/workflows

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

test(w7): greenfield consumer integration test

2026-06-24 16:11:38 +02:00

packages/auth

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

plate-auth-starter

fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken

2026-06-24 20:22:36 +02:00

.editorconfig

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

.gitignore

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

CHANGELOG.md

fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken

2026-06-24 20:22:36 +02:00

LICENSE

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

package.json

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

pnpm-workspace.yaml

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

pom.xml

test(w7): greenfield consumer integration test

2026-06-24 16:11:38 +02:00

README.md

feat(w1): maven skeleton + CI scaffold

2026-06-24 15:40:17 +02:00

README.md

plate-auth

Reusable authentication + multi-tenancy library for Spring Boot 4 + NextAuth v5.

Two artifacts, one contract

Artifact	Registry	Purpose
`de.platesoft:plate-auth-starter`	Gitea Maven	Spring Boot auto-config: JWT, OAuth, memberships, invitations, access requests
`@platesoft/auth`	Gitea npm	NextAuth v5 config factory, HMAC exchange, proxy helpers, React hooks

The wire contract between them is an HMAC-SHA256 signed exchange envelope + JWT bearer tokens.

Quick start (5 lines)

Backend (Spring Boot 4)

<dependency>
  <groupId>de.platesoft</groupId>
  <artifactId>plate-auth-starter</artifactId>
  <version>0.1.0</version>
</dependency>

plate:
  auth:
    jwt:
      secret: ${PLATE_AUTH_JWT_SECRET}      # ≥32 chars
    exchange:
      secret: ${PLATE_AUTH_EXCHANGE_SECRET}  # ≥32 chars, shared with frontend

Frontend (Next.js 15 + NextAuth v5)

pnpm add @platesoft/auth@0.1.0 --registry=https://git.plate-software.de/api/packages/pplate/npm/

// app/api/auth/[...nextauth]/route.ts
import NextAuth from 'next-auth';
import { createAuthConfig } from '@platesoft/auth/config';

const config = createAuthConfig({
  providers: { google: { clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET! } },
  exchange:  { backendUrl: process.env.NEXT_PUBLIC_BACKEND_URL!, secret: process.env.NEXTAUTH_EXCHANGE_SECRET! },
});
export const { handlers, auth, signIn, signOut } = NextAuth(config);
export const { GET, POST } = handlers;

SPI Extension Points

Interface	Default	Purpose
`OrgValidator`	`PermissiveOrgValidator` (WARN per call)	Validate `(org_type, org_id)` exists
`OrgDisplayNameResolver`	Returns `type:id`	Pretty-print org
`InvitationMailer`	Logs accept URL	Send invite emails
`AccessRequestMailer`	Logs notifications	Notify on access requests
`OnboardingHook`	No-op	First sign-in hook

Override any bean with @ConditionalOnMissingBean — register your own to replace.

Documentation

Full docs live in the plate-auth wiki.

License

Apache-2.0 — see LICENSE.