plate-auth/CHANGELOG.md
Patrick Plate b43ab5e02c fix(sprint-0): panel-review-v2 blockers — scoped security chain, fail-closed CORS, no @ComponentScan, drop dead RefreshToken
Review-v2 (Sprint-0-Plan-Review-v2) blockers:
- B1: SecurityConfig chain now securityMatcher-scoped to plate-auth endpoints so it cannot hijack the consuming app's routes
- B2: removed @ComponentScan from auto-config; explicit @Import of @Configuration + @Service/@RestController classes
- B4: CORS fails closed (same-origin) when allowed-origins empty instead of defaulting to '*'
- B5: removed dead RefreshToken entity + repo; v0.1 uses stateless JWT refresh (rotation deferred to v0.3)
- W-A: documented OnboardingHook transaction contract

Verified: mvn -pl plate-auth-starter compile succeeds.
2026-06-24 20:22:36 +02:00


Changelog

All notable changes to this project will be documented in this file.

[Unreleased]

Security / Correctness — Review-v2 blockers fixed

  • B1: SecurityConfig SecurityFilterChain is now securityMatcher-scoped to plate-auth's own endpoints (/api/auth/**, /api/invitations/**, /api/access-requests/**, /api/admin/**, /api/me, /api/memberships/**). Previously an unscoped @Order(-100) chain with anyRequest().authenticated() would hijack the consuming app's own routes. (panel B1)
  • B2: Removed @ComponentScan(basePackages="de.platesoft.auth") from PlateAuthAutoConfiguration (auto-configuration anti-pattern per Spring Boot guidance). Replaced with explicit @Import of the concrete @Configuration classes + @Service/@RestController components. (panel B2)
  • B4: CORS now fails closed by default. Empty plate.auth.cors.allowed-origins disables CORS for plate-auth endpoints (same-origin only) instead of defaulting to allowedOriginPatterns("*"). (panel B4)
  • B5: Removed dead RefreshToken entity + RefreshTokenRepository. v0.1 issues stateless JWT refresh tokens (per the documented threat model); rotation/family-tracking is deferred to v0.3. (panel B5)
  • W-A: Documented the OnboardingHook transaction contract (hooks run inside the exchange transaction; keep them fast + idempotent).
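
An added sketch (not plate-auth's own code) of what the B1 and B4 entries describe: a Spring Security 6 filter chain scoped with securityMatcher, with CORS left off when no origins are configured. The class and bean names, the allowed methods and headers, and the single anyRequest().authenticated() rule are assumptions for illustration; the paths, @Order(-100) and the property name come from the entries above.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class ScopedAuthSecurityExample { // hypothetical class name

    // Endpoint patterns as listed in the B1 changelog entry.
    private static final String[] AUTH_PATHS = {
        "/api/auth/**", "/api/invitations/**", "/api/access-requests/**",
        "/api/admin/**", "/api/me", "/api/memberships/**"
    };

    @Bean
    @Order(-100)
    SecurityFilterChain plateAuthChain(HttpSecurity http,
            @Value("${plate.auth.cors.allowed-origins:}") String rawOrigins) throws Exception {
        // B1: the chain matches only AUTH_PATHS; every other request falls
        // through to the consuming app's own chain(s) despite the early @Order.
        http.securityMatcher(AUTH_PATHS)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        // Drop blanks so "", " " and "," all count as "not configured".
        List<String> origins = Arrays.stream(rawOrigins.split(","))
            .map(String::trim).filter(o -> !o.isEmpty()).toList();

        if (origins.isEmpty()) {
            // B4: fail closed. This chain emits no CORS headers at all.
            http.cors(cors -> cors.disable());
        } else {
            CorsConfiguration cfg = new CorsConfiguration();
            cfg.setAllowedOrigins(origins); // only the configured origins
            cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE")); // assumed
            cfg.setAllowedHeaders(List.of("Authorization", "Content-Type")); // assumed
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", cfg);
            http.cors(cors -> cors.configurationSource(source));
        }
        return http.build();
    }
}
```

A quick check for the B1 behaviour in a consuming app is to request one of its own routes without credentials and confirm the response is decided by the app's chain, not by this one.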

Added

  • Initial project scaffold (W1)
  • Maven parent POM with ${revision} CI-friendly versioning
  • plate-auth-starter module skeleton
  • @platesoft/auth npm package skeleton (tsup + ESM/CJS dual build)
  • Gitea Actions CI + release pipelines
  • Apache-2.0 LICENSE