|
| 1 | +## [3.4.0] - 2025-09-03 |
| 2 | +### Features |
| 3 | +- Proxy-aware URL and IP detection |
| 4 | + - UserUtils.getAppUrl now builds correct external URLs when behind proxies/load balancers by honoring X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port; the generated URL always includes a port for backward compatibility |
| 5 | + - UserUtils.getClientIP now checks multiple standard headers in priority order (X-Forwarded-For, X-Real-IP, CF-Connecting-IP, True-Client-IP) with clean fallbacks |
| 6 | +- Remember‑me is now opt‑in and explicitly configurable |
| 7 | + - Disabled by default; enable only when you set both properties: |
| 8 | + - user.security.rememberMe.enabled=true |
| 9 | + - user.security.rememberMe.key=<your-static-secret-key> |
| 10 | +- Role hierarchy applied to method security |
| 11 | + - Method security expressions now honor the configured hierarchy (e.g., ROLE_ADMIN > ROLE_USER) via a MethodSecurityExpressionHandler wired with the RoleHierarchy |
| 12 | +- Stronger password validation for registration |
| 13 | + - New @PasswordMatches class‑level constraint and validator; registration now enforces password and matchingPassword equality, with clear validation errors |
| 14 | +- Safer OAuth2/OIDC account creation |
| 15 | + - Email is validated and normalized (lowercased) for OAuth2 and OIDC providers; authentication fails early with a clear, user‑friendly message if the provider didn’t supply an email (e.g., missing scope/permission) |
| 16 | +- Audit logging hardening and defaults |
| 17 | + - FileAuditLogWriter concurrency is now protected with synchronized methods |
| 18 | + - Default audit log location changed to ./logs with automatic creation; graceful fallback to system temp directory if not writable |
| 19 | + - Periodic flush scheduling only active when audit logging is enabled and flushOnWrite is false |
| 20 | +- Password reset API refinement |
| 21 | + - New PasswordResetRequestDto introduced; endpoint continues to send reset emails but now cleanly models the request as { "email": "..." } |
| 22 | + |
| 23 | +### Fixes |
| 24 | +- Security and privacy hardening |
| 25 | + - Removed session IDs from debug logs to prevent sensitive data exposure |
| 26 | + - CustomOAuth2AuthenticationEntryPoint now returns generic user‑friendly messages and logs detailed errors internally |
| 27 | + - Enforced lowercase normalization for emails throughout registration and OAuth2/OIDC paths, preventing duplicate users by case variance |
| 28 | +- Robust null/edge‑case handling |
| 29 | + - Fixed potential NPE in UserService.getUserByPasswordResetToken when token or token record is null |
| 30 | + - UserService.registerNewUserAccount now validates password matching before proceeding |
| 31 | +- Correct URL generation in emails |
| 32 | + - Registration verification emails now use UserUtils.getAppUrl(request), fixing previously broken links that used only the context path |
| 33 | +- JPA entity equality fixes |
| 34 | + - Role and Privilege equals/hashCode now based on id only; bidirectional relationships excluded to avoid recursion/stack overflows and to improve Set behavior in persistence contexts |
| 35 | +- Build/packaging correctness for consumers |
| 36 | + - Fixed published artifact name to ds-spring-user-framework |
| 37 | + - Removed surprise transitive runtime dependencies from the library (devtools, database drivers) by moving them to test runtime scope |
| 38 | +- Configuration correctness and resilience |
| 39 | + - Fixed CSRF property typo: user.security.disableCSRFdURIs → user.security.disableCSRFURIs |
| 40 | + - Hardened parsing of comma‑delimited URI properties to ignore empty/whitespace entries |
| 41 | +- Logging and code quality |
| 42 | + - Replaced string concatenation in logs with parameterized logging throughout |
| 43 | + - Fixed JavaDoc syntax issues in JSONResponse |
| 44 | + |
| 45 | +### Breaking Changes |
| 46 | +- Password reset endpoint request body |
| 47 | + - /user/resetPassword now expects PasswordResetRequestDto instead of UserDto |
| 48 | + - Migration: change the request body to { "email": " [email protected]" } |
| 49 | +- Configuration property rename |
| 50 | + - user.security.disableCSRFdURIs → user.security.disableCSRFURIs |
| 51 | + - Migration: update your application properties/yaml accordingly |
| 52 | +- Remember‑me behavior |
| 53 | + - Previously could be active with an ephemeral key; now disabled by default and only enabled when both user.security.rememberMe.enabled=true and user.security.rememberMe.key are set |
| 54 | +- MailService bean construction |
| 55 | + - MailService now uses constructor injection for both JavaMailSender and MailContentBuilder |
| 56 | + - Migration: if you construct MailService manually, pass both dependencies; Spring auto‑config will wire it automatically in typical setups |
| 57 | +- OAuth2/OIDC email requirement |
| 58 | + - Authentication now fails if the provider does not return an email address; ensure the email scope/permission is granted |
| 59 | + |
| 60 | +### Refactoring |
| 61 | +- WebSecurityConfig |
| 62 | + - Simplified remember‑me configuration; created DaoAuthenticationProvider via constructor; used RoleHierarchyImpl.fromHierarchy; reduced boilerplate and improved readability |
| 63 | +- UserUtils |
| 64 | + - Streamlined IP header checks and forward‑aware app URL construction; clarified JavaDoc |
| 65 | +- General logging cleanup |
| 66 | + - Consistent use of parameterized logging; removed System.out and noisy concatenation |
| 67 | + |
| 68 | +### Documentation |
| 69 | +- Major README overhaul |
| 70 | + - Step‑by‑step Quick Start with prerequisites, dependencies (Thymeleaf, Mail, JPA, Security, Spring Retry), database examples (MariaDB/PostgreSQL/H2), email setup, and complete example configuration |
| 71 | + - Clear explanation of registration modes: auto‑enable vs email verification, with expected behavior and configuration |
| 72 | + - Guidance on customizing views and next steps |
| 73 | +- Configuration metadata fixes |
| 74 | + - property names corrected (camelCase), types fixed (Boolean/Integer), missing properties added for better IDE assistance |
| 75 | + |
| 76 | +### Testing |
| 77 | +- Substantial test coverage added across critical paths |
| 78 | + - OAuth2/OIDC services |
| 79 | + - DSOAuth2UserServiceTest (≈15 tests): Google/Facebook flows, new vs existing users, provider conflicts, error handling |
| 80 | + - DSOidcUserServiceTest (≈14 tests): Keycloak flows, claims extraction, DSUserDetails integration, conflict scenarios |
| 81 | + - Security utilities and flows |
| 82 | + - UserUtilsTest (≈29 tests): IP extraction header priority and URL building |
| 83 | + - CustomOAuth2AuthenticationEntryPointTest (≈21 tests): exception handling, redirects, failure handler delegation |
| 84 | + - LoginHelperServiceTest (≈15 tests): last activity tracking, automatic unlock, authorities handling, edge cases |
| 85 | + - LogoutSuccessServiceTest (≈17 tests): audit event creation, IP extraction, URL resolution, exception scenarios |
| 86 | + - RolePrivilegeSetupServiceTest (≈15 tests): initialization, reuse of privileges, transactional handling, mixed existing/new entities |
| 87 | + - Mail |
| 88 | + - MailServiceTest (≈24 tests): simple/template sends, async behavior, retry/recovery, edge cases |
| 89 | + - Validation |
| 90 | + - PasswordMatchesValidatorTest: positive/negative cases for password confirmation |
| 91 | +- Test infrastructure improvements |
| 92 | + - Added fixture builders for OAuth2/OIDC users (Google, Facebook, Keycloak) for realistic claims and attributes |
| 93 | + - Dependency updates for test stack (AssertJ, ArchUnit, Awaitility, Testcontainers, Rest‑Assured, GreenMail) |
| 94 | + |
| 95 | +### Other Changes |
| 96 | +- Dependency updates |
| 97 | + - Spring Boot 3.5.5 |
| 98 | + - Test libraries: AssertJ 3.27.4, ArchUnit 1.4.1, Awaitility 4.3.0, Testcontainers 1.21.3, Rest‑Assured 5.5.6, GreenMail 2.1.5 |
| 99 | + - MariaDB JDBC driver 3.5.5 |
| 100 | +- Build improvements |
| 101 | + - Published artifact renamed correctly to ds-spring-user-framework |
| 102 | + - Group/publishing coordinates aligned; dependency management standardized via Spring Boot BOM |
| 103 | + - Added Gradle Versions Plugin configuration to prefer stable releases |
| 104 | +- Internal tools |
| 105 | + - Updated changelog generator to use a newer model (gpt‑5) |
| 106 | + |
| 107 | +Migration checklist |
| 108 | +- Update /user/resetPassword client requests to use PasswordResetRequestDto { "email": "..." } |
| 109 | +- Rename user.security.disableCSRFdURIs to user.security.disableCSRFURIs |
| 110 | +- If you rely on remember‑me, add: |
| 111 | + - user.security.rememberMe.enabled=true |
| 112 | + - user.security.rememberMe.key=<stable-secret> |
| 113 | +- Ensure OAuth2/OIDC providers grant email scope; otherwise login will fail by design |
| 114 | +- If constructing MailService manually, pass both JavaMailSender and MailContentBuilder |
| 115 | +- Be aware that emails are now normalized to lowercase; verify database uniqueness constraints if case sensitivity was previously assumed |
| 116 | + |
1 | 117 | ## [3.3.0] - 2025-07-22 |
2 | 118 | # Changelog |
3 | 119 |
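Review bot: In the "Proxy-aware URL and IP detection" entry, honoring X-Forwarded-Proto/Host/Port in UserUtils.getAppUrl and X-Forwarded-For/X-Real-IP/CF-Connecting-IP/True-Client-IP in UserUtils.getClientIP needs a stated trust boundary, because these headers are client-supplied unless a proxy in front of the app overwrites them; since getAppUrl now feeds registration verification emails (see "Correct URL generation in emails"), a forged X-Forwarded-Host from a direct client would end up as the host in an emailed link, and a forged X-Forwarded-For would end up in the audit log's IP field. Suggest the changelog (and the README) say explicitly that the headers are trusted only when the deployment sits behind a proxy that strips or replaces them, and that deployments without such a proxy should not enable forwarded-header handling. For the remember-me entries, the migration text shows `user.security.rememberMe.key=<your-static-secret-key>` but does not say how the key should be chosen; recommend stating that it must be a long random value kept out of version control, since anyone who knows it can mint valid remember-me tokens. Minor: the migration example under "Breaking Changes" reads `{ "email": " [email protected]" }` with a leading space inside the string and an obfuscated address, which looks like an extraction artifact rather than an intended example; a plain placeholder such as `user@example.com` without the leading space would be clearer. Style: "Migration checklist" is the only section title in the entry that is not a `###` heading.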