This commit addresses 4 critical security issues in password management: **Fix #1: Add password validation to /updatePassword endpoint** - Added passwordPolicyService.validate() call before saving password - Prevents users from setting weak passwords when updating - Enforces all policy rules including history, similarity, and complexity **Fix #2: Implement missing /savePassword endpoint** - Created SavePasswordDto for password reset with token - Implemented complete /savePassword endpoint with full validation - Added deletePasswordResetToken method to UserService - Added message keys for password reset flow - Fixes incomplete password reset functionality **Fix #3: Document password history behavior** - Added JavaDoc explaining null user parameter during registration - Documented that history checks only apply to existing users - Added clarifying comments in registration endpoint **Fix #4: Add transaction isolation for password history cleanup** - Added @transactional(isolation = SERIALIZABLE) to cleanUpPasswordHistory - Prevents race conditions during concurrent password changes - Added comprehensive JavaDoc documentation **Additional improvements:** - Cascade delete configuration for PasswordHistoryEntry (from earlier work) - LAZY fetch type optimization on both sides of relationship - All existing tests pass (372 tests) See IMPLEMENTATION_PLAN_PASSWORD_FIXES.md for detailed analysis and implementation plan. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

Add support for configuring CSRF exclusions URLs #2

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions