fix secrets no longer needed

.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git add *)",
+      "Bash(git commit *)"
+    ]
+  }
+}

.gitea/workflows/build.yml

@@ -7,30 +7,29 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-java17
 
     steps:
       # 1. Checkout the code
       - name: Checkout code
         uses: actions/checkout@v4
 
-      # 2. Set up Java and Maven (includes Maven, no separate install needed)
-      - name: Set up JDK (Eclipse Temurin)
-        uses: actions/setup-java@v4
-        with:
-          distribution: "temurin"
-          java-version: "17"
-          cache: maven
-
-      # 3. Build the Spring Boot application
+      # 2. Build the Spring Boot application using the Maven wrapper (Java 17 pre-installed in runner image)
       - name: Build Spring Boot Application
-        run: mvn clean package -DskipTests
+        run: ./mvnw clean package -DskipTests
 
       # 4. Set up Docker Buildx (enables layer caching)
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      # 5. Docker login
+      # 5. Login to Docker Hub to avoid pull rate limits
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # 6. Docker login to Gitea registry
       - name: Login to Docker Registry
         uses: docker/login-action@v3
         with:
@@ -38,7 +37,7 @@ jobs:
           username: ${{ secrets.TEAUSER }}
           password: ${{ secrets.TEAPASSWORD }}
 
-      # 6. Build and push Docker image with layer caching
+      # 7. Build and push Docker image with layer caching
       - name: Build and Push Docker Image
         uses: docker/build-push-action@v5
         with:
@@ -48,9 +47,11 @@ jobs:
           cache-from: type=registry,ref=tea.zendric.de/cedric/xpensely-server:buildcache
           cache-to: type=registry,ref=tea.zendric.de/cedric/xpensely-server:buildcache,mode=max
 
-      # 7. Trigger Dokploy to redeploy the dev server automatically
+      # 8. Trigger Dokploy to redeploy the dev server automatically via API
       - name: Trigger Dokploy Redeploy
         run: |
-          curl -X POST "${{ secrets.DOKPLOY_WEBHOOK_URL }}" \
-            -H "Authorization: Bearer ${{ secrets.DOKPLOY_TOKEN }}" \
+          curl -X POST "https://dokploy.zendric.de/api/compose.deploy" \
+            -H "Content-Type: application/json" \
+            -H "x-api-key: ${{ secrets.DOKPLOY_API_TOKEN }}" \
+            -d "{\"composeId\": \"${{ secrets.DOKPLOY_COMPOSE_ID }}\"}" \
             --fail

docker-compose.yml

@@ -1,11 +1,9 @@
 services:
   xpensely-server:
     image: tea.zendric.de/cedric/xpensely-server:latest
+    pull_policy: always
     restart: always
     environment:
-      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
-      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}
-
       DB_PORT: 5432
       DB_P_NAME: ${POSTGRES_DB}
       DB_USERNAME: ${POSTGRES_USER}

dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17-jdk
+FROM eclipse-temurin:21-jdk
 
 COPY ./target/*.jar app.jar
 

docs/API.md

@@ -1,6 +1,6 @@
 # Xpensely Server — API Reference
 
-> Last updated: 2026-05-09 · Branch: `feature/security-hardening`
+> Last updated: 2026-05-14 · Branch: `dev`
 
 ## Table of Contents
 1. [Overview](#1-overview)
@@ -28,6 +28,7 @@ Xpensely Server is a Spring Boot REST API that manages shared expense lists for
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | `/` | Health check — returns `"Welcome"` |
+| GET | `/api/version` | Returns build version and timestamp |
 | POST | `/api/users/createUser` | Register a new user |
 | GET | `/api/users/byName` | Look up a user by username |
 
@@ -98,6 +99,25 @@ Welcome
 
 ---
 
+#### `GET /api/version`
+
+Returns the application version and build timestamp. No authentication required.
+
+**Response:** `200 OK`
+```json
+{
+  "version": "0.0.1-SNAPSHOT",
+  "builtAt": "2026-05-09T10:00:00Z"
+}
+```
+
+| Field | Type | Notes |
+|-------|------|-------|
+| `version` | String | Maven project version |
+| `builtAt` | String (ISO-8601) | UTC timestamp of the build |
+
+---
+
 ### 4.2 Users
 
 Base path: `/api/users`
@@ -121,7 +141,7 @@ Base path: `/api/users`
 | `username` | String | Required. 3–30 chars. Pattern: `^[a-zA-Z0-9_.\-]+$` |
 | `googleId` | String | Required. Non-blank. Must match the JWT `sub` from Google. |
 
-**Success response:** `200 OK` — returns the created [AppUser](#appuser) object.
+**Success response:** `201 Created` — returns the created [AppUser](#appuser) object.
 
 **Error responses:**
 | Status | Condition |
@@ -145,6 +165,7 @@ Base path: `/api/users`
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
+| 403 | Authenticated user's ID does not match the requested `id` |
 | 404 | No user found for `id` |
 
 ---
@@ -181,6 +202,7 @@ Base path: `/api/users`
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
+| 403 | Requested Google ID does not match the authenticated user's Google ID |
 | 404 | No user found for that Google ID |
 
 ---
@@ -194,11 +216,12 @@ Base path: `/api/users`
 |-------|------|----------|-------------|
 | `id` | Long | Yes | Database ID of the user to delete |
 
-**Success response:** `200 OK` — returns the deleted [AppUser](#appuser).
+**Success response:** `200 OK` — returns a plain string: `"User deleted: <username>"`.
 
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
+| 403 | Authenticated user's ID does not match the requested `id` |
 | 404 | No user found for `id` |
 
 ---
@@ -219,7 +242,11 @@ Returns all expense lists where the caller is the owner **or** has been shared t
 
 **Request body:** None
 
-**Success response:** `200 OK` — array of [ExpenseList](#expenselist).
+**Success responses:**
+| Status | Condition |
+|--------|-----------|
+| 200 OK | Returns array of [ExpenseList](#expenselist) |
+| 204 No Content | Caller has no expense lists |
 
 ```json
 [
@@ -337,7 +364,7 @@ Only the **owner** may delete a list. Deleting a list cascades to all its expens
 | `date` | String (ISO-8601) | Required. Format: `YYYY-MM-DD`. |
 | `category` | String | Required. Non-blank category name. |
 
-**Success response:** `200 OK` — returns the created [Expense](#expense).
+**Success response:** `201 Created` — returns the created [Expense](#expense).
 
 **Error responses:**
 | Status | Condition |
@@ -411,7 +438,7 @@ Caller must be a member of the list. Expense must belong to the specified list.
 
 Caller must be a member of the list.
 
-**Success response:** `200 OK` — returns the deleted [Expense](#expense).
+**Success response:** `204 No Content`
 
 **Error responses:**
 | Status | Condition |
@@ -465,13 +492,14 @@ Joins the caller to a shared expense list using an invite code.
 |-------|------|-------------|
 | `inviteCode` | String | Required. Exactly 6 characters. |
 
-**Success response:** `200 OK` — returns the [ExpenseList](#expenselist) the caller joined.
+**Success response:** `200 OK` — returns a plain string: `"User added to the list"`.
 
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
-| 400 | Validation failure or invite code not found / expired |
-| 403 | Caller is already the owner of this list |
+| 400 | Validation failure or caller is already the owner of the list |
+| 404 | Invite code not found or expired |
+| 226 IM Used | List already has a second member (`sharedWith` is not null) |
 
 ---
 

pom.xml

@@ -128,6 +128,13 @@
                         </exclude>
                     </excludes>
                 </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>build-info</goal>
+                        </goals>
+                    </execution>
+                </executions>
             </plugin>
         </plugins>
     </build>

src/main/java/de/zendric/app/xpensely_server/controller/HomeController.java

@@ -1,13 +1,30 @@
 package de.zendric.app.xpensely_server.controller;
 
+import org.springframework.boot.info.BuildProperties;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.util.Map;
+
 @RestController
 class HomeController {
 
+    private final BuildProperties buildProperties;
+
+    HomeController(BuildProperties buildProperties) {
+        this.buildProperties = buildProperties;
+    }
+
     @GetMapping("/")
     public String getAll() {
         return "Welcome";
     }
+
+    @GetMapping("/api/version")
+    public Map<String, String> version() {
+        return Map.of(
+                "version", buildProperties.getVersion(),
+                "builtAt", buildProperties.getTime().toString()
+        );
+    }
 }

src/main/java/de/zendric/app/xpensely_server/security/SecurityConfig.java

@@ -28,10 +28,10 @@ public class SecurityConfig {
         public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                 http
                                 .authorizeHttpRequests(auth -> auth
+                                                .requestMatchers("/api/version").permitAll()
                                                 .anyRequest().authenticated())
                                 .oauth2ResourceServer(oauth2 -> oauth2
                                                 .jwt(Customizer.withDefaults()))
-                                .oauth2Login(Customizer.withDefaults())
                                 .addFilterAfter(new RateLimitFilter(), BearerTokenAuthenticationFilter.class)
                                 .csrf(csrf -> csrf.disable());
 

src/main/resources/application.properties

@@ -3,8 +3,6 @@ spring.application.name=XpenselyServer
 
 #Security
 spring.security.enabled=false
-spring.security.oauth2.client.registration.google.client-id=${GOOGLE_CLIENT_ID}
-spring.security.oauth2.client.registration.google.client-secret=${GOOGLE_CLIENT_SECRET}
 spring.security.oauth2.resourceserver.jwt.issuer-uri=https://accounts.google.com
 
 # PostgreSQL Configuration