security hardening #12

Merged
Cedric merged 15 commits from feature/security-hardening into main 2026-05-05 17:13:54 +02:00

15 Commits

Author SHA1 Message Date
Cedric 9b95741292 fix: add /docs/superpowers to .gitignore 2026-05-05 17:00:01 +02:00
Cedric 2bd229cc5e Remove docs from tracking 2026-05-05 16:59:35 +02:00
Cedric 797d482ebf fix: use ResourceNotFoundException for not-found cases in updateExpense, IllegalArgumentException for ownership mismatch in deleteCustomCategory 2026-05-05 16:55:01 +02:00
Cedric 906b60d264 fix: single-param JPQL queries, ResourceNotFoundException throughout ExpenseListService, remove addExpenseToList loop
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 16:40:31 +02:00
Cedric 68783cc892 fix: throw ResourceNotFoundException instead of returning null, replace full-table-scan list queries with JPQL 2026-05-05 15:20:46 +02:00
Cedric 9c91da9f30 test: fix ExpenseListRepositoryTest with H2 and proper save-then-find pattern
Added H2 as a test-scoped dependency so @DataJpaTest has an embedded
database. Rewrote the test to save an entity and assert on the returned
ID rather than assuming a record exists at ID=1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 11:23:51 +02:00
Cedric 024b3880e7 security: add per-user/IP rate limiting via Bucket4j
RateLimitFilter (OncePerRequestFilter) enforces 60 req/min per
authenticated Google ID or client IP, using Bucket4j in-memory
token buckets. Filter is registered after BearerTokenAuthenticationFilter
in the production security chain. Added 4 unit tests covering
allow, block, per-IP isolation, and X-Forwarded-For preference.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 11:19:42 +02:00
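The commit above describes a per-user/IP token-bucket filter. As an added illustration that is not the project's RateLimitFilter, the class below shows how such a filter is typically built: a Bucket4j bucket per key, keyed by the authenticated JWT subject when present and by client IP otherwise, with X-Forwarded-For honoured only when the direct peer is a known reverse proxy (otherwise any client could set the header and dodge the limit). Assumptions: Bucket4j 8.x builder API, Spring Boot 3 / Spring Security 6 (jakarta servlet packages), and a constructor-supplied set of trusted proxy addresses; the class name and header names are illustrative.

```java
import java.io.IOException;
import java.time.Duration;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import io.github.bucket4j.Bandwidth;
import io.github.bucket4j.Bucket;
import io.github.bucket4j.ConsumptionProbe;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Illustrative rate-limiting filter (example code, not the project's own RateLimitFilter).
 * One in-memory token bucket per key; key is the authenticated principal when present,
 * the client IP otherwise. 60 tokens, refilled at 60 per minute.
 */
public class ExampleRateLimitFilter extends OncePerRequestFilter {

    private static final long CAPACITY = 60;                       // requests ...
    private static final Duration WINDOW = Duration.ofMinutes(1);  // ... per minute

    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
    // Assumption: addresses of reverse proxies that are allowed to set X-Forwarded-For.
    private final Set<String> trustedProxies;

    public ExampleRateLimitFilter(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    private static Bucket newBucket() {
        // Greedy refill: tokens trickle back continuously rather than all at once per minute.
        return Bucket.builder()
                .addLimit(Bandwidth.builder()
                        .capacity(CAPACITY)
                        .refillGreedy(CAPACITY, WINDOW)
                        .build())
                .build();
    }

    /** "user:<jwt subject>" for authenticated callers, "ip:<address>" for everyone else. */
    String resolveKey(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean realUser = auth != null && auth.isAuthenticated()
                && !"anonymousUser".equals(auth.getPrincipal());
        return realUser ? "user:" + auth.getName() : "ip:" + clientIp(request);
    }

    /** Use X-Forwarded-For only when the direct peer is a trusted proxy; never trust it from the open internet. */
    String clientIp(HttpServletRequest request) {
        String remote = request.getRemoteAddr();
        String xff = request.getHeader("X-Forwarded-For");
        if (xff != null && !xff.isBlank() && trustedProxies.contains(remote)) {
            // Leftmost entry is the original client; each proxy appends its own hop.
            return xff.split(",")[0].trim();
        }
        return remote;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Bucket bucket = buckets.computeIfAbsent(resolveKey(request), k -> newBucket());
        ConsumptionProbe probe = bucket.tryConsumeAndReturnRemaining(1);
        if (probe.isConsumed()) {
            response.setHeader("X-RateLimit-Remaining", Long.toString(probe.getRemainingTokens()));
            chain.doFilter(request, response);
            return;
        }
        // Reject with 429 and tell a well-behaved client when to retry.
        long retryAfterSeconds = Math.max(1, probe.getNanosToWaitForRefill() / 1_000_000_000L);
        response.setHeader("Retry-After", Long.toString(retryAfterSeconds));
        response.sendError(HttpStatus.TOO_MANY_REQUESTS.value(), "rate limit exceeded");
    }
}
```

Register it after bearer-token authentication so the principal is already resolved when the key is computed, e.g. `http.addFilterAfter(new ExampleRateLimitFilter(Set.of("10.0.0.5")), BearerTokenAuthenticationFilter.class)`. Two operational caveats: the map of buckets grows with every distinct key, so unauthenticated traffic from many addresses needs an eviction policy or a bounded cache; and in-memory buckets are per JVM, so with several instances the effective limit is 60 per minute per instance unless the buckets are backed by a shared store.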
Cedric 457efab452 security: enforce JWT-based authorization on AppUserController
Added AuthenticatedUserResolver injection and assertSelf guard to
getUser, getUserByGoogleId, and deleteUser endpoints. createUser
remains open for registration. Added 7 controller tests covering
validation failures and 403 enforcement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 11:13:05 +02:00
Cedric 95688e5111 test: add unit tests for AuthenticatedUserResolver 2026-05-05 10:03:35 +02:00
Cedric bb2a4d70b2 feat: add ExpenseListController validation and authorization tests 2026-05-04 22:46:29 +02:00
Cedric a948bca2fc feat: add GlobalExceptionHandler, @Valid to user creation, AuthenticatedUserResolver stub, and rewrite ExpenseListController with authorization 2026-05-04 22:44:37 +02:00
Cedric 3bea06fead feat: add Bean Validation annotations to request models 2026-05-04 22:36:20 +02:00
Cedric b7db35defe build: add spring-boot-starter-validation and bucket4j-core 2026-05-04 22:34:10 +02:00
Cedric efe84942ff docs: add security hardening implementation plan
8-task TDD plan covering input validation, JWT-based authorization
enforcement, and Bucket4j rate limiting.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-04 22:22:54 +02:00
Cedric e3b8917bfc docs: add security hardening design spec
Covers input validation, JWT-based authorization enforcement, and
per-user rate limiting via Bucket4j.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-04 21:58:20 +02:00