Cedric/XpenselyServer
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases 5 Wiki Activity

docs: add security hardening design spec #14

Closed
Cedric wants to merge 0 commits from feature/security-hardening into main
pull from: feature/security-hardening
merge into: Cedric:main
Conversation 0 Commits - Files Changed -
Cedric commented 2026-05-10 20:22:41 +02:00
Owner
Copy Link
Copy Source
No description provided.
Cedric added 28 commits 2026-05-10 20:22:41 +02:00
docs: add security hardening design spec e3b8917bfc 
Covers input validation, JWT-based authorization enforcement, and
per-user rate limiting via Bucket4j.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docs: add security hardening implementation plan efe84942ff 
8-task TDD plan covering input validation, JWT-based authorization
enforcement, and Bucket4j rate limiting.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
build: add spring-boot-starter-validation and bucket4j-core b7db35defe
feat: add Bean Validation annotations to request models 3bea06fead
feat: add GlobalExceptionHandler, @Valid to user creation, AuthenticatedUserResolver stub, and rewrite ExpenseListController with authorization a948bca2fc
feat: add ExpenseListController validation and authorization tests bb2a4d70b2
test: add unit tests for AuthenticatedUserResolver 95688e5111
security: enforce JWT-based authorization on AppUserController 457efab452 
Added AuthenticatedUserResolver injection and assertSelf guard to
getUser, getUserByGoogleId, and deleteUser endpoints. createUser
remains open for registration. Added 7 controller tests covering
validation failures and 403 enforcement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
security: add per-user/IP rate limiting via Bucket4j 024b3880e7 
RateLimitFilter (OncePerRequestFilter) enforces 60 req/min per
authenticated Google ID or client IP, using Bucket4j in-memory
token buckets. Filter is registered after BearerTokenAuthenticationFilter
in the production security chain. Added 4 unit tests covering
allow, block, per-IP isolation, and X-Forwarded-For preference.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
test: fix ExpenseListRepositoryTest with H2 and proper save-then-find pattern 9c91da9f30 
Added H2 as a test-scoped dependency so @DataJpaTest has an embedded
database. Rewrote the test to save an entity and assert on the returned
ID rather than assuming a record exists at ID=1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: throw ResourceNotFoundException instead of returning null, replace full-table-scan list queries with JPQL 68783cc892
fix: single-param JPQL queries, ResourceNotFoundException throughout ExpenseListService, remove addExpenseToList loop 906b60d264 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: use ResourceNotFoundException for not-found cases in updateExpense, IllegalArgumentException for ownership mismatch in deleteCustomCategory 797d482ebf
Remove docs from tracking 2bd229cc5e
fix: add /docs/superpowers to .gitignore 9b95741292
fix: centralise error handling in GlobalExceptionHandler, add SLF4J logging, remove HTTP 417 and e.printStackTrace() f0de751da4 
- Expand GlobalExceptionHandler with handlers for ResourceNotFoundException (404),
  UsernameAlreadyExistsException (409), ResponseStatusException (pass-through),
  RuntimeException (500), and generic Exception (500); add SLF4J logging
- Remove all bare try/catch blocks and e.printStackTrace() calls from
  ExpenseListController; add SLF4J logger field
- Add test: create_returns500_onUnexpectedServiceError

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat: add CreateExpenseListRequest DTO with validation to POST /create endpoint 8b96433b1a 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
test: add jsonPath field assertions to create validation tests b1324e3048
Bugfixes 3d456f2f81
docs: scaffold API.md with section headings 9c35bb8435
docs: write API overview section 8fb1820bc7
docs: write authentication section 9b93cd97a6
docs: write rate limiting section 18e740bb73
docs: write home and users endpoint sections 2b84ed0de8
docs: write expense lists endpoint section ddf64305a5
docs: write data models section 2782823c3d
docs: write error handling section 7189e4fb08
docs: write recent changes section a5e5824a44
Cedric closed this pull request 2026-05-10 20:30:37 +02:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 question
More information is needed
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Cedric (Cedric Hornberger)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Cedric/XpenselyServer#14
Delete Branch "feature/security-hardening"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?