Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions .github/workflows/gradle.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Java CI with Gradle

on:
push:
branches: [ master ]
pull_request:
branches: [ master ]

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
- name: Cache Gradle packages
uses: actions/cache@v4
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
restore-keys: |
${{ runner.os }}-gradle-
- name: Grant execute permission for gradlew
run: chmod +x gradlew
- name: Build with Gradle
run: ./gradlew clean test
57 changes: 40 additions & 17 deletions build.gradle
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
plugins {
id 'org.springframework.boot' version '2.6.3'
id 'io.spring.dependency-management' version '1.0.11.RELEASE'
id 'org.springframework.boot' version '3.5.15'
id 'io.spring.dependency-management' version '1.1.7'
id 'java'
id "com.netflix.dgs.codegen" version "5.0.6"
id "com.diffplug.spotless" version "6.2.1"
id "com.netflix.dgs.codegen" version "7.0.3"

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 DGS BOM version (9.2.2) vs codegen plugin version (7.0.3) mismatch

The DGS platform BOM is set to 9.2.2 (build.gradle:34) while the DGS codegen Gradle plugin is 7.0.3 (build.gradle:5). These are separate artifacts with independent versioning, but significant version gaps can lead to generated code that doesn't align with the runtime API. The codegen generates types in io.spring.graphql.types and constants in io.spring.graphql.DgsConstants — if the newer DGS runtime expects different type structures or annotations, there could be subtle incompatibilities. Worth verifying that the generated code compiles and works correctly with DGS 9.2.2.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified — the codegen plugin (7.0.3) and DGS runtime BOM (9.2.2) are intentionally on independent version lines and are compatible here. The generated io.spring.graphql.types.* / DgsConstants compile and run against DGS 9.2.2 / graphql-java 22.3: ./gradlew clean test passes (68 tests) and the app boots and serves GraphQL. The one codegen-behavior difference (DGS codegen 7.x no longer auto-maps schema PageInfo to graphql.relay.PageInfo) is handled explicitly via typeMapping = ["PageInfo": "graphql.relay.PageInfo"] on the generateJava task.

id "com.diffplug.spotless" version "6.25.0"
}

version = '0.0.1-SNAPSHOT'
sourceCompatibility = '11'
targetCompatibility = '11'
sourceCompatibility = '21'
targetCompatibility = '21'

spotless {
java {
Expand All @@ -24,36 +24,58 @@ repositories {
mavenCentral()
}

dependencyManagement {
dependencies {
// Override vulnerable versions pinned by transitive BOMs/dependencies:
// - kotlin-stdlib < 2.1.0: Information Exposure (SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744),
// pulled in (and pinned to 1.9.25) via the DGS platform BOM / codegen support.
// - commons-lang3 < 3.18.0: Uncontrolled Recursion (SNYK-JAVA-ORGAPACHECOMMONS-10734078),
// pulled transitively by rest-assured (test scope).
dependency 'org.jetbrains.kotlin:kotlin-stdlib:2.1.20'
dependency 'org.apache.commons:commons-lang3:3.18.0'
}
}

configurations {
compileOnly {
extendsFrom annotationProcessor
}
}

dependencies {
implementation platform('com.netflix.graphql.dgs:graphql-dgs-platform-dependencies:9.2.2')

implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.springframework.boot:spring-boot-starter-hateoas'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.mybatis.spring.boot:mybatis-spring-boot-starter:2.2.2'
implementation 'com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter:4.9.21'
implementation 'org.mybatis.spring.boot:mybatis-spring-boot-starter:3.0.4'
implementation 'com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter'
// Declared directly (also managed below) so the resolved kotlin-stdlib is a
// patched 2.1.0+ release; the DGS platform BOM otherwise pins 1.9.25, which
// carries an Information Exposure advisory (SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744).
implementation 'org.jetbrains.kotlin:kotlin-stdlib:2.1.20'
implementation 'org.flywaydb:flyway-core'

@devin-ai-integration devin-ai-integration Bot Jun 24, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Missing Flyway SQLite module causes startup failure with Flyway 11.x

The Spring Boot upgrade from 2.6.3 to 3.5.15 pulls Flyway 11.7.2 (confirmed via ./gradlew dependencies). Starting with Flyway 10, database-specific support was modularized into separate artifacts — SQLite support is no longer bundled in flyway-core and requires a dedicated module (e.g. org.flywaydb:flyway-database-sqlite). The project clearly uses SQLite (application.properties:1 has spring.datasource.url=jdbc:sqlite:dev.db), but build.gradle:42 only declares org.flywaydb:flyway-core. At application startup, Flyway will fail to recognize the SQLite database type and throw an error, preventing the app (and all integration tests) from running.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified empirically — this is not an issue for the Flyway version in play. SQLite support is still bundled in flyway-core 11.7.2; it was not moved to a community module.

Starting the app fresh (deleted dev.db, ran ./gradlew bootRun) produced:

o.f.core.FlywayExecutor : Database: jdbc:sqlite:dev.db (SQLite 3.50)
o.f.core.internal.command.DbValidate : Successfully validated 1 migration
o.f.core.internal.command.DbMigrate  : Migrating schema "main" to version "1 - create tables"
o.f.core.internal.command.DbMigrate  : Successfully applied 1 migration to schema "main", now at version v1
o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port 8080 (http)

The fresh dev.db contains flyway_schema_history + all app tables, and the 68 @SpringBootTest integration tests (in-memory SQLite, Flyway-managed schema) all pass. No extra Flyway module needed.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 Flyway SQLite support may require additional module with Flyway 10+

Spring Boot 3.2+ ships Flyway 10+, which modularized database support into separate artifacts. The build.gradle:48 only declares implementation 'org.flywaydb:flyway-core' without a database-specific module for SQLite. In Flyway 10, community databases (SQLite, H2, HSQLDB, Derby) were initially kept in flyway-core, but in later Flyway releases they may have been extracted. Depending on the exact Flyway version managed by Spring Boot 3.5.15's BOM, an additional dependency like org.flywaydb:flyway-database-sqlite (or equivalent community module) may be required. Without it, the application could fail at startup with a "No database found to handle jdbc:sqlite:..." error. This is worth verifying by running the full test suite.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified empirically — no extra Flyway module is needed for SQLite here.

Flyway resolved by Spring Boot 3.5.15's BOM is 11.7.2, and SQLite support is still bundled in flyway-core for that line (it was not extracted to a separate community module in 11.7.x). Confirmed by running the app against a fresh dev.db:

Database: jdbc:sqlite:dev.db (SQLite 3.50)
Successfully validated 1 migration
Migrating schema "main" to version "1 - init schema"
Successfully applied 1 migration to schema "main"
Tomcat started on port 8080

GraphQL also serves correctly on the same boot (exercising the SQLite-backed read path):

  • { tags } -> {"data":{"tags":[]}}
  • { articles(first:5){ pageInfo{ hasNextPage } edges{ node{ slug } } } } -> valid ArticlesConnection

All 68 tests (in-memory SQLite) pass as well. If a future Flyway 11.10+ bump extracts SQLite into flyway-database-sqlite, we'll add it then; for 11.7.2 it's unnecessary.

implementation 'io.jsonwebtoken:jjwt-api:0.11.2'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.2',
'io.jsonwebtoken:jjwt-jackson:0.11.2'
implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5',
'io.jsonwebtoken:jjwt-jackson:0.11.5'
implementation 'joda-time:joda-time:2.10.13'
implementation 'org.xerial:sqlite-jdbc:3.36.0.3'
implementation 'org.xerial:sqlite-jdbc:3.50.3.0'

compileOnly 'org.projectlombok:lombok'
annotationProcessor 'org.projectlombok:lombok'

testImplementation 'io.rest-assured:rest-assured:4.5.1'
testImplementation 'io.rest-assured:json-path:4.5.1'
testImplementation 'io.rest-assured:xml-path:4.5.1'
testImplementation 'io.rest-assured:spring-mock-mvc:4.5.1'
// Declared directly (also managed above) so the resolved commons-lang3 is a
// patched 3.18.0 release; rest-assured otherwise pulls 3.17.0 transitively
// (Uncontrolled Recursion, SNYK-JAVA-ORGAPACHECOMMONS-10734078).
testImplementation 'org.apache.commons:commons-lang3:3.18.0'
testImplementation 'io.rest-assured:rest-assured:5.5.7'
testImplementation 'io.rest-assured:json-path:5.5.7'
testImplementation 'io.rest-assured:xml-path:5.5.7'
testImplementation 'io.rest-assured:spring-mock-mvc:5.5.7'
testImplementation 'org.springframework.security:spring-security-test'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
testImplementation 'org.mybatis.spring.boot:mybatis-spring-boot-starter-test:2.2.2'
testImplementation 'org.mybatis.spring.boot:mybatis-spring-boot-starter-test:3.0.4'
}

tasks.named('test') {
Expand All @@ -69,4 +91,5 @@ tasks.named('clean') {
tasks.named('generateJava') {
schemaPaths = ["${projectDir}/src/main/resources/schema"] // List of directories containing schema files
packageName = 'io.spring.graphql' // The package name to use to generate sources
typeMapping = ["PageInfo": "graphql.relay.PageInfo"]
}
2 changes: 1 addition & 1 deletion gradle/wrapper/gradle-wrapper.properties
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.4-bin.zip
distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
2 changes: 1 addition & 1 deletion src/main/java/io/spring/api/ArticleApi.java
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@
import io.spring.core.article.ArticleRepository;
import io.spring.core.service.AuthorizationService;
import io.spring.core.user.User;
import jakarta.validation.Valid;
import java.util.HashMap;
import java.util.Map;
import javax.validation.Valid;
import lombok.AllArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/io/spring/api/ArticlesApi.java
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
import io.spring.application.article.NewArticleParam;
import io.spring.core.article.Article;
import io.spring.core.user.User;
import jakarta.validation.Valid;
import java.util.HashMap;
import javax.validation.Valid;
import lombok.AllArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
Expand Down
4 changes: 2 additions & 2 deletions src/main/java/io/spring/api/CommentsApi.java
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,11 @@
import io.spring.core.comment.CommentRepository;
import io.spring.core.service.AuthorizationService;
import io.spring.core.user.User;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.validation.Valid;
import javax.validation.constraints.NotBlank;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/io/spring/api/CurrentUserApi.java
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@
import io.spring.application.user.UpdateUserParam;
import io.spring.application.user.UserService;
import io.spring.core.user.User;
import jakarta.validation.Valid;
import java.util.HashMap;
import java.util.Map;
import javax.validation.Valid;
import lombok.AllArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
Expand Down
6 changes: 3 additions & 3 deletions src/main/java/io/spring/api/UsersApi.java
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,12 @@
import io.spring.core.service.JwtService;
import io.spring.core.user.User;
import io.spring.core.user.UserRepository;
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.validation.Valid;
import javax.validation.constraints.Email;
import javax.validation.constraints.NotBlank;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,15 @@

import static org.springframework.http.HttpStatus.UNPROCESSABLE_ENTITY;

import jakarta.validation.ConstraintViolation;
import jakarta.validation.ConstraintViolationException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.stream.Collectors;
import javax.validation.ConstraintViolation;
import javax.validation.ConstraintViolationException;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.MethodArgumentNotValidException;
Expand Down Expand Up @@ -63,7 +63,7 @@ public ResponseEntity<Object> handleInvalidAuthentication(
protected ResponseEntity<Object> handleMethodArgumentNotValid(
MethodArgumentNotValidException e,
HttpHeaders headers,
HttpStatus status,
HttpStatusCode status,
WebRequest request) {
List<FieldErrorResource> errorResources =
e.getBindingResult().getFieldErrors().stream()
Expand Down
8 changes: 4 additions & 4 deletions src/main/java/io/spring/api/security/JwtTokenFilter.java
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@

import io.spring.core.service.JwtService;
import io.spring.core.user.UserRepository;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
Expand Down
61 changes: 31 additions & 30 deletions src/main/java/io/spring/api/security/WebSecurityConfig.java

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟨 Permissive CORS configuration allows any origin

The CorsConfigurationSource bean at src/main/java/io/spring/api/security/WebSecurityConfig.java:71 sets setAllowedOrigins(asList("*")), allowing requests from any origin. While allowCredentials is set to false (mitigating credential leakage via CORS), an overly permissive origin policy can still facilitate cross-origin data exfiltration of non-credentialed responses.

(Refers to line 71)

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CORS configuration is pre-existing and unchanged by this PR. On master the same bean already sets setAllowedOrigins(asList("*")) with setAllowCredentials(false) (original WebSecurityConfig.java:68-76). This upgrade only migrated the surrounding security config from the removed WebSecurityConfigurerAdapter to the Spring Security 6 SecurityFilterChain bean — the CORS policy was carried over verbatim.

Since allowCredentials is false, the wildcard origin cannot be used to exfiltrate credentialed responses. Tightening the allowed origins is a reasonable hardening idea, but it's a behavioral change to existing config that's out of scope for this Java 21 / Spring Boot 3 migration PR. Happy to do it as a follow-up if desired.

Original file line number Diff line number Diff line change
@@ -1,17 +1,18 @@
package io.spring.api.security;

import static java.util.Arrays.asList;
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
Expand All @@ -20,7 +21,7 @@

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public class WebSecurityConfig {

@Bean
public JwtTokenFilter jwtTokenFilter() {
Expand All @@ -32,36 +33,36 @@ public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}

@Override
protected void configure(HttpSecurity http) throws Exception {

http.csrf()
.disable()
.cors()
.and()
.exceptionHandling()
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS)
.permitAll()
.antMatchers("/graphiql")
.permitAll()
.antMatchers("/graphql")
.permitAll()
.antMatchers(HttpMethod.GET, "/articles/feed")
.authenticated()
.antMatchers(HttpMethod.POST, "/users", "/users/login")
.permitAll()
.antMatchers(HttpMethod.GET, "/articles/**", "/profiles/**", "/tags")
.permitAll()
.anyRequest()
.authenticated();
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf(csrf -> csrf.disable())
.cors(withDefaults())
.exceptionHandling(
handling ->
handling.authenticationEntryPoint(
new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
.sessionManagement(
management -> management.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(
requests ->
requests
.requestMatchers(HttpMethod.OPTIONS)
.permitAll()
.requestMatchers("/graphiql")
.permitAll()
.requestMatchers("/graphql")
.permitAll()
.requestMatchers(HttpMethod.GET, "/articles/feed")
.authenticated()
.requestMatchers(HttpMethod.POST, "/users", "/users/login")
.permitAll()
.requestMatchers(HttpMethod.GET, "/articles/**", "/profiles/**", "/tags")
.permitAll()
.anyRequest()
.authenticated());

http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();
}

@Bean
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
import io.spring.core.article.Article;
import io.spring.core.article.ArticleRepository;
import io.spring.core.user.User;
import javax.validation.Valid;
import jakarta.validation.Valid;
import lombok.AllArgsConstructor;
import org.springframework.stereotype.Service;
import org.springframework.validation.annotation.Validated;
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
package io.spring.application.article;

import jakarta.validation.Constraint;
import jakarta.validation.Payload;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.Payload;

@Documented
@Constraint(validatedBy = DuplicatedArticleValidator.class)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@

import io.spring.application.ArticleQueryService;
import io.spring.core.article.Article;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import org.springframework.beans.factory.annotation.Autowired;

class DuplicatedArticleValidator
Expand Down
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
package io.spring.application.article;

import com.fasterxml.jackson.annotation.JsonRootName;
import jakarta.validation.constraints.NotBlank;
import java.util.List;
import javax.validation.constraints.NotBlank;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Getter;
Expand Down
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
package io.spring.application.user;

import jakarta.validation.Constraint;
import jakarta.validation.Payload;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import javax.validation.Constraint;
import javax.validation.Payload;

@Constraint(validatedBy = DuplicatedEmailValidator.class)
@Retention(RetentionPolicy.RUNTIME)
Expand Down
Loading
Loading