refactor(mfa): address third round of PR review feedback

- Remove blank lines in WebSecurityConfig import block
- Add clarifying comment in MfaConfiguration for silent skip behavior
- Add positive-path MFA tests verifying fullyAuthenticated: true
  when user has all required FactorGrantedAuthority entries

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/security/MfaConfiguration.java

@@ -62,6 +62,8 @@ public DefaultAuthorizationManagerFactory<Object> mfaAuthorizationManagerFactory
 		AllRequiredFactorsAuthorizationManager.Builder<Object> factorsBuilder =
 				AllRequiredFactorsAuthorizationManager.builder();
 
+		// Unknown/blank factors are silently skipped here; validateMfaConfiguration() will
+		// throw before startup completes if the configuration is invalid.
 		for (String factor : mfaConfigProperties.getFactors()) {
 			if (factor == null || factor.isBlank()) {
 				continue;

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -3,7 +3,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -29,7 +28,6 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
-
 import org.springframework.security.web.access.DelegatingMissingAuthorityAccessDeniedHandler;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.session.HttpSessionEventPublisher;

src/test/java/com/digitalsanctuary/spring/user/api/MfaFeatureEnabledIntegrationTest.java

@@ -6,8 +6,12 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -90,4 +94,18 @@ void shouldRedirectToPasswordEntryPointWhenMissingFactorAuthority() throws Excep
 				.andExpect(status().is3xxRedirection())
 				.andExpect(redirectedUrlPattern(mfaConfigProperties.getPasswordEntryPointUri() + "**"));
 	}
+
+	@Test
+	@DisplayName("should report fully authenticated when user has all required factor authorities")
+	void shouldReportFullyAuthenticatedWhenUserHasAllRequiredFactorAuthorities() throws Exception {
+		List<GrantedAuthority> authorities = List.of(
+				new SimpleGrantedAuthority("ROLE_USER"),
+				FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY));
+
+		mockMvc.perform(get("/user/mfa/status").with(user("user@test.com").authorities(authorities)))
+				.andExpect(status().isOk())
+				.andExpect(jsonPath("$.data.fullyAuthenticated").value(true))
+				.andExpect(jsonPath("$.data.missingFactors").isEmpty())
+				.andExpect(jsonPath("$.data.satisfiedFactors[0]").value("PASSWORD"));
+	}
 }

src/test/java/com/digitalsanctuary/spring/user/api/MfaMultiFactorIntegrationTest.java

@@ -6,6 +6,9 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import java.util.List;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -91,4 +94,19 @@ void shouldReportBothFactorsAsMissingForUnauthenticatedRequest() throws Exceptio
 				.andExpect(jsonPath("$.data.missingFactors.length()").value(2))
 				.andExpect(jsonPath("$.data.fullyAuthenticated").value(false));
 	}
+
+	@Test
+	@DisplayName("should report fully authenticated when user has all required factor authorities")
+	void shouldReportFullyAuthenticatedWhenUserHasAllRequiredFactorAuthorities() throws Exception {
+		List<GrantedAuthority> authorities = List.of(
+				new SimpleGrantedAuthority("ROLE_USER"),
+				FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY),
+				FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.WEBAUTHN_AUTHORITY));
+
+		mockMvc.perform(get("/user/mfa/status").with(user("user@test.com").authorities(authorities)))
+				.andExpect(status().isOk())
+				.andExpect(jsonPath("$.data.fullyAuthenticated").value(true))
+				.andExpect(jsonPath("$.data.missingFactors").isEmpty())
+				.andExpect(jsonPath("$.data.satisfiedFactors.length()").value(2));
+	}
 }