refactor(mfa): address second round of PR review feedback

- Remove redundant setDefaultAccessDeniedHandler call in setupMfa();
  the builder already initializes the default handler
- Replace mutable HashMap with immutable Map.of() for factor-to-URI map
- Tighten unprotected URI from /user/mfa/** wildcard to /user/mfa/status
  to avoid silently exposing future MFA endpoints
- Remove redundant toUpperCase() calls in MfaAPI.getMfaStatus() since
  requiredFactors is already uppercased during stream mapping
- Remove unused HashMap and AccessDeniedHandlerImpl imports

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/api/MfaAPI.java

@@ -58,18 +58,15 @@ public ResponseEntity<JSONResponse> getMfaStatus(Authentication authentication)
 			Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
 
 			for (String factor : requiredFactors) {
-				String normalized = factor.toUpperCase();
-				String authorityString = MfaConfiguration.mapFactorToAuthority(normalized);
+				String authorityString = MfaConfiguration.mapFactorToAuthority(factor);
 				if (authorityString != null && hasAuthority(authorities, authorityString)) {
-					satisfiedFactors.add(normalized);
+					satisfiedFactors.add(factor);
 				} else {
-					missingFactors.add(normalized);
+					missingFactors.add(factor);
 				}
 			}
 		} else {
-			for (String factor : requiredFactors) {
-				missingFactors.add(factor.toUpperCase());
-			}
+			missingFactors.addAll(requiredFactors);
 		}
 
 		MfaStatusResponse status = MfaStatusResponse.builder()

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -3,7 +3,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
+
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -29,7 +29,7 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+
 import org.springframework.security.web.access.DelegatingMissingAuthorityAccessDeniedHandler;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
@@ -263,9 +263,9 @@ private void setupMfa(HttpSecurity http) throws Exception {
 		DelegatingMissingAuthorityAccessDeniedHandler.Builder handlerBuilder =
 				DelegatingMissingAuthorityAccessDeniedHandler.builder();
 
-		Map<String, String> factorToUri = new HashMap<>();
-		factorToUri.put("PASSWORD", mfaConfigProperties.getPasswordEntryPointUri());
-		factorToUri.put("WEBAUTHN", mfaConfigProperties.getWebauthnEntryPointUri());
+		Map<String, String> factorToUri = Map.of(
+				"PASSWORD", mfaConfigProperties.getPasswordEntryPointUri(),
+				"WEBAUTHN", mfaConfigProperties.getWebauthnEntryPointUri());
 
 		for (String factor : mfaConfigProperties.getFactors()) {
 			String authority = MfaConfiguration.mapFactorToAuthority(factor);
@@ -276,7 +276,6 @@ private void setupMfa(HttpSecurity http) throws Exception {
 		}
 
 		DelegatingMissingAuthorityAccessDeniedHandler handler = handlerBuilder.build();
-		handler.setDefaultAccessDeniedHandler(new AccessDeniedHandlerImpl());
 		http.exceptionHandling(handling -> handling.accessDeniedHandler(handler));
 		log.info("MFA configured with access denied handler for factors: {}", mfaConfigProperties.getFactors());
 	}
@@ -322,7 +321,7 @@ private List<String> getUnprotectedURIsList() {
 			unprotectedURIs.add("/dev/**");
 		}
 		if (mfaConfigProperties.isEnabled()) {
-			unprotectedURIs.add("/user/mfa/**");
+			unprotectedURIs.add("/user/mfa/status");
 		}
 		unprotectedURIs.removeAll(Collections.emptyList());
 		return unprotectedURIs;