Refactor WebSecurityConfig WebAuthn ObjectPostProcessor wiring for readability #255

@devondragon

Summary

Refactor WebSecurityConfig.setupWebAuthn() to remove the inline, fully-qualified anonymous ObjectPostProcessor used only to set the WebAuthnAuthenticationSuccessHandler.

Current implementation works, but it is noisy and harder to maintain than necessary.

Context

During PR review, we identified a low-priority cleanup item in:

  • src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

The current code block (around setupWebAuthn) has this pattern:

  • withObjectPostProcessor(new org.springframework.security.config.ObjectPostProcessor<org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter>() { ... })
  • The anonymous class only does one thing: filter.setAuthenticationSuccessHandler(new WebAuthnAuthenticationSuccessHandler(userDetailsService));

Why this matters

The current approach is functionally correct, but has avoidable maintenance cost:

  • Readability: fully-qualified types + anonymous class add visual noise in core security config.
  • Change safety: success-handler wiring is buried inside inline boilerplate.
  • Consistency: the rest of WebSecurityConfig is mostly concise and method-extracted.

Goals

  • Preserve current runtime behavior exactly.
  • Reduce verbosity and improve local readability.
  • Make the success-handler wiring explicit and easy to test/adjust.

Proposed Refactor

  1. Add imports for:
    • org.springframework.security.config.ObjectPostProcessor
    • org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter
  2. Extract post-processing logic from inline anonymous class into a small helper method (or bean), for example:
    • private ObjectPostProcessor<WebAuthnAuthenticationFilter> webAuthnSuccessHandlerPostProcessor()
  3. In setupWebAuthn(), replace inline anonymous class with:
    • .withObjectPostProcessor(webAuthnSuccessHandlerPostProcessor())
  4. Optionally extract success-handler construction so new WebAuthnAuthenticationSuccessHandler(userDetailsService) is not inline.

Acceptance Criteria

  • No fully-qualified ObjectPostProcessor<WebAuthnAuthenticationFilter> anonymous class remains in setupWebAuthn().
  • Behavior remains unchanged:
    • WebAuthn authentication still installs WebAuthnAuthenticationSuccessHandler.
    • Existing WebAuthn tests continue to pass.
  • Code compiles and tests pass:
    • ./gradlew compileJava compileTestJava
    • ./gradlew test --tests '*WebAuthn*'

Non-Goals

  • No change to WebAuthn feature flags/conditionals.
  • No change to WebAuthn endpoint behavior or API error handling.
  • No broader security-chain redesign.

Suggested Validation

  • Run existing WebAuthn tests:
    • WebAuthnAuthenticationSuccessHandlerTest
    • WebAuthnManagementAPITest
    • WebAuthnFeatureEnabledIntegrationTest
    • WebAuthnFeatureDisabledIntegrationTest
  • Optionally run full suite if touching neighboring config code.

Priority

Low (code quality/refactor only, no functional defect).
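
The refactor proposed above, sketched as an added example (not the project's own code). The class name, the setupWebAuthn(HttpSecurity) signature, the UserDetailsService field type and the webAuthnSuccessHandler() helper are assumptions; WebAuthnAuthenticationSuccessHandler is the project's class, and its import is omitted because its package is not stated in this issue.

```java
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;

// Hypothetical stand-in for the relevant part of WebSecurityConfig.
class WebAuthnWiringSketch {

    // Assumed field type; the issue only names the variable "userDetailsService".
    private final UserDetailsService userDetailsService;

    WebAuthnWiringSketch(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Step 3: the call site now names what is being wired instead of inlining it.
    void setupWebAuthn(HttpSecurity http) throws Exception {
        http.webAuthn(webAuthn -> webAuthn
                // existing relying-party settings stay here, unchanged
                .withObjectPostProcessor(webAuthnSuccessHandlerPostProcessor()));
    }

    // Step 2: extracted helper. ObjectPostProcessor.postProcess is a generic
    // method (<O extends T> O postProcess(O)), so a lambda cannot implement it;
    // the anonymous class moves here rather than disappearing.
    private ObjectPostProcessor<WebAuthnAuthenticationFilter> webAuthnSuccessHandlerPostProcessor() {
        return new ObjectPostProcessor<WebAuthnAuthenticationFilter>() {
            @Override
            public <O extends WebAuthnAuthenticationFilter> O postProcess(O filter) {
                filter.setAuthenticationSuccessHandler(webAuthnSuccessHandler());
                return filter; // same instance, only the success handler is replaced
            }
        };
    }

    // Step 4 (optional): handler construction in one place, so a test can
    // assert which handler the filter ends up with.
    private AuthenticationSuccessHandler webAuthnSuccessHandler() {
        return new WebAuthnAuthenticationSuccessHandler(userDetailsService);
    }
}
```

Because the post-processor returns the same filter instance and sets the same handler type, the runtime behavior required by the acceptance criteria is unchanged.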

Labels: enhancement (New feature or request), java (Pull requests that update java code)
