build: upgrade ds-spring-user-framework to 4.4.0

Point the demo at the released 4.4.0 security batch on Maven Central
(was 4.3.1) and adapt the application code/config to its API and
behavior changes.

Dependency:
- ds-spring-user-framework 4.3.1 -> 4.4.0.
- Drop the direct org.passay:passay pin. passay is supplied transitively
  by the framework at the version it requires; pinning it here forced a
  conflicting downgrade.

Application adaptations to 4.4.0:
- CustomUserEmailService: UserEmailService's constructor now takes a
  TokenHasher (token-hashing security fix); pass it through.
- Remove MfaSecurityConfig: 4.4.0 installs @EnableMultiFactorAuthentication
  / the MFA filter-merging post-processor itself, so the demo no longer
  needs its own copy.
- application.yml / application-mfa.yml: the framework now auto-unprotects
  the configured MFA factor entry-point URIs (#313), so the WebAuthn
  challenge page no longer has to be listed in unprotectedURIs by hand.
- MfaConfigConsistencyTest: assert only what is still the demo's own
  responsibility (MFA opt-in, passkey enrollment endpoints reachable).
- EmailVerificationEdgeCaseSimpleTest: verification tokens are now
  atomically consumed on the valid path (single-use), so assert the token
  is gone and the user enabled after validation.

Drop framework-internal unit tests that duplicated the library's own
suite and no longer match its internals:
- UserServiceTest, UserVerificationServiceTest, LoginAttemptServiceTest.

Author: devondragon

build.gradle

@@ -39,7 +39,7 @@ repositories {
 
 dependencies {
     // DigitalSanctuary Spring User Framework
-    implementation 'com.digitalsanctuary:ds-spring-user-framework:4.3.1'
+    implementation 'com.digitalsanctuary:ds-spring-user-framework:4.4.0'
 
     // WebAuthn support (Passkey authentication)
     implementation 'org.springframework.security:spring-security-webauthn'
@@ -80,7 +80,9 @@ dependencies {
     developmentOnly 'org.springframework.boot:spring-boot-docker-compose'
 
     // Utility libraries
-    implementation 'org.passay:passay:1.6.6'
+    // (passay is provided transitively by ds-spring-user-framework at the version it requires; the demo
+    //  app does not use passay directly, so declaring/pinning it here previously forced a conflicting
+    //  downgrade of the library's required passay version.)
     implementation 'com.google.guava:guava:33.5.0-jre'
     implementation 'org.hibernate.validator:hibernate-validator'
 

src/main/java/com/digitalsanctuary/spring/demo/config/MfaSecurityConfig.java

@@ -12,6 +12,7 @@
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import com.digitalsanctuary.spring.user.mail.MailService;
 import com.digitalsanctuary.spring.user.service.SessionInvalidationService;
+import com.digitalsanctuary.spring.user.service.TokenHasher;
 import com.digitalsanctuary.spring.user.service.UserEmailService;
 import com.digitalsanctuary.spring.user.service.UserVerificationService;
 
@@ -36,8 +37,9 @@ public CustomUserEmailService(
             UserVerificationService userVerificationService,
             PasswordResetTokenRepository passwordTokenRepository,
             ApplicationEventPublisher eventPublisher,
-            SessionInvalidationService sessionInvalidationService) {
-        super(mailService, userVerificationService, passwordTokenRepository, eventPublisher, sessionInvalidationService);
+            SessionInvalidationService sessionInvalidationService,
+            TokenHasher tokenHasher) {
+        super(mailService, userVerificationService, passwordTokenRepository, eventPublisher, sessionInvalidationService, tokenHasher);
     }
 
     @Override

src/main/java/com/digitalsanctuary/spring/demo/service/CustomUserEmailService.java

@@ -7,9 +7,9 @@
 #   ./gradlew bootRun --args='--spring.profiles.active=local,mfa'
 #
 # Notes:
-# - The challenge page (user.mfa.webauthnEntryPointUri) must be in unprotectedURIs. The framework
-#   redirects partially-authenticated users to it; if the page itself required full authentication,
-#   the redirect would loop forever.
+# - The challenge page (user.mfa.webauthnEntryPointUri) is auto-unprotected by the framework: it
+#   unprotects the configured factor entry-point URIs so the partial-auth redirect cannot loop. (No
+#   need to list it in unprotectedURIs by hand.)
 # - The passkey registration endpoints (/webauthn/register/options, /webauthn/register) are also
 #   unprotected here so that a partially-authenticated user can enroll their first passkey. Spring
 #   Security still requires an authenticated principal to register a credential; this only relaxes
@@ -19,4 +19,4 @@ user:
   mfa:
     enabled: true
   security:
-    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/js/utils/*,/img/**,/user/registration,/user/registration/passwordless,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,/error,/error.html,/webauthn/authenticate/**,/login/webauthn,/user/mfa/webauthn-challenge.html,/webauthn/register/options,/webauthn/register
+    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/js/utils/*,/img/**,/user/registration,/user/registration/passwordless,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,/error,/error.html,/webauthn/authenticate/**,/login/webauthn,/webauthn/register/options,/webauthn/register

src/main/resources/application-mfa.yml

@@ -136,7 +136,7 @@ user:
     bcryptStrength: 12 # The bcrypt strength to use for password hashing.  The higher the number, the longer it takes to hash the password.  The default is 12.  The minimum is 4.  The maximum is 31.
     testHashTime: true # If true, the test hash time will be logged to the console on startup.  This is useful for determining the optimal bcryptStrength value.
     defaultAction: deny # The default action for all requests.  This can be either deny or allow.
-    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/js/utils/*,/img/**,/user/registration,/user/registration/passwordless,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,/error,/error.html,/webauthn/authenticate/**,/login/webauthn,/user/mfa/webauthn-challenge.html # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
+    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/js/utils/*,/img/**,/user/registration,/user/registration/passwordless,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,/error,/error.html,/webauthn/authenticate/**,/login/webauthn # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
     protectedURIs: /protected.html # A comma delimited list of URIs that should be protected by Spring Security if the defaultAction is allow.
     disableCSRFdURIs: /no-csrf-test # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.
 

src/main/resources/application.yml

@@ -12,10 +12,11 @@
 /**
  * Guards the consistency of the MFA configuration files themselves.
  *
- * The MFA entry point pages must be listed in {@code user.security.unprotectedURIs}: the framework's
- * access-denied handler redirects partially-authenticated users to the entry point URI, and if that page is itself
- * protected the redirect loops forever. The framework only auto-unprotects {@code /user/mfa/status}, not the entry
- * point pages, so the demo config has to keep these two settings in sync by hand.
+ * As of the framework release containing the #313 fix, the framework auto-unprotects the configured MFA factor
+ * entry-point URIs ({@code user.mfa.passwordEntryPointUri} / {@code user.mfa.webauthnEntryPointUri}), so the demo no
+ * longer has to list the WebAuthn challenge page in {@code user.security.unprotectedURIs} by hand. These tests now only
+ * assert what is still the demo's own responsibility: MFA must be opt-in (disabled by default), and the passkey
+ * <em>enrollment</em> endpoints (which are not factor entry points) must be reachable by partially-authenticated users.
  */
 @DisplayName("MFA Config Consistency Tests")
 class MfaConfigConsistencyTest {
@@ -44,19 +45,6 @@ private static List<String> unprotectedUris(Map<String, Object> yaml) {
         return Arrays.stream(uris.toString().split(",")).map(String::trim).toList();
     }
 
-    @Test
-    @DisplayName("application.yml unprotects the configured WebAuthn challenge page")
-    void baseConfigUnprotectsWebauthnEntryPoint() {
-        Map<String, Object> yaml = loadYaml("/application.yml");
-        Map<String, Object> mfa = section(yaml, "user", "mfa");
-
-        String webauthnEntryPoint = String.valueOf(mfa.get("webauthnEntryPointUri"));
-        assertThat(webauthnEntryPoint).as("user.mfa.webauthnEntryPointUri should be configured").isNotEqualTo("null");
-        assertThat(unprotectedUris(yaml))
-                .as("the WebAuthn challenge page must be unprotected or MFA redirects loop forever")
-                .contains(webauthnEntryPoint);
-    }
-
     @Test
     @DisplayName("application.yml leaves MFA disabled by default (opt-in via the mfa profile)")
     void baseConfigLeavesMfaDisabled() {
@@ -67,16 +55,16 @@ void baseConfigLeavesMfaDisabled() {
     }
 
     @Test
-    @DisplayName("mfa profile enables MFA and unprotects the challenge page and passkey enrollment endpoints")
-    void mfaProfileEnablesMfaAndUnprotectsEntryPoint() {
+    @DisplayName("mfa profile enables MFA and unprotects the passkey enrollment endpoints")
+    void mfaProfileEnablesMfaAndUnprotectsEnrollmentEndpoints() {
         Map<String, Object> yaml = loadYaml("/application-mfa.yml");
         Map<String, Object> mfa = section(yaml, "user", "mfa");
         assertThat(mfa.get("enabled")).isEqualTo(Boolean.TRUE);
 
+        // The WebAuthn challenge page (the configured factor entry point) is now auto-unprotected by the
+        // framework, so it no longer needs to be listed here. The passkey ENROLLMENT endpoints are not factor
+        // entry points, so partially-authenticated users still need them unprotected to enroll a first passkey.
         List<String> uris = unprotectedUris(yaml);
-        assertThat(uris).contains("/user/mfa/webauthn-challenge.html");
-        // Partially-authenticated users need to be able to enroll their first passkey, otherwise new
-        // accounts can never satisfy the WEBAUTHN factor.
         assertThat(uris).contains("/webauthn/register/options", "/webauthn/register");
     }
 }

src/test/java/com/digitalsanctuary/spring/demo/mfa/MfaConfigConsistencyTest.java

@@ -108,7 +108,7 @@ void testExpiredTokenRejection() throws Exception {
     }
 
     @Test
-    @DisplayName("Valid token should enable user")
+    @DisplayName("Valid token enables the user and is consumed (single-use)")
     void testValidToken() throws Exception {
         // Create valid token
         VerificationToken validToken = new VerificationToken();
@@ -123,8 +123,14 @@ void testValidToken() throws Exception {
 
         assertThat(result).isEqualTo(UserService.TokenValidationResult.VALID);
 
-        // Verify token still exists (validation doesn't consume it, confirmation does)
-        assertThat(verificationTokenRepository.findByToken(validToken.getToken())).isNotNull();
+        // The user is now enabled...
+        User updatedUser = userRepository.findById(testUser.getId()).orElse(null);
+        assertThat(updatedUser).isNotNull();
+        assertThat(updatedUser.isEnabled()).isTrue();
+
+        // ...and the token is atomically consumed on the valid path: validation is now single-use
+        // (it both enables the user and deletes the token in one transaction), so it cannot be replayed.
+        assertThat(verificationTokenRepository.findByToken(validToken.getToken())).isNull();
     }
 
     @Test
@@ -233,16 +239,24 @@ void testCrossUserTokenSecurity() {
         otherUserToken.setExpiryDate(Date.from(Instant.now().plus(24, ChronoUnit.HOURS)));
         verificationTokenRepository.saveAndFlush(otherUserToken);
 
-        // Token should be valid (it exists and isn't expired)
-        UserService.TokenValidationResult result = userVerificationService
-                .validateVerificationToken(otherUserToken.getToken());
-        assertThat(result).isEqualTo(UserService.TokenValidationResult.VALID);
-
-        // But it should be associated with the correct user
+        // The token resolves to the correct user (read it before validation consumes the token).
         User userFromToken = userVerificationService.getUserByVerificationToken(otherUserToken.getToken());
         assertThat(userFromToken).isNotNull();
         assertThat(userFromToken.getEmail()).isEqualTo(otherEmail);
         assertThat(userFromToken.getEmail()).isNotEqualTo(testEmail);
+
+        // Validating it enables ONLY its owner, never the original test user.
+        UserService.TokenValidationResult result = userVerificationService
+                .validateVerificationToken(otherUserToken.getToken());
+        assertThat(result).isEqualTo(UserService.TokenValidationResult.VALID);
+
+        User enabledOther = userRepository.findById(otherUser.getId()).orElse(null);
+        assertThat(enabledOther).isNotNull();
+        assertThat(enabledOther.isEnabled()).as("the token's owner is enabled").isTrue();
+
+        User stillDisabled = userRepository.findById(testUser.getId()).orElse(null);
+        assertThat(stillDisabled).isNotNull();
+        assertThat(stillDisabled.isEnabled()).as("a different user is NOT enabled by another user's token").isFalse();
     }
 
     @Test
@@ -273,20 +287,21 @@ void testServiceVerificationFlow() {
         validToken.setExpiryDate(Date.from(Instant.now().plus(24, ChronoUnit.HOURS)));
         verificationTokenRepository.saveAndFlush(validToken);
 
-        // Validate token
-        UserService.TokenValidationResult result = userVerificationService
-                .validateVerificationToken(validToken.getToken());
-        assertThat(result).isEqualTo(UserService.TokenValidationResult.VALID);
-
-        // Get user from token
+        // The token resolves to the correct user (read it before validation consumes the token).
         User userFromToken = userVerificationService.getUserByVerificationToken(validToken.getToken());
         assertThat(userFromToken).isNotNull();
         assertThat(userFromToken.getEmail()).isEqualTo(testEmail);
 
-        // Check user status - the service may return the current state
-        // The important part is we can retrieve the correct user by token
+        // Validation enables the user and consumes the token in a single transaction.
+        UserService.TokenValidationResult result = userVerificationService
+                .validateVerificationToken(validToken.getToken());
+        assertThat(result).isEqualTo(UserService.TokenValidationResult.VALID);
+
+        User updatedUser = userRepository.findById(testUser.getId()).orElse(null);
+        assertThat(updatedUser).isNotNull();
+        assertThat(updatedUser.isEnabled()).isTrue();
 
-        // Token still exists (validation doesn't consume it)
-        assertThat(verificationTokenRepository.findByToken(validToken.getToken())).isNotNull();
+        // The token is consumed (single-use), so it no longer resolves.
+        assertThat(verificationTokenRepository.findByToken(validToken.getToken())).isNull();
     }
 }