Migration to Spring Boot 4.0.2, Java 25 and Gradle 9.3.1 #820
Draft
viktormohl wants to merge 21 commits into
…nerfl#815)
- Implement server-side session authentication with HttpOnly cookies
- Add configurable session timeout (FAKESMTP_WEBAPP_SESSION_TIMEOUT_MINUTES)
- Enable CSRF protection for API requests
- Add CSP headers on UI shell routes only
- Restructure static assets under /assets/ with reduced public surface
- Implement authenticated SSE with heartbeats, connection health indicator, Virtual Threads for high-performance delivery, and exponential backoff
- Expose session metadata via /api/meta-data for UI consumption
- Add SessionTimeoutManager with inactivity tracking
- Update build process to include assets in bootRun/test tasks
- Add configurable rate limiting for login attempts
- Add configurable support for concurrent sessions
88c7698 to 7b55bf4
7b55bf4 to 34bba53
f33cdbc to ed9ddef
- Upgrade platform stack to Spring Boot 4.0.2, Java 25, Gradle 9.3.1, Node.js 24.13.1, and npm 11.8.0.
- Adopt Gradle version catalog and align dependencies/configuration for framework compatibility.
- Refactor email processing and deletion flow, including `EmailDeletionService`, transactional handling, and batch deletes (`deleteAllInBatch`).
- Add inline image API support with Base64 decode on delivery and extend related coverage.
- Improve resilience and security around SSE/session/rate-limiting behavior (proxy headers, reconnect/cleanup, context-path handling).
- Expand backend/frontend test coverage (integration and unit tests), including SMTP flow, auth/rate-limit scenarios, and React test stability.
- Improve operational setup: optimize container base image/runtime and decouple `bootRun` from full SPA asset pipeline.
ed9ddef to 980a41c
…responding tests
- Implement content type and Base64 data validation for inline images.
- Return HTTP 422 for invalid inline image content type or Base64 data.
- Extract helper methods for image data decoding and type parsing.
- Add unit and integration tests for invalid content scenarios.

- Add normalization logic for Content-ID header values.
- Handle malformed or improperly wrapped Content-ID values defensively.
- Extend test coverage to validate normalization and edge cases.

- Add test to skip inline images with missing Content-ID headers.
- Add parameterized tests for invalid Base64 data and content types.
- Refactor common logic into helper methods for setup and assertions.

- Replace single-case tests with parameterized tests for invalid Base64 data and content types.
- Add tests to validate persistence rejection for inline images with null data or content type.
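The two commits above describe Content-ID normalization and the 422 rejection of inline images with an unsupported content type or undecodable Base64 data. The following is an added illustration of both checks, written for this page and not taken from the project: the class, method and record names, the allow-list of image types, and the sample inputs are all constructed assumptions, and the normalization rules (trim, strip one pair of angle brackets, drop a `cid:` prefix, reject unbalanced brackets or embedded whitespace) are one reasonable reading of "handle malformed or improperly wrapped values defensively", not necessarily the project's.

```java
import java.util.Base64;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Illustrative inline-image validation helpers (hypothetical; not the project's own code). */
public class InlineImageValidationExample {

    /** Outcome of validating a submitted inline image; stands in for the HTTP 422 vs. accepted decision. */
    public record Result(boolean accepted, int httpStatus, String message, byte[] data) {}

    // Constructed allow-list for the example; the real set is whatever the application accepts.
    private static final Set<String> ALLOWED_TYPES =
            Set.of("image/png", "image/jpeg", "image/gif", "image/webp");

    /**
     * Normalises a Content-ID header value to its bare identifier: trims whitespace,
     * strips a single balanced pair of angle brackets, and drops a leading "cid:" prefix.
     * Returns empty for null, blank, or malformed (unbalanced bracket, inner whitespace)
     * values so the caller can skip the part rather than persist a broken identifier.
     */
    public static Optional<String> normalizeContentId(String raw) {
        if (raw == null) return Optional.empty();
        String v = raw.trim();
        if (v.length() >= 2 && v.startsWith("<") && v.endsWith(">")) {
            v = v.substring(1, v.length() - 1).trim();
        } else if (v.startsWith("<") || v.endsWith(">")) {
            return Optional.empty(); // unbalanced wrapper: treat as malformed
        }
        if (v.regionMatches(true, 0, "cid:", 0, 4)) {
            v = v.substring(4).trim();
        }
        if (v.isEmpty() || v.chars().anyMatch(Character::isWhitespace)) return Optional.empty();
        return Optional.of(v);
    }

    /** Strict decode: the basic JDK decoder rejects non-alphabet characters and bad padding. */
    public static Optional<byte[]> decodeBase64(String data) {
        if (data == null || data.isBlank()) return Optional.empty();
        try {
            return Optional.of(Base64.getDecoder().decode(data.strip()));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    /** Validates content type first, then the payload; either failure maps to 422. */
    public static Result validate(String contentType, String base64Data) {
        String type = contentType == null ? "" : contentType.trim().toLowerCase(Locale.ROOT);
        int semi = type.indexOf(';'); // ignore parameters such as "; charset=..." when matching
        if (semi >= 0) type = type.substring(0, semi).trim();
        if (!ALLOWED_TYPES.contains(type)) {
            return new Result(false, 422, "unsupported inline image content type: " + contentType, null);
        }
        Optional<byte[]> decoded = decodeBase64(base64Data);
        if (decoded.isEmpty()) {
            return new Result(false, 422, "inline image data is not valid Base64", null);
        }
        return new Result(true, 200, "ok", decoded.get());
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration.
        System.out.println(normalizeContentId(" <cid:logo@example.test> "));
        System.out.println(normalizeContentId("<broken"));
        System.out.println(validate("image/png", "iVBORw0KGgo=").httpStatus());
        System.out.println(validate("image/png", "not base64!").httpStatus());
        System.out.println(validate("text/html", "aGVsbG8=").httpStatus());
    }
}
```

Checking the media type before decoding keeps the cheap rejection first, and returning `Optional.empty()` from the normalizer (instead of a partially cleaned string) is what lets an upstream loop skip parts with a missing or unusable Content-ID, as the later test commit describes.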
…-io and springdoc-openapi
…adle version catalog.
…e metrics configuration
- Implement `MaxMessageSizeInputStream` to reject oversized messages during the `DATA` phase with `552 5.3.4 Message size exceeds fixed limit`.
- Add `MetricsProperties` to configure Micrometer metrics behavior, including optional address tags.
- Refactor data handling flow in `DataCommand` to support payload rejection and proper stream synchronization.
- Update management and metrics endpoints security and accessibility.
- Improve test coverage for max message size enforcement, metrics inclusion behavior, and actuator security.

… authentication state
- Introduce explicit `enabled` flag for Web UI authentication to ensure clear configuration.
- Enhance rate-limiting behavior: active only when authentication is enabled, inert otherwise.
- Enforce validation rules for authentication configuration to prevent invalid states.
- Update documentation to reflect new authentication semantics and rate-limiting behavior.
- Improve test coverage for authentication and rate-limiting edge cases.

- Introduce configurable TLS protocols with default fallback to TLSv1.3 and TLSv1.2.
- Add redaction of sensitive data in SMTP `AUTH` command debug logs.
- Update documentation with TLS and `AUTH` logging changes.
- Enhance test coverage for TLS protocol configuration and sensitive data redaction scenarios.
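The first commit in this group rejects oversized messages during `DATA` with `552 5.3.4 Message size exceeds fixed limit`. The following is an added example of the pattern, written for this page and not the project's `MaxMessageSizeInputStream` or `DataCommand`: a `FilterInputStream` that counts bytes as they are consumed and fails as soon as the cap is crossed, so the server never buffers an unbounded payload before deciding. The class and method names, the byte cap, and the sample payloads are constructed assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/** Illustrative size-capped DATA handling (hypothetical; not the project's own classes). */
public class MessageSizeLimitExample {

    /** Raised when the wrapped stream delivers more bytes than the configured maximum. */
    public static class MessageTooLargeException extends IOException {
        public MessageTooLargeException(long limit) {
            super("Message size exceeds fixed limit of " + limit + " bytes");
        }
    }

    /** Counts every byte read or skipped and fails fast once the limit is exceeded. */
    public static class MaxMessageSizeInputStream extends FilterInputStream {
        private final long maxBytes;
        private long consumed;

        public MaxMessageSizeInputStream(InputStream in, long maxBytes) {
            super(in);
            if (maxBytes <= 0) throw new IllegalArgumentException("maxBytes must be positive");
            this.maxBytes = maxBytes;
        }

        private void account(long n) throws IOException {
            if (n <= 0) return; // -1 (EOF) and 0 do not count
            consumed += n;
            if (consumed > maxBytes) throw new MessageTooLargeException(maxBytes);
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b != -1) account(1);
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            account(n);
            return n;
        }

        @Override
        public long skip(long n) throws IOException {
            long s = super.skip(n);
            account(s);
            return s;
        }

        public long consumed() { return consumed; }
    }

    /**
     * Hypothetical DATA-phase handler: drains the client payload through the cap and maps
     * the failure to the RFC 5321 reply quoted in the commit message. The underlying socket
     * stream is deliberately not closed here; the session decides what happens next.
     */
    public static String handleData(InputStream clientPayload, long maxBytes) throws IOException {
        InputStream capped = new MaxMessageSizeInputStream(clientPayload, maxBytes);
        byte[] buf = new byte[1024];
        long total = 0;
        try {
            int n;
            while ((n = capped.read(buf)) != -1) {
                total += n; // a real server would feed the MIME parser here
            }
            return "250 2.0.0 OK, " + total + " bytes queued";
        } catch (MessageTooLargeException e) {
            return "552 5.3.4 Message size exceeds fixed limit";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: one small message, one payload well over the 1 KiB cap.
        byte[] small = "Subject: hi\r\n\r\nhello\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] big = new byte[4096];
        System.out.println(handleData(new ByteArrayInputStream(small), 1024));
        System.out.println(handleData(new ByteArrayInputStream(big), 1024));
    }
}
```

One caveat the commit message hints at with "proper stream synchronization": after a 552 is sent mid-`DATA`, the server still has to read and discard the remainder of the client's payload up to the terminating `<CRLF>.<CRLF>` (or close the connection), otherwise the leftover bytes are parsed as the next SMTP command. The example stops at the reply; that drain belongs in the command layer that owns the socket.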
…or forwarded header edge cases
…flow
- Simplify actuator base path management by removing `WebEndpointProperties` dependency.
- Introduce a dedicated `SecurityFilterChain` for actuator endpoints with HTTP Basic authentication.
- Allow unauthenticated access to `/health` and `/info` while protecting other exposed endpoints.
- Add integration tests for actuator endpoints with root base path, both authenticated and unauthenticated.
- Refactor documentation to clarify access control for actuator endpoints.

- Introduce `.codex/config.toml` and `.codex/rules/dev.rules` to support asynchronous agent workflows with guarded Git operations.
- Add `webapp/AGENTS.md` detailing frontend-specific development guidelines and stack components.
- Update `AGENTS.md` and `README.md` with Codex agent setup instructions and repository-specific rules.
- Provide safe commands, policies, and coordination strategies for Codex-driven development.

- Introduce `docs/features/` with detailed documentation for backend, operations, and security features (`backend-features.md`, `operations-and-security-features.md`, `features-overview.md`).
- Add feature coverage matrix (`coverage-matrix.md`) to track implementation and documentation status.
- Refactor `AGENTS.md` to clarify AI-assisted development artifact flow and enforce task separation into `agent/plans/`, `agent/tasks/`, and `agent/process/`.
- Update `README.md` with links to feature documentation and AI artifact guidelines.
- Document AI-assisted development process in `agent/process/ai-development-flow.md`.

…n semantics, and observability details
- Add detailed notes for `EHLO` capability advertisements, `STARTTLS`/`AUTH` behavior, and strict parameter handling.
- Clarify email retention: deterministic ordering, transactional bulk deletes, and dependency cleanup.
- Introduce backend-side observability through `messages.delivered` and `messages.blocked` metrics with Micrometer instrumentation.
- Expand MIME processing details: support for `application/octet-stream` and unified size limits for attachments/inline images.
- Enhance `operations-and-security-features.md` with explicit authentication state handling and rate-limiting behavior.
- Revise coverage matrix post-audit for completed sections.
…ure references in README and coverage matrix.
Important
This MR is based on PR #819 and must be merged after this PR.
Summary
This MR migrates Fake SMTP Server from Spring Boot 3.5.5 to 4.0.2 and upgrades the toolchain to Java 25, Gradle 9.3.1, Node 24.13.1, and npm 11.8.0.
Planned release version: 2.6.0
Key Changes
Build and Platform
- … `gradle/libs.versions.toml`) for plugins/dependencies.
- … 9.3.1.
- … `bellsoft/liberica-runtime-container:jdk-25-slim-musl`.
- … 25.

Spring Boot 4 / Dependency Migration
- … 4.0.2.
- … `spring-boot-starter-webmvc-test` (required for MockMvc setup in Boot 4).
- … `flyway-core` with `spring-boot-starter-flyway`.
- … `write-dates-as-timestamps`).

Persistence and Deletion Behavior
- … `EmailContentRepository` and `EmailInlineImageRepository`.

Attachment / Inline Image Size Handling
- … `FAKESMTP_MAX_ATTACHMENT_SIZE` (default 10MB).
- … `processingStatus=SKIPPED_TOO_LARGE`
- … `processingMessage=<reason>`
- … `/api/emails/{mailId}/attachments/{attachmentId}` returns HTTP 413.
- … `V1_2_0__add_email_part_processing_status.sql` for processing metadata columns.

Runtime Configuration
- … `spring.lifecycle.timeout-per-shutdown-phase=5s`
- … `server.servlet.async-timeout=5000`

Test Results

Reviewer Focus
- … `deleteEmailById`, `deleteAllEmails`, retention timer).
- … 413, UI behavior).
- … `application.yaml`, `application-mockserver.yaml`, Flyway migration).

Breaking / Behavioral Notes
Checklist