Authentication backend built with Spring Boot 4 and Java 21. Supports local registration and login (email/password), OAuth2 login (Google, GitHub), JWT tokens in HttpOnly cookies, and refresh token rotation stored in PostgreSQL.
The project is part of a larger ecosystem (e.g. frontend at http://localhost:5173, “Edumate” naming in Docker/Swagger config), but works as a standalone auth microservice.
Based on the current codebase — gaps, inconsistencies, and suggested improvements.
## Critical / fixes

- **Database name mismatch** — `docker-compose.yml` creates `edumate`, while `.env.template` points to `auth`. Align everywhere.
- **Token lifetime inconsistency** — the `access_token` cookie has `maxAge(60)` (60 seconds) in `AuthController`, while the JWT in `JwtService` expires after ~24 minutes, and in `OAuth2SuccessHandler` the cookie lives 15 minutes. Unify JWT and cookie TTL.
- **Logout does not revoke refresh tokens in DB** — `/auth/logout` only clears cookies; `revokeAllForUser` exists in the repository but is unused.
- **AuthProvider.LOCAL not set on registration** — `provider` stays `null` for local accounts.
- **No global exception handler** — `RuntimeException` and `IllegalStateException` surface as raw 500 instead of proper HTTP codes (409 for a taken email, 401 for an invalid refresh token, etc.).
- **ddl-auto=create-drop** — data is lost on restart; add migrations (Flyway/Liquibase) and use `validate`/`update` in prod.
- **Linking OAuth and local accounts** — `findByEmail` does not check `provider`; decide on an account linking strategy or block duplicates.
- **Swagger vs cookies** — docs describe a Bearer JWT, but the app uses HttpOnly cookies; update OpenAPI (cookie security scheme) or add `Authorization` header support.
- **Hardcoded CORS and redirect URL** — `localhost:5173` is hardcoded; move it to environment config.
- **Refresh token rotation without User-Agent/IP validation** — the values are logged but not used for reuse detection.
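The three registration-related items above (provider left `null`, no global exception handler, no duplicate check across providers) can be closed together. The following is an added example, not code from this repository: it sets `AuthProvider.LOCAL` on local sign-up, refuses an email that already exists under any provider, and maps domain exceptions to 409/401 through a `@RestControllerAdvice`. The `User`, `UserRepository`, `AuthProvider` and exception class shapes are assumptions sketched inline so the file compiles on its own; swap in the project's real types.

```java
// Added example, not the project's code. User, UserRepository, AuthProvider and the
// exception classes below are assumed minimal shapes standing in for the real ones.
import java.util.Locale;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ProblemDetail;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

enum AuthProvider { LOCAL, GOOGLE, GITHUB }

class User {
    String email;
    String passwordHash;
    AuthProvider provider;
}

interface UserRepository {
    Optional<User> findByEmail(String email);
    User save(User user);
}

class EmailAlreadyUsedException extends RuntimeException {}

class InvalidRefreshTokenException extends RuntimeException {
    InvalidRefreshTokenException(String message) { super(message); }
}

@Service
class RegistrationService {
    private final UserRepository users;
    private final PasswordEncoder encoder;

    RegistrationService(UserRepository users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    public User register(String email, String rawPassword) {
        String normalized = email.trim().toLowerCase(Locale.ROOT);
        // Duplicate blocking: an address already taken by an OAuth account must not be
        // claimed by a local registration (and vice versa) without an explicit linking flow.
        if (users.findByEmail(normalized).isPresent()) {
            throw new EmailAlreadyUsedException();
        }
        User user = new User();
        user.email = normalized;
        user.passwordHash = encoder.encode(rawPassword);
        user.provider = AuthProvider.LOCAL; // the value that is currently left null
        return users.save(user);
    }
}

@RestControllerAdvice
class ApiExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(ApiExceptionHandler.class);

    @ExceptionHandler(EmailAlreadyUsedException.class)
    ProblemDetail emailTaken(EmailAlreadyUsedException e) {
        return ProblemDetail.forStatusAndDetail(HttpStatus.CONFLICT, "Email is already registered");
    }

    @ExceptionHandler(InvalidRefreshTokenException.class)
    ProblemDetail invalidRefresh(InvalidRefreshTokenException e) {
        // One generic body for unknown, expired and replayed tokens; the reason stays in the log.
        log.warn("refresh rejected: {}", e.getMessage());
        return ProblemDetail.forStatusAndDetail(HttpStatus.UNAUTHORIZED, "Refresh token is invalid");
    }

    @ExceptionHandler(Exception.class)
    ProblemDetail fallback(Exception e) {
        // Never echo e.getMessage() to the client; stack traces and SQL text belong in the log only.
        log.error("unhandled exception", e);
        return ProblemDetail.forStatusAndDetail(HttpStatus.INTERNAL_SERVER_ERROR, "Unexpected error");
    }
}
```

Two points to keep in mind when adopting this: the catch-all `Exception` handler would also swallow Spring Security's `AuthenticationException`/`AccessDeniedException` if they are thrown from inside a controller (e.g. via method security), turning a 401/403 into a 500, so either add dedicated handlers for those or let them propagate; and a 409 on registration necessarily tells the caller that the address exists, which is why the body stays generic and does not reveal which provider owns it.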
## Functionality

- **Email verification** — no email verification after registration.
- **Password reset** — no “forgot password” flow.
- **Expired token cleanup** — `deleteExpired` in the repository is never called; add a scheduled job.
- **Remove or document TestController** — `/test` requires auth but is commented out in `permitAll`.
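The refresh-token items on this page (logout not calling `revokeAllForUser`, rotation without User-Agent/IP checks, `deleteExpired` never scheduled) all touch the same service, so one added example covers them. This is not the project's code: the `RefreshToken` entity and `RefreshTokenRepository` shape below are assumptions, as are the seven-day TTL, the hashing of the raw token before storage, and the cron schedule.

```java
// Added example, not the project's code. Entity and repository shapes are assumed.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Optional;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

class InvalidRefreshTokenException extends RuntimeException {
    InvalidRefreshTokenException(String message) { super(message); }
}

class RefreshToken {
    String tokenHash;   // SHA-256 of the raw token; the raw value never hits the DB
    Long userId;
    String clientHash;  // SHA-256 of "userAgent|ip" captured at issue time
    Instant expiresAt;
    boolean revoked;
}

interface RefreshTokenRepository {
    Optional<RefreshToken> findByTokenHash(String tokenHash);
    RefreshToken save(RefreshToken token);
    void revokeAllForUser(Long userId);   // exists in the project but is unused today
    void deleteExpired(Instant now);      // exists in the project but is never called
}

@Service
class RefreshTokenService {
    private static final Duration TTL = Duration.ofDays(7); // assumption
    private final RefreshTokenRepository repo;
    private final SecureRandom random = new SecureRandom();

    RefreshTokenService(RefreshTokenRepository repo) { this.repo = repo; }

    @Transactional
    public String issue(Long userId, String userAgent, String ip) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        RefreshToken t = new RefreshToken();
        t.tokenHash = sha256(token);
        t.userId = userId;
        t.clientHash = sha256(userAgent + "|" + ip);
        t.expiresAt = Instant.now().plus(TTL);
        repo.save(t);
        return token; // goes into the HttpOnly cookie
    }

    @Transactional
    public String rotate(String presented, String userAgent, String ip) {
        RefreshToken t = repo.findByTokenHash(sha256(presented))
                .orElseThrow(() -> new InvalidRefreshTokenException("unknown token"));
        if (t.revoked) {
            // A token that was already rotated is being replayed: treat the whole
            // session family as compromised and sign the user out everywhere.
            repo.revokeAllForUser(t.userId);
            throw new InvalidRefreshTokenException("reuse detected for user " + t.userId);
        }
        if (t.expiresAt.isBefore(Instant.now())) {
            t.revoked = true;
            repo.save(t);
            throw new InvalidRefreshTokenException("expired");
        }
        if (!t.clientHash.equals(sha256(userAgent + "|" + ip))) {
            // The values the current code only logs become a real check here.
            repo.revokeAllForUser(t.userId);
            throw new InvalidRefreshTokenException("client fingerprint mismatch");
        }
        t.revoked = true;          // one-time use
        repo.save(t);
        return issue(t.userId, userAgent, ip);
    }

    @Transactional
    public void logout(Long userId) {
        repo.revokeAllForUser(userId); // what /auth/logout should call before clearing cookies
    }

    @Scheduled(cron = "0 0 3 * * *") // needs @EnableScheduling on a configuration class
    @Transactional
    public void purgeExpired() {
        repo.deleteExpired(Instant.now());
    }

    private static String sha256(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Binding the token to the client IP is the strictest option and will log out mobile users whose address changes between requests; binding to the User-Agent alone, or comparing IP only as a signal for logging, is a reasonable softer choice. Either way, the reuse check on `revoked` is the part that actually detects a stolen-and-replayed token, and it only works because rotation marks the old row instead of deleting it, which is also why the scheduled `deleteExpired` is needed to keep the table from growing forever.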
## Code quality

- **Refactor duplication** — cookie logic is duplicated in `AuthController` and `OAuth2SuccessHandler`; extract a helper/factory.
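Extracting the cookie code also fixes the token lifetime inconsistency listed under critical fixes, because both the JWT expiry and the cookie `maxAge` can then be read from one property. The following is an added example, not this repository's code: the `auth.token.*` property names, the `TokenProperties` record and the `/auth/refresh` path for the refresh cookie are assumptions.

```java
// Added example, not the project's code. Property names and class names are assumed.
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Component;

// auth.token.access-ttl=15m, auth.token.refresh-ttl=7d, auth.token.secure-cookies=true
// Register with @EnableConfigurationProperties(TokenProperties.class) or @ConfigurationPropertiesScan.
@ConfigurationProperties(prefix = "auth.token")
record TokenProperties(Duration accessTtl, Duration refreshTtl, boolean secureCookies) {}

@Component
class AuthCookieFactory {
    static final String ACCESS = "access_token";
    static final String REFRESH = "refresh_token";
    static final String REFRESH_PATH = "/auth/refresh"; // assumption: refresh endpoint path

    private final TokenProperties props;

    AuthCookieFactory(TokenProperties props) { this.props = props; }

    ResponseCookie access(String jwt) {
        // Same TTL the JWT itself is signed with, so cookie and token expire together.
        return build(ACCESS, jwt, "/", props.accessTtl());
    }

    ResponseCookie refresh(String token) {
        // Scoped to the refresh endpoint so the browser never sends it to other routes.
        return build(REFRESH, token, REFRESH_PATH, props.refreshTtl());
    }

    ResponseCookie clearAccess()  { return build(ACCESS, "", "/", Duration.ZERO); }
    ResponseCookie clearRefresh() { return build(REFRESH, "", REFRESH_PATH, Duration.ZERO); }

    private ResponseCookie build(String name, String value, String path, Duration maxAge) {
        return ResponseCookie.from(name, value)
                .httpOnly(true)
                .secure(props.secureCookies()) // false only for the http://localhost dev profile
                .sameSite("Lax")
                .path(path)
                .maxAge(maxAge)
                .build();
    }

    // The expiry JwtService should use, derived from the same property as the cookie.
    Date accessExpiry() {
        return Date.from(Instant.now().plus(props.accessTtl()));
    }
}
```

Both `AuthController` and `OAuth2SuccessHandler` then call `response.addHeader(HttpHeaders.SET_COOKIE, cookies.access(jwt).toString())` instead of building cookies by hand, and `/auth/logout` uses the two `clear*` methods (a clearing cookie must carry the same `path` as the one it replaces, which is easy to get wrong when the attributes live in two places). The `maxAge(60)`, 15-minute and ~24-minute values on the page become one configured number.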
## DevOps / production

- **Spring profiles** — `application-dev.properties` and `application-prod.properties` with different JPA, logging and CORS settings.
- **Health checks** — add Spring Actuator (`/actuator/health`).
- **CI/CD** — pipeline (build, test, Docker push).
## Documentation

- **Request examples** — curl/HTTPie for register, login and refresh, including cookie handling.