Integrate authentication via UserAuth (player accounts + login)

[dmccoystephenson]

Summary

Implements #44 — adds real player authentication to Barony by integrating the standalone UserAuth service, replacing the previous anonymous username-only session flow. This makes Barony the first real-world consumer of UserAuth.

Architecture: browser → web-client (proxy) → backend → UserAuth. The backend owns the UserAuth integration so credentials/JWTs never need direct browser↔UserAuth CORS. The backend validates the bearer token against UserAuth GET /session/validate on every authenticated request — the issue's recommended correctness-first option, which honours logout/revocation immediately.

Modules touched

Both (backend + web-client), plus docker-compose.yml and docs.

Backend

• UserAuthClient (new) — proxies UserAuth /register, /login, /session/validate, /logout; base URL via userauth.url (default http://localhost:9998).
• AuthController — rewritten to /api/auth/register, /api/auth/login, /api/auth/logout (proxy to UserAuth; login returns the JWT, logout revokes it).
• GameController — /api/session/* now authenticate via Authorization: Bearer; missing/invalid/expired/revoked tokens → 401. Game state is keyed by the authenticated username.
• SessionService — refreshes a session's access time on reuse (removed the now-dead getSession lookup path) so an active player's state isn't reclaimed mid-play.

Web client

• BackendService/WebController — proxy register/login/logout and forward the bearer token on game requests.
• login.html — adds a password field + register link; stores the JWT. register.html (new). game.html — token-based headers; logout revokes server-side.

docker-compose

Adds userauth + userauth-db (Postgres) alongside Barony, wired via JWT_SECRET, USERAUTH_PATH (sibling checkout build context), ALLOWED_ORIGINS, and USERAUTH_URL for the backend.

Acceptance criteria

• Register → log in → play authenticated session → log out via the web client
• Backend rejects missing/invalid/expired/revoked tokens (401)
• UserAuth + Postgres come up via docker-compose with Barony; CORS allows the web client
• Flow documented (README API + Quick Start + auth flow, PLAYER_GUIDE, CHANGELOG, DOCS)

Test plan

• backend: ./mvnw test — 157 passing (new: UserAuthClientTest, AuthControllerTest, GameControllerAuthTest, SessionServiceTest)
• web-client: ./mvnw test — 4 passing (first test source for this module: BackendServiceTest)
• Live end-to-end against a running UserAuth instance (not run in CI — UserAuth is an external service; mocked at the client boundary instead)

Notes

• This is a feature-sized diff that necessarily spans both modules + compose + docs; it modifies docker-compose.yml, so per the dev-loop's do-not-auto-merge policy it is left for manual review rather than auto-merged.
• UserAuth's README currently carries an "early development" caveat alongside its documented /register//login//session/validate//logout contract; this integration targets that documented contract. Any rough edges found while wiring it up will be filed back to the UserAuth repo per the issue.

Closes #44

🤖 Generated with Claude Code

[dmccoystephenson]

Self-review rubric (adversarial — evidence-grounded; CI green on head 78b11bb as the external anchor):

Universal:

• Scope: PASS — all 17 touched paths serve #44. The one judgment call: GameController was rewritten for Bearer auth and I extracted a shared validateDecision() helper (previously inline-duplicated in decision/sessionDecision); de-dup confined to the file already being changed, not unrelated churn.
• Tests-new: PASS — every new public method is exercised: UserAuthClient (register/login/validate/logout), AuthController (register/login/logout incl. 400s), GameController auth gating (401 no-token, 401 invalid/revoked, 200 valid), SessionService.getOrCreateSession, and BackendService (register/login/logout/getSessionState/sessionTick/sessionCommand) after the follow-up test commit.
• Tests-fix: PASS — the SessionService lastAccessed-refresh fix (regression from removing getSession) is covered by getOrCreateSessionRefreshesLastAccessedOnReuse, which fails without the refresh.
• Sibling structure: PASS — UserAuthClient mirrors BackendService (constructor-injected RestTemplate); register.html mirrors login.html; tests follow the <Class>Test convention.
• Sibling renames: PASS — sessionId→token renamed together across game.html (checkSession/getSessionHeaders/logout) and BackendService session methods; X-Session-Id→Authorization: Bearer swapped on both the backend endpoints and the web-client callers.
• Docs: PASS — README (API + Quick Start + auth flow), PLAYER_GUIDE (account section), CHANGELOG, DOCS updated; MVP.md grep for auth/session/X-Session-Id returned nothing, so no drift there.
• Issue resolution: PASS — register/login/logout + per-request token validation + per-user state all implemented; not a partial close.
• CI: PASS — Backend (157 tests) and Web Client (6 tests) jobs both green.

Repo-specific:

• Both-modules: PASS — separate CI jobs per module both pass; verified locally too.
• API-contract: PASS — backend endpoint changes (/api/session/* → Bearer; new /api/auth/register|logout) reflected in BackendService/WebController and the README API section.
• Changelog: PASS — Unreleased > Authentication entry added.
• Constructor-injection: PASS — UserAuthClient + AuthController/GameController/WebController use constructor injection (@RequiredArgsConstructor); no field @Autowired introduced (the two rewritten controllers previously used field injection).
• Override-correct: PASS (n/a) — no new @Override.

Flagged for human reviewer (judgment, not blocking): live end-to-end against a running UserAuth was not run in CI (external service; mocked at the client boundary). docker-compose is modified, so this PR is intentionally left for manual review rather than auto-merged.

[Copilot]

Pull request overview

Integrates real player authentication into Barony by proxying the external UserAuth service through the backend and switching per-player game APIs from anonymous sessions to Authorization: Bearer <token>.

Changes:

• Added backend-side UserAuth integration (register/login/logout + per-request token validation) and migrated /api/session/* to be per-player and token-authenticated.
• Updated the web-client to support register/login/logout UI + bearer token forwarding, and added initial web-client tests.
• Extended docker-compose.yml and docs to run UserAuth (+ Postgres) alongside Barony and document the auth flow.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
web-client/src/test/java/com/barony/webclient/service/BackendServiceTest.java	Adds first web-client tests for auth proxying + bearer forwarding.
web-client/src/main/resources/templates/register.html	New registration page posting credentials to /api/auth/register.
web-client/src/main/resources/templates/login.html	Adds password-based login and stores JWT client-side.
web-client/src/main/resources/templates/game.html	Switches game requests from X-Session-Id to bearer token; adds logout revocation call.
web-client/src/main/java/com/barony/webclient/service/BackendService.java	Adds register/logout methods and bearer-token session API calls.
web-client/src/main/java/com/barony/webclient/controller/WebController.java	Adds register page + auth proxy endpoints; forwards bearer token on session endpoints.
README.md	Documents UserAuth dependency, docker-compose startup, endpoints, and auth flow examples.
PLAYER_GUIDE.md	Updates player instructions for registration/login/logout with UserAuth.
DOCS.md	Notes authentication flow documentation coverage.
docker-compose.yml	Adds userauth + userauth-db services and wires backend to UserAuth.
CHANGELOG.md	Records UserAuth integration in Unreleased section.
backend/src/test/java/com/barony/backend/service/UserAuthClientTest.java	Tests for UserAuth client proxy behavior.
backend/src/test/java/com/barony/backend/service/SessionServiceTest.java	Tests session keying by username + last-access refresh.
backend/src/test/java/com/barony/backend/controller/GameControllerAuthTest.java	MVC tests for 401 behavior and per-user scoping via mocked validation.
backend/src/test/java/com/barony/backend/controller/AuthControllerTest.java	MVC tests for register/login/logout proxy behavior.
backend/src/main/resources/application.properties	Adds userauth.url configuration via USERAUTH_URL.
backend/src/main/java/com/barony/backend/service/UserAuthClient.java	New RestTemplate-based UserAuth client (register/login/validate/logout).
backend/src/main/java/com/barony/backend/service/SessionService.java	Removes sessionId lookup and refreshes last-access on username reuse.
backend/src/main/java/com/barony/backend/controller/GameController.java	Migrates /api/session/* to authenticate via bearer token + UserAuth validation.
backend/src/main/java/com/barony/backend/controller/AuthController.java	Replaces sessionId login with UserAuth proxy register/login/logout.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dmccoystephenson]

Acknowledged. The bearer-token-in-localStorage approach was taken to match the integration contract described in #44 ("store the returned JWT, send it as Authorization: Bearer <token>"). A move to an HttpOnly cookie (or a CSP, which would first require refactoring the inline scripts/handlers out of the templates) is a larger change that was kept out of this PR to bound its scope; it has been filed as a follow-up in #46.

— drafted by Claude on behalf of Daniel Stephenson

[dmccoystephenson]

Review comments addressed — commit 8743645

Thanks for the thorough review. All 15 comments were triaged; 14 are fixed in code and 1 is deferred to a follow-up with rationale. Both modules are green (backend 158 tests, web-client 8).

Proxy status passthrough — web-client /api/session/* (5 comments: getSessionState, sessionTick, sessionCommand, sessionReset, getSessionRulerStats)
Correct and important: a backend 401 on a revoked/expired token was being collapsed to 500, so the game page's status === 401 re-login handling never fired. The five endpoints now pass the backend status through (the shared try/catch was factored into a proxy() helper, which decision/sessionDecision/login/logout now use too). Covered by a new WebControllerTest (401 → 401, unreachable → 503).

Cross-user interleaving — backend GameController (6 comments)
Correct. The load-operate-read sequence was synchronizing on the per-session state object while mutating the shared singleton GameService. It now synchronizes on the gameService monitor across the full sequence, so a concurrent request for another user can't swap the shared state mid-operation. A comment was added explaining the monitor choice.

SessionService.getOrCreateSession atomicity (1 comment)
Correct. The scan-then-create was a non-atomic check-then-act; it is now synchronized so concurrent first requests for the same username cannot create split sessions.

AuthController logout with no token (1 comment)
Correct. Logout now returns 400 when no bearer token is present rather than reporting success while revoking nothing. Covered by a new test.

UserAuthClient.register javadoc (1 comment)
Correct. The javadoc now states that 4xx is propagated verbatim while 5xx/connection failures surface as 503, matching the implementation.

JWT in localStorage / XSS (1 comment) — deferred
Valid concern. The client-side bearer-token approach matches the contract specified in #44; an HttpOnly-cookie flow (or a CSP, which needs the inline scripts refactored first) is a larger change kept out of this PR to bound scope. Filed as a follow-up: #46.

---

Drafted by Claude on behalf of Daniel Stephenson.