Skip to content

feat(api): /api/v1/auth via host callbacks#77

Merged
mpge merged 1 commit into
mainfrom
feat/api-auth
Jun 27, 2026
Merged

feat(api): /api/v1/auth via host callbacks#77
mpge merged 1 commit into
mainfrom
feat/api-auth

Conversation

@mpge

@mpge mpge commented Jun 27, 2026

Copy link
Copy Markdown
Member

Adds the general JSON API auth contract (consumed by the Flutter app) to Spring, using the host-callback model — dependency-free, no password hashing in the package. Matches the Phoenix / Go / NestJS / Django / Rails / .NET reference.

What

  • EscalatedApiAuthenticator — an optional host @Bean (interface with default methods that throw UnsupportedOperationException, so the host implements only what it needs).
  • ApiAuthController (/escalated/api/v1/auth): POST login/register/logout/refresh/validate, GET me, PATCH profile. Bearer token from the Authorization header. No bean / unimplemented method → 501; null result → 401.
  • EscalatedSecurityConfig now permitAlls the public auth paths (login/register/refresh/logout); me/profile/validate stay authenticated.

Verification

  • ./gradlew checkstyleMain checkstyleTest clean on changed files (the CI lint gate); ./gradlew test BUILD SUCCESSFUL.
  • New ApiAuthControllerTest — 7 tests (501 no-bean, delegation, 401 null, 501 unimplemented method, me forwards bearer token, logout always-200, validate requires token).

Add the general JSON API auth contract (login, register, logout, refresh,
me, profile, validate) consumed by the Flutter app. Credential handling is
delegated to a host-provided EscalatedApiAuthenticator bean — Escalated owns
no passwords or sessions. No bean (or an unimplemented method) responds 501;
a method returning null is an auth failure (401).

login/register/refresh/logout are permitAll in the API security chain (no
token yet); me/profile/validate use the bearer token.
@mpge mpge merged commit 2a11839 into main Jun 27, 2026
2 checks passed
@mpge mpge deleted the feat/api-auth branch June 27, 2026 10:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant