Skip to content

chore: adopt ds-spring-user-framework 5.1.0 (SUF-01/SUF-02 security changes)#76

Merged
devondragon merged 1 commit into
mainfrom
chore/adopt-5.1.0
Jul 10, 2026
Merged

chore: adopt ds-spring-user-framework 5.1.0 (SUF-01/SUF-02 security changes)#76
devondragon merged 1 commit into
mainfrom
chore/adopt-5.1.0

Conversation

@devondragon

Copy link
Copy Markdown
Owner

Adopts ds-spring-user-framework 5.1.0 and applies the config/documentation changes its security hardening (SUF-01 / SUF-02) requires.

Dependency

  • build.gradle: ds-spring-user-framework 5.0.15.1.0.

SUF-01 — Host-header poisoning of email links (CWE-640)

5.1.0 logs a startup warning when no canonical URL is configured. Set user.security.appUrl per profile so reset/verification links use a stable, non-spoofable host:

  • base/dev/E2E → http://localhost:8080
  • prd${APP_URL} env var, plus requireCanonicalAppUrl: true (fail-fast)

SUF-02 — /user/setPassword disabled by default

The demo's passkey-only "set a password" flow (update-password.jsPOST /user/setPassword) returns 403 by default under 5.1.0. Set user.security.allowInitialPasswordSetWithoutStepUp=true in the interactive profiles (local, mfa, playwright-test) to keep it working; left false (secure default) in prd, where a StepUpService bean is the recommended path.

Docs

  • README version table → Spring User Framework 5.1.x.
  • CONFIG.md: document appUrl / trustedHosts / requireCanonicalAppUrl / allowInitialPasswordSetWithoutStepUp; fix a pre-existing wrong property prefix (spring.security.*/spring.mail.*user.security.*/user.mail.*).

Validation

  • ./gradlew clean test --refresh-dependencies against the published 5.1.0: 301 tests, 0 failures, 0 errors (182 skipped, docker/profile-gated).
  • Verified against a locally-published build of the identical code: both the SUF-01 and SUF-02 startup warnings are gone and the app boots clean.

Secrets in gitignored profile files were untouched.

…hanges)

Bump the dependency to the 5.1.0 release and apply the config/doc changes its
security hardening requires.

SUF-01 (CWE-640, Host-header poisoning of email links):
- Set user.security.appUrl per profile (localhost for local/E2E; an ${APP_URL}
  env var in prd) so reset/verification links use a stable, non-spoofable host
  and the library's startup warning is silenced.
- prd also sets requireCanonicalAppUrl=true (fail-fast on a missing canonical URL).

SUF-02 (/user/setPassword disabled by default):
- The demo's passkey-only 'set a password' flow (update-password.js -> POST
  /user/setPassword) returns 403 by default under 5.1.0. Set
  allowInitialPasswordSetWithoutStepUp=true in the interactive profiles
  (local, mfa, playwright-test) to keep it working; left false (secure default)
  in prd, where a StepUpService bean is the recommended path.

Changes:
- build.gradle: ds-spring-user-framework 5.0.1 -> 5.1.0.
- README version table: Spring User Framework main -> 5.1.x.
- CONFIG.md: document appUrl/trustedHosts/requireCanonicalAppUrl and
  allowInitialPasswordSetWithoutStepUp; fix the pre-existing wrong property
  prefix (spring.security.*/spring.mail.* -> user.security.*/user.mail.*).
Copilot AI review requested due to automatic review settings July 10, 2026 23:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR upgrades the demo app to ds-spring-user-framework 5.1.0 and updates configuration/docs to align with the SUF-01 (canonical URL for email links) and SUF-02 (initial password set protection) security hardening.

Changes:

  • Bump com.digitalsanctuary:ds-spring-user-framework from 5.0.1 to 5.1.0.
  • Configure user.security.appUrl (and production fail-fast) to prevent Host-header derived email link authorities; enable allowInitialPasswordSetWithoutStepUp in interactive/demo profiles to preserve the existing passkey-only “set password” flow.
  • Update README/CONFIG docs to reflect the new framework version and newly documented security properties.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/main/resources/application.yml Adds default canonical user.security.appUrl for local/dev behavior.
src/main/resources/application-prd.yml Adds production canonical URL configuration and enables fail-fast mode.
src/main/resources/application-playwright-test.yml Pins appUrl for E2E and enables the SUF-02 compatibility flag.
src/main/resources/application-mfa.yml Enables the SUF-02 compatibility flag for MFA demo profile.
src/main/resources/application-local.yml-example Documents canonical URL override for tunnels and enables the SUF-02 compatibility flag for local demos.
README.md Updates the version compatibility table to SUF 5.1.x.
CONFIG.md Documents canonical URL/trusted hosts/fail-fast and SUF-02 behavior; updates the documented from-address property.
build.gradle Updates the SUF dependency to 5.1.0.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +45 to +49
# Canonical base URL for security email links; driven by an env var in production so links can never derive
# their authority from a spoofable Host header (SUF-01 / CWE-640).
appUrl: ${APP_URL:https://example.com}
# Fail startup unless a canonical appUrl (or trustedHosts) is configured - a hard guarantee for production.
requireCanonicalAppUrl: true
@devondragon devondragon merged commit 8a4f332 into main Jul 10, 2026
9 checks passed
@devondragon devondragon deleted the chore/adopt-5.1.0 branch July 10, 2026 23:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants