chore: adopt ds-spring-user-framework 5.1.0 (SUF-01/SUF-02 security changes)#76
Merged
Conversation
…hanges)
Bump the dependency to the 5.1.0 release and apply the config/doc changes its
security hardening requires.
SUF-01 (CWE-640, Host-header poisoning of email links):
- Set user.security.appUrl per profile (localhost for local/E2E; an ${APP_URL}
env var in prd) so reset/verification links use a stable, non-spoofable host
and the library's startup warning is silenced.
- prd also sets requireCanonicalAppUrl=true (fail-fast on a missing canonical URL).
SUF-02 (/user/setPassword disabled by default):
- The demo's passkey-only 'set a password' flow (update-password.js -> POST
/user/setPassword) returns 403 by default under 5.1.0. Set
allowInitialPasswordSetWithoutStepUp=true in the interactive profiles
(local, mfa, playwright-test) to keep it working; left false (secure default)
in prd, where a StepUpService bean is the recommended path.
Changes:
- build.gradle: ds-spring-user-framework 5.0.1 -> 5.1.0.
- README version table: Spring User Framework main -> 5.1.x.
- CONFIG.md: document appUrl/trustedHosts/requireCanonicalAppUrl and
allowInitialPasswordSetWithoutStepUp; fix the pre-existing wrong property
prefix (spring.security.*/spring.mail.* -> user.security.*/user.mail.*).
Contributor
There was a problem hiding this comment.
Pull request overview
This PR upgrades the demo app to ds-spring-user-framework 5.1.0 and updates configuration/docs to align with the SUF-01 (canonical URL for email links) and SUF-02 (initial password set protection) security hardening.
Changes:
- Bump
com.digitalsanctuary:ds-spring-user-frameworkfrom 5.0.1 to 5.1.0. - Configure
user.security.appUrl(and production fail-fast) to prevent Host-header derived email link authorities; enableallowInitialPasswordSetWithoutStepUpin interactive/demo profiles to preserve the existing passkey-only “set password” flow. - Update README/CONFIG docs to reflect the new framework version and newly documented security properties.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/main/resources/application.yml | Adds default canonical user.security.appUrl for local/dev behavior. |
| src/main/resources/application-prd.yml | Adds production canonical URL configuration and enables fail-fast mode. |
| src/main/resources/application-playwright-test.yml | Pins appUrl for E2E and enables the SUF-02 compatibility flag. |
| src/main/resources/application-mfa.yml | Enables the SUF-02 compatibility flag for MFA demo profile. |
| src/main/resources/application-local.yml-example | Documents canonical URL override for tunnels and enables the SUF-02 compatibility flag for local demos. |
| README.md | Updates the version compatibility table to SUF 5.1.x. |
| CONFIG.md | Documents canonical URL/trusted hosts/fail-fast and SUF-02 behavior; updates the documented from-address property. |
| build.gradle | Updates the SUF dependency to 5.1.0. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+45
to
+49
| # Canonical base URL for security email links; driven by an env var in production so links can never derive | ||
| # their authority from a spoofable Host header (SUF-01 / CWE-640). | ||
| appUrl: ${APP_URL:https://example.com} | ||
| # Fail startup unless a canonical appUrl (or trustedHosts) is configured - a hard guarantee for production. | ||
| requireCanonicalAppUrl: true |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adopts
ds-spring-user-framework5.1.0 and applies the config/documentation changes its security hardening (SUF-01 / SUF-02) requires.Dependency
build.gradle:ds-spring-user-framework5.0.1→5.1.0.SUF-01 — Host-header poisoning of email links (CWE-640)
5.1.0 logs a startup warning when no canonical URL is configured. Set
user.security.appUrlper profile so reset/verification links use a stable, non-spoofable host:http://localhost:8080prd→${APP_URL}env var, plusrequireCanonicalAppUrl: true(fail-fast)SUF-02 —
/user/setPassworddisabled by defaultThe demo's passkey-only "set a password" flow (
update-password.js→POST /user/setPassword) returns 403 by default under 5.1.0. Setuser.security.allowInitialPasswordSetWithoutStepUp=truein the interactive profiles (local,mfa,playwright-test) to keep it working; leftfalse(secure default) inprd, where aStepUpServicebean is the recommended path.Docs
5.1.x.appUrl/trustedHosts/requireCanonicalAppUrl/allowInitialPasswordSetWithoutStepUp; fix a pre-existing wrong property prefix (spring.security.*/spring.mail.*→user.security.*/user.mail.*).Validation
./gradlew clean test --refresh-dependenciesagainst the published 5.1.0: 301 tests, 0 failures, 0 errors (182 skipped, docker/profile-gated).Secrets in gitignored profile files were untouched.