- Set static MySQL connection with IP and password
- Changed server port from 8081 to 8080
- Enabled HTTPS with keystore configuration
- Exposed actuator endpoints for monitoring
- Removed old and unused commented-out configurations
- Updated pom.xml: removed redundant tags, grouped dependencies, added scopes, and upgraded plugins
- Enhanced RegisterUserDto with validation annotations and added missing fields (username, fullname)
- Updated User entity with builder constructor and removed redundant getters/setters
- Completed FileMetadata entity with Lombok and required setters/getters
- Improved HDFSConfig with correct annotation and clearer exception message
- Adjusted HTTP to HTTPS redirect port (8085 -> 8443)
- Allowed /actuator/** in SecurityConfig and disabled deprecated XSS protection
- Skipped JWT filter for /api/auth and /actuator paths
- Refactored AuthenticationService to use builder pattern and RSA key injection
- Fixed application.properties for static MySQL connection (removed ${MYSQL_PASSWORD})
- Added explicit getter/setter methods in User entity for use with service layer
- Implemented standard getters/setters in SignupRequest DTO
- Replaced incorrect imports from models.User to entity.User across services and repository
- Rewrote AuthController to inject all dependencies via constructor
- Fixed token refresh/login logic and added rate limiter and blacklist support
- Implemented getters in LoginRequest DTO
- Updated User model to implement UserDetails and extend entity.User
- Switched HDFScontroller to use entity.User instead of models.User
- Rewrote HDFSConfig to include static getHDFS() method and secure config via env vars
- Simplified JwtService, added overload for entity.User, and fixed key handling
- Caffeine cache used to allow max 5 login attempts per minute.
- Login endpoint blocks IPs exceeding rate, returns 429 status.
- Failed attempts are reset after successful login or after 1 minute.
- Intercepts all requests and checks for Bearer token.
- Validates token signature and expiry using JwtService.
- Loads user from DB and sets authentication context.
- Sends 401 Unauthorized if token is missing, invalid, or expired.
- POST /api/auth/login authenticates user and returns JWT token.
- POST /api/auth/logout is a placeholder (client deletes token).
- JwtService handles token creation and expiry validation.
- HTTP connector on port 8080 redirects to HTTPS (8443).
- Ensures users accessing http:// are forwarded to https://
- No need for external proxy (e.g., Nginx) for redirection.
- All requests now require HTTPS.
- Stateless sessions enabled for JWT-based auth.
- XSS, HSTS, and Frame-Options headers added.
- /api/auth/** is public, all other routes require authentication.
- CSRF disabled (assumes token-based auth).
- FileController encrypts uploads using AES-GCM with salt and IV.
- Downloads are decrypted on-the-fly using user-supplied password.
- File metadata (salt, IV, username, path) stored in DB.
- EncryptionService uses PBKDF2 to derive a key from user password and salt.
- AES-GCM encryption with 128-bit tag and 12-byte IV.
- Ready for streaming encryption to/from HDFS without temp files.
- Enforced alphanumeric-only usernames using regex validation.
- Passwords must be >= 8 chars and checked against haveibeenpwned.com.
- Improved SignupRequest DTO with validation annotations.
- Implemented UserService to handle password validation and encoding.
Kshitij
SonaliChaudhari