Merge branch 'develop' into copilot/enhance-message-timestamps-ui

# Conflicts:
#	webapp/src/main/resources/templates/chat.html

Author: dmccoystephenson

backend/pom.xml

@@ -51,6 +51,38 @@
             <scope>runtime</scope>
         </dependency>
 
+        <!-- Spring Security -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <!-- JWT -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.11.5</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.11.5</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.11.5</version>
+            <scope>runtime</scope>
+        </dependency>
+
+        <!-- Spring Security Test -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+
         <!-- Spring Boot Test -->
         <dependency>
             <groupId>org.springframework.boot</groupId>

backend/src/main/java/com/accord/config/SecurityConfig.java

@@ -0,0 +1,70 @@
+package com.accord.config;
+
+import com.accord.security.JwtAuthenticationFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    @Autowired
+    private UserDetailsService userDetailsService;
+
+    @Autowired
+    private JwtAuthenticationFilter jwtAuthenticationFilter;
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Bean
+    public DaoAuthenticationProvider authenticationProvider() {
+        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
+        authProvider.setUserDetailsService(userDetailsService);
+        authProvider.setPasswordEncoder(passwordEncoder());
+        return authProvider;
+    }
+
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
+        return authConfig.getAuthenticationManager();
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http
+            .csrf(csrf -> csrf.disable())
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/api/users/register", "/api/users/login").permitAll()
+                // WebSocket endpoint is public for initial handshake, but STOMP CONNECT is authenticated
+                .requestMatchers("/ws/**").permitAll()
+                // WARNING: H2 console should be disabled in production or protected with authentication
+                .requestMatchers("/h2-console/**").permitAll()
+                .anyRequest().authenticated()
+            )
+            .sessionManagement(session -> session
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+            )
+            .authenticationProvider(authenticationProvider())
+            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+        // Allow H2 console frames - WARNING: Disable in production
+        http.headers(headers -> headers.frameOptions(frame -> frame.disable()));
+
+        return http.build();
+    }
+}

backend/src/main/java/com/accord/config/WebSocketConfig.java

@@ -1,7 +1,10 @@
 package com.accord.config;
 
+import com.accord.security.WebSocketAuthInterceptor;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.messaging.simp.config.ChannelRegistration;
 import org.springframework.messaging.simp.config.MessageBrokerRegistry;
 import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
 import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
@@ -14,6 +17,9 @@ public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
     @Value("${app.cors.allowed-origins}")
     private String allowedOrigins;
 
+    @Autowired
+    private WebSocketAuthInterceptor webSocketAuthInterceptor;
+
     @Override
     public void configureMessageBroker(MessageBrokerRegistry config) {
         config.enableSimpleBroker("/topic");
@@ -34,4 +40,9 @@ public void registerStompEndpoints(StompEndpointRegistry registry) {
                 .setAllowedOriginPatterns(origins)
                 .withSockJS();
     }
+
+    @Override
+    public void configureClientInboundChannel(ChannelRegistration registration) {
+        registration.interceptors(webSocketAuthInterceptor);
+    }
 }

backend/src/main/java/com/accord/controller/ChatController.java

@@ -1,11 +1,13 @@
 package com.accord.controller;
 
 import com.accord.model.ChatMessage;
+import com.accord.model.TypingIndicator;
 import com.accord.service.ChatService;
 import com.accord.util.ValidationUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
+import org.springframework.messaging.handler.annotation.DestinationVariable;
 import org.springframework.messaging.handler.annotation.MessageMapping;
 import org.springframework.messaging.handler.annotation.SendTo;
 import org.springframework.stereotype.Controller;
@@ -64,7 +66,7 @@ public ChatMessage sendMessage(Map<String, String> payload) {
 
     @MessageMapping("/chat.send/{channelId}")
     @SendTo("/topic/messages/{channelId}")
-    public ChatMessage sendMessageToChannel(@org.springframework.messaging.handler.annotation.DestinationVariable Long channelId, 
+    public ChatMessage sendMessageToChannel(@DestinationVariable Long channelId, 
                                            Map<String, String> payload) {
         if (payload == null) {
             throw new IllegalArgumentException("Payload must not be null");
@@ -115,7 +117,7 @@ public ChatMessage userJoin(Map<String, String> payload) {
 
     @MessageMapping("/chat.join/{channelId}")
     @SendTo("/topic/messages/{channelId}")
-    public ChatMessage userJoinChannel(@org.springframework.messaging.handler.annotation.DestinationVariable Long channelId,
+    public ChatMessage userJoinChannel(@DestinationVariable Long channelId,
                                       Map<String, String> payload) {
         if (payload == null) {
             throw new IllegalArgumentException("Payload must not be null");
@@ -135,6 +137,33 @@ public ChatMessage userJoinChannel(@org.springframework.messaging.handler.annota
         String trimmedUsername = username.trim();
         return chatService.saveMessage("System", trimmedUsername + " has joined the chat", channelId);
     }
+
+    @MessageMapping("/chat.typing/{channelId}")
+    @SendTo("/topic/typing/{channelId}")
+    public TypingIndicator userTyping(@DestinationVariable Long channelId,
+                                     Map<String, Object> payload) {
+        if (payload == null) {
+            throw new IllegalArgumentException("Payload must not be null");
+        }
+        
+        String username = (String) payload.get("username");
+        Boolean typing = (Boolean) payload.get("typing");
+        
+        if (!ValidationUtils.isValidUsername(username, minUsernameLength, maxUsernameLength)) {
+            throw new IllegalArgumentException("Invalid username");
+        }
+        
+        if (typing == null) {
+            typing = true; // Default to typing=true if not specified
+        }
+        
+        // Verify channel exists
+        if (!channelService.getChannelById(channelId).isPresent()) {
+            throw new IllegalArgumentException("Channel does not exist");
+        }
+        
+        return new TypingIndicator(username.trim(), channelId, typing);
+    }
 }
 
 @RestController

backend/src/main/java/com/accord/controller/UserController.java

@@ -1,15 +1,44 @@
 package com.accord.controller;
 
+import com.accord.dto.AuthResponse;
+import com.accord.dto.LoginRequest;
+import com.accord.dto.RegisterRequest;
 import com.accord.model.User;
+import com.accord.security.JwtUtil;
 import com.accord.service.UserService;
 import com.accord.util.ValidationUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Map;
 
+/**
+ * User authentication controller handling registration and login.
+ * 
+ * SECURITY NOTE: Rate Limiting
+ * ----------------------------------------------------------------------------
+ * This controller lacks rate limiting protection, making it vulnerable to:
+ * - Username enumeration attacks
+ * - Brute force password attacks
+ * - Resource exhaustion through repeated requests
+ * 
+ * For production deployments, consider implementing rate limiting using:
+ * - Spring Security's built-in rate limiting (Spring Security 6.2+)
+ * - Bucket4j library for token bucket rate limiting
+ * - API Gateway rate limiting (e.g., AWS API Gateway, Kong)
+ * - Web Application Firewall (WAF) with rate limiting rules
+ * 
+ * Recommended limits:
+ * - 5-10 failed login attempts per username per 15 minutes
+ * - 10-20 registration attempts per IP address per hour
+ * - Consider CAPTCHA after repeated failures
+ * ----------------------------------------------------------------------------
+ */
 @RestController
 @RequestMapping("/api/users")
 @CrossOrigin(origins = "${app.cors.allowed-origins}")
@@ -21,19 +50,71 @@ public class UserController {
     @Value("${app.username.min-length}")
     private int minUsernameLength;
 
+    @Value("${app.password.min-length}")
+    private int minPasswordLength;
+
     @Autowired
     private UserService userService;
 
-    @PostMapping("/login")
-    public ResponseEntity<User> login(@RequestBody Map<String, String> request) {
-        String username = request.get("username");
+    @Autowired
+    private JwtUtil jwtUtil;
+
+    @Autowired
+    private AuthenticationManager authenticationManager;
+
+    @PostMapping("/register")
+    public ResponseEntity<?> register(@RequestBody RegisterRequest request) {
+        String username = request.getUsername();
+        String password = request.getPassword();
+        
+        if (username == null || username.trim().isEmpty()) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Username is required"));
+        }
 
         if (!ValidationUtils.isValidUsername(username, minUsernameLength, maxUsernameLength)) {
-            return ResponseEntity.badRequest().build();
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid username"));
+        }
+        
+        if (password == null || password.isEmpty()) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Password is required"));
         }
 
-        User user = userService.createOrGetUser(username.trim());
-        return ResponseEntity.ok(user);
+        if (!ValidationUtils.isValidPassword(password, minPasswordLength)) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Password must be at least " + minPasswordLength + 
+                " characters and contain uppercase, lowercase, and digit"));
+        }
+        
+        try {
+            User user = userService.registerUser(username.trim(), password);
+            String token = jwtUtil.generateToken(user.getUsername());
+            return ResponseEntity.ok(new AuthResponse(token, user.getUsername(), user.getId()));
+        } catch (IllegalArgumentException e) {
+            return ResponseEntity.badRequest().body(Map.of("error", e.getMessage()));
+        }
+    }
+
+    @PostMapping("/login")
+    public ResponseEntity<?> login(@RequestBody LoginRequest request) {
+        String username = request.getUsername();
+        String password = request.getPassword();
+        
+        if (username == null || username.trim().isEmpty() || password == null || password.isEmpty()) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Username and password are required"));
+        }
+        
+        try {
+            authenticationManager.authenticate(
+                new UsernamePasswordAuthenticationToken(username.trim(), password)
+            );
+            
+            User user = userService.findByUsername(username.trim())
+                    .orElseThrow(() -> new BadCredentialsException("Invalid credentials"));
+            
+            String token = jwtUtil.generateToken(user.getUsername());
+            return ResponseEntity.ok(new AuthResponse(token, user.getUsername(), user.getId()));
+        } catch (BadCredentialsException e) {
+            return ResponseEntity.status(401).body(Map.of("error", "Invalid username or password"));
+        }
     }
 
     @GetMapping("/check/{username}")

backend/src/main/java/com/accord/dto/AuthResponse.java

@@ -0,0 +1,40 @@
+package com.accord.dto;
+
+public class AuthResponse {
+    private String token;
+    private String username;
+    private Long userId;
+
+    public AuthResponse() {
+    }
+
+    public AuthResponse(String token, String username, Long userId) {
+        this.token = token;
+        this.username = username;
+        this.userId = userId;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    public Long getUserId() {
+        return userId;
+    }
+
+    public void setUserId(Long userId) {
+        this.userId = userId;
+    }
+}