Releases: devondragon/SpringUserFramework

4.3.0

12 Mar 18:36

What's New

RegistrationGuard SPI

A new Service Provider Interface for gating user registration across all registration paths (form, passwordless, OAuth2, OIDC). Implement RegistrationGuard to add custom pre-registration logic like invite-only access, domain whitelisting, or rate limiting.

  • RegistrationGuard interface with @FunctionalInterface support for lambda implementations
  • RegistrationContext record providing email, source, and provider name
  • RegistrationDecision record with allow() / deny(reason) factory methods
  • Default permit-all guard auto-configured via @ConditionalOnMissingBean
  • Full documentation in REGISTRATION-GUARD.md
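
A domain-allowlist guard of the kind described above, as an added example (not the project's own code). The nested types are stand-ins named after the release notes; the method name `evaluate`, the String type of `source`, the sample source and provider values, and the default denial text are assumptions.

```java
import java.util.Locale;
import java.util.Set;

public class DomainAllowlistGuardExample {
    // Stand-ins for the framework types named in the release notes; the method
    // name `evaluate` and the String type of `source` are assumptions.
    record RegistrationContext(String email, String source, String providerName) {}

    record RegistrationDecision(boolean allowed, String reason) {
        // Constructed value; the framework's actual default text is not on this page.
        static final String DEFAULT_DENIAL_REASON = "Registration denied";
        static RegistrationDecision allow() { return new RegistrationDecision(true, null); }
        static RegistrationDecision deny(String reason) {
            boolean blank = reason == null || reason.isBlank();
            return new RegistrationDecision(false, blank ? DEFAULT_DENIAL_REASON : reason);
        }
    }

    @FunctionalInterface
    interface RegistrationGuard {
        RegistrationDecision evaluate(RegistrationContext context);
    }

    // Fails closed: a missing or malformed email is denied, and the domain must
    // match an allowlist entry exactly (no suffix or substring matching).
    static RegistrationGuard domainAllowlist(Set<String> allowedDomains) {
        return ctx -> {
            if (ctx.email() == null) return RegistrationDecision.deny("Email is required");
            String email = ctx.email().trim().toLowerCase(Locale.ROOT);
            int at = email.lastIndexOf('@');
            if (at <= 0 || at == email.length() - 1) return RegistrationDecision.deny("Email is malformed");
            boolean approved = allowedDomains.contains(email.substring(at + 1));
            return approved ? RegistrationDecision.allow()
                            : RegistrationDecision.deny("Registration is limited to approved domains");
        };
    }

    public static void main(String[] args) {
        RegistrationGuard guard = domainAllowlist(Set.of("example.com"));
        // Constructed sample contexts covering several registration paths.
        RegistrationContext[] samples = {
            new RegistrationContext("Alice@Example.com ", "FORM", null),
            new RegistrationContext("bob@example.com.attacker.test", "OAUTH2", "google"),
            new RegistrationContext("carol@notexample.com", "OIDC", "keycloak"),
            new RegistrationContext(null, "PASSWORDLESS", null),
        };
        for (RegistrationContext c : samples)
            System.out.println(c.source() + " " + c.email() + " -> " + guard.evaluate(c));
    }
}
```

Only the first sample is allowed; the look-alike domains and the missing email are denied with a reason.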

OIDC Service Alignment

Fixed four inconsistencies in DSOidcUserService to match DSOAuth2UserService behavior:

  • Email normalization: Email lookup now uses trim().toLowerCase(Locale.ROOT) before findByEmail(), preventing case-sensitive and locale-dependent mismatches
  • Audit events: New OIDC user registration now publishes an "OIDC Registration Success" audit event
  • Transactional boundaries: Added @Transactional at class level for proper database operation handling
  • Login helper integration: loadUser() now routes through LoginHelperService.userLoginHelper() to update lastActivityDate and run lockout checks
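
Why the email normalization fix specifies Locale.ROOT, as an added example (not the project's own code). The in-memory map stands in for the user table behind findByEmail(), and the stored address and claim value are constructed.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class EmailNormalizationExample {

    // Normalization as described in the release notes.
    static String normalize(String email) {
        return email.trim().toLowerCase(Locale.ROOT);
    }

    // Locale-sensitive variant, shown only for comparison.
    static String normalizeWith(String email, Locale locale) {
        return email.trim().toLowerCase(locale);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a user table keyed by the stored email.
        Map<String, String> usersByEmail = new HashMap<>();
        usersByEmail.put("iris@example.com", "user-1");

        // Constructed email claim, as an identity provider might return it.
        String claim = "  IRIS@Example.COM ";

        // Under Turkish casing rules, uppercase 'I' lowercases to dotless 'ı',
        // so the result no longer equals the stored ASCII address.
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String localeDependent = normalizeWith(claim, turkish);
        String rootNormalized = normalize(claim);

        System.out.println("raw claim lookup hit:    " + usersByEmail.containsKey(claim));
        System.out.println("tr-TR lowercase hit:     " + usersByEmail.containsKey(localeDependent));
        System.out.println("Locale.ROOT lowercase hit: " + usersByEmail.containsKey(rootNormalized));
    }
}
```

A missed lookup on this path means the existing account is not found for a returning user, which is the mismatch the fix prevents.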

Additional Improvements

  • DSUserDetails remains immutable — OIDC tokens are set via a new LoginHelperService overload rather than mutable setters
  • OAuth2Error now includes the denial reason in the error description field for programmatic access by AuthenticationFailureHandler implementations
  • Audit events are published after save() to prevent false-positive audit records if persistence fails
  • RegistrationDecision.deny() uses String.isBlank() (Java 17+) and a named DEFAULT_DENIAL_REASON constant

Full Changelog

4.2.2...4.3.0

4.2.2

12 Mar 01:09

What's Changed

  • chore(deps): bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE by @dependabot[bot] in #269
  • chore(deps): bump nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect from 3.4.0 to 4.0.0 by @dependabot[bot] in #270
  • feat: Wrap Spring Security 7 MFA in simple user.mfa.* properties by @devondragon in #272
  • chore(deps): bump gradle-wrapper from 9.3.1 to 9.4.0 by @dependabot[bot] in #273
  • Fix non-portable BLOB columnDefinition in WebAuthnCredential by @devondragon in #275

Full Changelog: 4.2.1...4.2.2

4.2.1 - Passwordless Passkey-Only Accounts

28 Feb 04:19

What's Changed

New Features

  • feat: add passwordless passkey-only account support (#254) by @devondragon in #267
  • feat(dev): add DevLoginAutoConfiguration for local development

Bug Fixes

  • fix(auth): publish InteractiveAuthenticationSuccessEvent from authWithoutPassword()
  • fix: remove dead code and document passwordless endpoint requirements

Improvements

Dependencies

  • chore(deps): bump org.springframework.boot from 4.0.2 to 4.0.3 (#266)
  • chore(deps): bump com.webauthn4j:webauthn4j-core (#265)

Full Changelog: 4.2.0...4.2.1

4.2.0 - Passkey WebAuthn Support

22 Feb 06:20

What's Changed

Full Changelog: 4.1.0...4.2.0

4.0.1

15 Dec 13:29

What's Changed

Full Changelog: 4.0.0...4.0.1

4.0.0

14 Dec 21:23

Spring Boot 4.0 Upgrade

This major release upgrades the Spring User Framework to Spring Boot 4.0, bringing Spring Security 7, Java 21 support, and modernized infrastructure.

Breaking Changes

Java 21 Required

Spring Boot 4.0 requires Java 21 or higher. Update your JDK and build configuration before upgrading.

Spring Security 7

  • All URL patterns must start with / - Update your unprotectedURIs and protectedURIs configuration
  • Deprecated APIs removed: authorizeRequests() → authorizeHttpRequests(), antMatchers() → requestMatchers()

Test Infrastructure

Test annotations have moved to new packages:

Annotation | New Package
@AutoConfigureMockMvc | org.springframework.boot.webmvc.test.autoconfigure
@WebMvcTest | org.springframework.boot.webmvc.test.autoconfigure
@DataJpaTest | org.springframework.boot.data.jpa.test.autoconfigure

New test dependencies required:
testImplementation 'org.springframework.boot:spring-boot-data-jpa-test'
testImplementation 'org.springframework.boot:spring-boot-webmvc-test'

API Changes

  • Profile Update Endpoint: /user/updateUser now accepts UserProfileUpdateDto (firstName, lastName only) instead of UserDto. This improves security by not requiring password fields for profile updates.

New Features

  • UserProfileUpdateDto - New DTO for profile updates with validation constraints
  • Comprehensive Migration Guide - See MIGRATION.md for detailed upgrade instructions

Dependencies

Dependency | Version
Spring Boot | 4.0.0
Spring Security | 7.x
Java | 21+
Thymeleaf Extras Spring Security | 3.1.3.RELEASE (compatible with Spring Security 7)

Documentation

  • Added MIGRATION.md with step-by-step upgrade instructions
  • Updated README with Spring Boot 4.0 installation instructions
  • Added version compatibility table

Migration

See the MIGRATION.md for detailed instructions on upgrading from 3.x.

Quick checklist:

  1. Update to Java 21+
  2. Update framework dependency to 4.0.0
  3. Ensure all URL patterns in security config start with /
  4. Update test annotation imports to new packages
  5. Update any code calling /user/updateUser to use new DTO format

Full Changelog: 3.5.1...4.0.0

3.5.1

26 Oct 19:31

What's Changed

Full Changelog: 3.5.0...3.5.1

3.5.0

26 Oct 17:23

What's Changed

  • Bump org.projectlombok:lombok from 1.18.38 to 1.18.40 by @dependabot[bot] in #212
  • Bump org.projectlombok:lombok from 1.18.40 to 1.18.42 by @dependabot[bot] in #213
  • Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in #216
  • Bump org.springframework.boot from 3.5.5 to 3.5.6 by @dependabot[bot] in #214
  • Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre by @dependabot[bot] in #215
  • Add Password Policy Functionality by @Edamijueda in #217
  • Bump com.github.ben-manes.versions from 0.52.0 to 0.53.0 by @dependabot[bot] in #221
  • Bump com.h2database:h2 from 2.3.232 to 2.4.240 by @dependabot[bot] in #219
  • Bump com.icegreen:greenmail from 2.1.5 to 2.1.6 by @dependabot[bot] in #220
  • Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in #222
  • Bump com.icegreen:greenmail from 2.1.6 to 2.1.7 by @dependabot[bot] in #223
  • Bump version to 3.5.0-SNAPSHOT; add VS Code Java home settings; use A… by @devondragon in #225

Full Changelog: 3.4.1...3.5.0

3.4.1

04 Sep 17:23

What's Changed

Full Changelog: 3.4.0...3.4.1

3.4.0

03 Sep 20:26

What's Changed

  • Bump org.springframework.boot from 3.5.3 to 3.5.4 by @dependabot[bot] in #195
  • Bump org.testcontainers:testcontainers from 1.19.3 to 1.21.3 by @dependabot[bot] in #196
  • Bump springBootVersion from 3.5.3 to 3.5.4 by @dependabot[bot] in #197
  • Bump org.assertj:assertj-core from 3.24.2 to 3.27.3 by @dependabot[bot] in #198
  • Bump io.rest-assured:rest-assured from 5.3.2 to 5.5.5 by @dependabot[bot] in #199
  • Bump org.awaitility:awaitility from 4.2.0 to 4.3.0 by @dependabot[bot] in #200
  • Bump com.tngtech.archunit:archunit-junit5 from 1.2.0 to 1.4.1 by @dependabot[bot] in #201
  • Bump com.icegreen:greenmail from 2.0.0 to 2.1.4 by @dependabot[bot] in #202
  • Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 by @dependabot[bot] in #203
  • Bump org.mariadb.jdbc:mariadb-java-client from 3.5.4 to 3.5.5 by @dependabot[bot] in #205
  • Bump com.icegreen:greenmail from 2.1.4 to 2.1.5 by @dependabot[bot] in #204
  • Bump io.rest-assured:rest-assured from 5.5.5 to 5.5.6 by @dependabot[bot] in #206
  • Bump springBootVersion from 3.5.4 to 3.5.5 by @dependabot[bot] in #207
  • Bump org.springframework.boot from 3.5.4 to 3.5.5 by @dependabot[bot] in #208
  • Small-fixes-improvements by @devondragon in #209

Full Changelog: 3.3.0...3.4.0