Added SignupFormDTO to facilitate sign up validation. Ensures username is letters, numbers, and underscores, and password has an uppercase letter, digit, and is at least 8 characters. I just picked what I think are reasonable constraints; we can trivially adjust these if necessary.
Added custom UserDetailsService to interface the authentication manager with our database.
Added SecurityUser class that decorates our User class with the UserDetails interface.
Added BCrypt password encoding. With this change, any previously created test user profiles in our database won't be able to authenticate since they just have their passwords in plaintext.
Removed POST /login endpoint from controller. Spring Security has preset functionality to carry out authentication when credentials are posted to the /login endpoint. If the login is successful, the user gets redirected to the defaultSuccessURL (/homepage in our case); if not, they get redirected to /login?error. In the latter case, we can use Thymeleaf to display the appropriate message on the login page (<div th:if="${param.error}">Login unsuccessful</div>).
Notes:
Any POST requests to our server need to include a CSRF token; otherwise they get rejected. Thymeleaf automatically includes the CSRF token when we use the th:action="@{endpoint}" attribute in our forms instead of a plain action="endpoint" attribute. See the changes to the form in signup.html for an example.
Redirection to the login page for unauthenticated users trying to retrieve secured resources is default functionality; we don't need to configure anything additional for that.
Todo:
Client side validation that gives the user feedback for form inputs that violate the constraints.
Critically, we need a client side message in case a user tries to sign up with a taken username.
Authentication should be working.
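For reference, here is how the pieces described above (UserDetailsService over our database, SecurityUser decorating User, BCrypt, form login with /homepage and /login?error, CSRF left on) fit together in a Spring Security 6 configuration. This is an added illustration, not the code in this PR; UserRepository.findByUsername returning Optional<User>, the User getters, and the single ROLE_USER authority are assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    // Assumption: UserRepository.findByUsername(String) returns Optional<User>; User.getPassword() is the stored BCrypt hash.
    @Bean
    public UserDetailsService userDetailsService(UserRepository users) {
        return username -> users.findByUsername(username)
                .map(SecurityUser::new)
                .orElseThrow(() -> new UsernameNotFoundException("User not found"));
    }
    // DaoAuthenticationProvider uses this encoder; rows still holding plaintext passwords will no longer match.
    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/signup").permitAll()
                .anyRequest().authenticated())     // unauthenticated requests are redirected to /login
            .formLogin(form -> form
                .loginPage("/login")               // POST /login is consumed by the filter chain, not our controller
                .defaultSuccessUrl("/homepage")
                .failureUrl("/login?error"));
        // CSRF protection is enabled by default, so every POST must carry the token Thymeleaf emits via th:action.
        return http.build();
    }
}

// Decorates our User entity with the UserDetails contract Spring Security authenticates against.
class SecurityUser implements UserDetails {
    private final User user;
    SecurityUser(User user) { this.user = user; }
    @Override public String getUsername() { return user.getUsername(); }
    @Override public String getPassword() { return user.getPassword(); }
    @Override public List<GrantedAuthority> getAuthorities() { return List.of(new SimpleGrantedAuthority("ROLE_USER")); }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}
```

Registering the PasswordEncoder bean is what makes the same encoder apply both when hashing at signup and when comparing at login, so the signup path must call passwordEncoder.encode(...) before saving.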