Draft
Conversation
Copilot
AI
changed the title
[WIP] Conduct code review for existing implementation
Code review: Spring Boot Security Module
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Comprehensive code review of the Spring Boot JWT + MongoDB security module. No code changes — findings only.
🔴 Critical
application.properties,application-dev.properties) — secrets must be externalised to env vars;application-prod.propertiesalready does this correctlySecurityConfigsetsallowedOriginPatterns("*")withallowCredentials(true); any origin can make credentialed requestsUserPrincipal.getAuthorities()hardcodes"USER"regardless of stored roles;@PreAuthorize("hasRole('ADMIN')")will never workInvalidTokenExceptioninJwtFilter— malformed/expired token throws uncaught exception → 500 instead of 401🟠 High
CorsConfig.java(WebMvcConfigurer) is dead code; Spring Security'scorsConfigurationSource()inSecurityConfigtakes precedenceUserServicescreates its ownBCryptPasswordEncoderinstead of injecting the declaredPasswordEncoderbeanJwtFilterusesApplicationContext.getBean()to avoid a circular dependency — anti-pattern; restructure with@Lazyor direct injectionPATCH/DELETE /api/routines/{id}— any authenticated user can mutate any other user's routineGET /api/routinesexposes all users' data — should be admin-only or removedShopentity missing@Id—private String idis never populated on reads🟡 Medium
RegisterRequestreports "6–100 chars" butValidationUtilsenforces 8-char + complexity;ValidationUtilswins at runtime but client message is wrongRegisterRequesthas a weaker, unused email regex — confusing alongsideValidationUtils; remove itUsers— both@CreatedDate/@LastModifiedDatefields and an embeddedAuditDateTimeobjectUserServices.verify(), commented-outUserControllerblock, entirely commented-outJpaConfig.javaV1,V2Flyway scripts) left in a MongoDB projectShopService.updateShop()NPE ifauditDateTimeis null on the fetched document@Getter/@Setteralongside@DataonUsers,Routine,RoutineStatusRequest@Autowired) used inconsistently —RoutineController/RoutineService/ShopControlleralready use constructor injection correctly; apply consistentlyShopRepositorydeclares bothfindByUserIdandgetShopByUserId(same query)