CodeSignal
diff --git a/‎Dockerfile‎
Lines changed: 2 additions & 2 deletions b/‎Dockerfile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎backend/pom.xml‎
Lines changed: 13 additions & 1 deletion b/‎backend/pom.xml‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎backend/src/main/java/com/codesignal/pastebin/config/AppConfig.java‎
Lines changed: 14 additions & 0 deletions b/‎backend/src/main/java/com/codesignal/pastebin/config/AppConfig.java‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎backend/src/main/java/com/codesignal/pastebin/config/CorsConfig.java‎
Lines changed: 8 additions & 2 deletions b/‎backend/src/main/java/com/codesignal/pastebin/config/CorsConfig.java‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎backend/src/main/java/com/codesignal/pastebin/controller/AdminController.java‎
Lines changed: 23 additions & 16 deletions b/‎backend/src/main/java/com/codesignal/pastebin/controller/AdminController.java‎
Lines changed: 23 additions & 16 deletions
diff --git a/‎backend/src/main/java/com/codesignal/pastebin/controller/AuthController.java‎
Lines changed: 42 additions & 35 deletions b/‎backend/src/main/java/com/codesignal/pastebin/controller/AuthController.java‎
Lines changed: 42 additions & 35 deletions
@@ -11,7 +11,7 @@ RUN npm run build
 ############################
 # Java build stage
 ############################
-FROM maven:3.9-eclipse-temurin-17 AS build
+FROM maven:3.9-eclipse-temurin-23 AS build
 WORKDIR /app
 COPY backend/pom.xml backend/pom.xml
 RUN --mount=type=cache,target=/root/.m2 mvn -q -DskipTests -f backend/pom.xml dependency:go-offline
@@ -21,7 +21,7 @@ RUN --mount=type=cache,target=/root/.m2 mvn -q -DskipTests -f backend/pom.xml pa
 ############################
 # Runtime image
 ############################
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:23-jre
 WORKDIR /app
 # Copy the Spring Boot fat jar (exclude the .original)
 COPY --from=build /app/backend/target/*-SNAPSHOT.jar /app/app.jar
 
@@ -9,7 +9,7 @@
     <description>Java translation of learn_pastebin-python backend</description>
 
     <properties>
-        <java.version>17</java.version>
+        <java.version>23</java.version>
         <spring-boot.version>3.3.3</spring-boot.version>
         <hibernate.version>6.5.2.Final</hibernate.version>
     </properties>
@@ -86,6 +86,18 @@
                     <target>${java.version}</target>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>3.3.0</version>
+                <configuration>
+                    <archive>
+                        <manifestEntries>
+                            <Automatic-Module-Name>com.codesignal.pastebin</Automatic-Module-Name>
+                        </manifestEntries>
+                    </archive>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 </project>
@@ -0,0 +1,14 @@
+package com.codesignal.pastebin.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class AppConfig {
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}
@@ -3,20 +3,26 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
 
 @Configuration
 public class CorsConfig {
     @Bean
-    public CorsFilter corsFilter() {
+    public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration config = new CorsConfiguration();
         config.addAllowedOriginPattern("*");
         config.addAllowedHeader("*");
         config.addAllowedMethod("*");
         config.setAllowCredentials(true);
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", config);
-        return new CorsFilter(source);
+        return source;
+    }
+
+    @Bean
+    public CorsFilter corsFilter() {
+        return new CorsFilter(corsConfigurationSource());
     }
 }
@@ -4,18 +4,25 @@
 import com.codesignal.pastebin.model.Role;
 import com.codesignal.pastebin.model.User;
 import com.codesignal.pastebin.repo.UserRepository;
+import com.codesignal.pastebin.util.ErrorResponse;
 import com.codesignal.pastebin.util.JwtUtil;
-import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.sql.DataSource;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.ResultSetMetaData;
 import java.sql.Statement;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
 
 @RestController
 @RequestMapping("/api/admin")
@@ -30,38 +37,36 @@ public AdminController(UserRepository users, JwtUtil jwt, DataSource dataSource)
         this.dataSource = dataSource;
     }
 
-    private ResponseEntity<Map<String, Object>> error(HttpStatus status, String detail) {
-        Map<String, Object> err = new HashMap<>();
-        err.put("detail", detail);
-        return ResponseEntity.status(status).body(err);
+    private ResponseEntity<ErrorResponse> error(HttpStatus status, String detail) {
+        return ResponseEntity.status(status).body(new ErrorResponse(detail));
     }
 
-    private Object[] verifyAdminOrError(String authorizationHeader) {
+    private AdminOutcome verifyAdminOrError(String authorizationHeader) {
         if (authorizationHeader == null || authorizationHeader.isBlank()) {
-            return new Object[]{null, error(HttpStatus.UNAUTHORIZED, "Missing authorization header")};
+            return new AdminOutcome(null, error(HttpStatus.UNAUTHORIZED, "Missing authorization header"));
         }
         String token = authorizationHeader.startsWith("Bearer ") ? authorizationHeader.substring(7) : authorizationHeader;
         try {
             DecodedJWT decoded = jwt.verify(token);
             Integer userId = decoded.getClaim("userId").asInt();
             var userOpt = users.findById(userId);
             if (userOpt.isEmpty()) {
-                return new Object[]{null, error(HttpStatus.UNAUTHORIZED, "User not found")};
+                return new AdminOutcome(null, error(HttpStatus.UNAUTHORIZED, "User not found"));
             }
             User u = userOpt.get();
             if (u.getRole() != Role.ADMIN) {
-                return new Object[]{null, error(HttpStatus.FORBIDDEN, "Access denied")};
+                return new AdminOutcome(null, error(HttpStatus.FORBIDDEN, "Access denied"));
             }
-            return new Object[]{u, null};
+            return new AdminOutcome(u, null);
         } catch (Exception e) {
-            return new Object[]{null, error(HttpStatus.UNAUTHORIZED, "Invalid token")};
+            return new AdminOutcome(null, error(HttpStatus.UNAUTHORIZED, "Invalid token"));
         }
     }
 
     @GetMapping("/test")
     public ResponseEntity<?> adminTest(@RequestHeader(value = "authorization", required = false) String authorization) {
-        Object[] res = verifyAdminOrError(authorization);
-        if (res[1] != null) return (ResponseEntity<?>) res[1];
+        var outcome = verifyAdminOrError(authorization);
+        if (outcome.error() != null) return outcome.error();
         return ResponseEntity.ok(Map.of("message", "Admin test endpoint accessed successfully"));
     }
 
@@ -76,7 +81,6 @@ public ResponseEntity<?> accountInfo(@RequestParam(name = "id", required = false
             return error(HttpStatus.BAD_REQUEST, "Missing user ID parameter");
         }
 
-        // Deliberately vulnerable: Direct string concatenation into SQL
         String sql = "SELECT * FROM users WHERE id = " + id;
         try (Connection conn = dataSource.getConnection();
              Statement st = conn.createStatement();
@@ -96,4 +100,7 @@ public ResponseEntity<?> accountInfo(@RequestParam(name = "id", required = false
             return error(HttpStatus.INTERNAL_SERVER_ERROR, "Internal server error");
         }
     }
+
+    private record AdminOutcome(User user, ResponseEntity<ErrorResponse> error) {
+    }
 }
@@ -3,32 +3,34 @@
 import com.codesignal.pastebin.model.Role;
 import com.codesignal.pastebin.model.User;
 import com.codesignal.pastebin.repo.UserRepository;
+import com.codesignal.pastebin.util.ErrorResponse;
 import com.codesignal.pastebin.util.JwtUtil;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.web.bind.annotation.*;
-
-import java.util.HashMap;
-import java.util.Map;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/api/auth")
 public class AuthController {
     private final UserRepository users;
     private final JwtUtil jwt;
-    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+    private final PasswordEncoder encoder;
 
-    public AuthController(UserRepository users, JwtUtil jwt) {
+    public AuthController(UserRepository users, JwtUtil jwt, PasswordEncoder encoder) {
         this.users = users;
         this.jwt = jwt;
+        this.encoder = encoder;
     }
 
     @PostMapping("/register")
-    public ResponseEntity<?> register(@RequestBody Map<String, Object> body) {
-        String username = (String) body.get("username");
-        String password = (String) body.get("password");
-        String roleRaw = (String) body.getOrDefault("role", "user");
+    public ResponseEntity<?> register(@RequestBody RegisterRequest request) {
+        String username = request.username();
+        String password = request.password();
+        String roleRaw = request.role() == null ? "user" : request.role();
 
         if (username == null || password == null) {
             return error(HttpStatus.BAD_REQUEST, "Username and password are required");
@@ -38,41 +40,46 @@ public ResponseEntity<?> register(@RequestBody Map<String, Object> body) {
             return error(HttpStatus.BAD_REQUEST, "Username already exists");
         }
 
-        Role role = "admin".equals(roleRaw) ? Role.ADMIN : Role.USER;
+        Role role = switch (roleRaw) {
+            case "admin" -> Role.ADMIN;
+            default -> Role.USER;
+        };
         User u = new User();
         u.setUsername(username);
         u.setPassword(encoder.encode(password));
         u.setRole(role);
         users.save(u);
 
-        Map<String, Object> res = new HashMap<>();
-        res.put("message", "User registered successfully");
-        res.put("userId", u.getId());
-        return ResponseEntity.ok(res);
+        return ResponseEntity.ok(new RegisterResponse("User registered successfully", u.getId()));
     }
 
     @PostMapping("/login")
-    public ResponseEntity<?> login(@RequestBody Map<String, Object> body) {
-        String username = (String) body.get("username");
-        String password = (String) body.get("password");
-
-        var userOpt = users.findByUsername(username);
-        if (userOpt.isPresent()) {
-            User u = userOpt.get();
-            if (encoder.matches(password, u.getPassword())) {
-                String token = jwt.generateTokenWithUserId(u.getId());
-                Map<String, Object> res = new HashMap<>();
-                res.put("token", token);
-                return ResponseEntity.ok(res);
-            }
+    public ResponseEntity<?> login(@RequestBody LoginRequest request) {
+        String username = request.username();
+        String password = request.password();
+
+        User user = users.findByUsername(username).orElse(null);
+        if (user == null || !encoder.matches(password, user.getPassword())) {
+            return error(HttpStatus.UNAUTHORIZED, "Invalid credentials");
         }
-        return error(HttpStatus.UNAUTHORIZED, "Invalid credentials");
+
+        String token = jwt.generateTokenWithUserId(user.getId());
+        return ResponseEntity.ok(new TokenResponse(token));
     }
 
-    private ResponseEntity<Map<String, Object>> error(HttpStatus status, String detail) {
-        Map<String, Object> err = new HashMap<>();
-        err.put("detail", detail);
-        return ResponseEntity.status(status).body(err);
+    private ResponseEntity<ErrorResponse> error(HttpStatus status, String detail) {
+        return ResponseEntity.status(status).body(new ErrorResponse(detail));
+    }
+
+    public record RegisterRequest(String username, String password, String role) {
     }
-}
 
+    public record LoginRequest(String username, String password) {
+    }
+
+    public record RegisterResponse(String message, Integer userId) {
+    }
+
+    public record TokenResponse(String token) {
+    }
+}