fix(security): enforce validation on request bodies and tighten JWT issuer checks

[balazs-szucs]

Description

Linked Issue: Fixes #

Changes

JWT Hardening (JwtUtils.java)

• Reduced access token expiry from 10 hours → 2 hours
• New tokens now include iss: "booklore" claim
• Graceful issuer enforcement on parsing: rejects tokens with a wrong issuer
  but allows legacy tokens with no issuer claim to pass through
• Action required in ~30 days: switch to hard .requireIssuer("booklore")
  once all legacy tokens have naturally expired

Security Headers (SecurityConfig.java)

• Added X-Frame-Options: DENY to prevent clickjacking

Input Validation (Controllers)

• Added @Valid / @Validated to request bodies across:
  • BookdropFileController discard files, finalize import
  • MetadataController update, bulk edit, toggle locks, ISBN lookup
  • OidcGroupMappingController create, update
• Previously these endpoints accepted unvalidated input even if DTOs
  had Bean Validation constraints

Logging (LoggingFilter.java)

• Sensitive headers (Authorization, Cookie, Set-Cookie, X-API-Key,
  X-Forwarded-Access-Token) are now redacted in dev profile request logging

Summary by CodeRabbit

• Security & Hardening

  • Sensitive headers are now redacted in request logs.
  • Access token lifetime reduced from 10 hours to 2 hours.
  • JWT token issuer validation now enforced.
  • X-Frame-Options header protection added to API endpoints.

• Data Validation

  • Enhanced request validation for file import, metadata management, and OIDC group mapping endpoints.

[coderabbitai]

📝 Walkthrough

Walkthrough

Six files across security and input validation domains were modified. Changes include JWT issuer claim validation and token expiration reduction, sensitive HTTP header redaction in request logging, stricter frame-option security headers, and systematic addition of validation annotations to multiple controller request body parameters.

Changes

Cohort / File(s)	Summary
Security Configuration booklore-api/src/main/java/org/booklore/config/LoggingFilter.java, booklore-api/src/main/java/org/booklore/config/security/JwtUtils.java, booklore-api/src/main/java/org/booklore/config/security/SecurityConfig.java	JWT issuer validation added with access token expiration reduced from 10 to 2 hours; sensitive HTTP headers redacted during request logging; X-Frame-Options header denial enforced.
Request Body Validation booklore-api/src/main/java/org/booklore/controller/BookdropFileController.java, booklore-api/src/main/java/org/booklore/controller/MetadataController.java, booklore-api/src/main/java/org/booklore/controller/OidcGroupMappingController.java	@Valid or @Validated annotations added to request body parameters across three controllers to enforce input validation on endpoint request payloads.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 With issuer claims now sealed tight,
And headers wrapped from prying sight,
Validation guards at every door,
The API's safer than before!
A hare's delight—security's care! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main changes: security hardening through request body validation and JWT issuer enforcement.
Description check	✅ Passed	The description follows the required template structure and provides comprehensive, well-organized details of all changes across multiple components.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@booklore-api/src/main/java/org/booklore/config/security/JwtUtils.java`:
- Around line 79-85: The current JwtUtils issuer check silently allows
issuer-less tokens indefinitely; change it to read a configurable cutoff (e.g.,
env/config property like jwt.issuerEnforceDate or JWT_ISSUER_ENFORCE_DATE) and
enforce the issuer after that date: keep the existing graceful behavior (allow
null issuer) only if now is before the configured cutoff, but once now >= cutoff
require claims.getIssuer() to equal "booklore" and throw JwtException otherwise;
update the issuer logic in JwtUtils (the block using claims.getIssuer()) to
parse the configured cutoff (with a safe default set to 2026-04-24) and branch
on current date so the grace period is time-limited and configurable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fbe75c27-d23c-4ba2-b6ea-7c9ce8ec1277

📥 Commits

Reviewing files that changed from the base of the PR and between ccefdcd and b0b2ac1.

📒 Files selected for processing (6)

• booklore-api/src/main/java/org/booklore/config/LoggingFilter.java
• booklore-api/src/main/java/org/booklore/config/security/JwtUtils.java
• booklore-api/src/main/java/org/booklore/config/security/SecurityConfig.java
• booklore-api/src/main/java/org/booklore/controller/BookdropFileController.java
• booklore-api/src/main/java/org/booklore/controller/MetadataController.java
• booklore-api/src/main/java/org/booklore/controller/OidcGroupMappingController.java

[imajes]

@balazs-szucs can we add some tests here?

[balazs-szucs]

@balazs-szucs can we add some tests here?

this is boilerplate.