Open
Labels
- enhancement: New feature or request
- post-mvp: Use for all issues/PRs that do not belong to the MVP release. Will be implemented post-MVP.
- priority:P2-normal: Normal priority; plan within the current milestone.
- status:triage: Newly filed or uncategorized. Needs initial review, labeling, and priority assignment.
Milestone
Description
Problem / context
MVP uses a servlet-based Cognito flow for speed. For robustness and standardized security, migrate to Spring Security OIDC, place the authenticated user in the SecurityContext, and secure routes centrally in one configuration instead of per-servlet.
Proposed solution
- Configure Spring Security OIDC for Cognito (issuer-uri or full provider/client config).
- Replace servlet callback logic with Spring Security’s OAuth2 login flow (or run in parallel during transition).
- Add HttpSecurity rules: permitAll for public pages, authenticated for drill/submission, ADMIN for admin CRUD.
- Map OIDC claims to authorities (e.g., email/roles) and expose principal in controllers as needed.
- Keep secrets in env/SSM; remove any unused servlet auth code post-migration.
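One way to realise the steps above, given here as an added example rather than the project's own code: a single Spring Security configuration that enables OIDC login against Cognito, applies the three route tiers, maps claims to authorities, and exposes the principal to a controller. It assumes Spring Boot 3 / Spring Security 6, that the Cognito client and issuer are supplied through the standard `spring.security.oauth2.client.*` properties (populated from environment variables, never committed), and that the route paths (`/drill/**`, `/submissions/**`, `/admin/**`), the `admins` group name and the `cognito:groups` claim are illustrative choices not taken from the issue.

```java
// Added example, not the project's code. Assumes these properties in application.yml,
// each resolved from the environment (or SSM) rather than the repository:
//   spring.security.oauth2.client.registration.cognito.client-id=${COGNITO_CLIENT_ID}
//   spring.security.oauth2.client.registration.cognito.client-secret=${COGNITO_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.cognito.scope=openid,email
//   spring.security.oauth2.client.provider.cognito.issuer-uri=${COGNITO_ISSUER_URI}
// Route paths, the "admins" group and the cognito:groups claim are assumptions for illustration.
package com.example.security;

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Central route protection: public, authenticated, and admin tiers.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/about", "/css/**", "/js/**", "/error").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/drill/**", "/submissions/**").authenticated()
                // Deny-by-default for anything not listed above.
                .anyRequest().authenticated())
            // OAuth2/OIDC login replaces the servlet callback; unauthenticated
            // requests to protected routes are redirected to Cognito.
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo
                    .userAuthoritiesMapper(cognitoAuthoritiesMapper())))
            .logout(logout -> logout.logoutSuccessUrl("/"));
        return http.build();
    }

    // Maps OIDC claims to Spring authorities. Cognito lists group membership in
    // the "cognito:groups" ID-token claim; membership of "admins" (assumed name)
    // becomes ROLE_ADMIN. All original authorities (e.g. OIDC_USER) are kept.
    @Bean
    GrantedAuthoritiesMapper cognitoAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidc) {
                    List<String> groups = oidc.getIdToken().getClaimAsStringList("cognito:groups");
                    if (groups != null && groups.contains("admins")) {
                        mapped.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                    }
                }
            }
            return mapped;
        };
    }
}

// The principal now lives in the SecurityContext and can be injected directly.
@RestController
class MeController {

    @GetMapping("/me")
    String me(@AuthenticationPrincipal OidcUser user) {
        // Email comes from the verified ID token, not from a request parameter.
        return user.getEmail();
    }
}
```

With this in place the three acceptance checks map to concrete behaviour: a request to `/drill/**` without a session gets a 302 to the Cognito authorization endpoint, `/admin/**` returns 403 for a signed-in user whose ID token lacks the admin group, and `/me` returns the email taken from the validated token. During a transition period the old servlet callback can remain registered, but its path should be placed under the same `permitAll`/`authenticated` rules so it cannot become an unguarded entry point.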
In scope / Out of scope
In scope
- Security config, route protection, principal mapping, docs updates.
Out of scope
- Advanced RBAC, custom user provisioning.
Acceptance criteria
- Visiting protected routes redirects to Cognito and returns successfully
- SecurityContext holds the authenticated principal; controllers can inject it
- Public vs. protected vs. admin routes behave as expected
- Secrets are read from env/SSM (no repo secrets)
- Legacy servlet-based auth removed (or clearly deprecated) after migration
Area
area:security
Dependencies / related issues
- Relates to: Issue #10 - Protect Routes and Challenge Data
- Supersedes: Issue #8 - Authentication (MVP) for long-term auth strategy
Checklist
- I’ve checked existing issues for duplicates.
- I can help implement this and open a PR.
Projects
Status
Todo