feat(auth): switch CustomUserDetailsService to email-based lookup

loadUserByUsername now calls findByEmail and returns email as the Spring Security principal name. Tests updated to assert email identity. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 20:31:32 +02:00
parent fced33e033
commit 0b0559cbe9
2 changed files with 30 additions and 34 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/service/CustomUserDetailsService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/service/CustomUserDetailsService.java
@@ -29,24 +29,22 @@ public class CustomUserDetailsService implements UserDetailsService {
    private final AppUserRepository userRepository;

    @Override
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
-        AppUser appUser = userRepository.findByUsername(username)
-                .orElseThrow(() -> new UsernameNotFoundException("User nicht gefunden: " + username));
+    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
+        AppUser appUser = userRepository.findByEmail(email)
+                .orElseThrow(() -> new UsernameNotFoundException("User nicht gefunden: " + email));

-        // Collect all permissions from all groups; warn about any that don't match a known Permission enum value
        var authorities = appUser.getGroups().stream()
                .flatMap(group -> group.getPermissions().stream())
                .peek(p -> {
                    if (!KNOWN_PERMISSIONS.contains(p)) {
-                        log.warn("Unknown permission '{}' found in database for user '{}' — it will be granted but never matched by @RequirePermission", p, appUser.getUsername());
+                        log.warn("Unknown permission '{}' found in database for user '{}' — it will be granted but never matched by @RequirePermission", p, appUser.getEmail());
                    }
                })
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toSet());

-        // Rückgabe des Standard Spring Security User Objekts
        return new User(
-                appUser.getUsername(),
+                appUser.getEmail(),
                appUser.getPassword(),
                appUser.isEnabled(),
                true, true, true,