test(auth): integration tests for full session lifecycle and idle-timeout

Also switches pom.xml to spring-boot-starter-session-jdbc (Spring Boot 4.x split the session auto-config into a separate starter; spring-session-jdbc alone does not register JdbcSessionAutoConfiguration). Adds SpringSessionConfig#cookieSerializer bean to configure fa_session name and SameSite=Strict (spring.session.cookie.* properties are no longer supported by the Boot 4.x auto-configuration layer). Cleans up application.yaml / application-dev.yaml: removes store-type: jdbc and the unsupported cookie.* keys. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 19:50:22 +02:00
parent a6c85e3658
commit 0fa330a357
5 changed files with 183 additions and 15 deletions
--- a/backend/src/main/resources/application-dev.yaml
+++ b/backend/src/main/resources/application-dev.yaml
@@ -1,11 +1,9 @@
 spring:
  jpa:
    show-sql: true
-  session:
-    cookie:
-      # Dev runs over HTTP (port 5173 → 8080); Secure=true would prevent the
-      # cookie from being sent on plain HTTP. Override to false for local dev only.
-      secure: false
+  # spring.session.cookie.secure is no longer a supported Boot 4.x property.
+  # DefaultCookieSerializer auto-detects Secure from request.isSecure().
+  # Direct HTTP in dev → isSecure()=false → cookie sent without Secure attribute.

 springdoc:
  api-docs: