feat(auth): AuthService — login/logout with audit logging and timing-safe credential rejection

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java

@@ -0,0 +1,69 @@
+package org.raddatz.familienarchiv.auth;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.raddatz.familienarchiv.audit.AuditKind;
+import org.raddatz.familienarchiv.audit.AuditService;
+import org.raddatz.familienarchiv.exception.DomainException;
+import org.raddatz.familienarchiv.user.AppUser;
+import org.raddatz.familienarchiv.user.UserService;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.stereotype.Service;
+
+import java.util.Map;
+import java.util.UUID;
+
+@Service
+@RequiredArgsConstructor
+@Slf4j
+public class AuthService {
+
+    private final AuthenticationManager authenticationManager;
+    private final UserService userService;
+    private final AuditService auditService;
+
+    /**
+     * Validates credentials and returns the authenticated user plus the Spring Security
+     * Authentication object. The caller is responsible for persisting the Authentication
+     * to the session via SecurityContextRepository.
+     */
+    public LoginResult login(String email, String password, String ip, String ua) {
+        try {
+            Authentication auth = authenticationManager.authenticate(
+                    new UsernamePasswordAuthenticationToken(email, password));
+
+            AppUser user = userService.findByEmail(email);
+            auditService.log(AuditKind.LOGIN_SUCCESS, user.getId(), null, Map.of(
+                    "userId", user.getId().toString(),
+                    "ip", ip,
+                    "ua", truncateUa(ua)));
+            return new LoginResult(user, auth);
+        } catch (AuthenticationException ex) {
+            // Audit login failure — intentionally does NOT log the attempted password.
+            // DaoAuthenticationProvider already runs a dummy BCrypt on unknown users to
+            // equalise timing between "user not found" and "wrong password" paths.
+            auditService.log(AuditKind.LOGIN_FAILED, null, null, Map.of(
+                    "email", email,
+                    "ip", ip,
+                    "ua", truncateUa(ua)));
+            throw DomainException.invalidCredentials();
+        }
+    }
+
+    public void logout(UUID userId, String ip, String ua) {
+        auditService.log(AuditKind.LOGOUT, userId, null, Map.of(
+                "userId", userId.toString(),
+                "ip", ip,
+                "ua", truncateUa(ua)));
+    }
+
+    private static String truncateUa(String ua) {
+        if (ua == null) return "";
+        return ua.length() > 200 ? ua.substring(0, 200) : ua;
+    }
+
+    public record LoginResult(AppUser user, Authentication authentication) {}
+}

backend/src/main/java/org/raddatz/familienarchiv/exception/DomainException.java

@@ -39,6 +39,11 @@ public class DomainException extends RuntimeException {
         return new DomainException(ErrorCode.UNAUTHORIZED, HttpStatus.UNAUTHORIZED, message);
     }
 
+    public static DomainException invalidCredentials() {
+        return new DomainException(ErrorCode.INVALID_CREDENTIALS, HttpStatus.UNAUTHORIZED,
+                "Invalid email or password");
+    }
+
     public static DomainException conflict(ErrorCode code, String message) {
         return new DomainException(code, HttpStatus.CONFLICT, message);
     }