refactor(auth): replace @Autowired(required=false) with SessionRevocationPort + constructor injection

Extract SessionRevocationPort interface with JdbcSessionRevocationAdapter
(@ConditionalOnBean) and NoOpSessionRevocationAdapter (@ConditionalOnMissingBean).
AuthService now uses @RequiredArgsConstructor with final fields for both
LoginRateLimiter and SessionRevocationPort, removing all null guards.
AuthServiceTest drops ReflectionTestUtils.setField and uses @Mock on the port.

Fixes Felix's blocker: @Autowired(required=false) field injection in AuthService.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java

@@ -7,12 +7,10 @@ import org.raddatz.familienarchiv.audit.AuditService;
 import org.raddatz.familienarchiv.exception.DomainException;
 import org.raddatz.familienarchiv.user.AppUser;
 import org.raddatz.familienarchiv.user.UserService;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
 import org.springframework.stereotype.Service;
 
 import java.util.Map;
@@ -26,28 +24,17 @@ public class AuthService {
     private final AuthenticationManager authenticationManager;
     private final UserService userService;
     private final AuditService auditService;
+    private final LoginRateLimiter loginRateLimiter;
+    private final SessionRevocationPort sessionRevocationPort;
 
-    @Autowired(required = false)
-    private JdbcIndexedSessionRepository sessionRepository;
-
-    @Autowired(required = false)
-    private LoginRateLimiter loginRateLimiter;
-
-    /**
-     * Validates credentials and returns the authenticated user plus the Spring Security
-     * Authentication object. The caller is responsible for persisting the Authentication
-     * to the session via SecurityContextRepository.
-     */
     public LoginResult login(String email, String password, String ip, String ua) {
-        if (loginRateLimiter != null) {
-            try {
-                loginRateLimiter.checkAndConsume(ip, email);
-            } catch (DomainException ex) {
-                auditService.log(AuditKind.LOGIN_RATE_LIMITED, null, null, Map.of(
-                        "ip", ip,
-                        "email", email));
-                throw ex;
-            }
+        try {
+            loginRateLimiter.checkAndConsume(ip, email);
+        } catch (DomainException ex) {
+            auditService.log(AuditKind.LOGIN_RATE_LIMITED, null, null, Map.of(
+                    "ip", ip,
+                    "email", email));
+            throw ex;
         }
         try {
             Authentication auth = authenticationManager.authenticate(
@@ -58,9 +45,7 @@ public class AuthService {
                     "userId", user.getId().toString(),
                     "ip", ip,
                     "ua", truncateUa(ua)));
-            if (loginRateLimiter != null) {
-                loginRateLimiter.invalidateOnSuccess(ip, email);
-            }
+            loginRateLimiter.invalidateOnSuccess(ip, email);
             return new LoginResult(user, auth);
         } catch (AuthenticationException ex) {
             // Audit login failure — intentionally does NOT log the attempted password.
@@ -75,22 +60,11 @@ public class AuthService {
     }
 
     public int revokeOtherSessions(String currentSessionId, String principalName) {
-        if (sessionRepository == null) return 0;
-        int count = 0;
-        for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
-            if (!id.equals(currentSessionId)) {
-                sessionRepository.deleteById(id);
-                count++;
-            }
-        }
-        return count;
+        return sessionRevocationPort.revokeOtherSessions(currentSessionId, principalName);
     }
 
     public int revokeAllSessions(String principalName) {
-        if (sessionRepository == null) return 0;
-        var sessions = sessionRepository.findByPrincipalName(principalName);
-        sessions.keySet().forEach(sessionRepository::deleteById);
-        return sessions.size();
+        return sessionRevocationPort.revokeAllSessions(principalName);
     }
 
     public void logout(String email, String ip, String ua) {

backend/src/main/java/org/raddatz/familienarchiv/auth/JdbcSessionRevocationAdapter.java

@@ -0,0 +1,33 @@
+package org.raddatz.familienarchiv.auth;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+import org.springframework.stereotype.Service;
+
+@Service
+@ConditionalOnBean(JdbcIndexedSessionRepository.class)
+@RequiredArgsConstructor
+class JdbcSessionRevocationAdapter implements SessionRevocationPort {
+
+    private final JdbcIndexedSessionRepository sessionRepository;
+
+    @Override
+    public int revokeOtherSessions(String currentSessionId, String principalName) {
+        int count = 0;
+        for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
+            if (!id.equals(currentSessionId)) {
+                sessionRepository.deleteById(id);
+                count++;
+            }
+        }
+        return count;
+    }
+
+    @Override
+    public int revokeAllSessions(String principalName) {
+        var sessions = sessionRepository.findByPrincipalName(principalName);
+        sessions.keySet().forEach(sessionRepository::deleteById);
+        return sessions.size();
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/auth/NoOpSessionRevocationAdapter.java

@@ -0,0 +1,19 @@
+package org.raddatz.familienarchiv.auth;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.stereotype.Service;
+
+@Service
+@ConditionalOnMissingBean(SessionRevocationPort.class)
+class NoOpSessionRevocationAdapter implements SessionRevocationPort {
+
+    @Override
+    public int revokeOtherSessions(String currentSessionId, String principalName) {
+        return 0;
+    }
+
+    @Override
+    public int revokeAllSessions(String principalName) {
+        return 0;
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/auth/SessionRevocationPort.java

@@ -0,0 +1,6 @@
+package org.raddatz.familienarchiv.auth;
+
+public interface SessionRevocationPort {
+    int revokeOtherSessions(String currentSessionId, String principalName);
+    int revokeAllSessions(String principalName);
+}