From 93ce1eaeac34f61ea5ed0fed2f9798305f8ad462 Mon Sep 17 00:00:00 2001
From: Marcel Raddatz
Date: Thu, 2 Apr 2026 18:52:16 +0200
Subject: [PATCH] refactor(auth): add comments, clearContext on logout, explain session auth

- Add comment to SecurityConfig explaining why CSRF is disabled
- Add SecurityContextHolder.clearContext() to logout for clean thread state
- Add Javadoc on authenticateInSession() explaining manual session setup

Co-Authored-By: Claude Sonnet 4.6
---
 .../src/main/java/com/recipeapp/auth/AuthController.java | 6 ++++++
 .../src/main/java/com/recipeapp/auth/SecurityConfig.java | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/backend/src/main/java/com/recipeapp/auth/AuthController.java b/backend/src/main/java/com/recipeapp/auth/AuthController.java
index 51f5fa7..d0f6605 100644
--- a/backend/src/main/java/com/recipeapp/auth/AuthController.java
+++ b/backend/src/main/java/com/recipeapp/auth/AuthController.java
@@ -50,6 +50,11 @@ public class AuthController {
 return ResponseEntity.ok(ApiResponse.success(user));
 }
 
+ /**
+ * Creates an authenticated Spring Security context and stores it in the HTTP session
+ * so that subsequent requests from the same session are recognised as authenticated.
+ * We do this manually because we are not using Spring Security's built-in form login.
+ */
 private void authenticateInSession(String email, String role, HttpServletRequest request) {
 var auth = UsernamePasswordAuthenticationToken.authenticated(
 email, null, List.of(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
@@ -66,6 +71,7 @@ public class AuthController {
 if (session != null) {
 session.invalidate();
 }
+ SecurityContextHolder.clearContext();
 return ResponseEntity.noContent().build();
 }
 
diff --git a/backend/src/main/java/com/recipeapp/auth/SecurityConfig.java b/backend/src/main/java/com/recipeapp/auth/SecurityConfig.java
index 7c1a6bd..27c35dc 100644
--- a/backend/src/main/java/com/recipeapp/auth/SecurityConfig.java
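Review bot: `role.toUpperCase()` on the last context line of this hunk is locale-sensitive, so the granted authority built from it can differ from the expected `ROLE_...` value on a JVM whose default locale has non-ASCII case rules; use `role.toUpperCase(Locale.ROOT)` (needs `java.util.Locale`). The new Javadoc correctly says this bypasses form login, but form login also rotates the session id before the context is persisted; the rest of authenticateInSession lies outside the hunk, so I cannot see whether it does the same. If it does not, calling `request.changeSessionId()` before storing the context closes the session-fixation gap that manual session setup otherwise reopens, and the Javadoc should record that precondition, e.g. `* The session id must be rotated before the context is stored, since form login's fixation protection does not run here.`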
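Review bot: The added `SecurityContextHolder.clearContext();` carries no comment explaining why it is needed right after `session.invalidate()`, which the commit message covers but the code does not; I would put `// invalidate() drops the stored context; clear the thread-local copy too so nothing later in this request still sees the old principal` above it. As a point of style, `new SecurityContextLogoutHandler().logout(request, response, auth)` performs both steps and keeps this endpoint consistent with Spring Security's own logout handling, provided the response is available here. The logout method's signature is outside the hunk, so I cannot confirm which parameters it has.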
+++ b/backend/src/main/java/com/recipeapp/auth/SecurityConfig.java
@@ -18,6 +18,8 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http
+ // CSRF is disabled: SvelteKit is the only client and submits form actions
+ // server-side, so the browser never calls the backend directly.
 .csrf(csrf -> csrf.disable())
 .authorizeHttpRequests(auth -> auth
 .requestMatchers("/v1/auth/signup", "/v1/auth/login").permitAll()
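Review bot: The new comment above `.csrf(csrf -> csrf.disable())` justifies disabling CSRF with a deployment assumption — browsers never reach the backend — that nothing in this configuration enforces, while the authentication this commit documents is session-based (AuthController stores the context in the HTTP session and invalidates it on logout), which is the cookie-carried model CSRF protection exists for. The comment should state the assumption as a precondition and name what keeps it true, e.g. `// CSRF is disabled on the assumption that only the SvelteKit server can reach this backend (browsers never do); if the backend is ever exposed directly, re-enable it, because auth rides on the servlet session.` Since the SvelteKit server already forwards form actions, keeping CSRF enabled and forwarding the token would remove the dependency on network layout altogether. securityFilterChain continues past the end of the hunk.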