refactor(auth): add comments, clearContext on logout, explain session auth

- Add comment to SecurityConfig explaining why CSRF is disabled
- Add SecurityContextHolder.clearContext() to logout for clean thread state
- Add Javadoc on authenticateInSession() explaining manual session setup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 18:52:16 +02:00
parent 61249af086
commit 93ce1eaeac
2 changed files with 8 additions and 0 deletions


@@ -18,6 +18,8 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
// CSRF is disabled: SvelteKit is the only client and submits form actions
// server-side, so the browser never calls the backend directly.
.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth
.requestMatchers("/v1/auth/signup", "/v1/auth/login").permitAll()
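Review bot: The new comment justifies `csrf.disable()` with a deployment assumption ("the browser never calls the backend directly") that nothing in this configuration enforces, so the moment this backend is reachable from a browser (a direct call to `/v1/auth/login` or any cookie-authenticated endpoint), the session-cookie auth described in the commit message becomes CSRF-exposed with no defence in depth. Either keep CSRF enabled and hand SvelteKit the token (for example `.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))`), or extend the comment to say where the "only the SvelteKit server can reach this" guarantee is actually enforced (network policy, ingress rule, or a service-to-service secret), so the next reader can verify the assumption rather than trust it.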