mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2026-04-06 03:19:39 +02:00
3711d8d6b1
# Description of Changes This PR performs a broad cleanup and refactor across the security, SSO, and dependency layers to improve correctness, maintainability, and robustness. ### What was changed - **SSO / Authentication cleanup** - Removed deprecated and ambiguous `SSO` authentication handling in favor of explicit `OAUTH2` and `SAML2`. - Introduced a centralized helper (`isSsoAuthenticationTypeByUsername`) to consistently detect SSO-backed users. - Hardened user creation logic to strictly validate authentication types and reject invalid values. - Updated OAuth2 and SAML2 authentication success handlers to use unified SSO detection logic and clearer control flow. - Adjusted tests to reflect the new canonical authentication types. - **Security & robustness improvements** - Replaced direct `new URL(...)` usage with `URI.create(...).toURL()` to avoid malformed URL edge cases. - Hardened `Referer` parsing logic to safely handle invalid or host-less URIs. - Improved string comparison patterns (`"literal".equals(x)`) to avoid potential `NullPointerException`s. - **Controller and API cleanup** - Removed large blocks of unused and legacy admin settings endpoints from `SettingsController`. - Updated OpenAPI annotations to use `requiredMode` instead of deprecated `required`. - **Dependency and build maintenance** - Updated Spring Boot from `3.5.7` to `3.5.9`. - Updated multiple dependencies (Spring Security, Jackson, Micrometer, Jetty, Hibernate, SnakeYAML, Springdoc, Swagger UI, etc.). - Synced dependency versions in `3rdPartyLicenses.json` and removed duplicate or obsolete entries. - Modernized Gradle DSL usage (`url =`, `username =`, `allowInsecureProtocol = true`). - Ensured Spotless disabling applies consistently across all subprojects. - Added `.build-cache` to `.gitignore`. ### Why the change was made - To eliminate legacy and ambiguous SSO handling that could lead to incorrect authentication decisions. - To improve security and stability when dealing with user-controlled URLs and headers. - To reduce technical debt by removing unused controllers and deprecated patterns. - To keep dependencies up to date and aligned with the current Spring Boot release. - To improve overall code clarity, consistency, and long-term maintainability. --- This pull request contains dependency updates, minor code cleanups, and some refactoring to improve maintainability and correctness. The most significant change is the removal of all admin settings endpoints (GET/POST) from the `SettingsController`, which impacts how application settings can be managed via the API. Additionally, there are dependency version bumps, minor improvements to static resource checks, and small refactors in certificate download logic and Telegram bot service. **Major API changes:** * Removed all admin settings endpoints (general, security, connections, privacy, advanced) from `SettingsController`, including both GET and POST handlers for updating and retrieving settings. This eliminates the ability to manage these settings via the API. **Dependency updates:** * Upgraded `snakeyaml-engine` from 2.10 to 3.0.1 and `springdoc-openapi-starter-webmvc-ui` from 2.8.14 to 2.8.15 in `build.gradle`. **Refactoring and bug fixes:** * Refactored static resource check in `RequestUriUtils.isStaticResource` to use constant-first string comparison for better null safety and clarity. * Updated certificate download logic in `CertificateValidationService` to use `URI.create(urlStr).toURL()` instead of `new URL(urlStr)` for improved URL parsing and error handling. [[1]](diffhunk://#diff-d2646f37bfd3e0963cbce16ab13edb52f2092795f54203b999dd82651154f26dL513-R514) [[2]](diffhunk://#diff-d2646f37bfd3e0963cbce16ab13edb52f2092795f54203b999dd82651154f26dL703-R704) * Refactored `TelegramPipelineBot` to consistently use `telegramProperties.getBotToken()` instead of `getBotToken()`, and removed the `getBotToken()` method override. [[1]](diffhunk://#diff-a2466b92f58750ea37960cd1533e3194d9ecc3b4ef5ad7b64a017ee0e636ad93L85-R85) [[2]](diffhunk://#diff-a2466b92f58750ea37960cd1533e3194d9ecc3b4ef5ad7b64a017ee0e636ad93L395-R395) [[3]](diffhunk://#diff-a2466b92f58750ea37960cd1533e3194d9ecc3b4ef5ad7b64a017ee0e636ad93L519-L523) --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.
Stirling PDF - The Open-Source PDF Platform
Stirling PDF is a powerful, open-source PDF editing platform. Run it as a personal desktop app, in the browser, or deploy it on your own servers with a private API. Edit, sign, redact, convert, and automate PDFs without sending documents to external services.
Key Capabilities
- Everywhere you work - Desktop client, browser UI, and self-hosted server with a private API.
- 50+ PDF tools - Edit, merge, split, sign, redact, convert, OCR, compress, and more.
- Automation & workflows - No-code pipelines direct in UI with APIs to process millions of PDFs.
- Enterprise‑grade - SSO, auditing, and flexible on‑prem deployments.
- Developer platform - REST APIs available for nearly all tools to integrate into your existing systems.
- Global UI - Interface available in 40+ languages.
For a full feature list, see the docs: https://docs.stirlingpdf.com
Quick Start
docker run -p 8080:8080 docker.stirlingpdf.com/stirlingtools/stirling-pdf
Then open: http://localhost:8080
For full installation options (including desktop and Kubernetes), see our Documentation Guide.
Resources
Support
- Community Discord
- Bug Reports: Github issues
Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
For development setup, see the Developer Guide.
For adding translations, see the Translation Guide.
License
Stirling PDF is open-core. See LICENSE for details.