Ludy 3711d8d6b1 refactor(security): clean up SSO handling, harden URL parsing, and bump dependencies (#5523) ... # Description of Changes This PR performs a broad cleanup and refactor across the security, SSO, and dependency layers to improve correctness, maintainability, and robustness. ### What was changed - **SSO / Authentication cleanup** - Removed deprecated and ambiguous `SSO` authentication handling in favor of explicit `OAUTH2` and `SAML2`. - Introduced a centralized helper (`isSsoAuthenticationTypeByUsername`) to consistently detect SSO-backed users. - Hardened user creation logic to strictly validate authentication types and reject invalid values. - Updated OAuth2 and SAML2 authentication success handlers to use unified SSO detection logic and clearer control flow. - Adjusted tests to reflect the new canonical authentication types. - **Security & robustness improvements** - Replaced direct `new URL(...)` usage with `URI.create(...).toURL()` to avoid malformed URL edge cases. - Hardened `Referer` parsing logic to safely handle invalid or host-less URIs. - Improved string comparison patterns (`"literal".equals(x)`) to avoid potential `NullPointerException`s. - **Controller and API cleanup** - Removed large blocks of unused and legacy admin settings endpoints from `SettingsController`. - Updated OpenAPI annotations to use `requiredMode` instead of deprecated `required`. - **Dependency and build maintenance** - Updated Spring Boot from `3.5.7` to `3.5.9`. - Updated multiple dependencies (Spring Security, Jackson, Micrometer, Jetty, Hibernate, SnakeYAML, Springdoc, Swagger UI, etc.). - Synced dependency versions in `3rdPartyLicenses.json` and removed duplicate or obsolete entries. - Modernized Gradle DSL usage (`url =`, `username =`, `allowInsecureProtocol = true`). - Ensured Spotless disabling applies consistently across all subprojects. - Added `.build-cache` to `.gitignore`. ### Why the change was made - To eliminate legacy and ambiguous SSO handling that could lead to incorrect authentication decisions. - To improve security and stability when dealing with user-controlled URLs and headers. - To reduce technical debt by removing unused controllers and deprecated patterns. - To keep dependencies up to date and aligned with the current Spring Boot release. - To improve overall code clarity, consistency, and long-term maintainability. --- This pull request contains dependency updates, minor code cleanups, and some refactoring to improve maintainability and correctness. The most significant change is the removal of all admin settings endpoints (GET/POST) from the `SettingsController`, which impacts how application settings can be managed via the API. Additionally, there are dependency version bumps, minor improvements to static resource checks, and small refactors in certificate download logic and Telegram bot service. **Major API changes:** * Removed all admin settings endpoints (general, security, connections, privacy, advanced) from `SettingsController`, including both GET and POST handlers for updating and retrieving settings. This eliminates the ability to manage these settings via the API. **Dependency updates:** * Upgraded `snakeyaml-engine` from 2.10 to 3.0.1 and `springdoc-openapi-starter-webmvc-ui` from 2.8.14 to 2.8.15 in `build.gradle`. **Refactoring and bug fixes:** * Refactored static resource check in `RequestUriUtils.isStaticResource` to use constant-first string comparison for better null safety and clarity. * Updated certificate download logic in `CertificateValidationService` to use `URI.create(urlStr).toURL()` instead of `new URL(urlStr)` for improved URL parsing and error handling. [[1]](diffhunk://#diff-d2646f37bfd3e0963cbce16ab13edb52f2092795f54203b999dd82651154f26dL513-R514) [[2]](diffhunk://#diff-d2646f37bfd3e0963cbce16ab13edb52f2092795f54203b999dd82651154f26dL703-R704) * Refactored `TelegramPipelineBot` to consistently use `telegramProperties.getBotToken()` instead of `getBotToken()`, and removed the `getBotToken()` method override. [[1]](diffhunk://#diff-a2466b92f58750ea37960cd1533e3194d9ecc3b4ef5ad7b64a017ee0e636ad93L85-R85) [[2]](diffhunk://#diff-a2466b92f58750ea37960cd1533e3194d9ecc3b4ef5ad7b64a017ee0e636ad93L395-R395) [[3]](diffhunk://#diff-a2466b92f58750ea37960cd1533e3194d9ecc3b4ef5ad7b64a017ee0e636ad93L519-L523) --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.		2026-01-22 19:39:34 +00:00
..
src	refactor(security): clean up SSO handling, harden URL parsing, and bump dependencies (#5523)	2026-01-22 19:39:34 +00:00
.gitignore
build.gradle	build(deps): bump io.micrometer:micrometer-core from 1.16.1 to 1.16.2 (#5466)	2026-01-22 19:27:23 +00:00