feat(gdpr): add GDPR compliance features #252
Conversation
Add the ability to query audit logs, which is essential for GDPR data export functionality. The implementation uses an interface-based design allowing different backends (file, database, Elasticsearch). - AuditEventDTO: DTO for returning audit event data - AuditLogQueryService: Interface for querying audit events by user - FileAuditLogQueryService: Default implementation parsing pipe-delimited logs The file-based implementation parses the existing audit log format and supports filtering by user, timestamp, and action type. Closes #250
Add events for GDPR lifecycle operations following the existing event pattern used by UserPreDeleteEvent and OnRegistrationCompleteEvent. - UserDataExportedEvent: Published after successful data export - UserDeletedEvent: Published after user deletion (post-transaction) - ConsentChangedEvent: Published when consent is granted or withdrawn These events enable consuming applications to react to GDPR operations, such as updating external systems or triggering notifications.
Implement core GDPR functionality including data export, deletion orchestration, and consent tracking services. Core Types: - ConsentType: Enum of standard consent types (PRIVACY_POLICY, etc.) - ConsentRecord: DTO for consent grant/withdrawal data - GdprDataContributor: Interface for apps to contribute export data - GdprConfig: Configuration properties with user.gdpr.* prefix - GdprExportDTO: Complete data export response structure Services: - GdprExportService: Aggregates user data for GDPR Article 15 export - GdprDeletionService: Orchestrates GDPR Article 17 deletion with hooks - ConsentAuditService: Tracks consent changes via audit system The GdprDataContributor interface allows consuming applications to include their domain-specific data in exports and clean up during deletion, making the framework extensible while handling core data.
Add REST controller with endpoints for GDPR operations at /user/gdpr/* following the existing UserAPI pattern. Endpoints: - GET /user/gdpr/export - Export current user's data as JSON - POST /user/gdpr/delete - Request account deletion - POST /user/gdpr/consent - Record consent grant/withdrawal - GET /user/gdpr/consent - Get current consent status All endpoints require authentication and return standard JSONResponse format. When GDPR features are disabled via configuration, endpoints return 404 Not Found.
Update existing files to support GDPR functionality: Configuration (dsspringuserconfig.properties): - user.gdpr.enabled: Master toggle for GDPR features - user.gdpr.exportBeforeDeletion: Auto-export before hard delete - user.gdpr.consentTracking: Enable consent audit events UserService: - Publish UserDeletedEvent after successful user deletion - Captures userId and email before deletion for the event
Address critical code review finding: fragile string parsing had injection risk. Now using Jackson ObjectMapper for safe JSON handling. - Add ConsentExtraData DTO for consent extra data serialization - Replace buildExtraData() with Jackson writeValueAsString() - Replace extractConsentType()/extractValue() with Jackson readValue() - Remove vulnerable escapeJson() helper method - Optimize consent status/export to process events in single pass
Address critical code review finding: user emails were being logged, exposing PII. Now using user IDs instead. - Replace user.getEmail() with user.getId() in all GDPR log statements - Affected files: GdprAPI, GdprDeletionService - ConsentAuditService/GdprExportService already updated in prior commit
Address high-severity code review finding: unbounded memory usage when reading large audit log files. - Replace BufferedReader iteration with Files.lines() stream - Process lines lazily to reduce memory footprint - Maintain same filtering and sorting behavior
Add comprehensive unit tests for GDPR REST API endpoints using standalone MockMvc with mocked services. Test cases cover: - Data export: authenticated, unauthenticated, GDPR disabled - Account deletion: authenticated, unauthenticated - Consent recording: valid, custom type, validation errors - Consent status: authenticated, unauthenticated, tracking disabled
Pull Request Review: GDPR Compliance FeaturesI've completed a thorough review of this PR. Overall, this is excellent work with a solid architecture and comprehensive implementation. The code quality is high, and the security fixes mentioned in the PR description have been properly addressed. ✅ StrengthsArchitecture & Design
Code Quality
Security
Test Coverage
🔍 Issues & Recommendations1. CRITICAL: Session Management Vulnerability in Account DeletionLocation: GdprAPI.java:278-284 Issue: The logout implementation only clears the local security context and logs out the current session, but doesn't invalidate ALL user sessions across different devices/browsers. Risk: After account deletion, user sessions on other devices remain active with a valid session but deleted user entity, potentially causing:
Recommendation: Leverage the existing 2. MEDIUM: Missing Cascade Delete DocumentationLocation: GdprDeletionService.java:221 Issue: Comment states "Password history entries are deleted automatically via cascade (orphanRemoval = true)" but this critical behavior isn't validated. Recommendation:
3. MEDIUM: File Audit Query Performance ConcernsLocation: FileAuditLogQueryService.java:96-111 Issue: The implementation reads and parses the entire log file for every query using Current code: Concerns:
Recommendations:
Example addition to JavaDoc (FileAuditLogQueryService.java:24): 4. LOW: Transaction Boundary ClarificationLocation: GdprDeletionService.java:99-140 Observation: The export happens outside the transaction (good!), but the comment "Note: Export is performed OUTSIDE the transaction" appears in both methods' JavaDoc. Consider making this pattern more explicit. Recommendation: The current design is correct, but consider adding a comment explaining why: 5. LOW: Missing Index RecommendationsIssue: GDPR export queries audit logs by user email/ID. If the audit log is database-backed in consuming apps, these fields should be indexed. Recommendation: Add to JavaDoc or documentation:
6. LOW: Potential NPE in ConsentAuditServiceLocation: ConsentAuditService.java:103-104 Issue: The second line has potential NPE if Recommendation: Current code is actually safe, but consider extracting to a helper method for clarity: 📝 Suggestions for Enhancement (Optional)1. Consider Export Format OptionsThe export is currently JSON-only. For full GDPR compliance, consider supporting:
2. Rate Limiting for GDPR EndpointsConsider adding rate limiting to prevent abuse:
3. Async Export for Large DatasetsFor users with extensive data, consider:
4. Audit the AuditorsThe GDPR operations themselves are audited, but consider:
🎯 ConclusionThis is a high-quality PR that adds comprehensive GDPR compliance features to the framework. The architecture is solid, the code is well-tested, and the security fixes mentioned in the PR description have been properly implemented. Must Fix Before Merge
Should Address
Nice to Have
Overall Assessment: APPROVE with the critical session management fix. Excellent work on implementing a complex feature with proper attention to security, extensibility, and GDPR compliance! 🚀 Reviewed by: Claude Sonnet 4.5 (AI Code Review) |
There was a problem hiding this comment.
Pull request overview
This pull request adds comprehensive GDPR compliance features to the Spring User Framework, implementing three primary GDPR rights: Right of Access (data export), Right to be Forgotten (account deletion), and Consent Management. The implementation includes a well-designed extensibility mechanism through the GdprDataContributor interface, allowing consuming applications to add their own domain-specific data to exports and handle cleanup during deletion.
Changes:
- Added GDPR services:
GdprExportService,GdprDeletionService, andConsentAuditServicefor data export, deletion, and consent tracking - Introduced new REST API endpoints under
/user/gdpr/*for export, delete, and consent operations - Created event system with
UserDeletedEvent,UserDataExportedEvent, andConsentChangedEventfor integration hooks - Implemented
FileAuditLogQueryServiceusing Java Streams to efficiently query audit logs for GDPR exports - Added configuration via
user.gdpr.*properties with sensible defaults
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/main/java/com/digitalsanctuary/spring/user/gdpr/GdprExportService.java | Core service for GDPR data export with Jackson-based JSON parsing and contributor aggregation |
| src/main/java/com/digitalsanctuary/spring/user/gdpr/GdprDeletionService.java | Orchestrates GDPR-compliant deletion with transaction handling and event publishing |
| src/main/java/com/digitalsanctuary/spring/user/gdpr/ConsentAuditService.java | Tracks consent grants/withdrawals via audit system with proper validation |
| src/main/java/com/digitalsanctuary/spring/user/api/GdprAPI.java | REST API controller providing JSON endpoints for GDPR operations |
| src/main/java/com/digitalsanctuary/spring/user/audit/FileAuditLogQueryService.java | Stream-based audit log querying to avoid memory issues with large files |
| src/main/java/com/digitalsanctuary/spring/user/service/UserService.java | Updated to publish UserDeletedEvent after successful deletion |
| src/main/java/com/digitalsanctuary/spring/user/dto/ConsentRequestDto.java | DTO for consent requests with validation (minor regex issue found) |
| src/main/java/com/digitalsanctuary/spring/user/gdpr/GdprDataContributor.java | Interface allowing apps to contribute custom data to GDPR exports |
| src/main/resources/config/dsspringuserconfig.properties | Added GDPR configuration properties with defaults |
| Test files | Comprehensive test coverage for all new services, events, and API endpoints |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| import com.digitalsanctuary.spring.user.service.DSUserDetails; | ||
| import com.digitalsanctuary.spring.user.service.UserService; | ||
| import com.digitalsanctuary.spring.user.test.builders.UserTestDataBuilder; | ||
| import com.fasterxml.jackson.databind.ObjectMapper; |
There was a problem hiding this comment.
Inconsistent Jackson imports: The test uses com.fasterxml.jackson.databind.ObjectMapper (line 47) while the main code uses tools.jackson.databind.ObjectMapper. This could indicate a Jackson version mismatch. Verify that both versions are compatible and consider using the same package throughout for consistency.
| import com.fasterxml.jackson.databind.ObjectMapper; | |
| import tools.jackson.databind.ObjectMapper; |
There was a problem hiding this comment.
Fixed in commit 69ad61b. Updated the test to use tools.jackson.databind.ObjectMapper (Jackson 3.x) for consistency with the main code.
| log.info("GdprDeletionService.deleteUser: Successfully deleted user {}", userId); | ||
|
|
||
| // Step 6: Publish UserDeletedEvent after successful deletion | ||
| eventPublisher.publishEvent(new UserDeletedEvent(this, userId, user.getEmail(), wasExported)); |
There was a problem hiding this comment.
User email is accessed after deletion (line 171) but before transaction commit. While this works because the entity is still in memory, it's safer and more consistent to capture the email at the start of the method (like userId at line 152) to avoid any potential issues with entity lifecycle management. Recommend adding String userEmail = user.getEmail(); after line 152 and using that variable at line 171.
There was a problem hiding this comment.
Fixed in commit 69ad61b. Now capturing userEmail at the start of executeUserDeletion() (line 153) and using that variable when publishing the UserDeletedEvent.
| * Must contain only alphanumeric characters, underscores, and hyphens. | ||
| */ | ||
| @Size(max = 100, message = "Custom type must not exceed 100 characters") | ||
| @Pattern(regexp = "^[a-zA-Z0-9_-]*$", message = "Custom type can only contain letters, numbers, underscores, and hyphens") |
There was a problem hiding this comment.
The Pattern regex allows empty strings due to the * quantifier (zero or more). This means an empty string would pass validation but still be invalid for CUSTOM consent types. Consider changing the regex to ^[a-zA-Z0-9_-]+$ (using + instead of *) to require at least one character, or add @NotBlank when consentType is CUSTOM. Currently, the manual validation in GdprAPI.java line 187 catches this, but it's better to fail fast at the validation layer.
| @Pattern(regexp = "^[a-zA-Z0-9_-]*$", message = "Custom type can only contain letters, numbers, underscores, and hyphens") | |
| @Pattern(regexp = "^[a-zA-Z0-9_-]+$", message = "Custom type can only contain letters, numbers, underscores, and hyphens") |
There was a problem hiding this comment.
Fixed in commit 69ad61b. Changed the regex from ^[a-zA-Z0-9_-]*$ to ^[a-zA-Z0-9_-]+$ to require at least one character.
Use SessionInvalidationService to invalidate ALL user sessions across all devices/browsers before account deletion, not just the current session. This prevents: - Security vulnerabilities from orphaned sessions with deleted user refs - GDPR non-compliance from user data remaining accessible via active sessions - Application errors when code tries to access the deleted user entity Changes: - Add SessionInvalidationService dependency to GdprAPI - Update logoutUser() to accept User parameter and call invalidateUserSessions() - Update GdprAPITest with SessionInvalidationService mock - Update test to use Jackson 3.x (tools.jackson) for consistency with main code
Address code review feedback from PR #252: - ConsentRequestDto: Change regex pattern from * to + to prevent empty strings from passing validation for custom consent types - GdprDeletionService: Capture user email at start of executeUserDeletion() before entity deletion to avoid potential entity lifecycle issues when publishing UserDeletedEvent - FileAuditLogQueryService: Enhance JavaDoc with detailed performance warning about file-scanning limitations (<50MB, <100K events) and recommendations for high-volume production deployments
Feedback AddressedThanks for the thorough review! Here's the status of each item: ✅ Fixed (Commits ba40f71, 69ad61b)1. CRITICAL: Session Management Vulnerability 2. File Audit Performance Warning 3. (From Copilot) Regex validation, entity lifecycle, and Jackson consistency issues also fixed. 📋 Deferred to BacklogCreated Linear issues for items that don't fit this PR's scope:
ℹ️ No Action Taken
|
Code Review: GDPR Compliance FeaturesExecutive SummaryThis is a well-architected PR that adds comprehensive GDPR compliance features. The code demonstrates solid Spring Boot/Spring Security practices and good test coverage. However, there are 4 critical issues that must be fixed before merging, along with several high-priority performance and security concerns. Overall Assessment: APPROVE WITH CHANGES REQUIRED 🚨 Critical Issues (Must Fix Before Merge)1. Session Invalidation Logic VulnerabilityLocation: After calling Fix: private void logoutUser(User user, HttpServletRequest request) {
try {
int invalidatedCount = sessionInvalidationService.invalidateUserSessions(user);
log.debug("Invalidated {} sessions for user {}", invalidatedCount, user.getId());
SecurityContextHolder.clearContext();
// Check if session still exists before logout
if (request.getSession(false) != null) {
request.logout();
}
} catch (ServletException e) {
log.warn("Logout failed", e);
}
}2. Audit Event Null User in DeletionLocation: After successful deletion, the code logs an audit event with logAuditEvent("GdprDelete", "Success", "User account deleted", null, request);Fix: Log the audit event BEFORE deletion, or store user ID/email in the message: String userInfo = user.getId() + ":" + user.getEmail();
// ... delete user ...
logAuditEvent("GdprDelete", "Success", "User account deleted: " + userInfo, null, request);3. Missing Authorization Check on DeletionLocation: The Fix: User user = validateAndGetUser(userDetails);
// Explicit authorization check
if (!user.getId().equals(userDetails.getUser().getId())) {
return buildErrorResponse("Unauthorized", 403, HttpStatus.FORBIDDEN);
}4. Transaction Boundary IssueLocation: The Fix: Use
|
Apply fixes from second round of code review: Security/Compliance: - Sanitize custom consent type names in logs to prevent PII exposure (log "CUSTOM" instead of actual custom type name) Performance/Stability: - Add configurable maxQueryResults limit to AuditConfig (default 10000) to prevent unbounded memory usage when querying large audit logs - Apply limit in FileAuditLogQueryService.findByUser() stream Code Quality: - Inject Spring-configured ObjectMapper via constructor in GdprExportService and ConsentAuditService instead of creating new instances (respects application's Jackson configuration) - Update tests with @SPY ObjectMapper for proper injection Configuration: - Add user.audit.maxQueryResults property to dsspringuserconfig.properties
Second Round of Feedback AddressedFixes applied in commit 356ca98: ✅ Fixed1. Hardcoded ObjectMapper Creation (Issue #11) 2. Potential PII Exposure in Logs (Issue #8) 3. Unbounded Memory in File Parsing (Issue #6) 4. CSRF Protection Verification (Issue #10) ℹ️ Not Addressed (Deferred or N/A)
|
Pull Request Review: GDPR Compliance FeaturesOverall AssessmentThis is an excellent and well-architected implementation of GDPR compliance features. The code demonstrates strong engineering practices, comprehensive test coverage, and thoughtful attention to security concerns. The PR description clearly documents the security fixes made during code review, which is commendable. Recommendation: ✅ Approve with minor suggestions Strengths1. Architecture & Design ⭐⭐⭐⭐⭐
2. Security 🔒The PR description shows critical security issues were already addressed:
Additional Security Observations:
3. Code Quality ✨
4. Test Coverage ✅
5. GDPR Compliance 📋
Suggestions for ImprovementMinor Issues1. Async Export Consideration (Performance, Low Priority)File: The export operation is currently synchronous. For users with large audit histories or many data contributors, this could cause request timeouts. Consider: // Option 1: Add async variant
@Async
public CompletableFuture<GdprExportDTO> exportUserDataAsync(User user) { ... }
// Option 2: Add timeout warning in docs
/**
* @throws TimeoutException for users with extensive audit history
*/2. Transaction Boundary Documentation (Code Clarity)File: The comment at line 126 says export is "OUTSIDE transaction", but it's not immediately obvious why this is safe. Consider adding: // Step 1: Export data OUTSIDE transaction (avoids holding transaction during slow I/O)
// Note: Safe because user data is read-only here; deletion hasn't started yet3. Audit Log Parsing Scalability (Performance, Medium Priority)File: The implementation reads the entire log file for each query. While the PR description acknowledges this ("suitable for small to medium audit volumes"), consider:
/**
* <p>⚠️ Performance Note: Reads entire log file on each query.
* For audit logs exceeding 10MB (~100k events), consider implementing
* a database-backed AuditLogQueryService.
*/4. Rate Limiting for Export Endpoint (Security, Medium Priority)File: The
5. Date Format Consistency (Code Quality, Low Priority)File: Multiple date formatters are tried in order. This is defensive but could be fragile. Consider:
Test Coverage AssessmentCoverage is strong but could be enhanced:
Security Checklist ✓
Configuration ReviewFile: The default values are sensible:
Consider documenting the security implications of disabling these features. Notable Implementation Details 👍
Final ThoughtsThis PR adds significant value to the Spring User Framework and demonstrates mature software engineering practices. The security fixes documented in the PR description show excellent attention to detail. The extensibility mechanisms ( The minor suggestions above are truly minor and don't block approval. Great work! 🎉 Generated with Claude Code |
Address 3 bugs identified by Codex code review: [P1] Fix audit timestamp parsing for zone-less dates - FileAuditLogQueryService.parseTimestamp() now tries LocalDateTime.parse() after ZonedDateTime.parse() fails, handling MessageFormat output like "Jan 16, 2025, 2:03:04 PM" that lacks timezone info - Converts LocalDateTime to Instant using system default zone - Fixes null timestamps in all audit events [P2] Clear withdrawnAt when consent is re-granted - GdprExportService.exportConsents() now sets withdrawnAt=null when updating existing consent record with a grant - Fixes bug where re-granted consents appeared inactive [P3] Preserve user identity in GDPR deletion audit event - GdprAPI.deleteAccount() now passes user object to logAuditEvent() instead of null, preserving user ID/email in audit trail - User is still in memory at this point before logout
Codex Review Fixes AppliedRan ✅ [P1] Audit Timestamp Parsing BugFile: The audit log writer uses Fix: Now tries ✅ [P2] Consent Re-Grant State BugFile: When a user withdraws consent and later re-grants it, the Fix: Added ✅ [P3] Deletion Audit Event Missing UserFile: GDPR deletion audit events were logged with Fix: Now passes the |
GDPR Compliance Feature Review - Comprehensive AnalysisI've completed a thorough code review of PR #252. This is an excellent implementation of GDPR features with strong security practices. The code review fixes mentioned in the PR description (Jackson parsing, PII in logs, validation, streams, transaction management) have been properly applied. Overall AssessmentSummary: Well-architected GDPR implementation (~4,357 lines across 27 files) with defense-in-depth security. The PR adds data export, user deletion, and consent management with proper authentication, authorization, validation, and audit trails. Recommendation: Address Critical and High priority items before merge. Medium/Low items can be handled in follow-up PRs. |
Critical Priority Issues1. Session Management Race Condition (GdprAPI.java:141-142)Location: 2. Partial Deletion Risk (GdprDeletionService.java:155-177)Location: |
High Priority Issues3. X-Forwarded-For Spoofing (ConsentAuditService.java:399-402)Location: 4. Log File Injection Vulnerability (FileAuditLogQueryService.java:170-192)Location: 5. Missing Rate Limiting (GdprAPI.java - all endpoints)Issue: No rate limiting on resource-intensive operations ( 6. Unbounded Memory Risk (GdprExportService.java:131-137)Issue: While using streams and having 7. Missing Integration TestsIssue: Tests use mocks, not real database or file I/O. Race conditions, transaction rollback, and file parsing bugs won't be caught. |
Medium Priority Issues8. Audit Query PerformanceIssue: GDPR export reads audit log file 3+ times (once for general audit, twice for consent). For 50MB logs, this means 150MB+ I/O per export. 9. Event Publishing After Deletion (GdprDeletionService.java:172)Issue: 10. Date Parsing Timezone Ambiguity (FileAuditLogQueryService.java:217-219)Issue: Parses 11. Session ID Creation (GdprAPI.java:309)Issue: 12. Missing Concurrent Operation TestsIssue: No tests for simultaneous export+delete, or multiple concurrent exports. |
Positive Security Findings ✅The implementation demonstrates many excellent practices:
|
Code Quality & Test CoverageArchitecture
Test Coverage
Documentation & Style
|
ConclusionThis is a high-quality GDPR implementation with strong security foundations. The code review fixes from the PR description have been properly applied. The remaining issues are primarily edge cases, performance optimizations, and testing gaps rather than fundamental design flaws. Next Steps
Great work on this complex feature! The framework now provides solid GDPR compliance capabilities. 🎉 Review completed by Claude Sonnet 4.5 | Analyzed 4,357 additions across 27 files Additional low-priority items (error message sanitization, JSON serialization control, large data volume testing) are documented but can be addressed in future iterations. |
- Add JavaDoc warning in GdprDeletionService about contributor transaction safety (external API calls could cause partial deletion) - Consolidate ConsentAuditService to use shared UserUtils.getClientIP() - Fix session creation in GdprAPI audit logging (use getSession(false)) - Add rate limiting documentation to export and delete endpoints - Add defensive parsing in FileAuditLogQueryService for unescaped pipes
Final PR Review Feedback AddressedFixes applied in commit fd6dda4: ✅ Fixed1. GdprDataContributor Transaction Safety Warning 2. X-Forwarded-For IP Handling 3. Session ID Creation in Audit Logging 4. Rate Limiting Documentation 5. Defensive Log Parsing 📋 Deferred to BacklogCreated Linear issues for items requiring architectural changes:
ℹ️ No Action Taken (False Positives)
|
PR Review: GDPR Compliance FeaturesThis is a substantial and well-implemented feature addition that adds comprehensive GDPR compliance capabilities to the Spring User Framework. The code quality is generally excellent, with good documentation, proper separation of concerns, and thorough test coverage. ✅ Strengths1. Architecture & Design
2. Security ImprovementsThe PR already includes critical security fixes:
3. Code Quality
🔍 Issues & RecommendationsCRITICAL Issues1. FileAuditLogQueryService.java:175 - Pipe Character EscapingThe parser handles unescaped pipes defensively but the root cause needs fixing. Recommendation: Document that FileAuditLogWriter MUST escape pipes, or migrate to JSON Lines format. HIGH Priority Issues2. GdprAPI.java:284 - Potential LazyInitializationExceptionRe-fetching user is good, but ensure services use @transactional or explicitly fetch associations. 3. ConsentAuditService.java:103 - Potential NullPointerExceptionrequest.getSession() creates session if missing. Should use request.getSession(false). 4. FileAuditLogQueryService.java:111 - Performance WarningFile read on each query. Add runtime warning for large files (>50MB). 5. GdprDeletionService.java:189 - Transaction BoundaryNeed test to verify rollback if contributor throws exception. MEDIUM Priority Issues6. Export PerformanceExport outside transaction is good, but could have race condition if user modified during export. 7. Pattern ValidationConsentRequestDto pattern allows confusing values like ---. Consider requiring alphabetic character. 8. Rate LimitingComments mention rate limiting but no implementation guidance provided. 9. Sorting PerformanceO(n log n) sort on every query. Consider assuming chronological order for append-only logs. 🔒 Security AssessmentPositive practices:
GDPR Compliance:
🧪 Test CoverageGood coverage with:
Recommendations:
🎯 Final RecommendationsBefore Merging:
Post-Merge:
📝 SummaryThis is an excellent PR that adds critical GDPR compliance features with good design patterns and solid implementation. The code quality is high, documentation is thorough, and the architecture is extensible. Recommendation: Approve with minor fixes The identified issues are relatively minor and can be addressed quickly. The security fixes already in the PR demonstrate thorough review. Great work! 🎉 |
- Change user.gdpr.enabled default to false for backward compatibility - Add GDPR features to README.md Features list - Add comprehensive GDPR Compliance section to README.md with: - Configuration instructions - Data export (Right of Access) documentation - Account deletion (Right to be Forgotten) documentation - Consent management API documentation - GdprDataContributor extensibility guide - GDPR events reference - Add GDPR configuration section to CONFIG.md - Add user.audit.maxQueryResults to CONFIG.md
Documentation & Default Configuration UpdateCommit da9555d adds: Breaking Change MitigationGDPR now disabled by default ( Existing applications upgrading to this version will not have GDPR endpoints automatically exposed. Applications that want GDPR features must explicitly enable them: user:
gdpr:
enabled: trueDocumentation AddedREADME.md:
CONFIG.md:
|
GDPR Feature Implementation Code ReviewOverviewThis PR adds comprehensive GDPR compliance features. Overall, the implementation is well-structured and production-ready, with excellent attention to security concerns. ✅ Strengths1. Architecture & Design
2. Security ImprovementsAll critical fixes from previous review are correctly implemented:
3. Code Quality
4. Testing
🔍 Critical IssuesCRITICAL: Rate Limiting MissingLocation: GdprAPI.java:89-90 The /export and /delete endpoints perform extremely expensive operations (file I/O, full log parsing) and are vulnerable to resource exhaustion attacks. A malicious user could call these endpoints in a loop and cause significant damage. Recommendation: Add Spring Security rate limiting or bucket4j before deployment. HIGH: Performance IssuesLocation: FileAuditLogQueryService.java:95-133 Issue 1: GDPR export calls this service 3+ times, each re-reading the entire log file. For a 50MB log, that's 150MB+ of I/O per export. Recommendation: Add in-memory caching with TTL. Issue 2: Lines 184-196 handle unescaped pipes by rejoining - fragile approach. Recommendation: Migrate to JSON Lines format for audit logs (industry standard). MEDIUM: Transaction ManagementLocation: GdprDeletionService.java:150-177 Publishing events within @transactional method. If listeners perform slow operations, they'll block the transaction. Recommendation: Use @TransactionalEventListener with AFTER_COMMIT phase. MEDIUM: Missing ValidationLocation: ConsentRequestDto.java No max length on policyVersion field could lead to data truncation. Recommendation: Add @SiZe(max=255) validation. 🔐 Security Assessment
📋 Test Coverage ObservationsGood: Happy paths, error cases, validation Missing:
✅ Checklist Before Merge
SummaryThis is solid, production-ready code with excellent architecture. The critical security issues from previous review are properly fixed. Main concerns:
With rate limiting addressed, this PR is ready to merge. Other issues can be follow-ups. Overall Assessment: 8.5/10 🎉 Excellent work on a complex feature with significant compliance implications! |
Summary
Add comprehensive GDPR compliance features to the Spring User Framework:
/user/gdpr/export/user/gdpr/deleteGdprDataContributorinterface for apps to add custom dataKey Components
New Services
GdprExportService- Aggregates user data from framework and registered contributorsGdprDeletionService- Orchestrates GDPR-compliant user deletion with pre-delete eventsConsentAuditService- Records consent changes via existing audit infrastructureNew REST API (
/user/gdpr/*)GET /export- Export user data as JSONPOST /delete- Request account deletionPOST /consent- Record consent grant/withdrawalGET /consent- Get current consent statusNew Events
UserPreDeleteEvent- Published before deletion for cleanupUserDeletedEvent- Published after successful deletionUserDataExportedEvent- Published after data exportConsentChangedEvent- Published on consent changesConfiguration
All features configurable via
user.gdpr.*properties with sensible defaults.Security Fixes (Code Review)
This PR includes fixes for issues identified in code review:
Test Plan
./gradlew build)