add Feature/docs documents swagger

pom.xml

@@ -134,6 +134,12 @@
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+
+		<dependency>
+			<groupId>org.springdoc</groupId>
+			<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
+			<version>2.8.8</version>
+		</dependency>
 	</dependencies>
 
 	<build>

src/main/java/com/wallet/secure/config/OpenApiConfig.java

@@ -0,0 +1,105 @@
+package com.wallet.secure.config;
+
+import io.swagger.v3.oas.models.Components;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.info.Contact;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.info.License;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import io.swagger.v3.oas.models.servers.Server;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.List;
+
+/**
+ * OpenAPI 3.0 configuration — generates Swagger UI and API spec.
+ *
+ * Accessible at:
+ * → Swagger UI:   http://localhost:8080/swagger-ui/index.html
+ * → OpenAPI JSON: http://localhost:8080/v3/api-docs
+ * → OpenAPI YAML: http://localhost:8080/v3/api-docs.yaml
+ *
+ * WHY document the API:
+ * → Reclutadores pueden probar la API sin Postman
+ * → Frontend developers know exactly what each endpoint expects
+ * → Auto-generated from annotations — always in sync with code
+ *
+ * Security scheme: Bearer JWT
+ * → "Authorize" button in Swagger UI accepts the access token
+ * → All authenticated endpoints show the lock icon
+ * → Testers can login, copy the token, paste in Authorize → test everything
+ */
+@Configuration
+public class OpenApiConfig {
+
+    private static final String SECURITY_SCHEME_NAME = "bearerAuth";
+
+    @Bean
+    public OpenAPI secureWalletOpenAPI() {
+        return new OpenAPI()
+                .info(buildInfo())
+                .servers(buildServers())
+                .addSecurityItem(new SecurityRequirement().addList(SECURITY_SCHEME_NAME))
+                .components(new Components()
+                        .addSecuritySchemes(SECURITY_SCHEME_NAME, buildSecurityScheme()));
+    }
+
+    private Info buildInfo() {
+        return new Info()
+                .title("Secure Wallet API")
+                .version("0.0.1-SNAPSHOT")
+                .description("""
+                        ## Digital Wallet with OWASP Security Best Practices
+
+                        A production-grade REST API implementing:
+                        - **JWT Authentication** with access + refresh tokens
+                        - **Multi-device session management** (user_sessions table)
+                        - **ACID-compliant financial transactions** with pessimistic locking
+                        - **Complete audit trail** (audit_logs + transaction_history)
+                        - **OWASP Top 10** mitigations throughout
+
+                        ### How to authenticate:
+                        1. `POST /auth/register` or `POST /auth/login`
+                        2. Copy the `accessToken` from the response
+                        3. Click **Authorize** → paste `Bearer {accessToken}`
+                        4. All authenticated endpoints are now accessible
+
+                        ### Roles:
+                        - `USER` — standard wallet operations
+                        - `ADMIN` — user management, wallet suspension, session audit
+                        """)
+                .contact(new Contact()
+                        .name("DJAngel973")
+                        .url("https://github.com/DJAngel973/Secure-Wallet-API"))
+                .license(new License()
+                        .name("MIT")
+                        .url("https://opensource.org/licenses/MIT"));
+    }
+
+    private List<Server> buildServers() {
+        return List.of(
+                new Server()
+                        .url("http://localhost:8080")
+                        .description("Local development"),
+                new Server()
+                        .url("https://api.securewallet.dev")
+                        .description("Production (future)")
+        );
+    }
+
+    /**
+     * Defines the JWT Bearer security scheme.
+     * This adds the "Authorize" button to Swagger UI.
+     * Users paste their accessToken once — all endpoints use it automatically.
+     */
+    private SecurityScheme buildSecurityScheme() {
+        return new SecurityScheme()
+                .name(SECURITY_SCHEME_NAME)
+                .type(SecurityScheme.Type.HTTP)
+                .scheme("bearer")
+                .bearerFormat("JWT")
+                .description("Paste your access token here (without 'Bearer ' prefix)");
+    }
+}

src/main/java/com/wallet/secure/config/SecurityConfig.java

@@ -49,7 +49,11 @@ public class SecurityConfig {
             "/auth/login",
             "/auth/register",
             "/auth/refresh",
-            "/actuator/health"
+            "/actuator/health",
+            "/swagger-ui/**",
+            "/swagger-ui.html",
+            "/v3/api-docs/**",
+            "/v3/api-docs"
     };
 
     /**

src/main/resources/application.yml

@@ -133,4 +133,17 @@ app:
     password-require-uppercase: true
     password-require-lowercase: true
     password-require-digit: true
-    password-require-special: true
+    password-require-special: true
+
+    # SPRINGDOC - OpenAPI / Swagger
+    springdoc:
+      api-docs:
+        path: /v3/api-docs
+      swagger-ui:
+        path: /swagger-ui/index.html
+        operations-sorter: method      # Sort by HTTP method (GET, POST, PUT, DELETE)
+        tags-sorter: alpha             # Sort tags alphabetically
+        display-request-duration: true # Show response time in UI
+        try-it-out-enabled: true       # Enable "Try it out" by default
+      show-actuator: false             # Don't expose actuator in Swagger
+      packages-to-scan: com.wallet.secure  # Only scan our packages