feat: fix backend issues with state and memory leak

Author: RMCampos

docker-compose.dev.yml

@@ -39,7 +39,7 @@ services:
     ports:
       - "8585:8585"
       - "5005:5005"
-    image: maven:3.9.9-eclipse-temurin-25
+    image: maven:3.9.12-eclipse-temurin-25
     entrypoint: './mvnw -ntp spring-boot:run -Dspring-boot.run.jvmArguments="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:5005" -Dmaven.plugin.validation=VERBOSE'
     working_dir: /app
     volumes:

server/pom.xml

@@ -173,7 +173,7 @@
             <configuration>
               <enableLazyInitialization>true</enableLazyInitialization>
               <enableDirtyTracking>true</enableDirtyTracking>
-              <enableAssociationManagement>true</enableAssociationManagement>
+              <enableAssociationManagement>false</enableAssociationManagement>
             </configuration>
           </execution>
         </executions>

server/src/main/java/br/com/tasknoteapp/server/config/SecurityConfig.java

@@ -14,6 +14,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
@@ -59,6 +60,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     .permitAll())
         .httpBasic(AbstractHttpConfigurer::disable)
         .formLogin(AbstractHttpConfigurer::disable)
+        .sessionManagement(
+            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
         .exceptionHandling(
             exceptionHandling ->
                 exceptionHandling.authenticationEntryPoint(

server/src/main/java/br/com/tasknoteapp/server/controller/NoteController.java

@@ -1,6 +1,5 @@
 package br.com.tasknoteapp.server.controller;
 
-import br.com.tasknoteapp.server.entity.NoteEntity;
 import br.com.tasknoteapp.server.exception.NoteNotFoundException;
 import br.com.tasknoteapp.server.request.NotePatchRequest;
 import br.com.tasknoteapp.server.request.NoteRequest;
@@ -77,8 +76,8 @@ public ResponseEntity<NoteResponse> patchNote(
    */
   @PostMapping
   public ResponseEntity<NoteResponse> postNotes(@RequestBody @Valid NoteRequest noteRequest) {
-    NoteEntity createdNote = noteService.createNote(noteRequest);
-    return ResponseEntity.status(HttpStatus.CREATED).body(NoteResponse.fromEntity(createdNote));
+    NoteResponse createdNote = noteService.createNote(noteRequest);
+    return ResponseEntity.status(HttpStatus.CREATED).body(createdNote);
   }
 
   /**

server/src/main/java/br/com/tasknoteapp/server/entity/NoteEntity.java

@@ -8,7 +8,6 @@
 import jakarta.persistence.Id;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.ManyToOne;
-import jakarta.persistence.OneToOne;
 import jakarta.persistence.Table;
 import java.time.LocalDateTime;
 
@@ -30,9 +29,6 @@ public class NoteEntity {
   @ManyToOne(fetch = FetchType.LAZY)
   private UserEntity user;
 
-  @OneToOne(mappedBy = "note", fetch = FetchType.LAZY)
-  private NoteUrlEntity noteUrl;
-
   @Column(name = "tag", nullable = true, length = 30)
   private String tag;
 
@@ -77,14 +73,6 @@ public void setUser(UserEntity user) {
     this.user = user;
   }
 
-  public NoteUrlEntity getNoteUrl() {
-    return noteUrl;
-  }
-
-  public void setNoteUrl(NoteUrlEntity noteUrl) {
-    this.noteUrl = noteUrl;
-  }
-
   public String getTag() {
     return tag;
   }

server/src/main/java/br/com/tasknoteapp/server/entity/UserEntity.java

@@ -5,7 +5,6 @@
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
-import jakarta.persistence.OneToMany;
 import jakarta.persistence.Table;
 import java.time.LocalDateTime;
 import java.util.Collection;
@@ -41,9 +40,6 @@ public class UserEntity implements UserDetails {
   @Column(name = "name", length = 20)
   private String name;
 
-  @OneToMany(mappedBy = "user")
-  private List<TaskEntity> tasks;
-
   @Column(name = "email_confirmed_at", nullable = true)
   private LocalDateTime emailConfirmedAt;
 
@@ -147,14 +143,6 @@ public void setName(String name) {
     this.name = name;
   }
 
-  public List<TaskEntity> getTasks() {
-    return tasks;
-  }
-
-  public void setTasks(List<TaskEntity> tasks) {
-    this.tasks = tasks;
-  }
-
   public LocalDateTime getEmailConfirmedAt() {
     return emailConfirmedAt;
   }

server/src/main/java/br/com/tasknoteapp/server/repository/NoteUrlRepository.java

@@ -1,10 +1,13 @@
 package br.com.tasknoteapp.server.repository;
 
 import br.com.tasknoteapp.server.entity.NoteUrlEntity;
+import java.util.Optional;
 import org.springframework.data.jpa.repository.JpaRepository;
 
 /** This interface represents a note url repository, for database access. */
 public interface NoteUrlRepository extends JpaRepository<NoteUrlEntity, Long> {
 
+  Optional<NoteUrlEntity> findByNote_id(Long noteId);
+
   void deleteByNote_id(Long noteId);
 }

server/src/main/java/br/com/tasknoteapp/server/repository/UserPwdLimitRepository.java

@@ -12,6 +12,8 @@ public interface UserPwdLimitRepository extends JpaRepository<UserPwdLimitEntity
 
   List<UserPwdLimitEntity> findAllByUser_id(Long userId, Sort sort);
 
+  List<UserPwdLimitEntity> findTop3ByUser_idOrderByWhenHappenedDesc(Long userId);
+
   @Modifying
   @Query("delete UserPwdLimitEntity u where u.user.id = ?1")
   void deleteAllForUser(Long userId);

server/src/main/java/br/com/tasknoteapp/server/response/NoteResponse.java

@@ -1,9 +1,7 @@
 package br.com.tasknoteapp.server.response;
 
 import br.com.tasknoteapp.server.entity.NoteEntity;
-import br.com.tasknoteapp.server.entity.NoteUrlEntity;
 import br.com.tasknoteapp.server.util.TimeAgoUtil;
-import java.util.Objects;
 
 /** This record represents a task and its urls object to be returned. */
 public record NoteResponse(
@@ -16,9 +14,7 @@ public record NoteResponse(
    * @param entity The NoteEntity source data.
    * @return NoteResponse instance with all note data and urls, if any.
    */
-  public static NoteResponse fromEntity(NoteEntity entity) {
-    NoteUrlEntity noteUrl = entity.getNoteUrl();
-    String url = Objects.isNull(noteUrl) ? null : noteUrl.getUrl();
+  public static NoteResponse fromEntity(NoteEntity entity, String url) {
     String timeAgoFmt = TimeAgoUtil.format(entity.getLastUpdate());
 
     return new NoteResponse(

server/src/main/java/br/com/tasknoteapp/server/service/AuthService.java

@@ -36,8 +36,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.env.Environment;
-import org.springframework.data.domain.Sort;
-import org.springframework.data.domain.Sort.Direction;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -513,8 +511,10 @@ private Optional<String> getGravatarImageUrl(String email) {
   }
 
   private void checkLoginAttemptLimit(Long userId) {
-    Sort sort = Sort.by(Direction.DESC, "whenHappened");
-    List<UserPwdLimitEntity> userPwdList = userPwdLimitRepository.findAllByUser_id(userId, sort);
+    // Fetch only the 3 most recent failed attempts to avoid loading unbounded rows for
+    // targeted/brute-forced accounts.
+    List<UserPwdLimitEntity> userPwdList =
+        userPwdLimitRepository.findTop3ByUser_idOrderByWhenHappenedDesc(userId);
 
     logger.warn("login count attempt for user {}: {}", userId, userPwdList.size());