Built with Spring Boot 4.1.0 and Java 21.
No deprecated APIs. No tutorial-level shortcuts.
🔐
JWT Authentication
Access tokens in response body (15 min). Refresh tokens in HTTP-only cookie (7 days). Token type enforcement.
📧
Email Verification
Users must verify their email before logging in. 24-hour expiry. Resend endpoint included. Async — does not block registration.
🔑
Password Reset
Secure forgot-password flow. One-time token, 1-hour expiry. Always returns success — prevents user enumeration.
🌐
Google OAuth2
Sign in with Google. Auto-generates username. Email conflict handling built in. Same JWT flow as regular login.
🛡️
Argon2 Hashing
OWASP-recommended Argon2id via Password4j. Memory-hard against GPU brute force. Not the deprecated Spring encoder.
👤
User Management
Get profile, update name and username, change password, delete account with cascade cleanup.
📦
Example CRUD
Full Items CRUD to learn from. Ownership enforced at database level. Rename to your domain in minutes.
🔢
API Versioning
All endpoints under /api/v1/. ApiVersion constant in one place. Add /v2/ without breaking existing clients.
🐳
Docker Ready
Multi-stage Dockerfile. Docker Compose for local PostgreSQL. Full stack compose for testing. Non-root container.
⚙️
GitHub Actions CI
Runs on every push to main. Java 21 with Maven cache. 42 tests automatically. Reports uploaded on failure.
📖
Swagger UI
Auto-generated at /api/swagger-ui. Authorize button — paste JWT and test all endpoints interactively.
📚
7 Doc Guides
Setup, structure, env vars, auth flows, adding features, deployment, and customization — all inside the private repo.