Add Spring Boot backend module for DPC community data API with account management

[Copilot]

Adds a dpc-api Spring Boot module providing RESTful endpoints for cross-server community data, starting with Medieval Factions. Minecraft servers running DPC plugins can POST faction data; the website (and anyone) can GET it. Aligned with Medieval Factions PR #1959.

New module: dpc-api/

• Stack: Spring Boot 3.4.4, Spring Security, Spring Data JPA, PostgreSQL, Flyway 10.x (flyway-database-postgresql), Lombok, springdoc-openapi, JJWT 0.12.6, Java 17
• Endpoints:
  • POST /api/v1/factions — batch faction sync (API key required); accepts a JSON array of factions, de-duplicates and upserts by (name, serverId)
  • GET /api/v1/factions — paginated listing (public, default 20 / max 200 per page)
  • GET /api/v1/factions/{id} — single faction (public)
  • POST /api/v1/accounts/register — account registration (public); accepts { "username": "...", "password": "..." }, returns JWT token
  • POST /api/v1/accounts/login — account login (public); accepts { "username": "...", "password": "..." }, returns JWT token (supports headless Minecraft plugin auth via command line)
  • GET /api/v1/accounts/me — account profile (JWT required); returns account details and linked API keys
  • POST /api/v1/accounts/me/api-keys — create API key linked to account (JWT required); accepts { "serverName": "..." }, returns one-time raw key
  • DELETE /api/v1/accounts/me/api-keys/{keyId} — delete an API key (JWT required)
• Auth: Dual auth model — X-API-Key header filter on write methods, validated against SHA-256 hashes in the api_keys table; Spring Security with stateless JWT for account management endpoints. BCrypt password hashing for accounts. Single registration flow through account system (no standalone API key registration endpoint).
• Schema: Flyway-managed (V1__create_factions_table.sql, V2__create_api_keys_and_faction_fields.sql, V3__create_accounts_table.sql), UNIQUE constraint on (name, server_id), api_keys.owner_id NOT NULL FK to accounts, entity uses @PrePersist/@PreUpdate lifecycle callbacks, UUIDs generated by Hibernate
• Data model: faction name, server ID, member count, description (TEXT), optional serverIp and discordLink, timestamps; accounts with username/password (BCrypt), API keys linked to accounts via owner_id
• Lombok: @Getter/@Setter/@NoArgsConstructor/@RequiredArgsConstructor on entities, services, controllers, and filters to reduce boilerplate
• OpenAPI/Swagger: springdoc-openapi integration with Swagger UI at /swagger-ui.html, OpenAPI spec at /v3/api-docs, @Operation/@Tag/@SecurityScheme annotations on all endpoints (both API key and JWT bearer token)
• Global exception handler: @RestControllerAdvice with handlers for validation errors (400), malformed JSON (400), type mismatches (400), and a catch-all (500) returning consistent JSON error responses. ApiKeyAuthFilter error responses also use the same structured format (timestamp/status/error/message) for consistency.
• Shared utilities: HashUtil consolidates SHA-256 hashing used by both AccountService and ApiKeyService into a single security-critical code path
• JWT secret validation: Startup check ensures dpc.jwt.secret meets the minimum 256-bit (32-byte) length requirement for HS256, with a clear error message on misconfiguration
• CORS: Configurable cross-origin support via dpc.cors.allowed-origins property (defaults to *), enabling the Next.js frontend to call the API from a different origin. Allows Authorization, X-API-Key, and Content-Type headers.
• Maven Wrapper: Includes maven-wrapper.jar in .mvn/wrapper/ for reliable Docker builds on Alpine Linux without requiring curl or wget

Account management

• Account system: Users (including Minecraft players via plugins) can register and log in with username/password via REST API, receiving a JWT token for authenticated operations. This is the single entry point for registration — API keys are created through the account profile after authentication.
• Headless CLI support: Login and registration endpoints accept JSON POST requests, making them compatible with Minecraft plugin command-line flows (no browser required)
• API key association: API keys created through the account system are linked to the user's profile via owner_id NOT NULL foreign key
• Profile management: Authenticated users can view their profile and manage (create/delete) their API keys
• Website UI: Account management page at /account (Next.js/MUI) with login, registration, profile view, and API key CRUD. Clipboard copy with error handling, proper error feedback for all non-OK HTTP responses, and accessible aria-label attributes on all interactive IconButtons.

Infrastructure

• Docker Compose: dpc-db (PostgreSQL 16 Alpine) and dpc-api services with multi-stage Dockerfile (JDK builder + JRE runtime). Maven wrapper JAR included for offline builds.
• CI: build-api job in build.yml runs ./mvnw verify with Java 17 (Temurin) on push/PR to main and develop
• Tests: 69 tests total — AccountControllerTest (20), FactionControllerTest (20), AccountServiceTest (8), FactionServiceTest (9), ApiKeyServiceTest (5), JwtServiceTest (6), DpcApiApplicationTests (1). Integration tests use MockMvc + H2 in-memory DB.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

Adds a new dpc-api/ Spring Boot module to serve a community data REST API (starting with Factions) alongside the existing Next.js website, plus local-dev infrastructure via Docker Compose.

Changes:

• Introduces a Spring Boot 3.2.x + JPA + Flyway + PostgreSQL-backed API module with /api/v1/factions endpoints and API-key auth on write methods.
• Adds Flyway migration + JPA entity/DTO/service/controller layers for faction ingestion and public reads.
• Adds Docker Compose services for dpc-db (Postgres) and dpc-api, plus MockMvc + H2 integration tests.

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
dpc-api/src/test/resources/application-test.yml	Test profile config for H2 + disables Flyway.
dpc-api/src/test/java/com/dansplugins/api/controller/FactionControllerTest.java	MockMvc integration tests for auth/validation/paging/read endpoints.
dpc-api/src/test/java/com/dansplugins/api/DpcApiApplicationTests.java	Basic Spring context load test.
dpc-api/src/main/resources/db/migration/V1__create_factions_table.sql	Flyway migration to create factions table + index.
dpc-api/src/main/resources/application.yml	Runtime configuration for Postgres/Flyway and API key property.
dpc-api/src/main/java/com/dansplugins/api/service/FactionService.java	Service layer for create/list/get faction(s).
dpc-api/src/main/java/com/dansplugins/api/repository/FactionRepository.java	Spring Data JPA repository for Faction.
dpc-api/src/main/java/com/dansplugins/api/filter/ApiKeyAuthFilter.java	API-key auth filter applied to write HTTP methods.
dpc-api/src/main/java/com/dansplugins/api/entity/Faction.java	JPA entity mapping and timestamp lifecycle hooks.
dpc-api/src/main/java/com/dansplugins/api/dto/FactionResponse.java	API response DTO mapping from entity.
dpc-api/src/main/java/com/dansplugins/api/dto/FactionRequest.java	Request DTO with Bean Validation constraints.
dpc-api/src/main/java/com/dansplugins/api/controller/FactionController.java	REST controller for create/list/get endpoints.
dpc-api/src/main/java/com/dansplugins/api/config/ApiKeyConfig.java	Fail-fast validation that API key is configured.
dpc-api/src/main/java/com/dansplugins/api/DpcApiApplication.java	Spring Boot application entrypoint.
dpc-api/pom.xml	Maven build definition and dependencies.
dpc-api/mvnw.cmd	Maven wrapper script (Windows).
dpc-api/mvnw	Maven wrapper script (Unix).
dpc-api/README.md	Module documentation (local dev, config, endpoints).
dpc-api/Dockerfile	Container image definition for the API.
dpc-api/.mvn/wrapper/maven-wrapper.properties	Maven wrapper distribution configuration.
compose.yml	Adds dpc-db and dpc-api services for local dev.
.gitignore	Ignores Maven build outputs and un-ignores dpc-api/pom.xml.

[Copilot]

The image build expects a pre-built JAR at target/dpc-api-*.jar, but docker compose up --build will run docker build without running Maven first (and dpc-api/target/ is gitignored). Use a multi-stage Dockerfile that builds the JAR (e.g., run ./mvnw -DskipTests package in a builder stage) or adjust Compose to build the JAR before building the image.

Suggested change

	FROM eclipse-temurin:17-jre-alpine
	WORKDIR /app
	COPY target/dpc-api-*.jar app.jar
	FROM eclipse-temurin:17-jdk-alpine AS builder
	WORKDIR /build
	COPY mvnw pom.xml ./
	COPY .mvn .mvn
	COPY src src
	RUN ./mvnw -DskipTests package
	FROM eclipse-temurin:17-jre-alpine
	WORKDIR /app
	COPY --from=builder /build/target/dpc-api-*.jar app.jar

[Copilot]

DPC_API_KEY defaults to changeme in Compose, which makes it easy to accidentally deploy/run with a known API key. Consider removing the default and failing fast (let the API refuse to start when the key isn’t provided), or at minimum generate a random dev-only key and document it.

Suggested change

	DPC_API_KEY: ${DPC_API_KEY:-changeme}
	DPC_API_KEY: ${DPC_API_KEY:?DPC_API_KEY must be set}

[Copilot]

gen_random_uuid() requires the pgcrypto extension in Postgres; on a fresh postgres:16-alpine instance this migration can fail unless the extension is enabled. Either add CREATE EXTENSION IF NOT EXISTS pgcrypto; in the migration or remove the DB-side default if UUIDs are generated by Hibernate.

[Copilot]

The migration defines description as TEXT, but the entity maps it as a default String (typically VARCHAR(255)), and spring.jpa.hibernate.ddl-auto is set to validate. This can cause schema validation failures at startup. Align the mappings (e.g., mark the field as @Lob / @Column(columnDefinition = "TEXT") or change the column type in the migration).

Suggested change

	@Column(columnDefinition = "TEXT")

[Copilot]

The startup validation message says the DPC_API_KEY environment variable must be set, but the actual requirement is that dpc.api.key is configured (which could come from other property sources). Consider wording this as “dpc.api.key must be configured (e.g., via DPC_API_KEY env var)” to avoid misleading operators.

Suggested change

	"DPC_API_KEY environment variable must be set. "
	"`dpc.api.key` must be configured (e.g., via DPC_API_KEY environment variable). "

[Copilot]

Pageable parameters are fully client-controlled here; without a configured max page size, callers can request extremely large size values and force expensive DB queries. Consider setting spring.data.web.pageable.max-page-size (and possibly a default page size) in application.yml to put an upper bound on size.

Suggested change

	enabled: true
	enabled: true
	data:
	web:
	pageable:
	default-page-size: 20
	max-page-size: 200

[Copilot]

With Spring Boot 3.2.x the managed Flyway version is in the 10.x line, where several databases (including PostgreSQL) require an additional flyway-database-postgresql dependency. With only flyway-core present, Flyway can fail at runtime with an “Unsupported Database: PostgreSQL …” error. Add the PostgreSQL Flyway database module (or pin Flyway to a version where Postgres support is bundled).

[dmccoystephenson]

@copilot address comments

[Copilot]

@copilot address comments

All 7 review comments addressed in 7b85b1b:

1. Dockerfile → multi-stage build (JDK builder stage + JRE runtime stage) so docker compose up --build works without pre-building the JAR
2. compose.yml → DPC_API_KEY now uses ${DPC_API_KEY:?DPC_API_KEY must be set} — Compose will fail if unset
3. Flyway migration → removed DEFAULT gen_random_uuid() since Hibernate generates UUIDs, no pgcrypto needed
4. Faction entity → added @Column(columnDefinition = "TEXT") on description to match the migration
5. ApiKeyConfig → updated error message to reference dpc.api.key property name
6. application.yml → added spring.data.web.pageable.default-page-size: 20 and max-page-size: 200
7. pom.xml → upgraded to Spring Boot 3.4.4 (Flyway 10.x) and added flyway-database-postgresql dependency

All 9 tests pass.

[dmccoystephenson]

@copilot How do operators get an API key are we gonna have account creation in this PR?

[Copilot]

@copilot How do operators get an API key are we gonna have account creation in this PR?

No account creation in this PR. The current auth model is a single shared secret: the person deploying the API sets DPC_API_KEY as an environment variable, then distributes that same key to Minecraft server operators who need write access (they send it via the X-API-Key header on POST requests). GET endpoints are public — no key needed.

If per-operator keys or self-service registration is needed down the road, that would be a separate feature (e.g., an api_keys table with hashed keys, scopes, and an admin UI or CLI to issue them).

[dmccoystephenson]

@copilot the ability to auto register is a requirement; ensure this PR aligns with Dans-Plugins/Medieval-Factions#1959

[dmccoystephenson]

@copilot there should only be one register endpoint

[Copilot]

@copilot there should only be one register endpoint

Consolidated to a single register endpoint in 582166d. Removed the standalone POST /api/v1/register (legacy API key registration). All registration now goes through POST /api/v1/accounts/register, and API keys are created via POST /api/v1/accounts/me/api-keys (JWT-authenticated).

Removed: RegisterController, RegisterRequest, RegisterResponse, RegisterControllerTest (8 tests). Updated: SecurityConfig, ApiKeyAuthFilter, ApiKeyService (removed register() method), ApiKey entity, FactionControllerTest, ApiKeyServiceTest, README. 69 tests pass, 0 CodeQL alerts.

@copilot Backwards compatibility is not a concern here as this is all new

Understood — since this is all new code, I'm not maintaining backwards compatibility with any prior API contract. The standalone POST /api/v1/register endpoint has been removed in 582166d to consolidate to a single register endpoint at POST /api/v1/accounts/register.

[Copilot]

Pull request overview

Copilot reviewed 47 out of 48 changed files in this pull request and generated 5 comments.

[Copilot]

fetchProfile only handles res.ok and 401; for other non-OK statuses it silently does nothing, leaving the UI without feedback. Consider handling the else case by setting an error message (and optionally clearing profile) so failed requests don’t appear to succeed.

[Copilot]

navigator.clipboard.writeText returns a Promise and can reject (e.g., insecure context/permissions). This call isn’t awaited or caught, which can cause unhandled promise rejections; handle the Promise and surface a failure message when copy isn’t available.

[Copilot]

AccountService re-implements SHA-256 hashing logic that already exists in ApiKeyService, creating duplicated security-critical code paths. Consolidate hashing into a single shared method/service so changes (e.g., salting/encoding) can’t accidentally diverge.

[Copilot]

Keys.hmacShaKeyFor(...) will throw at runtime if dpc.jwt.secret is too short for the chosen HMAC algorithm; right now that failure will be a somewhat opaque startup exception. Add an explicit length/strength check with a clear error message so misconfiguration is easier to diagnose.

[Copilot]

owner_id is nullable in the schema, but the application logic assumes API keys are account-owned (e.g., deletion checks key.getOwner() != null). Consider enforcing owner_id as NOT NULL (after any needed backfill) to prevent creating keys that can’t be managed through the account APIs.

[dmccoystephenson]

@copilot address comments and ensure that the backend has a global exception handler

[Copilot]

@copilot address comments and ensure that the backend has a global exception handler

All 5 review comments addressed and global exception handler added in e9de2d3:

1. fetchProfile → handles all non-OK HTTP statuses (not just 200/401)
2. copyToClipboard → properly awaits clipboard Promise with error handling
3. SHA-256 hashing → consolidated into shared HashUtil utility (removed duplication between AccountService and ApiKeyService)
4. JWT secret → validates minimum 32-byte length at startup with clear error message
5. owner_id → NOT NULL constraint in V3 migration, entity updated with optional = false

Global exception handler (GlobalExceptionHandler.java): @RestControllerAdvice with handlers for MethodArgumentNotValidException, HandlerMethodValidationException, ConstraintViolationException, HttpMessageNotReadableException, MethodArgumentTypeMismatchException, IllegalArgumentException, and a catch-all Exception handler. All return structured JSON error responses with timestamp, status, error, and message.

69 tests pass, 0 CodeQL alerts.

[Copilot]

Pull request overview

Copilot reviewed 49 out of 50 changed files in this pull request and generated 4 comments.

[Copilot]

The frontend calls the API on a different origin by default (API_BASE falls back to http://localhost:8080 while the site runs on :3000). The API currently has no CORS configuration, so browser requests from the website will be blocked. Add explicit CORS support (e.g., enable http.cors() and provide a CorsConfigurationSource that allows the website origin(s) and required headers like Authorization and X-API-Key).

[Copilot]

This filter writes a hard-coded JSON body ("{"error":...}") directly to the response for invalid/missing API keys, which is inconsistent with the structured error format returned elsewhere (GlobalExceptionHandler). Consider routing this through Spring’s exception handling (e.g., throw an authentication/authorization exception) or use a shared error-response builder/ObjectMapper so clients get consistent fields (timestamp/status/message) and content-type/encoding are handled uniformly.

[Copilot]

The copy IconButton is missing an accessible label. Add an aria-label (and/or title) so screen readers can announce the action (e.g., "Copy API key to clipboard").

[Copilot]

The delete IconButton is missing an accessible label. Add an aria-label (and/or title) so assistive tech users know this deletes the API key.

[dmccoystephenson]

@copilot address comments

[Copilot]

@copilot address comments

All 4 review comments addressed in 19ff1a1 and 5d001fc:

1. CORS → CorsConfigurationSource bean in SecurityConfig with configurable dpc.cors.allowed-origins property (defaults to http://localhost:3000). Allows Authorization, Content-Type, and X-API-Key headers. Uses allowedOriginPatterns for safe wildcard+credential support with whitespace trimming.
2. ApiKeyAuthFilter → error responses now use structured JSON body matching GlobalExceptionHandler format (timestamp/status/error/message) via Jackson ObjectMapper instead of hard-coded string.
3. Copy IconButton → added aria-label="Copy API key to clipboard"
4. Delete IconButton → added aria-label="Delete API key"

69 tests pass, 0 CodeQL alerts.

[dmccoystephenson]

@copilot Ran into the following while building Docker image

=> ERROR [dpc-website_dpc-api builder 6/6] RUN ./mvnw -DskipTests package

Add maven wrapper to prevent this

[Copilot]

@copilot Ran into the following while building Docker image

=> ERROR [dpc-website_dpc-api builder 6/6] RUN ./mvnw -DskipTests package

...

Added the Maven wrapper JAR (v3.3.4) to .mvn/wrapper/ and removed distributionType=only-script from maven-wrapper.properties in 261b2e2. The Alpine-based Docker image was failing because only-script mode requires curl/wget to download Maven, but Alpine doesn't have either. With the wrapper JAR included, ./mvnw works without network download tools.