Skip to content

Add user and refresh token entities#10

Merged
men229 merged 7 commits intomainfrom
men228/feature/database
Mar 22, 2026
Merged

Add user and refresh token entities#10
men229 merged 7 commits intomainfrom
men228/feature/database

Conversation

@men229
Copy link
Collaborator

@men229 men229 commented Mar 21, 2026

No description provided.

@coderabbitai
Copy link

coderabbitai bot commented Mar 21, 2026
edited
Loading

Important

Review skipped

This PR was authored by the user configured for CodeRabbit reviews. CodeRabbit does not review PRs authored by this user. It's recommended to use a dedicated user account to post CodeRabbit review feedback.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0f1c8fd7-2740-4331-a2b3-ed2922ec7ee8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR introduces foundational JPA entities and Spring Data repositories for user authentication management. New entities include UserEntity with profile/authorization fields and RefreshTokenEntity for token storage. Supporting enums define user roles and token statuses. Repository interfaces provide standard CRUD and custom query operations for users and refresh tokens.

Changes

Cohort / File(s) Summary
Core Entities
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java, backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java		 Added two new JPA entities: UserEntity with UUID primary key, email/nickname/password fields, role-based authorization, and auditing timestamps; RefreshTokenEntity with tokenHash, user association, expiration, and status tracking.
Enumerations
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java, backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/RefreshTokenStatus.java		 Added two simple enums: Role with STUDENT/TEACHER constants and RefreshTokenStatus with ACTIVE/INACTIVE constants for type-safe authorization and token state management.
Repository Interfaces
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java, backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java		 Added Spring Data JPA repositories for UserEntity (with email lookup methods) and RefreshTokenEntity (with token-hash lookup and transactional status update operations).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hop hop, the entities are born!
Users and tokens, well-formed and true,
Roles hopping high, statuses shining new,
Repositories ready to store and find—
Authentication's foundation, carefully designed! 🔐

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning No pull request description was provided by the author, making it impossible to assess relevance to the changeset. Add a pull request description summarizing the changes, objectives, and any important context or considerations for reviewers.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: adding user and refresh token entities to the database layer.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 21, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 13

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`:
- Around line 31-32: The status field in RefreshTokenEntity is currently stored
as an ordinal; update the mapping by annotating the field with
`@Enumerated`(EnumType.STRING) to persist the enum name instead of its ordinal.
Modify the RefreshTokenEntity class to add the `@Enumerated`(EnumType.STRING)
annotation above the private StatusRefreshToken status; ensure you import
javax.persistence.Enumerated and javax.persistence.EnumType (or the project's
JPA equivalents) so the StatusRefreshToken values are stored as strings.
- Around line 14-15: Replace Lombok's `@Data` on RefreshTokenEntity with explicit
`@Getter` and `@Setter` (and keep `@NoArgsConstructor`) to avoid auto-generating
equals/hashCode/toString that touch lazy associations; remove `@Data` and add
`@Getter/`@Setter on the class, and implement equals() and hashCode() manually to
use only the identifier field (id) so comparisons don't trigger lazy load or
fail for detached entities; also avoid including association fields in any
toString() implementation or omit toString entirely to prevent accidental
initialization of `@ManyToOne`(fetch = FetchType.LAZY) relationships.
- Around line 12-33: The Spotless formatting violation is in the
RefreshTokenEntity class; run the Spotless formatter to fix code style issues
(e.g., run ./gradlew spotlessApply), reformat the file containing class
RefreshTokenEntity
(backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java),
review the resulting changes to ensure annotations and imports remain intact
(fields id, tokenHash, user, expiresAt, status and their JPA annotations
unchanged), then add and commit the formatted file.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`:
- Around line 16-60: The file UserEntity has a Spotless formatting violation;
run the formatter and apply changes (e.g., execute ./gradlew spotlessApply) to
reformat the class UserEntity and related source (preserving annotations like
`@Entity`, `@Table`, `@Id`, `@GeneratedValue`, fields such as id, nickname, email,
passwordHash, role, createdAt, updatedAt) so the file conforms to the project's
Spotless rules, then review and commit the resulting whitespace/formatting-only
changes.
- Around line 61-70: Remove the dead commented-out UserDetails implementation
inside the UserEntity class: delete the commented overrides for getAuthorities()
and getPassword() (the lines referencing SimpleGrantedAuthority, role, and
passwordHash) so the class no longer contains commented code; if the UserDetails
behavior is later required it can be restored from VCS.

In `@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java`:
- Around line 3-6: The Role enum (Role, STUDENT, TEACHER) fails Spotless
formatting; run the project's formatter (./gradlew spotlessApply) or reformat
the file to match Spotless rules, then stage and commit the updated Role enum
file so the formatting violation is resolved and CI passes.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/StatusRefreshToken.java`:
- Around line 3-7: The Spotless formatting violation is in the
StatusRefreshToken enum; run the formatter and commit the change by executing
./gradlew spotlessApply (or apply your IDE's Java/Spotless formatting) to
reformat
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/StatusRefreshToken.java
so it meets project Spotless rules, then stage and push the updated file (ensure
enum StatusRefreshToken remains unchanged functionally).

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Around line 31-34: The method name setStatusUsedRefreshToken is misleading
because it implies setting tokens to USED but the method accepts currentStatus
and newStatus; rename it to a clearer, generic name such as
updateStatusByUserAndCurrentStatus (or updateRefreshTokenStatusForUser) and
update all usages and repository/interface references accordingly; ensure the
method signature remains the same (params: UserEntity userEntity,
StatusRefreshToken currentStatus, StatusRefreshToken newStatus) and update any
JPQL/SQL query or mapping annotations that reference the old method name.
- Around line 15-35: Run code formatter to fix the Spotless Java violation in
RefreshTokenRepository by applying the project's Spotless rules (run ./gradlew
spotlessApply), then commit the formatted changes; specifically ensure the
interface RefreshTokenRepository and its methods findByTokenHash,
setStatusByRefreshToken, and setStatusUsedRefreshToken adhere to the project's
formatting style (spacing, indentation, and multiline `@Query` formatting) so CI
no longer fails.
- Around line 23-34: The `@Modifying` annotation on setStatusUsedRefreshToken is
missing the same options used by setStatusByRefreshToken; update the `@Modifying`
on setStatusUsedRefreshToken to include clearAutomatically = true and
flushAutomatically = true so it matches setStatusByRefreshToken and avoids
inconsistent persistence context behavior when updating RefreshTokenEntity.
- Around line 18-21: The JPQL query in RefreshTokenRepository's
setStatusByRefreshToken method contains an extra space before WHERE; edit the
`@Query` string in setStatusByRefreshToken to remove the double space so it reads
"UPDATE RefreshTokenEntity r SET r.status = :status WHERE r.tokenHash =
:tokenHash" (update the query literal only, leaving the method signature,
`@Transactional`, `@Modifying` and `@Param` annotations unchanged).

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java`:
- Line 11: Rename the parameter in UserRepository's findByEmail method from
"login" to "email" so the signature reads findByEmail(String email), matching
the naming used by existsByEmail and improving clarity and consistency; update
any call sites or usages if necessary to use the new parameter name.
- Around line 9-14: The Spotless formatting violation is caused by Java source
formatting in UserRepository; run the formatter (./gradlew spotlessApply) and
commit the changes so the interface UserRepository (and its methods findByEmail
and existsByEmail) adhere to the project's Spotless rules; ensure any imports,
spacing, and line endings in UserRepository are corrected and then re-run the
Gradle build to confirm the violation is resolved.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 241c1830-f7b7-49ba-b174-31e03f91ec38

📥 Commits

Reviewing files that changed from the base of the PR and between 3a88d07 and b8c2d4f.

📒 Files selected for processing (6)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/StatusRefreshToken.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java

coderabbitai[bot]
coderabbitai bot reviewed Mar 21, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (5)
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java (1)

23-24: 🧹 Nitpick | 🔵 Trivial

Use consistent @Modifying context synchronization options.

At Line 23, setStatusUsedRefreshToken should match Line 19 (clearAutomatically + flushAutomatically) to avoid stale persistence context behavior.

♻️ Suggested fix 
-    `@Modifying`
+    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
     `@Transactional`
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`
around lines 23 - 24, The `@Modifying` annotation on setStatusUsedRefreshToken
must include the same context sync options as the other modifying method to
avoid stale persistence state; update the `@Modifying` on
setStatusUsedRefreshToken in RefreshTokenRepository to include
clearAutomatically = true and flushAutomatically = true so it matches the other
method (and ensure the `@Transactional` remains present).
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java (2)

31-32: ⚠️ Potential issue | 🟠 Major

Persist status as STRING to prevent enum-order corruption.

At Line 31, without @Enumerated(EnumType.STRING), JPA stores ordinal values by default.

🛠️ Proposed fix 
+    `@Enumerated`(EnumType.STRING)
     `@Column`(nullable = false)
     private StatusRefreshToken status;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`
around lines 31 - 32, The status field in RefreshTokenEntity is currently a
StatusRefreshToken enum stored by ordinal which can break if enum order changes;
annotate the field with `@Enumerated`(EnumType.STRING) so JPA persists the enum
name instead of its ordinal (update the private StatusRefreshToken status
declaration in RefreshTokenEntity to include `@Enumerated`(EnumType.STRING) and
import javax.persistence.Enumerated and javax.persistence.EnumType accordingly).

14-26: 🛠️ Refactor suggestion | 🟠 Major

Avoid Lombok @Data on JPA entity with lazy association.

At Line 14, @Data can generate equals/hashCode/toString touching user (LAZY), causing unintended loads and fragile behavior.

♻️ Proposed refactor 
-import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
 import lombok.NoArgsConstructor;
+import lombok.Setter;
@@
-@Data
+@Getter
+@Setter
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
 `@NoArgsConstructor`
 public class RefreshTokenEntity {
@@
+    `@EqualsAndHashCode.Include`
     `@Id`
     `@GeneratedValue`(strategy = GenerationType.UUID)
     private UUID id;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`
around lines 14 - 26, The entity RefreshTokenEntity uses Lombok's `@Data` which
generates equals/hashCode/toString that may access the LAZY user field and
trigger unintended loads; replace `@Data` with explicit Lombok annotations (e.g.,
`@Getter` and `@Setter`) and remove automatic generation of
equals/hashCode/toString, then implement or annotate safe versions that exclude
the user association (or use `@EqualsAndHashCode`(onlyExplicitlyIncluded = true)
and `@ToString`(onlyExplicitlyIncluded = true) with only id/tokenHash included) so
that equals, hashCode and toString do not reference the user field.
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java (1)

61-69: 🧹 Nitpick | 🔵 Trivial

Remove commented-out dead security code from the entity.

At Line 61, keeping commented implementations in UserEntity adds noise and obscures the security boundary.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`
around lines 61 - 69, Remove the commented-out security methods from UserEntity:
delete the commented blocks for getAuthorities() and getPassword() (which
reference SimpleGrantedAuthority, role, and passwordHash) so the entity no
longer contains dead/security-related commented code; if those behaviors are
required, implement them in a dedicated SecurityUser or a UserDetails adapter
instead of leaving commented methods in UserEntity.
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java (1)

11-11: 🧹 Nitpick | 🔵 Trivial

Use email parameter name for consistency.

At Line 11, findByEmail(String login) is semantically correct but inconsistent with existsByEmail(String email) at Line 13.

♻️ Suggested rename 
-    Optional<UserEntity> findByEmail(String login);
+    Optional<UserEntity> findByEmail(String email);
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java`
at line 11, In UserRepository, rename the parameter in the method signature
findByEmail(String login) to use the same name as existsByEmail — change it to
findByEmail(String email) in the UserRepository interface (affecting the
UserEntity lookup) and update any call sites or references to the old parameter
name to use "email" so the API is consistent.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`:
- Around line 31-32: The status field in RefreshTokenEntity is currently a
StatusRefreshToken enum stored by ordinal which can break if enum order changes;
annotate the field with `@Enumerated`(EnumType.STRING) so JPA persists the enum
name instead of its ordinal (update the private StatusRefreshToken status
declaration in RefreshTokenEntity to include `@Enumerated`(EnumType.STRING) and
import javax.persistence.Enumerated and javax.persistence.EnumType accordingly).
- Around line 14-26: The entity RefreshTokenEntity uses Lombok's `@Data` which
generates equals/hashCode/toString that may access the LAZY user field and
trigger unintended loads; replace `@Data` with explicit Lombok annotations (e.g.,
`@Getter` and `@Setter`) and remove automatic generation of
equals/hashCode/toString, then implement or annotate safe versions that exclude
the user association (or use `@EqualsAndHashCode`(onlyExplicitlyIncluded = true)
and `@ToString`(onlyExplicitlyIncluded = true) with only id/tokenHash included) so
that equals, hashCode and toString do not reference the user field.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`:
- Around line 61-69: Remove the commented-out security methods from UserEntity:
delete the commented blocks for getAuthorities() and getPassword() (which
reference SimpleGrantedAuthority, role, and passwordHash) so the entity no
longer contains dead/security-related commented code; if those behaviors are
required, implement them in a dedicated SecurityUser or a UserDetails adapter
instead of leaving commented methods in UserEntity.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Around line 23-24: The `@Modifying` annotation on setStatusUsedRefreshToken must
include the same context sync options as the other modifying method to avoid
stale persistence state; update the `@Modifying` on setStatusUsedRefreshToken in
RefreshTokenRepository to include clearAutomatically = true and
flushAutomatically = true so it matches the other method (and ensure the
`@Transactional` remains present).

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java`:
- Line 11: In UserRepository, rename the parameter in the method signature
findByEmail(String login) to use the same name as existsByEmail — change it to
findByEmail(String email) in the UserRepository interface (affecting the
UserEntity lookup) and update any call sites or references to the old parameter
name to use "email" so the API is consistent.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 83307d2f-5a60-4f0a-81a6-fe5e1e2481e5

📥 Commits

Reviewing files that changed from the base of the PR and between b8c2d4f and 93edee3.

📒 Files selected for processing (6)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/StatusRefreshToken.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java

coderabbitai[bot]
coderabbitai bot reviewed Mar 21, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (2)
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java (2)

20-20: ⚠️ Potential issue | 🟡 Minor

Remove the extra space in JPQL string.

At Line 20, there is a double space before WHERE; it’s harmless but noisy and was already flagged previously.

✏️ Proposed fix 
-    `@Query`("UPDATE RefreshTokenEntity r SET r.status = :status  WHERE r.tokenHash = :tokenHash")
+    `@Query`("UPDATE RefreshTokenEntity r SET r.status = :status WHERE r.tokenHash = :tokenHash")
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`
at line 20, The JPQL string in the `@Query` annotation on RefreshTokenRepository
contains an extra space before WHERE; update the Query value in
RefreshTokenRepository (the `@Query`("UPDATE RefreshTokenEntity r SET r.status =
:status  WHERE r.tokenHash = :tokenHash")) to use a single space so it reads
"...:status WHERE r.tokenHash = :tokenHash" to remove the double space.

19-20: ⚠️ Potential issue | 🟠 Major

Flush before clearing persistence context in bulk updates.

At Line 19 and Line 24, @Modifying(clearAutomatically = true) can clear the persistence context without first flushing pending dirty entities, which risks silent data loss around bulk updates. Add flushAutomatically = true to both methods.

♻️ Proposed fix 
-    `@Modifying`(clearAutomatically = true)
+    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
     `@Query`("UPDATE RefreshTokenEntity r SET r.status = :status  WHERE r.tokenHash = :tokenHash")
     void setStatusByRefreshToken(`@Param`("tokenHash") String tokenHash, `@Param`("status") StatusRefreshToken status);

     `@Transactional`
-    `@Modifying`(clearAutomatically = true)
+    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
     `@Query`("""
     UPDATE RefreshTokenEntity r
#!/bin/bash
# Verify all `@Modifying` usages that clear but do not flush.
rg -nP --type=java '@Modifying\(\s*clearAutomatically\s*=\s*true(?![^)]*flushAutomatically)' -C2

Also applies to: 24-30

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`
around lines 19 - 20, Two repository methods in RefreshTokenRepository use
`@Modifying`(clearAutomatically = true) for bulk updates; add flushAutomatically =
true to those `@Modifying` annotations so the persistence context is flushed
before it’s cleared. Locate the `@Modifying` annotations that annotate the UPDATE
queries (the one for "UPDATE RefreshTokenEntity r SET r.status = :status WHERE
r.tokenHash = :tokenHash" and the other bulk-update method further down) and
change them to include flushAutomatically = true alongside clearAutomatically =
true.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Line 20: The JPQL string in the `@Query` annotation on RefreshTokenRepository
contains an extra space before WHERE; update the Query value in
RefreshTokenRepository (the `@Query`("UPDATE RefreshTokenEntity r SET r.status =
:status  WHERE r.tokenHash = :tokenHash")) to use a single space so it reads
"...:status WHERE r.tokenHash = :tokenHash" to remove the double space.
- Around line 19-20: Two repository methods in RefreshTokenRepository use
`@Modifying`(clearAutomatically = true) for bulk updates; add flushAutomatically =
true to those `@Modifying` annotations so the persistence context is flushed
before it’s cleared. Locate the `@Modifying` annotations that annotate the UPDATE
queries (the one for "UPDATE RefreshTokenEntity r SET r.status = :status WHERE
r.tokenHash = :tokenHash" and the other bulk-update method further down) and
change them to include flushAutomatically = true alongside clearAutomatically =
true.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 134d1173-5efb-41fe-8a80-3e57103f1bea

📥 Commits

Reviewing files that changed from the base of the PR and between 93edee3 and 72db2ee.

📒 Files selected for processing (4)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java

@Satlykovs
Copy link
Owner

Satlykovs commented Mar 21, 2026

@coderabbitai, can you add description to this PR?

@coderabbitai
Copy link

coderabbitai bot commented Mar 21, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

I'll compose and update the PR description now using the available context.

🏁 Script executed:

#!/bin/bash
gh pr edit 10 --repo Satlykovs/SmartJam --body "## Summary

This PR introduces the core database layer for user management and refresh token tracking in the SmartJam API.

---

## Changes

### Entities

#### \`UserEntity\`
- Mapped to the \`users\` table.
- UUID primary key generated via \`GenerationType.UUID\`.
- Fields:
  - \`nickname\`, \`email\` (unique), \`passwordHash\`
  - Optional: \`firstName\`, \`lastName\`, \`avatarUrl\`, \`fcmToken\`
  - \`role\` (persisted as string enum, defaults to \`Role.STUDENT\`)
  - Audit timestamps: \`createdAt\` (non-updatable), \`updatedAt\`
- Lombok: \`@Getter\`, \`@Setter\`, \`@NoArgsConstructor\`, \`@AllArgsConstructor\`

#### \`RefreshTokenEntity\`
- Mapped to the \`refresh_tokens\` table.
- UUID primary key generated via \`GenerationType.UUID\`.
- Fields:
  - \`tokenHash\` — unique, non-null hash of the refresh token
  - \`user\` — lazy \`@ManyToOne\` association to \`UserEntity\` via \`user_id\`
  - \`expiresAt\` — non-null \`Instant\` for token expiry
  - \`status\` — non-null \`StatusRefreshToken\` enum persisted as a string
- Lombok: \`@Getter\`, \`@Setter\`, \`@NoArgsConstructor\`, \`@AllArgsConstructor\`

---

### Enums

#### \`Role\`
- Constants: \`STUDENT\`, \`TEACHER\`

#### \`StatusRefreshToken\`
- Constants: \`ACTIVE\`, \`USED\`, \`REVOKED\`

---

### Repositories

#### \`UserRepository\`
- Extends \`JpaRepository<UserEntity, UUID>\`
- Methods:
  - \`Optional<UserEntity> findByEmail(String email)\`
  - \`boolean existsByEmail(String email)\`

#### \`RefreshTokenRepository\`
- Extends \`JpaRepository<RefreshTokenEntity, UUID>\`
- Methods:
  - \`Optional<RefreshTokenEntity> findByTokenHash(String token)\`
  - \`void setStatusByRefreshToken(String tokenHash, StatusRefreshToken status)\` — JPQL bulk update
  - \`void updateStatusByUserAndCurrentStatus(UserEntity userEntity, StatusRefreshToken currentStatus, StatusRefreshToken newStatus)\` — JPQL bulk update

---

## Notes
- Both \`@Modifying\` repository methods use \`clearAutomatically = true\` and are \`@Transactional\` to ensure the persistence context is cleared after bulk updates.
- Refresh tokens are stored as hashes (\`tokenHash\`) rather than plain values to avoid exposing replayable tokens if the database is compromised.
"

Length of output: 604

@Satlykovs, unfortunately the gh pr edit command is blocked by workflow restriction settings in this environment, so I'm unable to update the PR description automatically. You can copy the description below and paste it into the PR manually:

Summary

This PR introduces the core database layer for user management and refresh token tracking in the SmartJam API.

Changes

Entities

UserEntity

  • Mapped to the users table.
  • UUID primary key generated via GenerationType.UUID.
  • Fields:
    • nickname, email (unique, non-null), passwordHash
    • Optional: firstName, lastName, avatarUrl, fcmToken
    • role — persisted as a string enum, defaults to Role.STUDENT
    • Audit timestamps: createdAt (non-null, non-updatable), updatedAt (non-null)
  • Lombok: @Getter, @Setter, @NoArgsConstructor, @AllArgsConstructor

RefreshTokenEntity

  • Mapped to the refresh_tokens table.
  • UUID primary key generated via GenerationType.UUID.
  • Fields:
    • tokenHash — unique, non-null hash of the refresh token
    • user — lazy @ManyToOne association to UserEntity via user_id
    • expiresAt — non-null Instant for token expiry
    • status — non-null StatusRefreshToken enum persisted as a string
  • Lombok: @Getter, @Setter, @NoArgsConstructor, @AllArgsConstructor

Enums

Role

  • Constants: STUDENT, TEACHER

StatusRefreshToken

  • Constants: ACTIVE, USED, REVOKED

Repositories

UserRepository

  • Extends JpaRepository<UserEntity, UUID>
  • Methods:
    • Optional<UserEntity> findByEmail(String email)
    • boolean existsByEmail(String email)

RefreshTokenRepository

  • Extends JpaRepository<RefreshTokenEntity, UUID>
  • Methods:
    • Optional<RefreshTokenEntity> findByTokenHash(String token)
    • void setStatusByRefreshToken(String tokenHash, StatusRefreshToken status) — JPQL bulk update
    • void updateStatusByUserAndCurrentStatus(UserEntity userEntity, StatusRefreshToken currentStatus, StatusRefreshToken newStatus) — JPQL bulk update

Notes

  • Both @Modifying repository methods use clearAutomatically = true and are @Transactional to ensure the persistence context is cleared after bulk updates.
  • Refresh tokens are stored as hashes (tokenHash) rather than plain values to avoid exposing replayable tokens if the database is compromised.
🧠 Learnings used 
Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), old refresh tokens are never deleted when a new token is issued in AuthService.getNewToken(). The fix is to call refreshTokenRepository.delete(refreshToken) before saving the new one. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), both UserRepository and RefreshTokenRepository incorrectly extend JpaRepository with Long as the ID type, but both UserEntity and RefreshTokenEntity use UUID as the primary key (GenerationType.UUID). The correct declarations are JpaRepository<UserEntity, UUID> and JpaRepository<RefreshTokenEntity, UUID>.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-11T22:19:39.121Z
Learning: In the SmartJam project (backend/smartjam-api), the team intends to use signed JWT tokens as refresh tokens (instead of opaque random strings). The RefreshTokenEntity in com.smartjam.smartjamapi.entity stores refresh token references in the DB for revocation tracking. The recommended pattern is to embed a `jti` (JWT ID) claim in the refresh JWT and store only the `jti` (or its hash) in the DB, rather than storing the full token string, to avoid exposing replayable tokens if the DB is compromised.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-12T21:20:40.707Z
Learning: In the SmartJam project, the JTI-based refresh token approach has been confirmed: store only the `jti` (UUID) from the refresh JWT in RefreshTokenEntity.jti (not the full token string). JwtService.generateRefreshToken() should build a signed JWT with a UUID jti claim. RefreshTokenRepository.findByJti(String jti) is used for lookups. AuthService extracts the jti after verifying the JWT signature and stores/validates against it. This applies to all relevant files under backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/.

Satlykovs
Satlykovs requested changes Mar 21, 2026
View reviewed changes
Copy link
Owner

@Satlykovs Satlykovs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Добавь документацию для классов, а так, вроде, почти все ок, есть мелкие поправки, посмотри

@Satlykovs
Copy link
Owner

Satlykovs commented Mar 21, 2026

@coderabbitai, and now? Can you add description? And pls check PR's code, if it's actually OK or not

@coderabbitai
Copy link

coderabbitai bot commented Mar 21, 2026

🧩 Analysis chain

Let me try updating the PR description and read the code files for review.

🏁 Script executed:

#!/bin/bash
# Try to update the PR description
gh pr edit 10 --repo Satlykovs/SmartJam --body "## Summary

This PR introduces the core database layer for user management and refresh token tracking in the SmartJam API.

---

## Changes

### Entities

#### \`UserEntity\`
- Mapped to the \`users\` table.
- UUID primary key generated via \`GenerationType.UUID\`.
- Fields:
  - \`nickname\`, \`email\` (unique, non-null), \`passwordHash\`
  - Optional: \`firstName\`, \`lastName\`, \`avatarUrl\`, \`fcmToken\`
  - \`role\` — persisted as a string enum, defaults to \`Role.STUDENT\`
  - Audit timestamps: \`createdAt\` (non-null, non-updatable), \`updatedAt\` (non-null)
- Lombok: \`@Getter\`, \`@Setter\`, \`@NoArgsConstructor\`, \`@AllArgsConstructor\`

#### \`RefreshTokenEntity\`
- Mapped to the \`refresh_tokens\` table.
- UUID primary key generated via \`GenerationType.UUID\`.
- Fields:
  - \`tokenHash\` — unique, non-null hash of the refresh token
  - \`user\` — lazy \`@ManyToOne\` association to \`UserEntity\` via \`user_id\`
  - \`expiresAt\` — non-null \`Instant\` for token expiry
  - \`status\` — non-null \`StatusRefreshToken\` enum persisted as a string
- Lombok: \`@Getter\`, \`@Setter\`, \`@NoArgsConstructor\`, \`@AllArgsConstructor\`

---

### Enums

#### \`Role\`
- Constants: \`STUDENT\`, \`TEACHER\`

#### \`StatusRefreshToken\`
- Constants: \`ACTIVE\`, \`USED\`, \`REVOKED\`

---

### Repositories

#### \`UserRepository\`
- Extends \`JpaRepository<UserEntity, UUID>\`
- Methods:
  - \`Optional<UserEntity> findByEmail(String email)\`
  - \`boolean existsByEmail(String email)\`

#### \`RefreshTokenRepository\`
- Extends \`JpaRepository<RefreshTokenEntity, UUID>\`
- Methods:
  - \`Optional<RefreshTokenEntity> findByTokenHash(String token)\`
  - \`void setStatusByRefreshToken(String tokenHash, StatusRefreshToken status)\` — JPQL bulk update
  - \`void updateStatusByUserAndCurrentStatus(UserEntity userEntity, StatusRefreshToken currentStatus, StatusRefreshToken newStatus)\` — JPQL bulk update

---

## Notes
- Both \`@Modifying\` repository methods use \`clearAutomatically = true\` and are \`@Transactional\` to ensure the persistence context is cleared after bulk updates.
- Refresh tokens are stored as hashes (\`tokenHash\`) rather than plain values to avoid exposing replayable tokens if the database is compromised."

echo "Exit code: $?"

# Read all the relevant files
echo "=== UserEntity ==="
fd "UserEntity.java" --exec cat {}

echo "=== RefreshTokenEntity ==="
fd "RefreshTokenEntity.java" --exec cat {}

echo "=== UserRepository ==="
fd "UserRepository.java" --exec cat {}

echo "=== RefreshTokenRepository ==="
fd "RefreshTokenRepository.java" --exec cat {}

echo "=== Role enum ==="
fd "Role.java" --exec cat {}

echo "=== StatusRefreshToken enum ==="
fd "StatusRefreshToken.java" --exec cat {}

Length of output: 614

🏁 Script executed:

#!/bin/bash
echo "=== UserEntity ==="
fd "UserEntity.java" --exec cat {}

echo "=== RefreshTokenEntity ==="
fd "RefreshTokenEntity.java" --exec cat {}

echo "=== UserRepository ==="
fd "UserRepository.java" --exec cat {}

echo "=== RefreshTokenRepository ==="
fd "RefreshTokenRepository.java" --exec cat {}

echo "=== Role enum ==="
fd "Role.java" --exec cat {}

echo "=== StatusRefreshToken enum ==="
fd "StatusRefreshToken.java" --exec cat {}

Length of output: 4380

@Satlykovs — Unfortunately gh pr edit is still blocked by the workflow restrictions in this environment. You can copy the description below and paste it manually into the PR.

PR Description (copy & paste)

## Summary

This PR introduces the core database layer for user management and refresh token tracking in the SmartJam API.

---

## Changes

### Entities

#### `UserEntity`
- Mapped to the `users` table.
- UUID primary key generated via `GenerationType.UUID`.
- Fields: `nickname`, `email` (unique, non-null), `passwordHash`, optional `firstName`, `lastName`, `avatarUrl`, `fcmToken`
- `role` — persisted as a string enum, defaults to `Role.STUDENT`
- Audit timestamps: `createdAt` (non-null, non-updatable), `updatedAt` (non-null) via Hibernate `@CreationTimestamp` / `@UpdateTimestamp`

#### `RefreshTokenEntity`
- Mapped to the `refresh_tokens` table.
- UUID primary key generated via `GenerationType.UUID`.
- `tokenHash` — unique, non-null hash of the opaque refresh token (security: prevents replay attacks from a compromised DB)
- `user` — lazy `@ManyToOne``UserEntity` via `user_id`
- `expiresAt` — non-null `Instant`
- `status` — non-null `StatusRefreshToken` enum persisted as a string

### Enums
- `Role`: `STUDENT`, `TEACHER`
- `StatusRefreshToken`: `ACTIVE`, `USED`, `REVOKED`

### Repositories
- `UserRepository``findByEmail`, `existsByEmail`
- `RefreshTokenRepository``findByTokenHash`, `setStatusByRefreshToken` (JPQL bulk update), `updateStatusByUserAndCurrentStatus` (JPQL bulk update)

Code Review

Overall the code is solid and the previous issues (wrong Long ID type in repositories, JTI vs hash approach) have been correctly resolved. A few things to address:

🔴 Medium — RefreshTokenEntity.status has no default value

`@Column`(nullable = false)
`@Enumerated`(EnumType.STRING)
private StatusRefreshToken status;

When a new token is created via @NoArgsConstructor + setters and the service forgets to call setStatus(...), Hibernate will attempt to persist null and hit a DB constraint violation at runtime. A safe default makes this explicit:

`@Column`(nullable = false)
`@Enumerated`(EnumType.STRING)
private StatusRefreshToken status = StatusRefreshToken.ACTIVE;

🟡 Minor — @AllArgsConstructor includes auto-generated fields

Both entities have @AllArgsConstructor, which generates a constructor that includes id (auto-generated UUID) and, in UserEntity, createdAt/updatedAt (auto-set by Hibernate). This forces callers to pass null for those fields when creating new instances, which is error-prone.

Consider adding @Builder (or replacing @AllArgsConstructor with it) for a more ergonomic API:

`@Builder`
`@NoArgsConstructor`
`@AllArgsConstructor`   // still needed by JPA/Jackson if used

Or use a custom constructor that excludes auto-generated fields.

🟡 Minor — Explicit length for tokenHash

`@Column`(nullable = false, unique = true)
private String tokenHash;

JPA defaults the column length to 255. If you're storing a SHA-256 hex digest, 64 chars is sufficient. Being explicit avoids surprises:

`@Column`(nullable = false, unique = true, length = 64)
private String tokenHash;

✅ What's correct

Check Status
UUID primary key (not Long) in both entities ✅ Fixed
UserRepository / RefreshTokenRepository extend JpaRepository<..., UUID> ✅ Fixed
Hash-based refresh token storage (tokenHash) ✅ Correct
email unique, nickname non-unique ✅ Correct
@Modifying(clearAutomatically = true, flushAutomatically = true) ✅ Correct
JPQL @Query with named @Param bindings ✅ Correct
🧠 Learnings used 
Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), both UserRepository and RefreshTokenRepository incorrectly extend JpaRepository with Long as the ID type, but both UserEntity and RefreshTokenEntity use UUID as the primary key (GenerationType.UUID). The correct declarations are JpaRepository<UserEntity, UUID> and JpaRepository<RefreshTokenEntity, UUID>.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-12T21:20:40.707Z
Learning: In the SmartJam project, the JTI-based refresh token approach has been confirmed: store only the `jti` (UUID) from the refresh JWT in RefreshTokenEntity.jti (not the full token string). JwtService.generateRefreshToken() should build a signed JWT with a UUID jti claim. RefreshTokenRepository.findByJti(String jti) is used for lookups. AuthService extracts the jti after verifying the JWT signature and stores/validates against it. This applies to all relevant files under backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/.

Learnt from: men229
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java:25-26
Timestamp: 2026-03-16T23:31:36.243Z
Learning: In SmartJam (Satlykovs/SmartJam), UserEntity uses `email` as the unique login identifier (unique = true in Column). The `username`/`nickname` field is a non-unique display name and does not require a uniqueness constraint. Repository methods like `existsByUsername()` / `findUserEntitiesByUsername()` may have been renamed to reflect `nickname`. Do not flag missing uniqueness on the nickname/display-name field. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java and related repository/service files.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-11T22:19:39.121Z
Learning: In the SmartJam project (backend/smartjam-api), the team intends to use signed JWT tokens as refresh tokens (instead of opaque random strings). The RefreshTokenEntity in com.smartjam.smartjamapi.entity stores refresh token references in the DB for revocation tracking. The recommended pattern is to embed a `jti` (JWT ID) claim in the refresh JWT and store only the `jti` (or its hash) in the DB, rather than storing the full token string, to avoid exposing replayable tokens if the DB is compromised.

Learnt from: men229
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java:50-54
Timestamp: 2026-03-16T23:18:13.079Z
Learning: In the SmartJam project (backend/smartjam-api), the team decided to store a **hash** of the opaque refresh token string in RefreshTokenEntity (not the full token, and not a JTI from a signed JWT). This is an intentional security design: hashing prevents token replay from a compromised DB. The previous JTI-based recommendation was declined. Do not flag hash-based refresh token storage as an issue in this project.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), old refresh tokens are never deleted when a new token is issued in AuthService.getNewToken(). The fix is to call refreshTokenRepository.delete(refreshToken) before saving the new one. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), the refresh token expiry in AuthService is incorrectly set to jwtService.getJwtExpiration() (the access token TTL). Refresh tokens need a separate, much longer expiration (e.g. 7 days), configured separately as security.jwt.refresh-expiration-time. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.
✅ Actions performed

Full review triggered.

coderabbitai[bot]
coderabbitai bot reviewed Mar 21, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

♻️ Duplicate comments (3)
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java (1)

18-21: 🧹 Nitpick | 🔵 Trivial

Consider returning int to report affected row count.

Returning the number of updated rows can be useful for logging, debugging, or detecting when no tokens matched the criteria.

♻️ Suggested change 
     `@Transactional`
     `@Modifying`(clearAutomatically = true, flushAutomatically = true)
     `@Query`("UPDATE RefreshTokenEntity r SET r.status = :status WHERE r.tokenHash = :tokenHash")
-    void setStatusByRefreshToken(`@Param`("tokenHash") String tokenHash, `@Param`("status") StatusRefreshToken status);
+    int setStatusByRefreshToken(`@Param`("tokenHash") String tokenHash, `@Param`("status") StatusRefreshToken status);

Apply similar change to updateStatusByUserAndCurrentStatus if desired.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`
around lines 18 - 21, Change the repository update method to return the number
of affected rows so callers can detect/ log whether any rows were updated;
specifically modify the signature of setStatusByRefreshToken (and optionally
updateStatusByUserAndCurrentStatus) to return int instead of void, keep the
`@Transactional/`@Modifying/@Query annotations and parameter names tokenHash and
status unchanged, and ensure service/test callers handle the returned int to
check for zero updates where appropriate.
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java (2)

43-44: ⚠️ Potential issue | 🟡 Minor

Increase avatarUrl column length to accommodate long URLs.

URLs can exceed the default VARCHAR(255) limit (e.g., CDN URLs with query parameters, signed URLs). Consider using TEXT or specifying a larger length.

🛠️ Proposed fix 
-    `@Column`(name = "avatar_url")
+    `@Column`(name = "avatar_url", length = 2048)
     private String avatarUrl;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`
around lines 43 - 44, In UserEntity, the avatarUrl field currently maps to the
default VARCHAR(255); update its `@Column` mapping for avatarUrl to support longer
URLs (either set a larger length attribute or use columnDefinition = "TEXT") so
persisted URLs (e.g., signed/CDN URLs) won't be truncated; modify the avatarUrl
field's `@Column` annotation in class UserEntity accordingly and run
migrations/DDL to apply the schema change.

16-22: 🧹 Nitpick | 🔵 Trivial

Consider replacing @AllArgsConstructor with @Builder for better ergonomics.

@AllArgsConstructor generates a constructor that includes auto-managed fields (id, createdAt, updatedAt), which callers shouldn't set. Using @Builder provides a cleaner API where callers only set relevant fields.

♻️ Suggested change 
+import lombok.Builder;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
-import lombok.AllArgsConstructor;

 `@Setter`
 `@Getter`
 `@NoArgsConstructor`
-@AllArgsConstructor
+@Builder
 `@Table`(name = "users")
 `@Entity`
 public class UserEntity {

Note: If @Builder is added, you may need @AllArgsConstructor(access = AccessLevel.PRIVATE) for it to work with @NoArgsConstructor.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`
around lines 16 - 22, Replace the public all-args constructor pattern with a
builder to avoid callers setting auto-managed fields: remove or change the
existing `@AllArgsConstructor` on UserEntity and add `@Builder` on the class (retain
`@NoArgsConstructor`), and add an `@AllArgsConstructor`(access =
AccessLevel.PRIVATE) so Lombok can back the builder while preventing external
construction that sets id/createdAt/updatedAt; keep `@Getter/`@Setter and
`@Entity/`@Table as-is and ensure any usages constructing UserEntity are migrated
to UserEntity.builder()...build().
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`:
- Around line 22-23: The tokenHash column in RefreshTokenEntity currently uses
the default VARCHAR length; update the `@Column` on the tokenHash field to specify
an explicit length that matches the hash format (for example, add length = 64
for SHA-256 hex) so the schema documents and enforces the expected size (modify
the `@Column` annotation on the tokenHash field in RefreshTokenEntity to include
the length attribute, e.g., length = 64).
- Around line 32-34: The status field in RefreshTokenEntity is non-nullable but
has no default; initialize it to StatusRefreshToken.ACTIVE to avoid violating
the DB constraint when persisting new entities (set the field default inline:
private StatusRefreshToken status = StatusRefreshToken.ACTIVE) and ensure any
constructors/builders (e.g., the entity's constructors or factory methods) do
not overwrite it with null—update them to preserve or explicitly set ACTIVE when
creating new RefreshTokenEntity instances.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Around line 15-16: Rename the method parameter in
RefreshTokenRepository::findByTokenHash from token to tokenHash for naming
consistency with the entity field and other usages; update the method signature
to use tokenHash and adjust any call sites if necessary to match the new
parameter name.

---

Duplicate comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`:
- Around line 43-44: In UserEntity, the avatarUrl field currently maps to the
default VARCHAR(255); update its `@Column` mapping for avatarUrl to support longer
URLs (either set a larger length attribute or use columnDefinition = "TEXT") so
persisted URLs (e.g., signed/CDN URLs) won't be truncated; modify the avatarUrl
field's `@Column` annotation in class UserEntity accordingly and run
migrations/DDL to apply the schema change.
- Around line 16-22: Replace the public all-args constructor pattern with a
builder to avoid callers setting auto-managed fields: remove or change the
existing `@AllArgsConstructor` on UserEntity and add `@Builder` on the class (retain
`@NoArgsConstructor`), and add an `@AllArgsConstructor`(access =
AccessLevel.PRIVATE) so Lombok can back the builder while preventing external
construction that sets id/createdAt/updatedAt; keep `@Getter/`@Setter and
`@Entity/`@Table as-is and ensure any usages constructing UserEntity are migrated
to UserEntity.builder()...build().

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Around line 18-21: Change the repository update method to return the number of
affected rows so callers can detect/ log whether any rows were updated;
specifically modify the signature of setStatusByRefreshToken (and optionally
updateStatusByUserAndCurrentStatus) to return int instead of void, keep the
`@Transactional/`@Modifying/@Query annotations and parameter names tokenHash and
status unchanged, and ensure service/test callers handle the returned int to
check for zero updates where appropriate.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fa37b6de-fd84-428a-be2f-4786520d9a0f

📥 Commits

Reviewing files that changed from the base of the PR and between 3a88d07 and c86e051.

📒 Files selected for processing (6)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/StatusRefreshToken.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java

coderabbitai[bot]
coderabbitai bot reviewed Mar 22, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (2)
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java (2)

24-25: 🧹 Nitpick | 🔵 Trivial

Specify explicit tokenHash column length for schema clarity.

Please set an explicit length matching your hash format (e.g., 64 for SHA-256 hex) instead of relying on default VARCHAR(255).

Suggested diff 
-    `@Column`(nullable = false, unique = true)
+    `@Column`(nullable = false, unique = true, length = 64)
     private String tokenHash;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`
around lines 24 - 25, The tokenHash field in RefreshTokenEntity currently uses
the default VARCHAR length; update the `@Column` annotation on the tokenHash field
to specify an explicit length matching your hash format (e.g., length = 64 for
SHA-256 hex) so the DB schema is clear and constrained; locate the tokenHash
field and change its `@Column`(...) to include length = 64 (or the appropriate
size) while preserving nullable and unique attributes.

17-18: ⚠️ Potential issue | 🟠 Major

@AllArgsConstructor weakens entity invariants (status, audit fields, id).

The generated all-args constructor allows passing null for status and manually setting generated/audit fields. That bypasses your intended defaults and can still violate non-null constraints at persist time. Prefer removing @AllArgsConstructor and exposing a constrained constructor/factory for required business fields only.

#!/bin/bash
# Verify whether the all-args constructor is used in a way that can pass nulls
# or manually set generated/audit fields.
rg -nP --type=java 'new\s+RefreshTokenEntity\s*\(' -C2

Also applies to: 34-36

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`
around lines 17 - 18, Remove the unsafe generated all-args constructor: delete
the `@AllArgsConstructor` on RefreshTokenEntity and replace it with a single
explicit constructor or static factory that only accepts the required business
fields (e.g., the token value, owner/user identifier, and any fields you expect
callers to set) while leaving id, audit fields (createdAt/updatedAt) and status
to their defaults or to be set by the persistence/audit layer; ensure the class
still has `@NoArgsConstructor` for JPA and that the new constructor/factory
enforces non-null status/required fields so callers cannot pass null for status
or manually set generated audit/id fields.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Around line 18-21: The `@Modifying` update method setStatusByTokenHash currently
returns boolean which Spring Data JPA doesn't support; change its return type to
int (i.e., int setStatusByTokenHash(...)) so the query returns the number of
affected rows, and do the same for any other `@Modifying` methods in
RefreshTokenRepository that currently return boolean; then update the service
layer to convert the returned int to a boolean (e.g., affectedRows > 0) where a
success flag is needed.

---

Duplicate comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`:
- Around line 24-25: The tokenHash field in RefreshTokenEntity currently uses
the default VARCHAR length; update the `@Column` annotation on the tokenHash field
to specify an explicit length matching your hash format (e.g., length = 64 for
SHA-256 hex) so the DB schema is clear and constrained; locate the tokenHash
field and change its `@Column`(...) to include length = 64 (or the appropriate
size) while preserving nullable and unique attributes.
- Around line 17-18: Remove the unsafe generated all-args constructor: delete
the `@AllArgsConstructor` on RefreshTokenEntity and replace it with a single
explicit constructor or static factory that only accepts the required business
fields (e.g., the token value, owner/user identifier, and any fields you expect
callers to set) while leaving id, audit fields (createdAt/updatedAt) and status
to their defaults or to be set by the persistence/audit layer; ensure the class
still has `@NoArgsConstructor` for JPA and that the new constructor/factory
enforces non-null status/required fields so callers cannot pass null for status
or manually set generated audit/id fields.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b730106-bc13-44c0-8538-435fa327fc6a

📥 Commits

Reviewing files that changed from the base of the PR and between c86e051 and 7a5465f.

📒 Files selected for processing (4)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/RefreshTokenStatus.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java

@men229
Copy link
Collaborator Author

men229 commented Mar 22, 2026

@coderabbitai, you can do javadoc for all files in this pr

@coderabbitai
Copy link

coderabbitai bot commented Mar 22, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== UserEntity ==="
fd "UserEntity.java" --exec cat {}

echo "=== RefreshTokenEntity ==="
fd "RefreshTokenEntity.java" --exec cat {}

echo "=== UserRepository ==="
fd "UserRepository.java" --exec cat {}

echo "=== RefreshTokenRepository ==="
fd "RefreshTokenRepository.java" --exec cat {}

echo "=== Role enum ==="
fd "Role.java" --exec cat {}

echo "=== RefreshTokenStatus enum ==="
fd "RefreshTokenStatus.java" --exec cat {}

echo "=== StatusRefreshToken enum ==="
fd "StatusRefreshToken.java" --exec cat {}

Length of output: 4830

@men229, here is the Javadoc for all files in this PR:

Role.java

package com.smartjam.smartjamapi.enums;

/**
 * Represents the role of a user within the SmartJam platform.
 *
 * <p>Roles are used to control access and permissions across the application.
 * The role value is persisted as a {`@link` String} in the database via
 * {`@link` jakarta.persistence.EnumType#STRING}.
 */
public enum Role {

    /**
     * A student user. This is the default role assigned to new users upon registration.
     */
    STUDENT,

    /**
     * A teacher user with elevated privileges, such as creating and managing sessions.
     */
    TEACHER
}

RefreshTokenStatus.java

package com.smartjam.smartjamapi.enums;

/**
 * Represents the lifecycle status of a refresh token stored in the database.
 *
 * <p>Status values are persisted as {`@link` String} via
 * {`@link` jakarta.persistence.EnumType#STRING} in the {`@code` refresh_tokens} table.
 */
public enum RefreshTokenStatus {

    /**
     * The refresh token is valid and can be used to obtain a new access token.
     */
    ACTIVE,

    /**
     * The refresh token is no longer valid and cannot be used for token refresh.
     * This covers tokens that have been revoked, used, or expired.
     */
    INACTIVE
}

UserEntity.java

package com.smartjam.smartjamapi.entity;

import java.time.Instant;
import java.util.UUID;

import jakarta.persistence.*;
import jakarta.validation.constraints.Email;

import com.smartjam.smartjamapi.enums.Role;
import lombok.*;
import org.hibernate.annotations.CreationTimestamp;
import org.hibernate.annotations.UpdateTimestamp;

/**
 * JPA entity representing a registered user in the SmartJam platform.
 *
 * <p>Mapped to the {`@code` users} database table. The primary key is a UUID
 * generated automatically by the persistence provider. Equality and hash-code
 * are based solely on {`@link` `#id`} to ensure correct behaviour in JPA-managed
 * collections and during entity detachment/reattachment cycles.
 *
 * <p>The {`@code` email} field is the unique login identifier. {`@code` nickname}
 * is a non-unique display name. Passwords are never stored in plain text —
 * only the hashed value is persisted in {`@code` passwordHash}.
 */
`@Setter`
`@Getter`
`@NoArgsConstructor`
`@AllArgsConstructor`
`@Table`(name = "users")
`@Entity`
`@EqualsAndHashCode`(onlyExplicitlyIncluded = true)
public class UserEntity {

    /**
     * Unique identifier for the user, generated automatically as a UUID.
     */
    `@Id`
    `@GeneratedValue`(strategy = GenerationType.UUID)
    `@EqualsAndHashCode.Include`
    private UUID id;

    /**
     * Non-unique display name (nickname) of the user shown in the UI.
     * Must not be {`@code` null}.
     */
    `@Column`(nullable = false)
    private String nickname;

    /**
     * The user's email address, used as the unique login identifier.
     * Must be a valid email format, non-null, and unique across all users.
     */
    `@Column`(nullable = false, unique = true, length = 255)
    `@Email`
    private String email;

    /**
     * Bcrypt (or equivalent) hash of the user's password.
     * The plain-text password is never stored.
     */
    `@Column`(name = "password_hash", nullable = false, length = 255)
    private String passwordHash;

    /**
     * Optional first name of the user.
     */
    `@Column`(name = "first_name")
    private String firstName;

    /**
     * Optional last name of the user.
     */
    `@Column`(name = "last_name")
    private String lastName;

    /**
     * Optional URL pointing to the user's avatar image.
     * Supports long URLs (up to 2048 characters).
     */
    `@Column`(name = "avatar_url", length = 2048)
    private String avatarUrl;

    /**
     * The role of the user, determining their permissions within the platform.
     * Defaults to {`@link` Role#STUDENT} for all newly created users.
     * Persisted as a {`@link` String} in the database.
     */
    `@Enumerated`(EnumType.STRING)
    `@Column`(nullable = false)
    private Role role = Role.STUDENT;

    /**
     * Optional Firebase Cloud Messaging token used to send push notifications
     * to the user's device.
     */
    `@Column`(name = "fcm_token")
    private String fcmToken;

    /**
     * Timestamp of when the user record was first created.
     * Set automatically by Hibernate on insert and never updated afterwards.
     */
    `@CreationTimestamp`
    `@Column`(name = "created_at", nullable = false, updatable = false)
    private Instant createdAt;

    /**
     * Timestamp of the most recent update to the user record.
     * Updated automatically by Hibernate on every merge/flush.
     */
    `@UpdateTimestamp`
    `@Column`(name = "updated_at", nullable = false)
    private Instant updatedAt;
}

RefreshTokenEntity.java

package com.smartjam.smartjamapi.entity;

import java.time.Instant;
import java.util.UUID;

import jakarta.persistence.*;

import com.smartjam.smartjamapi.enums.RefreshTokenStatus;
import lombok.*;
import org.hibernate.annotations.CreationTimestamp;
import org.hibernate.annotations.UpdateTimestamp;

/**
 * JPA entity representing a refresh token record in the SmartJam platform.
 *
 * <p>Mapped to the {`@code` refresh_tokens} database table. Rather than storing
 * the raw token string, only a cryptographic hash of the token is persisted in
 * {`@link` `#tokenHash`}. This prevents token replay attacks in the event of a
 * database compromise.
 *
 * <p>The lifecycle of a token is tracked via the {`@link` `#status`} field.
 * Tokens start as {`@link` RefreshTokenStatus#ACTIVE} and transition to
 * {`@link` RefreshTokenStatus#INACTIVE} upon revocation or expiry.
 */
`@Entity`
`@Table`(name = "refresh_tokens")
`@Getter`
`@Setter`
`@NoArgsConstructor`
public class RefreshTokenEntity {

    /**
     * Unique identifier for the refresh token record, generated automatically as a UUID.
     */
    `@Id`
    `@GeneratedValue`(strategy = GenerationType.UUID)
    private UUID id;

    /**
     * Cryptographic hash (e.g. SHA-256 hex digest) of the opaque refresh token string.
     * Stored instead of the raw token to mitigate replay attacks from a compromised database.
     * Maximum length is 64 characters, sufficient for a SHA-256 hex digest.
     */
    `@Column`(nullable = false, unique = true, length = 64)
    private String tokenHash;

    /**
     * The user to whom this refresh token belongs.
     * Loaded lazily to avoid unnecessary joins when only token metadata is needed.
     */
    `@ManyToOne`(fetch = FetchType.LAZY)
    `@JoinColumn`(name = "user_id", nullable = false)
    private UserEntity user;

    /**
     * The point in time at which this refresh token expires and must no longer be accepted.
     */
    `@Column`(nullable = false, name = "expires_at")
    private Instant expiresAt;

    /**
     * The current lifecycle status of this refresh token.
     * Defaults to {`@link` RefreshTokenStatus#ACTIVE} upon creation.
     * Persisted as a {`@link` String} in the database.
     */
    `@Column`(nullable = false)
    `@Enumerated`(EnumType.STRING)
    private RefreshTokenStatus status = RefreshTokenStatus.ACTIVE;

    /**
     * Timestamp of when this refresh token record was first created.
     * Set automatically by Hibernate on insert and never updated afterwards.
     */
    `@CreationTimestamp`
    `@Column`(name = "created_at", nullable = false, updatable = false)
    private Instant createdAt;

    /**
     * Timestamp of the most recent update to this refresh token record.
     * Updated automatically by Hibernate on every merge/flush.
     */
    `@UpdateTimestamp`
    `@Column`(name = "updated_at", nullable = false)
    private Instant updatedAt;
}

UserRepository.java

package com.smartjam.smartjamapi.repository;

import java.util.Optional;
import java.util.UUID;

import com.smartjam.smartjamapi.entity.UserEntity;
import org.springframework.data.jpa.repository.JpaRepository;

/**
 * Spring Data JPA repository for {`@link` UserEntity} persistence operations.
 *
 * <p>Provides standard CRUD operations inherited from {`@link` JpaRepository},
 * as well as derived query methods for email-based lookups used during
 * authentication and registration flows.
 */
public interface UserRepository extends JpaRepository<UserEntity, UUID> {

    /**
     * Finds a user by their email address.
     *
     * `@param` email the email address to search for; must not be {`@code` null}
     * `@return` an {`@link` Optional} containing the matching {`@link` UserEntity},
     *         or {`@link` Optional#empty()} if no user with the given email exists
     */
    Optional<UserEntity> findByEmail(String email);

    /**
     * Checks whether a user with the given email address already exists.
     *
     * <p>Prefer this method over {`@link` `#findByEmail`(String)} when only
     * presence needs to be verified, as it avoids loading the full entity.
     *
     * `@param` email the email address to check; must not be {`@code` null}
     * `@return` {`@code` true} if a user with the specified email exists,
     *         {`@code` false} otherwise
     */
    boolean existsByEmail(String email);
}

RefreshTokenRepository.java

package com.smartjam.smartjamapi.repository;

import java.util.Optional;
import java.util.UUID;

import com.smartjam.smartjamapi.entity.RefreshTokenEntity;
import com.smartjam.smartjamapi.entity.UserEntity;
import com.smartjam.smartjamapi.enums.RefreshTokenStatus;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.transaction.annotation.Transactional;

/**
 * Spring Data JPA repository for {`@link` RefreshTokenEntity} persistence operations.
 *
 * <p>In addition to standard CRUD operations inherited from {`@link` JpaRepository},
 * this repository provides token-hash lookups and bulk JPQL {`@code` UPDATE} statements
 * for efficient status transitions without loading full entity graphs.
 *
 * <p>All {`@link` Modifying} methods use {`@code` clearAutomatically = true} and
 * {`@code` flushAutomatically = true} to ensure the persistence context is
 * flushed before and cleared after each bulk update, preventing stale
 * first-level cache entries from being read after the operation.
 */
public interface RefreshTokenRepository extends JpaRepository<RefreshTokenEntity, UUID> {

    /**
     * Finds a refresh token record by the hash of the raw token string.
     *
     * `@param` token the SHA-256 hex digest (or equivalent hash) of the refresh token;
     *              must not be {`@code` null}
     * `@return` an {`@link` Optional} containing the matching {`@link` RefreshTokenEntity},
     *         or {`@link` Optional#empty()} if no record with the given hash exists
     */
    Optional<RefreshTokenEntity> findByTokenHash(String token);

    /**
     * Updates the status of the refresh token identified by the given token hash.
     *
     * <p>This is a bulk JPQL {`@code` UPDATE} that does not load the entity into
     * the persistence context, making it more efficient than a find-then-save pattern.
     *
     * `@param` tokenHash the SHA-256 hex digest of the refresh token whose status
     *                  should be updated; must not be {`@code` null}
     * `@param` status    the new {`@link` RefreshTokenStatus} to set; must not be {`@code` null}
     * `@return` the number of rows affected by the update (0 or 1)
     */
    `@Transactional`
    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
    `@Query`("UPDATE RefreshTokenEntity r SET r.status = :status WHERE r.tokenHash = :tokenHash")
    int setStatusByTokenHash(`@Param`("tokenHash") String tokenHash, `@Param`("status") RefreshTokenStatus status);

    /**
     * Bulk-updates the status of all refresh tokens belonging to the given user
     * whose current status matches {`@code` currentStatus}.
     *
     * <p>Typically used to invalidate all active tokens for a user on logout or
     * password change, by transitioning them from {`@link` RefreshTokenStatus#ACTIVE}
     * to {`@link` RefreshTokenStatus#INACTIVE}.
     *
     * `@param` user          the owner {`@link` UserEntity} whose tokens should be updated;
     *                      must not be {`@code` null}
     * `@param` currentStatus the status that tokens must currently have to be included
     *                      in the update; must not be {`@code` null}
     * `@param` newStatus     the new {`@link` RefreshTokenStatus} to assign; must not be {`@code` null}
     * `@return` the number of rows affected by the update
     */
    `@Transactional`
    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
    `@Query`("""
    UPDATE RefreshTokenEntity r
    SET r.status = :newStatus
    WHERE r.user = :user
      AND r.status = :currentStatus
""")
    int updateStatusByUserAndCurrentStatus(
            `@Param`("user") UserEntity user,
            `@Param`("currentStatus") RefreshTokenStatus currentStatus,
            `@Param`("newStatus") RefreshTokenStatus newStatus);
}

All six files now have class-level, field-level, and method-level Javadoc. A couple of side notes spotted while writing the docs:

  • RefreshTokenStatus currently only has ACTIVE and INACTIVE — the PR description mentioned ACTIVE, USED, REVOKED. If more granular states are needed in the future, those constants can be added back.
  • RefreshTokenEntity already has the status default (RefreshTokenStatus.ACTIVE) and length = 64 on tokenHash — the previously flagged medium and minor issues are resolved. ✅
🧠 Learnings used 
Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), both UserRepository and RefreshTokenRepository incorrectly extend JpaRepository with Long as the ID type, but both UserEntity and RefreshTokenEntity use UUID as the primary key (GenerationType.UUID). The correct declarations are JpaRepository<UserEntity, UUID> and JpaRepository<RefreshTokenEntity, UUID>.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-12T21:20:40.707Z
Learning: In the SmartJam project, the JTI-based refresh token approach has been confirmed: store only the `jti` (UUID) from the refresh JWT in RefreshTokenEntity.jti (not the full token string). JwtService.generateRefreshToken() should build a signed JWT with a UUID jti claim. RefreshTokenRepository.findByJti(String jti) is used for lookups. AuthService extracts the jti after verifying the JWT signature and stores/validates against it. This applies to all relevant files under backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/.

Learnt from: men229
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java:25-26
Timestamp: 2026-03-16T23:31:36.243Z
Learning: In SmartJam (Satlykovs/SmartJam), UserEntity uses `email` as the unique login identifier (unique = true in Column). The `username`/`nickname` field is a non-unique display name and does not require a uniqueness constraint. Repository methods like `existsByUsername()` / `findUserEntitiesByUsername()` may have been renamed to reflect `nickname`. Do not flag missing uniqueness on the nickname/display-name field. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java and related repository/service files.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-11T22:19:39.121Z
Learning: In the SmartJam project (backend/smartjam-api), the team intends to use signed JWT tokens as refresh tokens (instead of opaque random strings). The RefreshTokenEntity in com.smartjam.smartjamapi.entity stores refresh token references in the DB for revocation tracking. The recommended pattern is to embed a `jti` (JWT ID) claim in the refresh JWT and store only the `jti` (or its hash) in the DB, rather than storing the full token string, to avoid exposing replayable tokens if the DB is compromised.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), old refresh tokens are never deleted when a new token is issued in AuthService.getNewToken(). The fix is to call refreshTokenRepository.delete(refreshToken) before saving the new one. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.

Learnt from: men229
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java:50-54
Timestamp: 2026-03-16T23:18:13.079Z
Learning: In the SmartJam project (backend/smartjam-api), the team decided to store a **hash** of the opaque refresh token string in RefreshTokenEntity (not the full token, and not a JTI from a signed JWT). This is an intentional security design: hashing prevents token replay from a compromised DB. The previous JTI-based recommendation was declined. Do not flag hash-based refresh token storage as an issue in this project.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), the refresh token expiry in AuthService is incorrectly set to jwtService.getJwtExpiration() (the access token TTL). Refresh tokens need a separate, much longer expiration (e.g. 7 days), configured separately as security.jwt.refresh-expiration-time. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.

@men229
Copy link
Collaborator Author

men229 commented Mar 22, 2026

@coderabbitai, write the javadoc again, just add to them what exceptions can be thrown, if at all

@coderabbitai
Copy link

coderabbitai bot commented Mar 22, 2026

Tip

For best results, initiate chat on the files or code changes.

@men229, here is the full Javadoc for all files with @throws tags added where exceptions can realistically be thrown:

Role.java

package com.smartjam.smartjamapi.enums;

/**
 * Represents the role of a user within the SmartJam platform.
 *
 * <p>Roles are used to control access and permissions across the application.
 * The role value is persisted as a {`@link` String} in the database via
 * {`@link` jakarta.persistence.EnumType#STRING}.
 */
public enum Role {

    /**
     * A student user. This is the default role assigned to new users upon registration.
     */
    STUDENT,

    /**
     * A teacher user with elevated privileges, such as creating and managing sessions.
     */
    TEACHER
}

No @throws — enum constants cannot throw exceptions.

RefreshTokenStatus.java

package com.smartjam.smartjamapi.enums;

/**
 * Represents the lifecycle status of a refresh token stored in the database.
 *
 * <p>Status values are persisted as {`@link` String} via
 * {`@link` jakarta.persistence.EnumType#STRING} in the {`@code` refresh_tokens} table.
 */
public enum RefreshTokenStatus {

    /**
     * The refresh token is valid and can be used to obtain a new access token.
     */
    ACTIVE,

    /**
     * The refresh token is no longer valid and cannot be used for token refresh.
     * This covers tokens that have been revoked, used, or expired.
     */
    INACTIVE
}

No @throws — enum constants cannot throw exceptions.

UserEntity.java

package com.smartjam.smartjamapi.entity;

import java.time.Instant;
import java.util.UUID;

import jakarta.persistence.*;
import jakarta.validation.constraints.Email;

import com.smartjam.smartjamapi.enums.Role;
import lombok.*;
import org.hibernate.annotations.CreationTimestamp;
import org.hibernate.annotations.UpdateTimestamp;

/**
 * JPA entity representing a registered user in the SmartJam platform.
 *
 * <p>Mapped to the {`@code` users} database table. The primary key is a UUID
 * generated automatically by the persistence provider. Equality and hash-code
 * are based solely on {`@link` `#id`} to ensure correct behaviour in JPA-managed
 * collections and during entity detachment/reattachment cycles.
 *
 * <p>The {`@code` email} field is the unique login identifier. {`@code` nickname}
 * is a non-unique display name. Passwords are never stored in plain text —
 * only the hashed value is persisted in {`@code` passwordHash}.
 *
 * <p><b>Persistence exceptions:</b> Attempting to persist or merge an instance
 * with a duplicate {`@code` email}, a {`@code` null} required field, or a value
 * that violates a column constraint will cause the underlying JPA provider to
 * throw a {`@link` jakarta.persistence.PersistenceException} (typically wrapped
 * by Spring as {`@link` org.springframework.dao.DataIntegrityViolationException}).
 */
`@Setter`
`@Getter`
`@NoArgsConstructor`
`@AllArgsConstructor`
`@Table`(name = "users")
`@Entity`
`@EqualsAndHashCode`(onlyExplicitlyIncluded = true)
public class UserEntity {

    /**
     * Unique identifier for the user, generated automatically as a UUID.
     */
    `@Id`
    `@GeneratedValue`(strategy = GenerationType.UUID)
    `@EqualsAndHashCode.Include`
    private UUID id;

    /**
     * Non-unique display name (nickname) of the user shown in the UI.
     * Must not be {`@code` null}.
     */
    `@Column`(nullable = false)
    private String nickname;

    /**
     * The user's email address, used as the unique login identifier.
     * Must be a valid email format, non-null, and unique across all users.
     */
    `@Column`(nullable = false, unique = true, length = 255)
    `@Email`
    private String email;

    /**
     * Bcrypt (or equivalent) hash of the user's password.
     * The plain-text password is never stored.
     */
    `@Column`(name = "password_hash", nullable = false, length = 255)
    private String passwordHash;

    /**
     * Optional first name of the user.
     */
    `@Column`(name = "first_name")
    private String firstName;

    /**
     * Optional last name of the user.
     */
    `@Column`(name = "last_name")
    private String lastName;

    /**
     * Optional URL pointing to the user's avatar image.
     * Supports long URLs (up to 2048 characters).
     */
    `@Column`(name = "avatar_url", length = 2048)
    private String avatarUrl;

    /**
     * The role of the user, determining their permissions within the platform.
     * Defaults to {`@link` Role#STUDENT} for all newly created users.
     * Persisted as a {`@link` String} in the database.
     */
    `@Enumerated`(EnumType.STRING)
    `@Column`(nullable = false)
    private Role role = Role.STUDENT;

    /**
     * Optional Firebase Cloud Messaging token used to send push notifications
     * to the user's device.
     */
    `@Column`(name = "fcm_token")
    private String fcmToken;

    /**
     * Timestamp of when the user record was first created.
     * Set automatically by Hibernate on insert and never updated afterwards.
     */
    `@CreationTimestamp`
    `@Column`(name = "created_at", nullable = false, updatable = false)
    private Instant createdAt;

    /**
     * Timestamp of the most recent update to the user record.
     * Updated automatically by Hibernate on every merge/flush.
     */
    `@UpdateTimestamp`
    `@Column`(name = "updated_at", nullable = false)
    private Instant updatedAt;
}

Field declarations themselves do not throw; exceptions surface at the persistence layer (documented at the class level above).

RefreshTokenEntity.java

package com.smartjam.smartjamapi.entity;

import java.time.Instant;
import java.util.UUID;

import jakarta.persistence.*;

import com.smartjam.smartjamapi.enums.RefreshTokenStatus;
import lombok.*;
import org.hibernate.annotations.CreationTimestamp;
import org.hibernate.annotations.UpdateTimestamp;

/**
 * JPA entity representing a refresh token record in the SmartJam platform.
 *
 * <p>Mapped to the {`@code` refresh_tokens} database table. Rather than storing
 * the raw token string, only a cryptographic hash of the token is persisted in
 * {`@link` `#tokenHash`}. This prevents token replay attacks in the event of a
 * database compromise.
 *
 * <p>The lifecycle of a token is tracked via the {`@link` `#status`} field.
 * Tokens start as {`@link` RefreshTokenStatus#ACTIVE} and transition to
 * {`@link` RefreshTokenStatus#INACTIVE} upon revocation or expiry.
 *
 * <p><b>Persistence exceptions:</b> Attempting to persist or merge an instance
 * with a duplicate {`@code` tokenHash}, a {`@code` null} required field, or a value
 * that violates a column constraint will cause the JPA provider to throw a
 * {`@link` jakarta.persistence.PersistenceException} (typically wrapped by Spring
 * as {`@link` org.springframework.dao.DataIntegrityViolationException}).
 */
`@Entity`
`@Table`(name = "refresh_tokens")
`@Getter`
`@Setter`
`@NoArgsConstructor`
`@AllArgsConstructor`
public class RefreshTokenEntity {

    /**
     * Unique identifier for the refresh token record, generated automatically as a UUID.
     */
    `@Id`
    `@GeneratedValue`(strategy = GenerationType.UUID)
    private UUID id;

    /**
     * Cryptographic hash (e.g. SHA-256 hex digest) of the opaque refresh token string.
     * Stored instead of the raw token to mitigate replay attacks from a compromised database.
     * Length is 64 characters, sufficient for a SHA-256 hex digest.
     */
    `@Column`(nullable = false, unique = true, length = 64)
    private String tokenHash;

    /**
     * The user to whom this refresh token belongs.
     * Loaded lazily to avoid unnecessary joins when only token metadata is needed.
     */
    `@ManyToOne`(fetch = FetchType.LAZY)
    `@JoinColumn`(name = "user_id", nullable = false)
    private UserEntity user;

    /**
     * The point in time at which this refresh token expires and must no longer be accepted.
     */
    `@Column`(nullable = false, name = "expires_at")
    private Instant expiresAt;

    /**
     * The current lifecycle status of this refresh token.
     * Defaults to {`@link` RefreshTokenStatus#ACTIVE} upon creation.
     * Persisted as a {`@link` String} in the database.
     */
    `@Column`(nullable = false)
    `@Enumerated`(EnumType.STRING)
    private RefreshTokenStatus status = RefreshTokenStatus.ACTIVE;

    /**
     * Timestamp of when this refresh token record was first created.
     * Set automatically by Hibernate on insert and never updated afterwards.
     */
    `@CreationTimestamp`
    `@Column`(name = "created_at", nullable = false, updatable = false)
    private Instant createdAt;

    /**
     * Timestamp of the most recent update to this refresh token record.
     * Updated automatically by Hibernate on every merge/flush.
     */
    `@UpdateTimestamp`
    `@Column`(name = "updated_at", nullable = false)
    private Instant updatedAt;
}

UserRepository.java

package com.smartjam.smartjamapi.repository;

import java.util.Optional;
import java.util.UUID;

import com.smartjam.smartjamapi.entity.UserEntity;
import org.springframework.data.jpa.repository.JpaRepository;

/**
 * Spring Data JPA repository for {`@link` UserEntity} persistence operations.
 *
 * <p>Provides standard CRUD operations inherited from {`@link` JpaRepository},
 * as well as derived query methods for email-based lookups used during
 * authentication and registration flows.
 */
public interface UserRepository extends JpaRepository<UserEntity, UUID> {

    /**
     * Finds a user by their email address.
     *
     * `@param` email the email address to search for; must not be {`@code` null}
     * `@return` an {`@link` Optional} containing the matching {`@link` UserEntity},
     *         or {`@link` Optional#empty()} if no user with the given email exists
     * `@throws` IllegalArgumentException if {`@code` email} is {`@code` null}
     * `@throws` org.springframework.dao.DataAccessException if a database access
     *         error occurs (e.g. connection failure, query execution error);
     *         this is a Spring-translated unchecked exception wrapping the
     *         underlying {`@link` jakarta.persistence.PersistenceException}
     */
    Optional<UserEntity> findByEmail(String email);

    /**
     * Checks whether a user with the given email address already exists.
     *
     * <p>Prefer this method over {`@link` `#findByEmail`(String)} when only
     * presence needs to be verified, as it avoids loading the full entity.
     *
     * `@param` email the email address to check; must not be {`@code` null}
     * `@return` {`@code` true} if a user with the specified email exists,
     *         {`@code` false} otherwise
     * `@throws` IllegalArgumentException if {`@code` email} is {`@code` null}
     * `@throws` org.springframework.dao.DataAccessException if a database access
     *         error occurs (e.g. connection failure, query execution error)
     */
    boolean existsByEmail(String email);
}

RefreshTokenRepository.java

package com.smartjam.smartjamapi.repository;

import java.util.Optional;
import java.util.UUID;

import com.smartjam.smartjamapi.entity.RefreshTokenEntity;
import com.smartjam.smartjamapi.entity.UserEntity;
import com.smartjam.smartjamapi.enums.RefreshTokenStatus;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.transaction.annotation.Transactional;

/**
 * Spring Data JPA repository for {`@link` RefreshTokenEntity} persistence operations.
 *
 * <p>In addition to standard CRUD operations inherited from {`@link` JpaRepository},
 * this repository provides token-hash lookups and bulk JPQL {`@code` UPDATE} statements
 * for efficient status transitions without loading full entity graphs.
 *
 * <p>All {`@link` Modifying} methods use {`@code` clearAutomatically = true} and
 * {`@code` flushAutomatically = true} to ensure the persistence context is
 * flushed before and cleared after each bulk update, preventing stale
 * first-level cache entries from being read after the operation.
 */
public interface RefreshTokenRepository extends JpaRepository<RefreshTokenEntity, UUID> {

    /**
     * Finds a refresh token record by the hash of the raw token string.
     *
     * `@param` token the SHA-256 hex digest (or equivalent hash) of the refresh token;
     *              must not be {`@code` null}
     * `@return` an {`@link` Optional} containing the matching {`@link` RefreshTokenEntity},
     *         or {`@link` Optional#empty()} if no record with the given hash exists
     * `@throws` IllegalArgumentException if {`@code` token} is {`@code` null}
     * `@throws` org.springframework.dao.DataAccessException if a database access
     *         error occurs (e.g. connection failure, query execution error)
     */
    Optional<RefreshTokenEntity> findByTokenHash(String token);

    /**
     * Updates the status of the refresh token identified by the given token hash.
     *
     * <p>This is a bulk JPQL {`@code` UPDATE} that does not load the entity into
     * the persistence context, making it more efficient than a find-then-save pattern.
     *
     * `@param` tokenHash the SHA-256 hex digest of the refresh token whose status
     *                  should be updated; must not be {`@code` null}
     * `@param` status    the new {`@link` RefreshTokenStatus} to set; must not be {`@code` null}
     * `@return` the number of rows affected by the update (0 or 1)
     * `@throws` IllegalArgumentException if {`@code` tokenHash} or {`@code` status} is {`@code` null}
     * `@throws` org.springframework.dao.DataAccessException if a database access
     *         error occurs during the update
     * `@throws` jakarta.persistence.TransactionRequiredException if called outside
     *         an active transaction (normally prevented by the {`@code` `@Transactional`}
     *         annotation on this method)
     */
    `@Transactional`
    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
    `@Query`("UPDATE RefreshTokenEntity r SET r.status = :status WHERE r.tokenHash = :tokenHash")
    int setStatusByTokenHash(`@Param`("tokenHash") String tokenHash, `@Param`("status") RefreshTokenStatus status);

    /**
     * Bulk-updates the status of all refresh tokens belonging to the given user
     * whose current status matches {`@code` currentStatus}.
     *
     * <p>Typically used to invalidate all active tokens for a user on logout or
     * password change, by transitioning them from {`@link` RefreshTokenStatus#ACTIVE}
     * to {`@link` RefreshTokenStatus#INACTIVE}.
     *
     * `@param` user          the owner {`@link` UserEntity} whose tokens should be updated;
     *                      must not be {`@code` null}
     * `@param` currentStatus the status that tokens must currently have to be included
     *                      in the update; must not be {`@code` null}
     * `@param` newStatus     the new {`@link` RefreshTokenStatus} to assign; must not be {`@code` null}
     * `@return` the number of rows affected by the update
     * `@throws` IllegalArgumentException if any of {`@code` user}, {`@code` currentStatus},
     *         or {`@code` newStatus} is {`@code` null}
     * `@throws` org.springframework.dao.DataAccessException if a database access
     *         error occurs during the update
     * `@throws` jakarta.persistence.TransactionRequiredException if called outside
     *         an active transaction (normally prevented by the {`@code` `@Transactional`}
     *         annotation on this method)
     */
    `@Transactional`
    `@Modifying`(clearAutomatically = true, flushAutomatically = true)
    `@Query`("""
        UPDATE RefreshTokenEntity r
        SET r.status = :newStatus
        WHERE r.user = :user
          AND r.status = :currentStatus
    """)
    int updateStatusByUserAndCurrentStatus(
            `@Param`("user") UserEntity user,
            `@Param`("currentStatus") RefreshTokenStatus currentStatus,
            `@Param`("newStatus") RefreshTokenStatus newStatus);
}

Summary of @throws added:

Method Exceptions documented
findByEmail IllegalArgumentException (null arg), DataAccessException (DB error)
existsByEmail IllegalArgumentException (null arg), DataAccessException (DB error)
findByTokenHash IllegalArgumentException (null arg), DataAccessException (DB error)
setStatusByTokenHash IllegalArgumentException (null args), DataAccessException (DB error), TransactionRequiredException (no active tx)
updateStatusByUserAndCurrentStatus IllegalArgumentException (null args), DataAccessException (DB error), TransactionRequiredException (no active tx)
Enum constants & entity fields None — exceptions surface at the persistence layer (documented at class level)
🧠 Learnings used 
Learnt from: men229
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java:25-26
Timestamp: 2026-03-16T23:31:36.243Z
Learning: In SmartJam (Satlykovs/SmartJam), UserEntity uses `email` as the unique login identifier (unique = true in Column). The `username`/`nickname` field is a non-unique display name and does not require a uniqueness constraint. Repository methods like `existsByUsername()` / `findUserEntitiesByUsername()` may have been renamed to reflect `nickname`. Do not flag missing uniqueness on the nickname/display-name field. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java and related repository/service files.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), both UserRepository and RefreshTokenRepository incorrectly extend JpaRepository with Long as the ID type, but both UserEntity and RefreshTokenEntity use UUID as the primary key (GenerationType.UUID). The correct declarations are JpaRepository<UserEntity, UUID> and JpaRepository<RefreshTokenEntity, UUID>.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-11T22:19:39.121Z
Learning: In the SmartJam project (backend/smartjam-api), the team intends to use signed JWT tokens as refresh tokens (instead of opaque random strings). The RefreshTokenEntity in com.smartjam.smartjamapi.entity stores refresh token references in the DB for revocation tracking. The recommended pattern is to embed a `jti` (JWT ID) claim in the refresh JWT and store only the `jti` (or its hash) in the DB, rather than storing the full token string, to avoid exposing replayable tokens if the DB is compromised.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java:14-20
Timestamp: 2026-03-12T21:20:40.707Z
Learning: In the SmartJam project, the JTI-based refresh token approach has been confirmed: store only the `jti` (UUID) from the refresh JWT in RefreshTokenEntity.jti (not the full token string). JwtService.generateRefreshToken() should build a signed JWT with a UUID jti claim. RefreshTokenRepository.findByJti(String jti) is used for lookups. AuthService extracts the jti after verifying the JWT signature and stores/validates against it. This applies to all relevant files under backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), old refresh tokens are never deleted when a new token is issued in AuthService.getNewToken(). The fix is to call refreshTokenRepository.delete(refreshToken) before saving the new one. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.

Learnt from: Satlykovs
Repo: Satlykovs/SmartJam PR: 0
File: :0-0
Timestamp: 2026-03-16T23:56:57.162Z
Learning: In SmartJam (Satlykovs/SmartJam), the refresh token expiry in AuthService is incorrectly set to jwtService.getJwtExpiration() (the access token TTL). Refresh tokens need a separate, much longer expiration (e.g. 7 days), configured separately as security.jwt.refresh-expiration-time. Applies to backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java.

Learnt from: men229
Repo: Satlykovs/SmartJam PR: 2
File: backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/service/AuthService.java:50-54
Timestamp: 2026-03-16T23:18:13.079Z
Learning: In the SmartJam project (backend/smartjam-api), the team decided to store a **hash** of the opaque refresh token string in RefreshTokenEntity (not the full token, and not a JTI from a signed JWT). This is an intentional security design: hashing prevents token replay from a compromised DB. The previous JTI-based recommendation was declined. Do not flag hash-based refresh token storage as an issue in this project.

@Satlykovs Satlykovs self-requested a review March 22, 2026 09:36
Satlykovs
Satlykovs approved these changes Mar 22, 2026
View reviewed changes
Copy link
Owner

@Satlykovs Satlykovs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Теперь ок

coderabbitai[bot]
coderabbitai bot reviewed Mar 22, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (1)
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java (1)

31-33: ⚠️ Potential issue | 🟡 Minor

@AllArgsConstructor weakens entity invariants for generated/defaulted fields.

This constructor allows callers to pass null for role and set persistence-managed fields (id, createdAt, updatedAt) directly. Prefer a builder or explicit constructor over required business fields only.

♻️ Suggested direction 
-@AllArgsConstructor
+@Builder
// Or add an explicit constructor with only required inputs:
// public UserEntity(String nickname, String email, String passwordHash) { ... }

Also applies to: 78-78

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`
around lines 31 - 33, Remove the blanket `@AllArgsConstructor` from UserEntity
because it allows callers to set persistence-managed fields (id, createdAt,
updatedAt) and nullable business fields like role; instead provide an explicit
constructor or builder that only accepts required business inputs (e.g.,
nickname, email, passwordHash) and leave persistence fields and defaults managed
by JPA, or add a static builder/factory to enforce non-null role and defaulted
fields—update the class by removing `@AllArgsConstructor` and adding the named
explicit constructor or builder method to preserve entity invariants.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`:
- Line 29: Add database indexes to the RefreshTokenEntity JPA mapping to support
queries like updateStatusByUserAndCurrentStatus(...) and cleanup by expiration:
update the `@Table`(...) annotation on class RefreshTokenEntity to include `@Index`
entries for the user+status lookup and for expires_at (e.g. index on columnList
"user_id, status" and index on "expires_at"). Ensure index names are unique
(e.g. idx_refresh_token_user_status, idx_refresh_token_expires_at) and that the
column names match the entity mapping for the user relationship and the
expiresAt field.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`:
- Line 36: Update the Javadoc in RefreshTokenRepository for the method that
accepts tokenHash: change the `@throws` clause to reference the actual parameter
name tokenHash (i.e., "@throws IllegalArgumentException if {`@code` tokenHash} is
{`@code` null}") so the documentation matches the method signature.

---

Duplicate comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`:
- Around line 31-33: Remove the blanket `@AllArgsConstructor` from UserEntity
because it allows callers to set persistence-managed fields (id, createdAt,
updatedAt) and nullable business fields like role; instead provide an explicit
constructor or builder that only accepts required business inputs (e.g.,
nickname, email, passwordHash) and leave persistence fields and defaults managed
by JPA, or add a static builder/factory to enforce non-null role and defaulted
fields—update the class by removing `@AllArgsConstructor` and adding the named
explicit constructor or builder method to preserve entity invariants.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3d9d3f34-0995-40d5-8103-853998d316aa

📥 Commits

Reviewing files that changed from the base of the PR and between c86e051 and 68a7215.

📒 Files selected for processing (6)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/RefreshTokenStatus.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java

backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
* {@link org.springframework.dao.DataIntegrityViolationException}).
*/
@Entity
@Table(name = "refresh_tokens")
Copy link

@coderabbitai coderabbitai bot Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Add table indexes for token lifecycle query paths.

updateStatusByUserAndCurrentStatus(...) filters by user + status; adding an index avoids full scans as token volume grows. An expires_at index also helps cleanup jobs.

⚙️ Proposed schema tuning 
-@Table(name = "refresh_tokens")
+@Table(
+        name = "refresh_tokens",
+        indexes = {
+            `@Index`(name = "idx_refresh_tokens_user_status", columnList = "user_id,status"),
+            `@Index`(name = "idx_refresh_tokens_expires_at", columnList = "expires_at")
+        })
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@Table(name = "refresh_tokens")
`@Entity`
`@Table`(
name = "refresh_tokens",
indexes = {
`@Index`(name = "idx_refresh_tokens_user_status", columnList = "user_id,status"),
`@Index`(name = "idx_refresh_tokens_expires_at", columnList = "expires_at")
})
`@Getter`
`@Setter`
`@EqualsAndHashCode`(onlyExplicitlyIncluded = true)
`@NoArgsConstructor`
public class RefreshTokenEntity {
`@Id`
`@GeneratedValue`(strategy = GenerationType.UUID)
`@EqualsAndHashCode.Include`
private UUID id;
`@Column`(nullable = false, unique = true, length = 64)
private String tokenHash;
`@ManyToOne`(fetch = FetchType.LAZY)
`@JoinColumn`(name = "user_id", nullable = false)
private UserEntity user;
`@Column`(nullable = false)
private LocalDateTime expiresAt;
`@Column`(nullable = false)
`@Enumerated`(EnumType.STRING)
private StatusRefreshToken status = StatusRefreshToken.ACTIVE;
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`
at line 29, Add database indexes to the RefreshTokenEntity JPA mapping to
support queries like updateStatusByUserAndCurrentStatus(...) and cleanup by
expiration: update the `@Table`(...) annotation on class RefreshTokenEntity to
include `@Index` entries for the user+status lookup and for expires_at (e.g. index
on columnList "user_id, status" and index on "expires_at"). Ensure index names
are unique (e.g. idx_refresh_token_user_status, idx_refresh_token_expires_at)
and that the column names match the entity mapping for the user relationship and
the expiresAt field.

...d/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
* @param tokenHash the SHA-256 hex digest (or equivalent hash) of the refresh token; must not be {@code null}
* @return an {@link Optional} containing the matching {@link RefreshTokenEntity}, or {@link Optional#empty()} if no
* record with the given hash exists
* @throws IllegalArgumentException if {@code token} is {@code null}
Copy link

@coderabbitai coderabbitai bot Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix Javadoc parameter name in @throws clause.

The method parameter is tokenHash, but Javadoc says token.

✏️ Proposed fix 
-     * `@throws` IllegalArgumentException if {`@code` token} is {`@code` null}
+     * `@throws` IllegalArgumentException if {`@code` tokenHash} is {`@code` null}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java`
at line 36, Update the Javadoc in RefreshTokenRepository for the method that
accepts tokenHash: change the `@throws` clause to reference the actual parameter
name tokenHash (i.e., "@throws IllegalArgumentException if {`@code` tokenHash} is
{`@code` null}") so the documentation matches the method signature.

coderabbitai[bot]
coderabbitai bot reviewed Mar 22, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java (1)

28-38: 🛠️ Refactor suggestion | 🟠 Major

Add @EqualsAndHashCode based on id for consistent JPA behavior.

Unlike UserEntity, this entity lacks @EqualsAndHashCode(onlyExplicitlyIncluded = true) with @EqualsAndHashCode.Include on the id field. Without explicit equals/hashCode, Lombok's default (from Object) uses identity, which can cause inconsistent behavior in JPA-managed collections during detachment/reattachment cycles.

♻️ Proposed fix 
 `@Entity`
 `@Table`(name = "refresh_tokens")
 `@Getter`
 `@Setter`
 `@NoArgsConstructor`
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
 public class RefreshTokenEntity {

     /** Unique identifier for the refresh token record, generated automatically as a UUID. */
     `@Id`
     `@GeneratedValue`(strategy = GenerationType.UUID)
+    `@EqualsAndHashCode.Include`
     private UUID id;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`
around lines 28 - 38, The RefreshTokenEntity class is missing explicit
equals/hashCode leading to identity-based comparisons; add Lombok's
`@EqualsAndHashCode`(onlyExplicitlyIncluded = true) on the RefreshTokenEntity
class and mark the id field with `@EqualsAndHashCode.Include` so equals/hashCode
are based solely on the UUID id; ensure imports and annotation placement match
existing Lombok annotations (e.g., alongside `@Getter/`@Setter/@NoArgsConstructor)
to provide consistent JPA behavior.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`:
- Around line 29-36: The entity UserEntity currently uses Lombok's
`@AllArgsConstructor` which exposes auto-managed fields (id, createdAt,
updatedAt); replace `@AllArgsConstructor` with a safer pattern (e.g., Lombok's
`@Builder` or a custom constructor) so callers can only set user-controlled
fields: remove `@AllArgsConstructor` from the class declaration, add `@Builder` (or
add a constructor that accepts only username/email/password/etc.), and ensure
id, createdAt, and updatedAt remain managed by JPA and are not present in the
public constructor or builder API.

---

Duplicate comments:
In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java`:
- Around line 28-38: The RefreshTokenEntity class is missing explicit
equals/hashCode leading to identity-based comparisons; add Lombok's
`@EqualsAndHashCode`(onlyExplicitlyIncluded = true) on the RefreshTokenEntity
class and mark the id field with `@EqualsAndHashCode.Include` so equals/hashCode
are based solely on the UUID id; ensure imports and annotation placement match
existing Lombok annotations (e.g., alongside `@Getter/`@Setter/@NoArgsConstructor)
to provide consistent JPA behavior.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c3807f10-39b0-417d-a6d8-ec5a1af911ce

📥 Commits

Reviewing files that changed from the base of the PR and between c86e051 and 68a7215.

📒 Files selected for processing (6)
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/RefreshTokenEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/RefreshTokenStatus.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/enums/Role.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/RefreshTokenRepository.java
  • backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/repository/UserRepository.java

backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java
Comment on lines +29 to +36
@Setter
@Getter
@NoArgsConstructor
@AllArgsConstructor
@Table(name = "users")
@Entity
@EqualsAndHashCode(onlyExplicitlyIncluded = true)
public class UserEntity {
Copy link

@coderabbitai coderabbitai bot Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Consider replacing @AllArgsConstructor with @Builder or a custom constructor.

The @AllArgsConstructor annotation generates a constructor that accepts id, createdAt, and updatedAt, which are auto-generated fields. Callers could inadvertently set these, potentially causing conflicts with JPA's lifecycle management. A @Builder pattern or a custom constructor with only user-settable fields would be safer for entity creation.

♻️ Proposed alternative using `@Builder` 
 `@Setter`
 `@Getter`
 `@NoArgsConstructor`
-@AllArgsConstructor
+@Builder
 `@Table`(name = "users")
 `@Entity`
 `@EqualsAndHashCode`(onlyExplicitlyIncluded = true)
 public class UserEntity {
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@backend/smartjam-api/src/main/java/com/smartjam/smartjamapi/entity/UserEntity.java`
around lines 29 - 36, The entity UserEntity currently uses Lombok's
`@AllArgsConstructor` which exposes auto-managed fields (id, createdAt,
updatedAt); replace `@AllArgsConstructor` with a safer pattern (e.g., Lombok's
`@Builder` or a custom constructor) so callers can only set user-controlled
fields: remove `@AllArgsConstructor` from the class declaration, add `@Builder` (or
add a constructor that accepts only username/email/password/etc.), and ensure
id, createdAt, and updatedAt remain managed by JPA and are not present in the
public constructor or builder API.

@men229 men229 merged commit ac56284 into main Mar 22, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@Satlykovs Satlykovs Satlykovs approved these changes

Assignees

@men229 men229

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@men229 @Satlykovs @abebe1