
fix: remediate critical security vulnerabilities (CSRF, negative amounts, race conditions)#176

Open
devin-ai-integration[bot] wants to merge 4 commits into DevOps from devin/1777413094-security-remediation


@devin-ai-integration devin-ai-integration Bot commented Apr 28, 2026

Summary

Remediates 5 confirmed security vulnerabilities identified by the Hunter Agent Pipeline security audit:

Critical — Dynamically Confirmed Exploitable:

  1. AUTH-AUTHZ-001: CSRF Protection Globally Disabled — Re-enabled Spring Security CSRF protection (was csrf.disable()). Updated all Thymeleaf forms to use th:action for automatic CSRF token injection.
  2. FINOPS-AUTHZ-002: Negative Amount Exploit — Added server-side validation that all financial amounts (deposit, withdraw, transfer) must be strictly positive. Previously, POST /withdraw amount=-5000 created $5,000 from nothing.

Critical — Code-Confirmed:

  3. FINOPS-RACE-001: Concurrent Withdraw Double-Spend — Added @Transactional + PESSIMISTIC_WRITE locking on all financial operations.
  4. FINOPS-RACE-002: Concurrent Transfer Double-Spend — Same fix pattern applied to transfer operations, with deterministic lock ordering (alphabetical by username) to prevent ABBA deadlocks.

Additional Hardening:

  5. Input validation on registration (username format, password length, enumeration mitigation)
  6. Error handling added to deposit controller endpoint
  7. HTML min="1" constraint on amount input fields
  8. H2 in-memory database profile added for local security testing
  9. Register template updated to show dynamic error messages instead of hardcoded text

Files Changed (9)

  • SecurityConfig.java — CSRF re-enabled
  • AccountService.java — Amount validation, @Transactional, pessimistic locking with deterministic ordering, input validation
  • BankController.java — Deposit error handling
  • AccountRepository.java — Pessimistic locking query
  • dashboard.html, login.html, register.html — th:action for CSRF tokens, min amount, dynamic errors
  • application-h2.properties — H2 test profile
  • pom.xml — H2 dependency for testing

Review & Testing Checklist for Human

  • Verify CSRF protection works: attempt any POST (deposit/withdraw/transfer) without a CSRF token — should get HTTP 403
  • Verify negative amounts rejected: try POST /deposit amount=-100 and POST /withdraw amount=-500 — both should show error, balance unchanged
  • Verify legitimate transactions still work: deposit, withdraw, and transfer with positive amounts and valid CSRF tokens
  • Verify registration validation: try registering with password < 8 chars — should see "Password must be at least 8 characters" (not "User already present")
  • Review pessimistic locking in AccountService.java — all financial methods use findByUsernameForUpdate() with @Lock(PESSIMISTIC_WRITE), transfer uses deterministic lock ordering

Recommended test plan: Start the app with H2 profile (./mvnw spring-boot:run -Dspring-boot.run.profiles=h2), register two accounts, deposit funds, then verify all the above checklist items.

Notes

  • Account lockout (AUTH-AUTHZ-003) is deferred — requires infrastructure-level changes (AuthenticationFailureHandler + attempt counter). Tracked as a follow-up recommendation.
  • The H2 profile (application-h2.properties) is for local testing only and does not affect the production MySQL configuration.
  • All 6 revalidation tests passed after remediation.
  • Addressed Devin Review findings: deterministic lock ordering in transferAmount() and dynamic error messages in register.html.

Link to Devin session: https://app.devin.ai/sessions/24fd567d7b324669bcf46b04821b01a0
Requested by: @angelalincog

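The locking and validation pattern the description refers to (items 2 to 4 above), written out as an added illustration rather than the PR's own diff. It assumes an `Account` JPA entity with `username` and `balance` fields, a Spring Boot 3 / `jakarta.persistence` stack, and the exception types shown; only the names `AccountRepository`, `AccountService`, `findByUsernameForUpdate` and `transferAmount` come from the PR text.

```java
// Added example, not the PR's own code. Assumes an Account JPA entity with
// username/balance fields and Spring Boot 3 (jakarta.persistence).
import java.math.BigDecimal;
import java.util.Optional;
import jakarta.persistence.LockModeType;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Lock;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

interface AccountRepository extends JpaRepository<Account, Long> {
    // Issues SELECT ... FOR UPDATE; the row stays locked until the enclosing
    // transaction commits, so a concurrent withdraw or transfer must wait.
    @Lock(LockModeType.PESSIMISTIC_WRITE)
    @Query("select a from Account a where a.username = :username")
    Optional<Account> findByUsernameForUpdate(@Param("username") String username);
}

@Service
class AccountService {
    private final AccountRepository accounts;
    AccountService(AccountRepository accounts) { this.accounts = accounts; }

    // Server-side check: null, zero and negative amounts are rejected before
    // any row is read, so "amount=-5000" can no longer create money.
    private static void requirePositive(BigDecimal amount) {
        if (amount == null || amount.signum() <= 0)
            throw new IllegalArgumentException("Amount must be greater than zero");
    }

    @Transactional
    public void transferAmount(String from, String to, BigDecimal amount) {
        requirePositive(amount);
        if (from.equals(to)) throw new IllegalArgumentException("Cannot transfer to self");
        // Deterministic lock ordering: lock the alphabetically smaller username first
        // whatever the direction, so A->B and B->A cannot each wait for the other.
        String first = from.compareTo(to) < 0 ? from : to;
        String second = first.equals(from) ? to : from;
        Account a1 = accounts.findByUsernameForUpdate(first).orElseThrow();
        Account a2 = accounts.findByUsernameForUpdate(second).orElseThrow();
        Account src = from.equals(first) ? a1 : a2;
        Account dst = from.equals(first) ? a2 : a1;
        if (src.getBalance().compareTo(amount) < 0)
            throw new IllegalStateException("Insufficient funds");
        src.setBalance(src.getBalance().subtract(amount));
        dst.setBalance(dst.getBalance().add(amount)); // flushed on commit
    }
}
```

Note that `@Lock` only takes effect while the caller's transaction is open, so the `@Transactional` on the service method is what makes the row lock outlive the repository call.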

…nts, race conditions)

- Enable CSRF protection in SecurityConfig (was globally disabled)
- Add positive amount validation on deposit, withdraw, transfer operations
- Add @Transactional and pessimistic locking to prevent race conditions
- Add username/password input validation on registration
- Update Thymeleaf templates to use th:action for CSRF token injection
- Add error handling for deposit controller endpoint
- Add H2 test profile for local security testing
- Add min=1 constraint on HTML amount input fields

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>
devin-ai-integration[bot]


…dynamic error messages

- Fix ABBA deadlock risk in transferAmount by acquiring locks in
  alphabetical username order
- Fix register.html to display dynamic error messages instead of
  hardcoded 'User already present'

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>
devin-ai-integration[bot]


Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>