Add tests for security layer and exception handling

[devin-ai-integration]

Summary

Adds unit tests for 5 previously untested classes in the security and exception handling layers:

1. JwtTokenFilterTest (5 tests) — null Authorization header, malformed header (no space), valid token with user in DB, valid token with user not in DB, already-authenticated SecurityContext
2. WebSecurityConfigTest (10 tests) — OPTIONS permitted, graphql/graphiql public, GET articles public, GET articles/feed requires auth, POST users/login public, other endpoints require auth, authenticated user can access protected endpoint
3. CustomizeExceptionHandlerTest (4 tests) — handleInvalidRequest with field errors, handleInvalidAuthentication, handleMethodArgumentNotValid, handleConstraintViolation with multiple violations
4. ErrorResourceSerializerTest (3 tests) — single field error serialization, multiple errors on same field grouped, errors on different fields
5. AuthorizationServiceTest (5 tests) — owner can write article, non-owner cannot, article owner can delete any comment, comment author can delete own comment, unrelated user cannot delete

All 94 tests pass locally (84 existing + 10 new test classes with 27 total test methods).

Review & Testing Checklist for Human

• Run ./gradlew test to confirm all tests pass in your environment
• Verify test coverage aligns with expectations for the 5 target classes

Notes

• WebSecurityConfigTest uses @SpringBootTest + @AutoConfigureMockMvc to load the full security filter chain, while other tests use lightweight @ExtendWith(MockitoExtension.class) or plain JUnit
• Public endpoint tests assert status is not 401 (rather than a specific success code) since the controllers may return 404 in the test context — the key verification is that security doesn't block the request

Link to Devin session: https://app.devin.ai/sessions/10dd396ee2f24d20b6aadf313126b78f
Requested by: @choikh0423

---

Devin Review

Status	Commit
⚪ Not started	—

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🟡 Java assert keyword used instead of JUnit assertions makes security test verifications unreliable

All 6 verification statements in JwtTokenFilterTest use the Java assert keyword instead of JUnit assertions (assertNull, assertNotNull, assertEquals, etc.). Java assert statements are only evaluated when the JVM is started with the -ea flag. While Gradle's test task defaults to enableAssertions=true, these assertions will be silently skipped in environments that don't set -ea (e.g., some IDE test runners, non-Gradle CI pipelines). This means the tests could pass without actually verifying any security behavior — authentication could be set when it shouldn't be, or not set when it should be, and the tests would still be green. Every other test file in this PR correctly uses JUnit assertions.

All affected lines in JwtTokenFilterTest.java

• Line 46: assert SecurityContextHolder.getContext().getAuthentication() == null;
• Line 56: assert SecurityContextHolder.getContext().getAuthentication() == null;
• Line 71: assert SecurityContextHolder.getContext().getAuthentication() != null;
• Line 72: assert SecurityContextHolder.getContext().getAuthentication().getPrincipal().equals(user);
• Line 87: assert SecurityContextHolder.getContext().getAuthentication() == null;
• Line 105: assert SecurityContextHolder.getContext().getAuthentication() == existingAuth;

Prompt for agents

Replace all Java `assert` statements in JwtTokenFilterTest.java with proper JUnit 5 assertions. The file is missing JUnit assertion imports entirely.

Add the following import:
import static org.junit.jupiter.api.Assertions.*;

Then replace each `assert` statement:
- Line 46: `assert X == null` → `assertNull(SecurityContextHolder.getContext().getAuthentication())`
- Line 56: same as line 46
- Line 71: `assert X != null` → `assertNotNull(SecurityContextHolder.getContext().getAuthentication())`
- Line 72: `assert X.equals(user)` → `assertEquals(user, SecurityContextHolder.getContext().getAuthentication().getPrincipal())`
- Line 87: same as line 46
- Line 105: `assert X == existingAuth` → `assertSame(existingAuth, SecurityContextHolder.getContext().getAuthentication())`

This ensures assertions are always evaluated regardless of JVM flags, provides informative failure messages, and aligns with the convention used in every other test file in this PR.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Fixed in c259130 — replaced all 6 Java assert statements with proper JUnit 5 assertions (assertNull, assertNotNull, assertEquals, assertSame).