cleanup: trim oversized comments across recent SaaS fixes

Reduce multi-paragraph comment blocks to short two-line notes and drop
history-style references; no behaviour changes.
This commit is contained in:
Anthony Stirling
2026-06-10 14:30:29 +01:00
parent bf18af4708
commit 5b412c0fed
11 changed files with 30 additions and 95 deletions
@@ -39,12 +39,8 @@ public class EnhancedJwtAuthenticationToken extends JwtAuthenticationToken {
}
/**
* Shared proprietary/core code authorizes with {@code principal instanceof User} (e.g. {@code
* FileStorageService.requireAuthenticatedUser}, {@code FolderService}), which the default
* {@link JwtAuthenticationToken} principal — the decoded {@link Jwt} — can never satisfy, so
* every such endpoint 401'd valid Supabase sessions. When the filter resolved a local {@link
* User}, expose it as the principal so those checks behave exactly as under form login; fall
* back to the Jwt when no User was attached (anonymous sessions, converter-built tokens).
* Returns the resolved local {@link User} when available so shared {@code principal instanceof
* User} authorization works under JWT auth; falls back to the decoded Jwt.
*/
@Override
public Object getPrincipal() {
@@ -155,10 +155,8 @@ public class SupabaseAuthenticationFilter extends OncePerRequestFilter {
User user = getOrCreateUser(jwt);
// Attach the resolved User as the token principal for full accounts so shared
// `principal instanceof User` authorization (storage services, account data)
// works under JWT auth. Anonymous sessions keep the raw Jwt principal and stay
// locked out of those User-gated APIs, matching pre-existing behaviour.
// Full accounts carry the resolved User as principal for shared
// instanceof-User authorization; anonymous sessions keep the raw Jwt.
EnhancedJwtAuthenticationToken authToken =
new EnhancedJwtAuthenticationToken(
jwt,