From 25f4afcddceb4dde3db41c0d87596eca62225874 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 27 Apr 2026 08:42:59 +0200
Subject: [PATCH] feat: add vendor auth policy REST endpoints
Co-Authored-By: Claude Sonnet 4.6
---
.../vendor/VendorAuthPolicyController.java | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java
diff --git a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java
new file mode 100644
index 0000000..fa03ee3
--- /dev/null
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java
@@ -0,0 +1,59 @@
+package net.siegeln.cameleer.saas.vendor;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.Set;
+
+@RestController
+@RequestMapping("/api/vendor/auth-policy")
+@PreAuthorize("hasAuthority('SCOPE_platform:admin')")
+public class VendorAuthPolicyController {
+
+ private static final Set VALID_MFA_MODES = Set.of("off", "optional", "required");
+ private static final Set VALID_PASSKEY_MODES = Set.of("optional", "preferred", "required");
+
+ private final VendorAuthPolicyRepository repository;
+
+ public VendorAuthPolicyController(VendorAuthPolicyRepository repository) {
+ this.repository = repository;
+ }
+
+ public record AuthPolicyResponse(String mfaMode, boolean passkeyEnabled, String passkeyMode) {
+ static AuthPolicyResponse from(VendorAuthPolicyEntity entity) {
+ return new AuthPolicyResponse(entity.getMfaMode(), entity.isPasskeyEnabled(), entity.getPasskeyMode());
+ }
+ }
+
+ public record AuthPolicyUpdateRequest(String mfaMode, Boolean passkeyEnabled, String passkeyMode) {}
+
+ @GetMapping
+ public ResponseEntity getPolicy() {
+ return ResponseEntity.ok(AuthPolicyResponse.from(repository.getPolicy()));
+ }
+
+ @PutMapping
+ public ResponseEntity updatePolicy(@RequestBody AuthPolicyUpdateRequest request) {
+ var policy = repository.getPolicy();
+
+ if (request.mfaMode() != null) {
+ if (!VALID_MFA_MODES.contains(request.mfaMode())) {
+ return ResponseEntity.badRequest().build();
+ }
+ policy.setMfaMode(request.mfaMode());
+ }
+ if (request.passkeyEnabled() != null) {
+ policy.setPasskeyEnabled(request.passkeyEnabled());
+ }
+ if (request.passkeyMode() != null) {
+ if (!VALID_PASSKEY_MODES.contains(request.passkeyMode())) {
+ return ResponseEntity.badRequest().build();
+ }
+ policy.setPasskeyMode(request.passkeyMode());
+ }
+
+ repository.save(policy);
+ return ResponseEntity.ok(AuthPolicyResponse.from(policy));
+ }
+}
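Review bot: In `updatePolicy`, each field is validated and applied in turn, so a request with a valid `mfaMode` and an invalid `passkeyMode` has already called `policy.setMfaMode(...)` by the time the 400 is returned. If `repository.getPolicy()` hands back a shared, cached or persistence-managed object (the repository is not visible in this patch), that rejected change could still take effect; validating both modes before the first setter removes the question. The endpoint can also set `mfaMode` to `off`, yet nothing in the hunk records who changed the policy or what the previous values were, which is the event an incident responder would want in the audit trail. Separately, the class-level `@PreAuthorize` only protects these routes when method security is enabled in the application configuration, which is outside this patch and worth confirming with a test that a token without `SCOPE_platform:admin` gets 403.

```java
public ResponseEntity updatePolicy(@RequestBody AuthPolicyUpdateRequest request) {
    // Reject the whole request before touching the stored policy.
    if (request.mfaMode() != null && !VALID_MFA_MODES.contains(request.mfaMode())) {
        return ResponseEntity.badRequest().build();
    }
    if (request.passkeyMode() != null && !VALID_PASSKEY_MODES.contains(request.passkeyMode())) {
        return ResponseEntity.badRequest().build();
    }

    var policy = repository.getPolicy();
    if (request.mfaMode() != null) {
        policy.setMfaMode(request.mfaMode());
    }
    // … unchanged: passkeyEnabled update …
    if (request.passkeyMode() != null) {
        policy.setPasskeyMode(request.passkeyMode());
    }
    // … unchanged: repository.save(policy) and the 200 response …
}
```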