
[FEATURE] Priorities of Pull Requests? #335

Open
ip6li opened this issue Dec 4, 2023 · 4 comments

Comments

@ip6li commented Dec 4, 2023

Is your feature request related to a problem? Please describe.
It would be very helpful for contributors if pull requests were prioritized.

Describe the solution you'd like
Of course, security-related requests should be handled first, especially outdated dependencies, e.g. an old Spring Security version. I would like to see an Alovoa version with fewer dependencies on external services like Google or Facebook.
To promote the Expo frontend, a headless version of Alovoa should be built; this would also be a good reason to update the class SecurityConfig to the current Spring Security version.

Additional context
Some pull requests will not break things, so they should be integrated now.

@Nonononoki (Contributor) commented
Do you have a few examples of PRs that don't break stuff?
Usually every dependency update carries a risk of breaking some functionality.
The usual priority order is: critical bug fixes, general bug fixes, features, dependency updates.
I am currently doing the alovoa-expo as frontend issue, but progress has been slow as I am currently busy with sickness, work and family.

@ip6li (Author) commented Dec 7, 2023

#311 should not break things. It only adds some test-scoped dependencies, so a unit test with an automated security test based on OWASP ZAP becomes available.

Spring Boot 3.2.0 needs a little bit of effort due to the new Spring Security API, see https://github.com/ip6li/alovoa/blob/cf-full-featured/src/main/java/com/nonononoki/alovoa/config/SecurityConfig.java for the required changes in that class. My version of that class also contains some code for full delegation of AuthN/AuthZ to my Keycloak instance (OIDC). This has the advantage that I no longer have to care about 3rd party AuthN in Alovoa, because Keycloak also handles 3rd party upstream auth providers. Best of all: admin AuthN is configured for 2FA (based on a smartcard with client certificate/PIN). Keycloak also provides functions for password change and forgotten passwords. Depending on configurable entitlements, users may change other data as well.

If you are interested, I can provide a new pull request which matches your latest Alovoa master branch w/o my Keycloak extensions.
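The comment above describes two things without showing them: the SecurityConfig shape that Spring Security 6 (Spring Boot 3.2) requires, and delegating all AuthN/AuthZ to Keycloak over OpenID Connect. The following is an added example written for this page; it is not ip6li's SecurityConfig, nor code from the Alovoa project. It assumes a Keycloak client registered in Spring Boot under `spring.security.oauth2.client.registration.keycloak.*` (client-id, client-secret, scope `openid,profile,email`) with `spring.security.oauth2.client.provider.keycloak.issuer-uri` pointing at the realm, that Keycloak realm roles are added to the ID token in the `realm_access` claim (a Keycloak protocol mapper is needed for that), and that the `/admin/**` path and the role name `admin` are placeholders for the application's own.

```java
// Added example (not Alovoa's or ip6li's code): a Spring Security 6 / Spring Boot 3.2
// SecurityConfig that delegates login entirely to Keycloak via OpenID Connect.
// Assumptions (hypothetical for this example): Keycloak realm roles appear in the
// ID token under "realm_access" (requires a Keycloak "realm roles" mapper with
// "Add to ID token"), the client is registered under
// spring.security.oauth2.client.registration.keycloak.* with a matching
// spring.security.oauth2.client.provider.keycloak.issuer-uri, and /admin/** is
// reserved for the Keycloak realm role "admin".
package com.example.security;

import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Spring Security 6 style: a SecurityFilterChain bean with the lambda DSL replaces
    // the removed WebSecurityConfigurerAdapter, and authorizeHttpRequests()/requestMatchers()
    // replace the pre-6 authorizeRequests()/antMatchers() chain.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   ClientRegistrationRepository clients) throws Exception {
        // RP-initiated logout: terminate the Keycloak SSO session too, not only the local one,
        // otherwise the next request silently logs the user back in.
        OidcClientInitiatedLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedLogoutSuccessHandler(clients);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}");

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/css/**", "/js/**", "/img/**", "/error").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // CSRF protection stays enabled; the OIDC authorization-code flow is not affected by it.
            .csrf(Customizer.withDefaults())
            // Keycloak is the only login path: no local password form and no Google/Facebook
            // login in the application itself; upstream identity providers are Keycloak's job.
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo.userAuthoritiesMapper(keycloakAuthoritiesMapper())))
            .logout(logout -> logout.logoutSuccessHandler(oidcLogout));
        return http.build();
    }

    // Map Keycloak realm roles ("realm_access": {"roles": [...]}) in the ID token to ROLE_* authorities
    // so that hasRole("ADMIN") above is decided by Keycloak, not by a local user table.
    @Bean
    public GrantedAuthoritiesMapper keycloakAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidc) {
                    Map<String, Object> realmAccess = oidc.getIdToken().getClaimAsMap("realm_access");
                    mapped.addAll(rolesToAuthorities(realmAccess));
                }
            }
            return mapped;
        };
    }

    // Pure helper: claim map in, authorities out. Kept separate so the mapping can be
    // unit tested with a constructed Map without a running Keycloak.
    static Set<GrantedAuthority> rolesToAuthorities(Map<String, Object> realmAccess) {
        Set<GrantedAuthority> result = new HashSet<>();
        if (realmAccess == null) {
            return result; // claim absent: user gets no roles, not a NullPointerException
        }
        Object roles = realmAccess.get("roles");
        if (roles instanceof Collection<?> roleList) {
            for (Object role : roleList) {
                // ROLE_ prefix so hasRole("ADMIN") matches the Keycloak role "admin"
                result.add(new SimpleGrantedAuthority("ROLE_" + role.toString().toUpperCase()));
            }
        }
        return result;
    }
}
```

Two points worth checking when adopting this shape: the authorities mapper reads the ID token, so roles that Keycloak only puts into the access token will not appear unless the realm-roles mapper is enabled for the ID token; and the `OidcClientInitiatedLogoutSuccessHandler` only works if the Keycloak client has a valid post-logout redirect URI configured, otherwise Keycloak rejects the `end_session` request.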

@Nonononoki (Contributor) commented

@ip6li Pretty sure that the authentication process and several classes have been changed in that PR, and it also needed another PR that removes captchas. Changes in critical places like authentication need to be tested manually.

I have decided that Keycloak is a good auth solution and will implement it in the future, but it takes time to set up everything.

@ip6li (Author) commented Dec 9, 2023

If you need help to set up such an environment, I can help you. I have installed several dev, test and prod Keycloak installations with a reverse proxy; prod is reachable from the Internet. All installations are running as Docker containers with a Postgres backend.
Branch "cf-full-featured" is a merge of some of my other branches to check if my changes are working together. For security reasons I would recommend the following PR sequence:

  1. Update of the Spring Boot version with the new Spring Security API, with careful automated and manual testing.
  2. If this was successful, configurable captchas should be integrated.
  3. Now it would be time for Keycloak with the OpenID Connect protocol. Google/Facebook auth support can be dropped at this point.

I would consider the Spring Security update as the first PR because the old API will be dropped soon, which may lead to nasty security problems because Spring Security updates for the old API will no longer be available.
