← projects
$ Spring Boot Monolith Boilerplate
Hexagonal architecture backend boilerplate with JWT, TOTP 2FA, and Meilisearch. Private repository.
- →Built a Spring Boot 3 / Java 21 monolith following strict hexagonal architecture (ports & adapters) — application layer never imports infrastructure, enforced through package boundaries (domain, application, infrastructure, presentation) and dependency inversion on every output port.
- →Implemented JWT authentication with refresh token rotation and family-based reuse detection: refresh tokens are hashed with SHA-256 in the database, and reusing an invalidated token immediately terminates the entire token family.
- →Added TOTP-based two-factor authentication with AES-256-GCM encrypted secrets, Base32 encoding, and Redis-backed replay protection. Login is a two-phase flow — a short-lived TOTP_PENDING token is issued first, then exchanged for a full session after code verification.
- →Designed a JWT key versioning system using a kid header claim, allowing graceful secret rotation without logging out active users — old keys remain valid for verification until their token TTL expires.
- →Integrated Meilisearch as a search index with a Postgres-first, eventually-consistent Smart* fallback pattern (same approach used for Redis-backed token blacklisting), plus a reconciliation cron that diffs Postgres against Meilisearch every 30 minutes and a checkpoint table for delta sync.
- →Added Google OAuth login with PKCE, Resilience4j rate limiting and circuit breakers on all authentication endpoints, and a generic file upload module backed by Cloudflare R2 or local storage.
- →Account deletion is handled through an outbox pattern — a UserDeletedEvent is written transactionally before commit and processed asynchronously, keeping deletion side effects consistent even under failure.
- →Set up a two-way isolated SSH CI/CD pipeline: GitHub Actions triggers deploy via a command-restricted, passphrase-less key that can only run the deploy script, while the server pulls the private repo through a separate read-only deploy key — neither key can be used for anything beyond its single purpose.
JavaSpring BootHexagonal ArchitectureJWTTOTPMeilisearchRedisPostgreSQLResilience4jDockerCI/CD