Bump com.codeheadsystems:hofmann-dropwizard from 1.2.2 to 1.3.0 in the dev-dependencies group #3

Merged
github-actions[bot] merged 1 commit into main from
dependabot/gradle/dev-dependencies-56b182a82b
Mar 10, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Mar 10, 2026

Bumps the dev-dependencies group with 1 update: com.codeheadsystems:hofmann-dropwizard.

Updates com.codeheadsystems:hofmann-dropwizard from 1.2.2 to 1.3.0

Release notes

Sourced from com.codeheadsystems:hofmann-dropwizard's releases.

Release 1.3.0

Hofmann Elimination 1.3.0

Maven Central

Sample dependency for Maven:

<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>hofmann-rfc</artifactId>
  <version>1.3.0</version>
</dependency>

implementation("com.codeheadsystems:hofmann-rfc:1.3.0")

Modules Published

  • com.codeheadsystems:hofmann-rfc:1.3.0
  • com.codeheadsystems:hofmann-server:1.3.0
  • com.codeheadsystems:hofmann-client:1.3.0
  • com.codeheadsystems:hofmann-dropwizard:1.3.0
  • com.codeheadsystems:hofmann-springboot:1.3.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

Full Changelog: codeheadsystems/hofmann-elimination@v1.2.2...v1.3.0

Changelog

Sourced from com.codeheadsystems:hofmann-dropwizard's changelog.

[1.3.0] - 2026-03-09

Added

Account recovery (hofmann-server, hofmann-springboot, hofmann-dropwizard)

  • RecoveryChallenger SPI — pluggable interface for out-of-band identity verification (email codes, SMS OTP, TOTP, admin approval); implementations define sendChallenge() and verifyResponse() with constant-time comparison guidance
  • RecoveryTokenStore interface — single-use, TTL-limited token storage for recovery authorization; InMemoryRecoveryTokenStore reference implementation with capacity limits
  • Recovery endpoints: POST /opaque/recovery/start (sends challenge), POST /opaque/recovery/verify (validates response, issues recovery token); recovery token authorizes re-registration for the same credential identifier
  • Recovery DTOs: RecoveryStartRequest, RecoveryVerifyRequest, RecoveryVerifyResponse in hofmann-model
  • Wired into both Spring Boot (OpaqueController, HofmannAutoConfiguration) and Dropwizard (OpaqueResource, HofmannBundle); recovery is disabled when no RecoveryChallenger bean is provided

Rate limiting (hofmann-server)

  • RateLimiter interface — token-bucket rate limiting with tryConsume(key) and pluggable implementations; default InMemoryRateLimiter suitable for single-node deployments
  • RateLimitConfig — configurable maxTokens, refillPerSecond, and maxEntries (prevents OOM from key enumeration)
  • RateLimitConfigSupplier — allows dynamic reconfiguration of rate limit parameters
  • Applied to authentication endpoints by default; overridable via @Bean (Spring Boot) or withAuthRateLimiter() (Dropwizard)

PendingSessionStore interface (hofmann-server)

  • Extracted pending OPAQUE session storage into a dedicated PendingSessionStore interface with InMemoryPendingSessionStore reference implementation; enables distributed session storage (e.g. Redis-backed) for multi-node clusters where authStart and authFinish may hit different nodes

Rust implementation (hofmann-rust)

  • New crate hofmann-rfc — Rust library implementing RFC 9380, RFC 9497, and RFC 9807
  • Supports P-256/SHA-256, P-384/SHA-384, P-521/SHA-512, and Ristretto255/SHA-512 cipher suites
  • Uses RustCrypto ecosystem: p256, p384, p521, sha2, hmac, hkdf, argon2, curve25519-dalek, subtle, zeroize
  • Full OPAQUE registration + authentication, fake KE2, Argon2id KSF, deterministic test APIs
  • Recovery module with RecoveryChallenger trait and InMemoryTokenStore
  • Test suite: RFC vector tests (hash-to-curve, OPRF, OPAQUE), roundtrip tests across all four cipher suites, recovery flow tests

Security

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
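
The single-use, TTL-limited recovery token storage described in the changelog above, sketched as an added Java example that is not the project's RecoveryTokenStore or InMemoryRecoveryTokenStore. The class and method names, the SHA-256 hashing of stored tokens and the injected clock are assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; SingleUseTokenStore is a hypothetical name, not hofmann-server code.
public final class SingleUseTokenStore {
  private static final class Entry {
    final byte[] tokenHash; final long expiresAtMillis;
    Entry(byte[] hash, long expires) { tokenHash = hash; expiresAtMillis = expires; }
  }
  private final ConcurrentHashMap<String, Entry> live = new ConcurrentHashMap<>();
  private final SecureRandom random = new SecureRandom();
  private final long ttlMillis;
  private final int capacity;

  public SingleUseTokenStore(long ttlMillis, int capacity) {
    this.ttlMillis = ttlMillis;
    this.capacity = capacity;
  }

  // Called only after the out-of-band challenge response has been verified.
  public synchronized String issue(String credentialId, long nowMillis) {
    live.values().removeIf(e -> e.expiresAtMillis <= nowMillis);   // purge expired entries
    if (live.size() >= capacity && !live.containsKey(credentialId))
      throw new IllegalStateException("recovery token store is full");
    byte[] raw = new byte[32];
    random.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    live.put(credentialId, new Entry(sha256(token), nowMillis + ttlMillis)); // keep hash only
    return token;
  }

  // remove() is atomic: any attempt, right or wrong, spends the pending token.
  public boolean consume(String credentialId, String presented, long nowMillis) {
    Entry e = live.remove(credentialId);
    if (e == null || e.expiresAtMillis <= nowMillis) return false;
    return MessageDigest.isEqual(e.tokenHash, sha256(presented)); // constant-time compare
  }

  private static byte[] sha256(String s) {
    try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
    catch (java.security.NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
  }

  public static void main(String[] args) {
    SingleUseTokenStore store = new SingleUseTokenStore(600_000L, 10_000);
    String token = store.issue("alice", 0L);                       // constructed sample id
    System.out.println("first use: " + store.consume("alice", token, 1_000L));
    System.out.println("replay:    " + store.consume("alice", token, 2_000L));
    System.out.println("after TTL: " + store.consume("alice", store.issue("alice", 0L), 600_001L));
  }
}
```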

Bumps the dev-dependencies group with 1 update: [com.codeheadsystems:hofmann-dropwizard](https://github.com/codeheadsystems/hofmann-elimination).


Updates `com.codeheadsystems:hofmann-dropwizard` from 1.2.2 to 1.3.0
- [Release notes](https://github.com/codeheadsystems/hofmann-elimination/releases)
- [Changelog](https://github.com/codeheadsystems/hofmann-elimination/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/hofmann-elimination@v1.2.2...v1.3.0)

---
updated-dependencies:
- dependency-name: com.codeheadsystems:hofmann-dropwizard
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and java labels Mar 10, 2026
@github-actions github-actions bot merged commit 8d1f6cb into main Mar 10, 2026
3 checks passed
@github-actions github-actions bot deleted the dependabot/gradle/dev-dependencies-56b182a82b branch March 10, 2026 07:45
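
A token bucket with the three parameters the changelog names (maxTokens, refillPerSecond, maxEntries) and its tryConsume(key) call, written as an added Java example rather than the project's InMemoryRateLimiter. The class name, the LRU eviction policy and the injected clock are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; BoundedTokenBucket is a hypothetical name, not hofmann-server code.
public final class BoundedTokenBucket {
  private static final class Bucket { double tokens; long lastNanos; }

  private final double maxTokens;
  private final double refillPerSecond;
  private final Map<String, Bucket> buckets;

  public BoundedTokenBucket(double maxTokens, double refillPerSecond, int maxEntries) {
    this.maxTokens = maxTokens;
    this.refillPerSecond = refillPerSecond;
    // Access-ordered map: once maxEntries keys are tracked, the least recently
    // used bucket is dropped, so a stream of never-repeated keys cannot grow the heap.
    this.buckets = new LinkedHashMap<String, Bucket>(16, 0.75f, true) {
      @Override protected boolean removeEldestEntry(Map.Entry<String, Bucket> eldest) {
        return size() > maxEntries;
      }
    };
  }

  public boolean tryConsume(String key) { return tryConsume(key, System.nanoTime()); }
  // Clock is passed in so the behaviour can be replayed deterministically.
  synchronized boolean tryConsume(String key, long nowNanos) {
    Bucket b = buckets.get(key);
    if (b == null) {                       // first sighting: start with a full bucket
      b = new Bucket();
      b.tokens = maxTokens;
      b.lastNanos = nowNanos;
      buckets.put(key, b);
    }
    double elapsedSeconds = (nowNanos - b.lastNanos) / 1e9;
    b.tokens = Math.min(maxTokens, b.tokens + elapsedSeconds * refillPerSecond);
    b.lastNanos = nowNanos;
    if (b.tokens < 1.0) return false;      // empty: reject without going negative
    b.tokens -= 1.0;
    return true;
  }
  synchronized int trackedKeys() { return buckets.size(); }

  public static void main(String[] args) {
    BoundedTokenBucket limiter = new BoundedTokenBucket(3, 1.0, 1000);
    for (int i = 1; i <= 4; i++) System.out.println("attempt " + i + ": " + limiter.tryConsume("alice", 0L));
    System.out.println("after 1s: " + limiter.tryConsume("alice", 1_000_000_000L));
    for (int i = 0; i < 50_000; i++) limiter.tryConsume("user-" + i, 2_000_000_000L);
    System.out.println("tracked keys: " + limiter.trackedKeys());
  }
}
```

Evicting a bucket also forgets how many tokens that key had spent, so maxEntries needs to sit well above the number of keys active at once.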