feat(security-post-mvp): Migrate to Spring Security OIDC and protect routes

[ArchILLtect]

Problem / context

MVP uses a servlet-based Cognito flow for speed. For robustness and standardized security, migrate to Spring Security OIDC, put user in SecurityContext, and secure routes centrally.

Proposed solution

• Configure Spring Security OIDC for Cognito (issuer-uri or full provider/client config).
• Replace servlet callback logic with Spring Security’s OAuth2 login flow (or run in parallel during transition).
• Add HttpSecurity rules: permitAll for public pages, authenticated for drill/submission, ADMIN for admin CRUD.
• Map OIDC claims to authorities (e.g., email/roles) and expose principal in controllers as needed.
• Keep secrets in env/SSM; remove any unused servlet auth code post-migration.

In scope / Out of scope

In scope

• Security config, route protection, principal mapping, docs updates.

Out of scope

• Advanced RBAC, custom user provisioning.

Acceptance criteria

• Visiting protected routes redirects to Cognito and returns successfully
• SecurityContext holds the authenticated principal; controllers can inject it
• Public vs. protected vs. admin routes behave as expected
• Secrets are read from env/SSM (no repo secrets)
• Legacy servlet-based auth removed (or clearly deprecated) after migration

Area

area:security

Dependencies / related issues

Relates to: Issue #10 - Protect Routes and Challenge Data - Supersedes: Issue #8 - Authentication (MVP) for long-term auth strategy

Checklist

• I’ve checked existing issues for duplicates.
• I can help implement this and open a PR.