dudiic / scheduler Goto Github PK

View Code? Open in Web Editor NEW

0.0 0.0 0.0 327 KB

App for managing the timetable (rejected)

License: MIT License

Java 100.00%

java spring-boot spring-data-jpa spring-framework spring-platform

scheduler's Introduction

💻 JAVA DEVELOPER

⭐ programming enthusiast 🎧 music fanatic

Main tech stack

scheduler's People

Contributors

Watchers

scheduler's Issues

Wrong date format in errors

Change the date format to 24-hour (currently 12-hour) and fix incorrectly specifying minutes (do not match the actual state of affairs).

Sonarqube issue #3

Add at least one assertion to this test case.

scheduler/src/test/java/com/md/scheduler/SchedulerApplicationTests.java

Lines 6 to 13 in 699287c

 @SpringBootTest 

 class SchedulerApplicationTests { 

 @Test 

 void contextLoads() { 

 } 

 }

SonarCloud linked issue

That test class should be removed.

Visible password

When attempting to register a user, if the password is not correct, the JSON returns an unhashed string containing the proposed password in response. For example:

{
    "timestamp": "2021-05-03 13:06:33",
    "status": "400 BAD_REQUEST",
    "message": "Validation error",
    "details": [
        {
            "object": "registerDto",
            "field": "password",
            "rejectedValue": "PROPOSED PASSWORD", <<<=== visible password here 
            "message": "password must be 8-24 characters long"
        }
    ]
}

Empty fields in JSON to registration

For example for JSON:

{
    "email": "[email protected]",
    "username": "exampleUser"
}

Server returns status INTERNAL_SERVER_ERROR instead of information from validator with BAD_REQUEST status.

Build-in Spring Validation annotations instead of own @Password annotation

All implemented password validation fragments in your own @Password annotation can be solved with the help of annotations provided by spring validator.

Sonarqube issue #4

Remove this unused imports

scheduler/src/main/java/com/md/scheduler/configuration/security/SecurityConfig.java

Line 7 in 699287c

import org.springframework.http.HttpStatus;

scheduler/src/main/java/com/md/scheduler/configuration/security/SecurityConfig.java

Line 16 in 699287c

import org.springframework.security.web.authentication.HttpStatusEntryPoint;

SonarCloud linked issue 1
SonarCloud linked issue 2

Refactoring `JwtAuthTest`

After getting to know the libraries for testing better, I noticed a lot of anomalies and bad practices in this test class.

First, instead of marking everything with @Autowired annotation, you can provide implementations using mockito, not using the entire spring, and an additional database for testing (because these are no longer unit tests). Like here:

scheduler/src/test/java/com/md/scheduler/configuration/security/JwtAuthTest.java

Lines 43 to 44 in 813db83

 @Autowired 

 private UserRepository userRepository;

This should have a significant impact on the test execution time because at the moment you can see a big difference to the other test classes.

Sonarqube Security Hotspot #2

Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.

scheduler/src/main/java/com/md/scheduler/users/registration/NewUser.java

Lines 23 to 24 in 703b4ea

 @Pattern(regexp = "^[a-zA-Z0-9]+$", message = "username can only consist of alphanumeric characters") 

 private String username;

scheduler/src/main/java/com/md/scheduler/users/registration/NewUser.java

Lines 31 to 35 in 703b4ea

 @Pattern(regexp = ".*[a-z].*", message = "password must contains at least one lowercase") 

 @Pattern(regexp = ".*[A-Z].*", message = "password must contains at least one lowercase") 

 @Pattern(regexp = ".*\\d.*", message = "password must contains at least one digit") 

 @Pattern(regexp = ".*[!@#$%&*()_+=|<>?{}\\[\\]~-].*", message = "password must contains at least one special character") 

 private String password;

SonarCloud linked hotspot

Sonarqube issue #2

Use try-with-resources or close this "ServletServerHttpResponse" in a "finally" clause.

scheduler/src/main/java/com/md/scheduler/configuration/security/RestAccessDeniedHandler.java

Lines 27 to 34 in 699287c

 public void handle( 

 HttpServletRequest request, 

 HttpServletResponse response, 

 AccessDeniedException accessDeniedException) 

 throws IOException, ServletException { 

 ServletServerHttpResponse res = new ServletServerHttpResponse(response); 

 res.setStatusCode(HttpStatus.FORBIDDEN); 

 res.getServletResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);

SonarCloud linked issue 1

scheduler/src/main/java/com/md/scheduler/configuration/security/RestAuthenticationEntryPoint.java

Lines 27 to 34 in 699287c

 public void commence( 

 HttpServletRequest request, 

 HttpServletResponse response, 

 AuthenticationException exception) 

 throws IOException, ServletException { 

 ServletServerHttpResponse res = new ServletServerHttpResponse(response); 

 res.setStatusCode(HttpStatus.UNAUTHORIZED); 

 res.getServletResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);

SonarCloud linked ussue 2

Login endpoint in OpenAPI

To generate the documentation, a controller without implementation was created.

scheduler/src/main/java/com/md/scheduler/configuration/security/LoginController.java

Lines 9 to 18 in 251423c

 @RestController 

 @RequestMapping("/api/v1/login") 

 @Tag(name = "login") 

 class LoginController { 

 @PostMapping 

 public BearerToken login(@RequestBody AuthCredentials authCredentials){ 

 return new BearerToken(); 

 } 

 }

There is no information that the logic is implemented elsewhere.

The best solution is to rebuild so that authorization is done with a dedicated service instead of a request handler (based on this post).

Sonarqube issue #7

This class has 6 parents which is greater than 5 authorized.

scheduler/src/main/java/com/md/scheduler/users/registration/UserAlreadyExistAuthenticationException.java

Lines 5 to 10 in 699287c

 public class UserAlreadyExistAuthenticationException extends AuthenticationException { 

 UserAlreadyExistAuthenticationException(final String msg) { 

 super(msg); 

 } 

 }