(pre condition - valid token in Request header)

@path("/tank/list")
@get
@produces("application/json")
JsonObject listTanks()
result: OK
tanks : [
{
"id":"1",
"name":"MyMiniReef"
},
{
"id":"2",
"name":"MyBigReef"
}
]

 result: ERROR
 message: Error description

@path("/tank/create")
@post
@consumes("application/json")
@produces("application/json")
JsonObject createTank(JsonObject psJson) # tank: name

  result: OK
  tankId: 2

  result: ERROR
  message: Error description

Providing internal objects database IDs as resource IDs are a potential security risk.
To minimize this risk all ResourceIDs that will be published to the clients needs to be obfuscated, such that a client won't be able to access a different object just by incrementing the ID. In addition any invalid ID provided by the client should be logged in a special fraud-detection log with the clients IP.

Lockback is the successor of log4j, see https://www.baeldung.com/logback

The register process takes some secs because of the included email (which takes a bit on the pi because of the TLS handshake).

The user currently hardly see that the button has been pressed and tends to press it again.
This should be somehow improved.

This seems to be a bit tricky, as because of relying on eclipselink we need to provide a link into mavens build repository, see servers pom.xml

                   <jvmArguments>
                        -javaagent:${settings.localRepository}/org/springframework/spring-instrument/${spring.instrument.version}/spring-instrument-${spring.instrument.version}.jar
                    </jvmArguments>

for the git runner we may use ~/.m2/ but then again it wouldn't match my local repository setup.
Hm....working with maven profile here?

If this happens we need to redirect the user to an expired xhtml info page.

See testInvalidatedUserCanNotSignIn()

Needs to be investigated. currently results in an HttpRetryException, instead of retrning a
proper status-code. Needs to be adopted in such way, that the user get's a message about the incomplete registration process instead.

Reproduce with a registered user, who has not been validated yet.

you can't go live without it.

Currently the email address is being as login.
Shall we keep the email address as login and only identifier, or shall we use the username as possible login, too?

Current swagger-ui is not working. See springfox/springfox#1615
if we can fix the configuration here.

This is a rather an edge case, but for educational reasons I require to do a first iOS App to get a feeling about development costs here which might help me on business cases in my other life...

In addition the tasks for a major WebApp which will be most commonly used is currently taken by @Alexander-voss

To avoid DoS by spilling the database with new users the register process required a captcha token.
In addition we should limit the amount of new users per minute and provide an internal alert if the threshold is being exceeded.

Unexpected result by the test below is:

org.springframework.http.InvalidMediaTypeException: Invalid mime type "text;charset=ISO-8859-1": does not contain '/'

@Test
/**
 * Test to check that our WebSecurityConfig is effective.
 */
public void testUnauthorizedListUsersTankRequest() throws Exception {

    // Given User presentation by a faked auth token
    String authToken = "faked";

    // when this authorized user requests his aquarium list
    HttpHeaders headers = new HttpHeaders();
   // headers.setContentType(MediaType.APPLICATION_JSON);
    headers.add("Authorization", "Bearer " + authToken);

    HttpEntity<String> requestEntity = new HttpEntity<>(headers);
    ResponseEntity<String> responseEntity = restTemplate.exchange("/api/tank/list" , HttpMethod.GET, requestEntity, String.class);

    // then we should get a 403 as result.
    assertThat(responseEntity.getStatusCode(), equalTo(HttpStatus.FORBIDDEN));

}

Strange is that this testcase was derived by this one which is running with no complains:

@Test
public void testListUsersTank() throws Exception {
    // given some Testdata via mocking

    UserTo userTo = new UserTo();
    userTo.setEmail(MOCKED_USER);
    userTo.setId(1L);
    given(this.userDao.loadUserByEmail(MOCKED_USER)).willReturn(userTo);

    List<AquariumTo> testAquariums = new ArrayList<>(1);
    AquariumTo aquariumTo = getTestAquariumFor(userTo);
    testAquariums.add(aquariumTo);

    given(this.aquariumDao.findUsersTanks(userTo.getId())).willReturn(testAquariums);

    // and we need a valid authentication token for oure mocked user
    String authToken = TokenAuthenticationService.createAuthorizationTokenFor(MOCKED_USER);

    // when this authorized user requests his aquarium list
    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_JSON);
    headers.add("Authorization", "Bearer " + authToken);

    HttpEntity<String> requestEntity = new HttpEntity<>(headers);

    // Notice the that the controller defines a list, the resttemplate will get it as array.
    ResponseEntity<String> responseEntity = restTemplate.exchange("/api/tank/list" , HttpMethod.GET, requestEntity, String.class);

    // then we should get a 202 as result.
    assertThat(responseEntity.getStatusCode(), equalTo(HttpStatus.ACCEPTED));

    // and our test aquarium
    AquariumTo[] myObjects = objectMapper.readValue(responseEntity.getBody(), AquariumTo[].class);
    assertThat(Arrays.asList(myObjects), hasItem(aquariumTo));

}

the generated swagger doc version 2.9.2 starts inserting the default return codes 200

See springfox ticket

e.g. Alveopora are told to hold often no longer than half a year. It would be interessting to see a difference in average water parameters between those with a short live and those who last longer...

Those tasks needs to be finished, before going live:

Configuration

• Application Properties: change Development to Production
• Add Nginx for Port 80 before the SpringBootApp
• Use Let's encrypt
• Automatically save production configs to local NAS

Establish Backup & Recovery Plan

• Setting up Database replication
• Recovery by Ansible deployment and documented Pi setup plus DB from replica

Operational

• Wrote a small "Don't panic" operational guide.
• Some Monitoring and Alerting?

Final QA

• Write manual regression testplan for further releases
• Conduct first regression QA according testplan

I love Spain. Beneath my mother tongue and english for i18n capabilities, we shouldn't miss Spain here.
So the task is translating the existing resource bundle to provide a spanish version of sabi.

BackenAPI should be already sufficient for it.

• Just a nice chart page, showing users own measurements.
• Capability to downloads own measures as CSV-File as Backup for the user or further processing

There are certain remedies against cyano bacteria. However they do not lead to success in all cases. It would be good to see if the remedy success rate depends on the type of cyano bacteria (thesis).

Example remedy:
Microbe special blend in combination with nite out II

Could not connect to the captcha service http://sabi.bluewhale.de:8081/captcha/api/check/{code}
java.io.IOException: Could not connect to the captcha service http://sabi.bluewhale.de:8081/captcha/api/check/{code}

This happens from time to time during a registration process.

This happens if the JSON is invalid. Should be listed as possible result code in the API.

Some kind of business monitoring. Would be nice for being able to track when user counts rises, to learn which promotions are successful and which are not.

(I already have prometheus running).

If the username already exists, a 409 is expected as return code according to APIdoc.
Instead we get an HTTP 500.

sabi.log shows that the situation has been recognized:
java.sql.SQLException: Duplicate entry 'mezzoMix' for key 'UQ_USERNAME'

For being able to notify the users on scheduled updates etc. we require to have a modt like info service on the backend.

rest api, locale based
messages are created manually in the database. They will have a valid date.

Currently we have scientific name and a description as well as an uri to further reference, whereas the further reference may be a wiki which is again in a specific language.

For being able to really use the fish catalogue we nee to offer
i18n to (description, url)

Using spring boot application is better for the desired target runtime environment - a raspberryPI.

Is your feature request related to a problem? Please describe.
Often I'm just too busy and forgot to do measurements on a regular basis.

Describe the solution you'd like
It would be nice to have this possibility through sabi, e.g. located in the user profile.
Triggering a email reminder every week or x days.

Describe alternatives you've considered
This is just a calendar trigger. Users could choose their favorite calender solution.

Additional context
An email trigger could also be used to inform about maintenance windows, or even to place the Add of a project sponsor.

Despite the fact of setting on a very mature frontend technology (jsf/primefaces) here, I'm trying to set on a mobile first approach. However some users my use their laptop.

Currently I'm focus on the functionality for the MVP.

For this task it would be just great, to have some help by a senior jsf/primefaces frontend engineer(in) to give it the right responsive shape.

The current stylesheet I have in place ist just a dummy. The primary goal is to have it look OK on a PCs browser, and the secondary it should be readable without the need to zoom in on a mobiles device screen.

I habe to admit, that this is no mobile first approach, you may persuade me to do it the other way round. But for now I'm playing with the idea to go native with the mobile option later on.

Go through the REST API and add the swagger annotations and provide the required ecosystem, so that users have access to the API.

Currently we have one UserTo for all: register and login - with optional values.
This is confusing for API developer. The task is to provide specialized TOs for the API usage. Internal it can still be mapped to a common user representation.

There can't be an import through one of the wiki resources to avoid any copyright issues.
Also sabi aims not be be just another wiki. The fishes are far more better described in the many official wikis that are maintained by the different aquarists groups.

However, as the wikis are often "implement" a closed character, I will enable the users to describe the individual behavior of their fishes within sabi, which in turn will be subjected to the BI process in future. For being able to compare data about fishes we need a unique reference of them. This is the purpose of the fish catalogue.

How to build the catalogue? The idea is user generated content. Each tank owner knows his fishes, will be able to link them to the existing ones of the catalogue and make a proposal for new entries.
A new proposal can be instantly used by the user who makes it. However for public uses the proposal needs to be approved by a user with admin role (Responsibility of that user is: to avoid duplicates or any other legal issue).

A challenge will be to allow users to maintain the i18n aspects of the fish catalogue (description, url).

This is required to protect the JWTs.

Describe the bug
Subsequent request after session timeout is not handled correctly.

To Reproduce
Steps to reproduce the behavior:

1. Login
2. Go to a view, wait 30+ min (or reduce the session value for testing)
3. Navigate to another view
4. See error, e.g. view not reacting

Expected behavior
Navigation to a view explaning the problem to the user and offer a link to the login page.

To be able to monitor the JVM we integrate the actuator/prometheus endpoint.

e.g. see email-validation workflow. the validated flag will be updates, but the lastmod_on date won't be set.

See UserServiceImpl.java:

    // todo integrate pw-policy and throw an Password_Too_Weak

-> wiki docu and swagger API needs to be updates on that as well
-> clients needs to be adapted as well if there are any yet.

BackendAPI should be sufficient for it.

Just an overview of users profile, with the ability to change settings like language, country, password.
Not more for the beginning. Will be extended with future releases.

• Do some developer documentation on the used i18n design-concept on the wiki
• Implement the concept (as example) for the login/registration dialog ( #12)

BackendAPI is already available for it

They shouldn't be open to the world, as they may reveal to much about the environment to a possible attacker.