DecryptSession requires a session to continue the request.

Write a Optional DecryptSession that would only read and decrypt the session if its there, else it just continues.

This would be used for resources that would optionally render user's content if they were logged in.

Betweens or Resources should be able to throw an Exception or return an Either that would result in a error handler being executed. These would be for any status code.

• 401, 403, etc.

Candidate is add, statusCode to HaltException.

add user agent and ip address to request.

The Request object's user instance variable type should be a generic.

The Response object's session instance variable should be a generic.

The Response object should have a user instance variable and it should be a generic

Allow groups to be added without adding a target. This reduce target builder methods.

Given a post request with a request body
When the request body contains data the will help route the request
Then the dispatcher should inspect the request body to determine how to route the request.

https://github.com/FasterXML/jackson-docs/wiki/Presentation:-Jackson-Performance

Allow the ability to use plain text sessions via:

• Unsecured JWT
• Secured JWT (signed)

I think it should follow this RFC. There may be other RFS out there too.

Dispatch Errors that occur in engine

• When a ask's url is not found.
• When a ask has a invalid content-type
• 404, 415, ...

Given a request
with the header Content-Type: application/json
When the url is matched and it expects Content-Type: application/json; charset=utf-8
Then add the header X-Reasons which is a unsecure jwt with the payload

[
  {
    "k": "Content-Type",
    "v": "application/json",
    "src": "hdr", 
    "exp": ["application/json; charset=utf-8"], 
    "msg": ""
  },
]

And set the status code to 415
And dispatch the request to a configured Unsupported Media Type Route.

Async chunk size should be configurable.

the interface for adding error handlers/resources to groups and targets should be named the same.

Given a request url with url parameters
When the url parameters help to determine which resource should handle the request
Then the dispatcher should look at the url parameters for routing.

Rename RestResource to RestController
Rename Resource to Resource.

There may also be other builders, etc that need to be renamed too.

At the moment building a executable war works with one limitation.

I have noticed that if there is the possibility of namespace collision for packaged files. This prevents starting the application via the executable war . I've beeb able to get around this issue by doing the following in a project's war task, `exclude "path/to/file.txt". This can only be done for files that are not needed, such as text files.

Package the war file to eliminate namespace collision modify the class path so jetty knows how to find everything.

Ultimately there should be a HtmlResource and RestResource which do not extend a base class from one another.

Will have separe paths to configure the application.
Will have two interfaces to add a target, HTML and Rest.

Will require unique:

• Request
• Response
• Between
• Betweens
• LocationTranslators
• Route
• Resource
• Target
• Group
• Global Errors may need to be deprecated because otter wont know if it was a Rest or Html Ask.

Use the Maven Publish Plugin with gradle to publish artifacts to maven central

Should JsonTranslator have a parameterized type?

Add typical header values as constants.

The embedded container should be able to be configured with a location to its request log.
http://www.eclipse.org/jetty/documentation/9.3.x/configuring-jetty-request-logs.html

The entry servlet should delegate configuration and routes via a Configure.

public interface Configure {
    void configure(Gateway gateway);
    void routes(Gateway gateway);
}

Consider:

• GZIPOutputStream Could be used some how.
• Jetty has an implementation to compress responses.

Make a CSRF strategy that is stateless. Perhaps the Double Submit Cookie. Optionally the cookie can be a secure jwt.

Given a Request
When its routed to a RestResource
Then the Request and Response should have a ivar payload
And the payload's data type is a Java class that represents it's shape

Review unchecked casts and see if they can be checked.
Culprits are shown in build.

The example app should be a sub project/module in this repo

because reflection is no longer used the session interface is no longer needed

Can the session and user definitions be unique to a resource?

Given the Engine
When a not found, unsupported media type, or unexpected exception occurs
And the coordinate has the appropriate error route
Then execute the the coordinate's error route.

Document how to write an app.

ReadListener can throw a NPE when either are null:

• gatewayResponse.getPayload()
• gatewayResponse.getTemplate()

Then the AsyncContext never completes.

upgrade to jdk 12 and gradle 5.5

Resources should be able to specify the content types it accepts.
If a request fails to validate then return a 415 unsupported media type.

Given XSS
When I attempt to make a request to another url
And I have access to CSRF cookie
And I don't have access to form input value
Then prevent the request via CSRF protection.

Unable to protect
XSS same page attacks cannot be protected.
Because attacker has access to cookie and form value.

Framework Errors

• Unexpected errors that occur in the Otter Framework.
• 500

These will require configuring the underlying i/o framework.

use servlet api 4.0

When a request enters the entry servlet add a fishtag with thread context.

When a request enters otter then check for a trace id header, X-Correlation-ID, and add it to the thread context.

Processing Errors

• Currently in RouteRun
• RuntimeException from a Resource
• 400, 500, ...

When adding groups
Then allow a custom authentication between to be assigned to that group.

When the label for authentication is used
Then reference that groups authentication between.

Two labels are needed, required and optional.

When a resource is registered with the gateway
Then return it's route.

This feature will allow modifying the before or after betweens configure.

Implement a way to auto scaffold a project.
Maybe through a gradle plugin?