getyoti / yoti-java-sdk


The Java SDK for interacting with the Yoti Platform

Home Page: https://developers.yoti.com/yoti/getting-started-app

License: MIT License

Java 97.96% HTML 1.19% CSS 0.85%
yoti 2fa multifactor-authentication verification identity login register sdk java spring-boot

yoti-java-sdk's People

Contributors

bucky-boy, davidgoate, davidgrayston, dependabot-preview[bot], dependabot[bot], echarrod, emmas-yoti, gitplaneta, irotech, kiranbali, markmclaren, mrburtyyy, nikhilpank, qzagarese, vassyz


yoti-java-sdk's Issues

Dependency org.yaml:snakeyaml, leading to CVE problem

Hi, in /examples/doc-scan, there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path:

Path Length: 8

com.yoti.docscan.demo.service.DocScanService: getMedia(java.lang.String,java.lang.String)Lcom.yoti.api.client.Media; /download/apache-maven-3.6.3/repository_mount/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
com.yoti.api.client.docs.DocScanClient: getMediaContent(java.lang.String,java.lang.String)Lcom.yoti.api.client.Media; /download/apache-maven-3.6.3/repository_mount/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
com.yoti.api.client.docs.DocScanService: getMediaContent(java.lang.String,java.security.KeyPair,java.lang.String,java.lang.String)Lcom.yoti.api.client.Media; /download/apache-maven-3.6.3/repository_mount/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
com.yoti.api.client.docs.DocScanService: findContentType(com.yoti.api.client.spi.remote.call.SignedRequestResponse)Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.13.3/jackson-core-2.13.3.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.13.3/jackson-core-2.13.3.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.13.3/jackson-core-2.13.3.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree:

[INFO] com.yoti.docscan.demo:doc-scan-demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.1:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.1:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.64:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.64:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.7.1:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.15.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:compile
[INFO] |  |     +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] |  \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.7.1:compile
[INFO] +- org.springframework.session:spring-session-core:jar:2.7.0:compile
[INFO] |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.7.1:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.1:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.4.8:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO] |  |        \- org.ow2.asm:asm:jar:9.1:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] |  +- org.assertj:assertj-core:jar:3.22.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.11:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.11:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-test:jar:5.3.21:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.9.0:test
[INFO] \- com.yoti:yoti-sdk-api:jar:3.6.0:compile
[INFO]    +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO]    |  +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO]    |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO]    +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO]    +- com.google.protobuf:protobuf-java:jar:3.21.12:compile
[INFO]    +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    \- org.apache.httpcomponents:httpmime:jar:4.5.13:compile
[INFO]       \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]          \- org.apache.httpcomponents:httpcore:jar:4.4.15:compile

Suggested solutions:

Update dependency version

Thank you very much.
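One way to apply the suggested fix in the demo's Maven build (an added example, not the project's own pom.xml): pin the transitive org.yaml:snakeyaml to a version outside the affected range [0,1.31). The property name snakeyaml.version is the one Spring Boot's dependency management uses for this artifact; the explicit dependency form works even if the pom does not inherit from spring-boot-starter-parent.

```xml
<!-- Added example, not the doc-scan demo's own pom.xml. -->

<!-- Option A: the pom inherits from spring-boot-starter-parent,
     so overriding the managed version property is enough. -->
<properties>
    <snakeyaml.version>1.31</snakeyaml.version>
</properties>

<!-- Option B: declare the dependency directly; a direct dependency
     with an explicit version wins over the transitive 1.30 pulled in
     through spring-boot-starter (Maven "nearest wins" resolution). -->
<dependencies>
    <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.31</version>
    </dependency>
</dependencies>
```

Confirm the resolved version afterwards with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`, which should now list 1.31 (or later) instead of 1.30.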

Exceptions & Error Handling

Hi guys,

I've been thinking that from a client perspective, using the Yoti Client to call getActivityDetails(token) can be a somewhat confusing operation to deal with when it comes to failure modes.

The method signature does helpfully document the checked exception com.yoti.api.client.ProfileException. However, the JavaDoc is somewhat vague about when and why this might happen and who may be at fault.

I'm not suggesting we necessarily should change the method signature or even necessarily the JavaDoc. However, what might be good to know from a documentation perspective (even the project README.md) is what main/likely scenarios cause this.

E.g. even with a little internal knowledge I'm not entirely clear whether this exception could be raised due to:

  • An issue connecting to Yoti Connect.
  • Some type of deserialization issue or runtime issue constructing the objects required to build the ActivityDetails.
  • An invalid token being supplied.
  • An issue with the profile of the user using the application. E.g. if my Yoti app required name, selfie, DOB and email and one or more of these attributes is not present in the user's profile, can I identify this scenario with this exception?

The importance of the distinction can be as simple as "what error message I want to display to the user (i.e. is it something they did wrong and I can provide them a tip/help to fix it) or is it something wrong on the server or intermittent issue talking to Yoti".

However, this may also impact developers at a more technical level, e.g. whether I pick an HTTP 4xx or 5xx series response code and whether I'd choose to log the error or not.

It may also impact whether I'd want alerting tools to pick this up, e.g. if it's a user error probably not - but if it's some connectivity issue or server-side problem perhaps I want proactive alerting.

Just want to open a dialog for discussion on this guys. Thanks.

Full name attribute returns null

Unexpected Behaviour For Getting Full Name With Client SDK

In version 1.1 of the Java SDK, the com.yoti.api.client.HumanProfile#getFullName method returns null even though the given names and family name attributes contain values.

Expected Behaviour

I have looked into the default Yoti Client Impl module and although the JavaDoc says:

/**
 * Equal to ${given_names} + " " + ${family_name}.
 *
 * @return the given names + the surname
 */
String getFullName();

Implementation Details

In reality it is actually trying to load another attribute (rather than being a convenience method that appends two String values).

The code does this (com.yoti.api.client.spi.remote.HumanProfileAdapter#getFullName):

private static final String ATTRIBUTE_FULL_NAME = "full_name";
return wrapped.getAttribute(ATTRIBUTE_FULL_NAME);

So it would seem that in fact there was no value for that attribute.

Questions

  1. Not sure whether the cause is that the SDK is trying to load the incorrect attribute value or if, in fact, that attribute isn't provided by the backend.
  2. Perhaps we should change the JavaDoc to more strongly indicate that it's not a convenience method.
  3. If this attribute doesn't exist we should decide to either: deprecate the method, remove the method (making it a breaking change for version 1.2 of the Java client SDK), or change the implementation to just append the first and last names.

Edits

@vassyz has also indicated that this attribute value is referenced in the PHP SDK, so we should ensure the decision to move forward is consistent across all SDK implementations so that developers are not confused by inconsistent behaviour.
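To illustrate the third option from the questions above, here is an added sketch (not the SDK's own code) of a getFullName that keeps the documented behaviour when the backend supplies no full_name attribute: it falls back to joining given_names and family_name and returns null only when neither component is present. The AttributeSource interface is a stand-in for the wrapped profile, introduced here only so the example runs on its own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added example, not the Yoti SDK's HumanProfileAdapter.
final class FullNameFallback {
    static final String ATTRIBUTE_FULL_NAME = "full_name";
    static final String ATTRIBUTE_GIVEN_NAMES = "given_names";
    static final String ATTRIBUTE_FAMILY_NAME = "family_name";

    // Hypothetical stand-in for the wrapped profile's attribute lookup.
    interface AttributeSource {
        String getAttribute(String name);
    }

    static String getFullName(AttributeSource wrapped) {
        // Prefer the backend-supplied attribute when it is actually present.
        String full = wrapped.getAttribute(ATTRIBUTE_FULL_NAME);
        if (full != null && !full.trim().isEmpty()) {
            return full;
        }
        // Otherwise compose it as the JavaDoc promises, skipping missing parts
        // so a profile with only a family name does not yield " Lovelace".
        String joined = Stream.of(
                wrapped.getAttribute(ATTRIBUTE_GIVEN_NAMES),
                wrapped.getAttribute(ATTRIBUTE_FAMILY_NAME))
            .filter(s -> s != null && !s.trim().isEmpty())
            .map(String::trim)
            .collect(Collectors.joining(" "));
        // Single null contract for callers: null means "no name data at all".
        return joined.isEmpty() ? null : joined;
    }

    public static void main(String[] args) {
        // Constructed sample profile: given_names and family_name set, no full_name.
        Map<String, String> attrs = new HashMap<>();
        attrs.put(ATTRIBUTE_GIVEN_NAMES, "Ada");
        attrs.put(ATTRIBUTE_FAMILY_NAME, "Lovelace");
        System.out.println(getFullName(attrs::get));

        // Constructed sample with no name attributes at all.
        System.out.println(getFullName(new HashMap<String, String>()::get));
    }
}
```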
