lealceldeiro / gms Goto Github PK

Replace all usages of java.util.Date in the whole codebase.

Some examples of classes using this are:

JWTService, JWTAuthenticationFilter, SecurityController

Is your feature request related to a problem? Please describe.

In classes such as PostgreSQLBAuthorizationDAO, when querying the DB, the arguments for the entity field names are being hardcoded, i.e.: eUsername.

Describe the solution you'd like

This should be handled, for example, using an entity metamodel.

Additional context

Some quick info can be found around there, see https://stackoverflow.com/questions/3037593/how-to-generate-the-jpa-entity-metamodel and https://www.baeldung.com/hibernate-criteria-queries-metamodel

Change service injected in storage.service.ts from LocalStorage to StorageMap as described at https://github.com/cyrilletuzi/angular-async-local-storage#api since LocalStorage is legacy.

Add a proper comment in some missing javadocs comments. i.e.:

Describe the bug
When the API server is being started it is automatically shutdown

To Reproduce
Steps to reproduce the behavior:

1. start the API application (server)

Expected behavior
The application to be kept running

Desktop (please complete the following information):

• OS: any

Additional context
the running application was put inside a try with resources which is causing an automatic close of the resources (the appl context), which shuts it down. See https://github.com/lealceldeiro/gms/blob/master/server/src/main/java/com/gms/Application.java#L39

Describe the bug
Check incompatiblity issues between @DaTa (from lombok) and @entity from Hibernate

To Reproduce

• Needs investigation

Expected behavior

• No incompatibility issues.

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Enhance banner with a piece of more descriptive information (nothing specific to add here, it's worth considering it having in mind the current state of the project) and an enhanced format using maybe https://devops.datenkollektiv.de/banner.txt/index.html

Describe alternatives you've considered
Another generator to consider is http://patorjk.com/software/taag. Also, some more related info is available in https://memorynotfound.com/spring-boot-create-custom-banner-example/ and https://stackoverflow.com/q/33797009/5640649

Additional context
Right now there is only a very basic text showing that the application is running and the version of spring boot over which it is running.

Describe the bug
While doing push, when the git hooks run, one of them is running some integration tests for the frontend and is failing on the Unix environment because it requires the chrome variable to be set.

To Reproduce
Steps to reproduce the behavior:

1. Try to do push
2. You'll se the error No binary for ChromeHeadless browser on your platform

Expected behavior
To run smoothly all the test (git hooks) and push properly.

Desktop (please complete the following information):

• OS Linux Mint

Additional context
Adding export CHROME_BIN=/usr/bin/chromium-browser before running the actual tests in the git hooks should solve the problem.

Is your feature request related to a problem? Please describe.
By default, all resources automatically managed by Spring when org.springframework.boot:spring-boot-starter-hateoas is present in the application are returned (on creation, for example) has hateoas resources. Some custom endpoints which are not handled by Spring repositories, but are custom endpoints, do no follow this approach.

All endpoints should be standardized to return the resources the same way, for example on Brole creation as a response body we get something like:

{
  "label": "Role label",
  "description": "Some descriptionr",
  "enabled": true,
  "id": 37,
  "_links": {
    "self": {
      "href": "<url>"
    },
    "bRole": {
      "href": "<url>/role/37"
    },
    "permissions": {
      "href": "url/role/37/permissions"
    }
  }
}

But, for other endpoints such as the one for user creation (custom ones) the response body is empty.

Describe the solution you'd like
Return the newly created|deleted|updated resource information as it is returned by the default spring hateoas project.

Is your feature request related to a problem? Please describe.
No, but if this is not automatically removed by the tree-shake, the bundle could be some kb more than needed.

Describe the solution you'd like
Remove these resources from the final bundle(s) if possible.

Describe the bug
Sensitive information stored in the local-storage can be stolen by using an XSS attack

To Reproduce

• Follow attack demos in the linked source

Expected behavior
Do not store sensitive information such as username, security tokens, etc, in local storage.

Instead it can be used:

• Cookies and use the HTTPOnly and Secure flags
• Session storage

Additional context
Consider modifying some of the classes involved in the front-end in storing this kind of sensitive information. i.e.:

• SessionService

Is your feature request related to a problem? Please describe.

For example, in the current logic, something like

EUser u = userService.signUp(
                user.getContent(),
                UserService.EmailStatus.VERIFIED,
                UserService.RegistrationPrivilege.SUPER_USER
        );

the third and fourth arguments are always VERIFIED for the email status and SUPER_USER for registration privilege.

Describe the solution you'd like
This should be reworked when the security system is fully functional, and proper permissions have been placed properly for each system role.

Describe the bug
The messages associated to their keys are not being resolved properly.

To Reproduce

1. Make a POST request to the login endpoint with an incorrect credentialas
2. In the response body see some similar to:

{
    "path": "<login path>",
    "message": "security.bad.credentials",
    "error": "security.unauthorized",
    ....
}

Expected behaviour
To see something like:

{
    "path": "<login path>",
    "message": "Bad credentials",
    "error": "Unauthorized",
    ....
}

Notice here the values for message and error are Bad credentials and Unauthorized, not their i18n keys security.bad.credentials and security.unauthorized

Additional context
Possible classes related in this issue:

• com.gms.util.i18n.MessageResolver
• com.gms.config.locale.LocaleConfig

Some classes which extend Serializable may be serialized and deserialized, compromising security. Some example of these classes are BAuthorization and GmsEntity (and all other extending from it such as EUser).

Some investigation should be done to remove this capability if possible.

Is your feature request related to a problem? Please describe.
Not a problem, but right now most of the test are e2e. It is necessary to write unit test for classes that require it.

Describe the solution you'd like
Implement unit test for backend classes using Mockito (maybe consider PowerMockito) for static methods.

Describe alternatives you've considered
https://site.mockito.org/
https://github.com/powermock/powermock/wiki/mockito

Is your feature request related to a problem? Please describe.
As an open source project anyone can get access to the keys hardcoded in client/src/app/core/session/session.service.ts (SessionService#keys.*). This may represent a serious security risk.

Describe the solution you'd like
These values should be generated randomly.

Describe alternatives you've considered
Math.random seems to be a good starting point.

Additional context
If there is any utility class that could do the job, that'd be great.

Describe the bug
On a Unix environment, when some changes are pushed the git hooks are not executed unless they are granted the execution permission manually through the console.

To Reproduce
Steps to reproduce the behavior:

1. Make some changes in the source code
2. Commit those changes
3. Push those changes
4. See how the changes are pushed but the git hooks are not executed. Additionally, you get a message in the console: The '.git/hooks/pre-push' hook was ignored because it's not set as executable.

Expected behavior
To get the git hooks executed before pushing unless some git options such as --no-verify is used.

Screenshots

Desktop (please complete the following information):

• OS: Linux Mint