Merge branch 'master' into add-tips-in-ug

docs/AboutUs.adoc

@@ -12,7 +12,7 @@ We are a team based in the http://www.comp.nus.edu.sg[School of Computing, Natio
 
 === Ang Wei Neng
 image::wn96.png[width="150", align="left"]
-{empty}[https://www.weineng.io[homepage]] [https://github.com/wn96[github]] [<<weineng#, portfolio>>]
+{empty}[https://www.weineng.io[homepage]] [https://github.com/wn96[github]] [<<wn96#, portfolio>>]
 
 Role: Team Lead +
 Responsibilities: Integration + Git expert

docs/DeveloperGuide.adoc

@@ -416,51 +416,99 @@ Before critical actions such as deleting a loan can be performed, admin authenti
 should be required. This ensures that only authorized users are able to perform critical actions.
 This is done by requiring a password before performing a critical action.
 
-* Current Implementation *
-There are three stages in this implementation:
+==== Current Implementation
+The authentication mechanism is provided by `Password`. It implements the following operations that facilitates authentications:
+
+* `Password#isSamePassword(currentPass, providedPass)` -- Checks if both `providedPass` and `currentPass` are the same password after decryption.
+* `Password#generateSalt()` -- Generate a hash salt for the app.
+* `Password#encrypt(providedPass, salt)` -- Encrypt `providedPass` using hashing `salt`.
+
+Given below is an example usage scenario and how the authentication mechanism behaves at each step:
+
+Step 1. The user launches the application for the first time. `UserPref` will be initialised with a randomly generated salt by calling `Password#generateSalt()`, and a default hashed password from `a12345`.
+
+Step 2. The user executes `setpass a12345 newP4sS` command to change the password to `newP4sS`.
 
-==== Allowing the `delete` command to accept a password
-1. To allow `delete` command to accept a password, we set a stub password of `a12345` and require all `delete` command to take in a password argument.
-* When password is wrong, we do not perform the deletion of the loans.
-* Only when password matches with stub password will the loan be deleted.
-2. Existing tests were edited to include and check for a valid password before deletion.
+Step 3. Input password will be checked against the app's password using `Password#isSamePassword()` to ensure that the user has sufficient elevation to change the password of the app.
+
+Step 4 `Password` class will encrypt the new password using `Password#encrypt()`, and call Model#setPass() to changes the password of the application in `UserPref`.
 
 [NOTE]
-The default password for a new app is `a12345`.
+If the current password input is wrong or if the current password is the same as the new password input, it will not call `Model#setPass()`, so the `UserPref` state will not be saved.
 
-The following sequence diagram shows how the new `delete` operation works.
+Step 5. Password in `UserPref` is saved to the encrypted value of the new password input.
 
-image::deleteLoanWithPass.png[width="1000"]
+The following sequence diagram shows how the `setpass` operation works:
 
-==== Allow changing of master password
+image::setPasswordLogic.png[width="800"]
 
-Given below is an example usage scenario and how the `setpass` mechanism behaves at each step.
+The following activity diagram summarizes what happens when a user executes `setpass`:
 
-Step 1. The user launches the application for the first time. `UserPref` file will initialise the password as `a12345`.
+image::setpassActivityDiagram.png[width="650"]
 
-Step 2. The user executes `setpass a12345 newP4sS` command to change the password to `newP4sS`.
+Step 6. The user executes a critical command `delete i/1 x/a12345`.
 
-Step 3. `Password` class will encrypt the password, and call Model#setPass, that changes the password of the application in `UserPref`.
+Step 7. This command runs `Model#getPass()` to retrieve the current password. It then call `Password#isSamePassword()` to determine if the input password in the command is the same as the existing password.
 
-[NOTE]
-If the current password input is wrong, it will not call Model#setPass, so the UserPref state will not be saved.
+Step 8. Deletion of loan at index 1 will occur.
 
 [NOTE]
-If the current password input the same as the new password input, it will not call Model#setPass, so the UserPref state will not be saved.
+If current password input is wrong, or if the index provided is invalid, deletion will not occur.
 
-Step 4. Password in `UserPref` is set to new password input.
+The following sequence diagram shows how the new `delete` operation works:
 
-The following sequence diagram shows how the `setpass` operation works:
+image::deleteLoanWithPass.png[width="800"]
 
-image::setPasswordLogic.png[width="800"]
+The following activity diagram summarizes what happens when a user executes `delete`:
+
+image::deleteActivityDiagram.png[width="650"]
 
-==== Encrypt current password for security
-To ensure that others are unable to retrieve the app's password from the preference.json, we encrypt the password before storing. Decryption of password can only be done by the `Password` class.
+==== Design Considerations
+
+===== Aspect: How to authenticate users
+* *Alternative 1 (current choice)*: Require a password every time a critical command is executed
 
-This is currently done by appending `-encrypt` to the password, and removing it when
-decrypting. For version 2.0, we plan to utilise existing libraries to encrypt and
-decrypt our stored password.
+** Pros:
+.. Ensures that each command authenticates the user before executing
+.. Easy to implement
+
+** Cons:
+.. Might be inconvenient to perform multiple critical commands as repeated typing of password is required.
+
+* *Alternative 2*: A login page to authenticate each user
+
+** Pros:
+.. Customized to each staff
+.. Provides accountability of each command execution as we can now track which staff ran which commands
+.. Scalable for a large company.
 
+** Cons:
+.. Difficult to implement
+.. Not effective for our target audience as bicycle shop owners are often family-owned business, which does not have a large manpower.
+.. If a staff did not log out, non-authorized users will be able to execute critical commands, making the app's data vulnerable.
+
+===== Aspect: Method of encryption
+* *Alternative 1 (current choice)*: Generate a salt to encrypt password, and store the salt locally
+
+** Pros:
+.. Does not require the internet, ensuring that any hack attempts to the app has to be done physically.
+.. Much less complicated to implement as compared to alternatives solutions.
+
+** Cons:
+.. Encrypted password and salt can be accessed in `preference.json`.
+
+* *Alternative 2*: Send a POST request to an online server to authenticate each login request
+
+** Pros:
+.. If done properly, ensures that hashed password cannot be intercepted/retrieved by hackers.
+
+** Cons:
+.. Requires the internet, which might not be available to bicycle shop owners as parks are not fibre-optic ready.
+.. Difficult to implement.
+.. Data can be intercepted and manipulated during POST request, as opposed to a local storage of password.
+
+[NOTE]
+We used a less secure alternative due to the nature of the target audience. It is highly improbable for hackers to be targeting a bicycle shop.
 // end::adminauthentication[]
 
 // tag::returnfeature[]
@@ -1433,6 +1481,9 @@ Given below are instructions to test the app manually.
 [NOTE]
 These instructions only provide a starting point for testers to work on; testers are expected to do more _exploratory_ testing.
 
+[TIP]
+If this is your first time using the app, note that the default password of the app is set to `a12345`.
+
 === Launch and Shutdown
 
 . Initial launch
@@ -1447,8 +1498,6 @@ These instructions only provide a starting point for testers to work on; testers
 .. Re-launch the app by double-clicking the jar file. +
    Expected: The most recent window size and location is retained.
 
-_{ more test cases ... }_
-
 === Adding a bike
 
 . Adding a bike whose name contains alphanumeric characters, spaces, and hyphens
@@ -1500,7 +1549,6 @@ _{ more test cases ... }_
    Expected: Similar to previous.
 
 === Deleting a loan
-
 . Deleting a loan while all loans are listed
 
 .. Prerequisites: List all loans using the `list` command. Multiple loans in the list.
@@ -1513,7 +1561,31 @@ _{ more test cases ... }_
 .. Other incorrect delete commands to try: `delete`, `delete i/x x/a12345` (where x is larger than the list size) +
    Expected: Similar to previous.
 
-_{ more test cases ... }_
+=== Changing password
+. Changing the password of the application
+
+.. Prerequisites: Both existing and new password should be alphanumeric of length between 6 and 10 inclusive. Existing password is currently `a12345`.
+.. Test case: `setpass wrongPass newWorld` +
+   Expected: Password remains the same as current password entered is wrong.
+.. Test case: `setpass a12345 $$$$$$$$` +
+   Expected: Password remains the same as new password entered is not alphanumeric.
+.. Test case: `setpass a12345 newPass` +
+   Expected: Password is now changed to `newPass`.
+.. Other incorrect setpass commands to try: `setpass`, `setpass a12345`.
+
+=== Search loans
+. Search loans within a specific time frame
+
+.. Prerequisites: Input date is of the correct format (YYYY-MM-DD)
+.. Test case: `search 2018-01-01 2018-01-01`
+   Expected: Shows loan that was created on 2018-01-01.
+.. Test case: `search 2018-02-30 2018-02-30`
+   Expected: Does not filter loans as 2018-02-30 is not a valid date.
+.. Test case: `search 2018-01-02 2018-01-01`
+   Expected: Does not filter loans as start date should be before end date.
+.. Test case: `search 2018-01-01 2018-12-31`
+   Expected: Shows all loan created in year 2018.
+.. Other incorrect search commands to try: `search`, `search 2018-01-01`.
 
 === Return a loan functionality
 
@@ -1580,14 +1652,6 @@ Expected: The displayed page should report the following:
 ** Total product loan time: 4 minutes
 ** Total revenue: $6.50
 
-=== Saving data
-
-. Dealing with missing/corrupted data files
-
-.. _{explain how to simulate a missing/corrupted file and the expected behavior}_
-
-_{ more test cases ... }_
-
 === Sending Reminder Emails
 
 Prerequisites: Make sure the system is connected to the internet. The email must be gmail and its `Less secure apps` option is enabled.

docs/UserGuide.adoc

@@ -240,7 +240,7 @@ Examples:
 Deletes the loan with that has been indexed at position 1.
 
 // tag::setpass[]
-=== Changing the password of the app: `setpass`
+=== Change the password of the app: `setpass`.
 
 Change the current password of the app to `NEW_PASSWORD`. This ensures that critical commands such as `delete` and `resetall` may be performed by authorized personnel only. +
 [big]#*Format*: `setpass CURRENT_PASSWORD NEW_PASSWORD`#
@@ -253,8 +253,12 @@ Note that you only need to use spaces to seperate the two passwords. There is no
 ****
 * Set the password of the app to `NEW_PASSWORD`
 * Password change will not occur if `CURRENT_PASSWORD` is incorrect.
+* Password should be alphanumeric of length between 6 and 10, inclusive.
 ****
 
+[NOTE]
+Default password for the app is `a12345`. To change the default password, type `setpass a12345 newpass`.
+
 Examples:
 
 * `setpass a12345 n3wP4sS` +
@@ -309,13 +313,13 @@ Marks the loan that has been indexed at position 55 as returned. Also automatica
 // tag::searchcommand[]
 === Locating loans by date of loan: `search`
 
-Returns all loans that were created between the range provided
+Populate all loans that were created between the range provided.
 [big]#*Format*: `search START_DATE END_DATE`#
 
 [big red]#List of Parameters#:
 
 START_DATE and END_DATE: The date range in which you want to search for. +
-Note that you only need to use spaces to seperate the two dates. There is no prefix for this command!
+
 
 ****
 * Date format must be YYYY-MM-DD.

docs/team/wn96.adoc

@@ -0,0 +1,72 @@
+= Ang Wei Neng - Project Portfolio
+:site-section: AboutUs
+:imagesDir: ../images
+:stylesDir: ../stylesheets
+
+== PROJECT: LoanBook
+This portfolio page serves to showcases my contributions to the project, [https://github.com/CS2103-AY1819S1-F10-2/main[LoanBook]]. My resume and full portfolio can be found [https://weineng.io[here]].
+
+== Overview of LoanBook
+
+AddressBook - Level 4 is a desktop address book application used for teaching Software Engineering principles. The user interacts with it using a CLI, and it has a GUI created with JavaFX. It is written in Java, and has about 10 kLoC.
+
+== Summary of contributions
+
+This section provides a brief summary on the contributions of major and minor enhancement I made for the project.
+
+* *Major enhancement*: Added a password feature to improve the integrity of the app's data.
+** What it does:
+**** Allow user to set password and change password for the app, so that critical comments that affects statistical integrity (Transaction summery & Tax-filing) cannot be performed by unauthorised personnel. Password stored is also encrypted to prevent hackers from retrieving the password.
+** Justification:
+**** This feature improves the product significantly because now, only authorized users are able use the critical commands (E.g. `delete` command) to delete loans. Without this, the data from the summary report may be incorrect, affecting tax-filling, revenue management.
+** Highlights:
+*** Allow users to change the password of the app, ensuring that the same password is not used for a long time.
+*** Encryption using randomly generated salts provide a higher level of encryption as hackers will not be able to reverse engineer the password. Used existing code by http://www.appsdeveloperblog.com/encrypt-user-password-example-java/[Sergey Kargopolov].
+*** Inputs of commands requiring password no longer appears in the command history.
+*** Existing commands was modified to require a password input. (E.g. `delete`)
+
+* *Minor enhancement*:
+** Create NRIC class to store Singapore issued NRIC. Also include a checksum validation to ensure correct NRIC. [https://github.com/CS2103-AY1819S1-F10-2/main/pull/36[#36]]
+** Allow searching for loans of specific date. [https://github.com/CS2103-AY1819S1-F10-2/main/pull/158[#158]]
+** Using tags to notify users on the status of loans. [https://github.com/CS2103-AY1819S1-F10-2/main/pull/163[#163]]
+
+* *Other contributions*:
+
+** Project management:
+*** Managed releases `v1.1` - `v1.4` (4 releases) on GitHub.
+*** Added badges to show CI status, code quality and type of licence for the master branch [https://github.com/CS2103-AY1819S1-F10-2/main/pull/2[#2]][https://github.com/CS2103-AY1819S1-F10-2/main/pull/32[#32]]
+** Enhancements to existing features:
+*** Add colour to tags [https://github.com/CS2103-AY1819S1-F10-2/main/pull/90[#90]]
+** Documentation:
+*** Maintained the issue tracker
+*** Changed the gradle build script to display team name: [https://github.com/CS2103-AY1819S1-F10-2/main/pull/1[#1]]
+** Community:
+*** PRs reviewed (with non-trivial review comments): [https://github.com/CS2103-AY1819S1-F10-2/main/pull/35[#35]], [https://github.com/CS2103-AY1819S1-F10-2/main/pull/24[#24]][https://github.com/CS2103-AY1819S1-F10-2/main/pull/125[#125]]
+
+** Tools:
+*** Integrated TravisCI, AppVeyor, Coveralls, Codacy, and Netlify to the team repo. [https://github.com/CS2103-AY1819S1-F10-2/main/pull/23[#23]]
+**** Ensures that all code that was pushed adhere to coding standards, and does not break existing code.
+**** Automatic deployment of website with Netlify to ensure that team's web page is always up to date.
+*** Set up [https://cs2103-ay1819s1-f10-2.github.io/main/[team website]]
+*** Set up slack notification and web hook for team.
+**** This provides notification to developers on any updates to the repository.
+
+* https://nus-cs2103-ay1819s1.github.io/cs2103-dashboard/#=undefined&search=wn96&sort=displayName&since=2018-09-12&until=2018-11-09&timeframe=day&reverse=false&repoSort=true[Code contributed]
+
+== Contributions to the User Guide
+
+|===
+|_Given below are sections I contributed to the User Guide. They showcase my ability to write documentation targeting end-users._
+|===
+
+include::../UserGuide.adoc[tag=searchcommand]
+
+include::../UserGuide.adoc[tag=setpass]
+
+== Contributions to the Developer Guide
+
+|===
+|_Given below are sections I contributed to the Developer Guide. They showcase my ability to write technical documentation and the technical depth of my contributions to the project._
+|===
+
+include::../DeveloperGuide.adoc[tag=adminauthentication]