feat(jans-auth-server): stat RDN must have date to be unique under RDBMS #8825 #8826

Merged
merged 2 commits into from
Jul 1, 2024

Conversation

yuriyz
Contributor

@yuriyz yuriyz commented Jul 1, 2024

Description

feat(jans-auth-server): stat RDN must have date to be unique under RDBMS

Target issue

closes #8825

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed

…BMS #8825

#8825
Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
@yuriyz yuriyz requested review from yurem and yuriyzz as code owners July 1, 2024 09:12
@yuriyz yuriyz self-assigned this Jul 1, 2024

dryrunsecurity bot commented Jul 1, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
Secrets Analyzer 0 findings
Authn/Authz Analyzer 1 finding
SQL Injection Analyzer 0 findings
Sensitive Files Analyzer 0 findings
IDOR Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are related to the implementation of a statistics service in the Jans Auth Server application. The changes focus on the StatService class, which is responsible for managing and updating the statistics data. The key aspects of the changes include the initialization and setup of the statistics data structures, the management of the current stat entry, the updating of statistics (such as token usage and unique user tracking), and the reporting of active users and token usage.

From an application security perspective, the changes demonstrate a consideration for security and privacy. The use of the HyperLogLog (HLL) data structure to track unique users is a space-efficient way to estimate the number of unique users without storing individual user IDs, which helps protect user privacy. The tracking of different token types (access token, ID token, refresh token, and UMA token) can provide valuable insights into the application's usage patterns and potential security risks, such as detecting unusual token usage. Additionally, the persistent storage of the statistics data and the handling of initialization and concurrent access are important to ensure the security and integrity of the collected statistics.

Files Changed:

  • jans-auth-server/server/src/main/java/io/jans/as/server/service/stat/StatService.java: This file contains the implementation of the StatService class, which is responsible for managing and updating the statistics data in the Jans Auth Server application. The changes include the initialization and setup of the statistics data structures, the management of the current stat entry, the updating of statistics (such as token usage and unique user tracking), and the reporting of active users and token usage.

Powered by DryRun Security

@yuriyz yuriyz enabled auto-merge (squash) July 1, 2024 09:12
@mo-auto mo-auto added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Jul 1, 2024
@yuriyz yuriyz merged commit 4b4e618 into main Jul 1, 2024
9 checks passed
@yuriyz yuriyz deleted the jans-auth-server-8825 branch July 1, 2024 09:43
Development

Successfully merging this pull request may close these issues.

feat(jans-auth-server): stat RDN must have date to be unique under RDBMS
4 participants