Credentials API with Spring Secure Vault usage as storage
Authentication API (Credentials API) generated by RepreZen and APIMATIC from RAML --> Swagger --> Spring MVC annotated Java code

Spring Boot Server

Overview

Authentication API (Credentials API) deployed to http://credentialsapi.us-east-2.elasticbeanstalk.com/CredentialsAPI
H2 Database instance: http://credentialsapi.us-east-2.elasticbeanstalk.com/CredentialsAPI/h2-console

There are a few workflows:

Registration and authentication (encoding is switched off for testing purposes).

POST /register

Register a user by posting the "user:password" pair, Base64 encoded (/register).

POST /auth-password

Authenticate the user by posting the "user:password" pair, Base64 encoded.

GET /signin

Sign in with the secureToken returned in the body of the /register or /auth-password endpoints.

Password reset eMail validation and password update

POST /reset-password

Initiate the password reset flow (secureToken passed in the header) if the user's secureToken is still valid (/reset-password).
It sends a validation eMail containing a link to the update-password endpoint.

POST /send-validation-email

Password reset flow initiated by the user because the user forgot the password (eMail passed in the header) (/send-validation-email).
It sends a validation eMail containing a link to the update-password endpoint.

GET /validate-by-email

Call the /validate-by-email endpoint from the eMail link sent by the /reset-password endpoint.
Reaching this point means the user has already received the eMail link, which carries the eMail-validation secureToken.
The user profile is disabled until the user changes the password. This is required to prevent an attacker who obtains the
validation token from the eMail from using it.

POST /update-password

After the secureToken (this token is used only for eMail validation) has been validated successfully, redirect to the update-password screen and post the old "user:password" pair and the new password, Base64 encoded.

Other flows: "Signout", "Unregister", "PasswordStrength", "Oauth"

These flows are very atomic and will be specified later.

The subfolder credentialsAPI_0.0.1 contains the same API, but with persistence based on Spring Security Vault.

Password, securetoken encryption and decryption rules

The basic rule of strong password storage is to encrypt the password one way, i.e. to hash it. This means that once a user's password is encrypted, only that same user can "decrypt" it, by supplying the password itself. If the user loses the password, only a password reset initiated by the same user (checked by eMail validation) can help. This prevents decrypting all other users' passwords if attackers somehow find out a password or key. Match the input password against the stored one by comparing digests, not unencrypted strings. Use a salt (random bytes placed before the password before encryption starts). Recommendations: http://www.jasypt.org/howtoencryptuserpasswords.html

CORS issue which may happen because of cloud deployment. For Amazon: Adding CORS settings to Nginx on AWS Elastic Beanstalk

API Generation details

This server was generated by the swagger-codegen project.
By using the OpenAPI-Spec, you can easily generate a server stub.
This is an example of building a swagger-enabled server in Java using the SpringBoot framework.

The underlying library integrating Swagger with Spring Boot is springfox.

Start your server as a simple Java application.

You can view the api documentation in swagger-ui by pointing to
http://localhost:8080/CredentialsAPI/swagger

Change the default port value in application.properties.