Authentication API (Credentials API) generated by Reprezen and APIMATIC from RAML --> Swagger --> Spring MVC annotations (Java code)
Spring Boot Server
Authentication API (Credentials API) deployed to http://credentialsapi.us-east-2.elasticbeanstalk.com/CredentialsAPI. H2 database instance: http://credentialsapi.us-east-2.elasticbeanstalk.com/CredentialsAPI/h2-console
There are a few workflows:
Registration and authentication (encoding is off for testing purposes).
Register the user by posting the "user:password" pair, Base64 encoded (/register).
Authenticate the user by posting the "user:password" pair, Base64 encoded.
Sign in by secureToken (returned in the body of the /register or /auth-password endpoints).
Password reset: eMail validation and password update
Initiate the password reset flow (secureToken passed in the header) if the user's secureToken is still valid (/reset-password). It sends a validation eMail containing a link to the update-password endpoint.
Initiate the password reset flow when the user has forgotten the password (eMail passed in the header) (/send-validation-email). It sends a validation eMail containing a link to the update-password endpoint.
Call the /validate-by-email endpoint from the link in the eMail sent by the /reset-password endpoint. Reaching this point means the user has already received the eMail link, which carries the eMail-validation secureToken. The user profile stays disabled until the user changes the password; this is required to prevent an attacker from using the validation token from the eMail.
After the secureToken (this token is used only for eMail validation) has been validated successfully, redirect to the update-password screen and post the old 'user:password' pair and the new password, Base64 encoded.
Other flows: "Signout", "Unregister", "PasswordStrength", "Oauth"
These flows are very atomic and will be specified later.
There is a subfolder credentialsAPI_0.0.1 which contains the same API but with persistence based on Spring Security Vault.
Password and secureToken encryption and decryption rules
The basic rule of strong password storage is to encrypt the password one way. This means that once a user's password has been encrypted, only that same user can "decrypt" it, by supplying the password itself. If the user loses the password, only a password reset initiated by that same user (checked by eMail validation) can help. This also prevents the decryption of all other users' passwords if an attacker somehow finds out a password or a key. Match the input and stored passwords by comparing digests, not unencrypted strings. Use a salt (binary values prepended to the password before it is encrypted). Recommendations: http://www.jasypt.org/howtoencryptuserpasswords.html
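As an added example (not the project's own code), here is how the rules above apply to the Base64 "user:password" pair accepted by /register and /auth-password: a random salt, a one-way derivation (the JDK's PBKDF2 is used here instead of jasypt), and verification by comparing digests in constant time. The iteration count and the "salt$digest" storage format are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Example only: salted one-way password storage and digest-based verification.
public final class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 210_000; // assumed work factor, tune per deployment
    private static final int KEY_BITS = 256;

    // Splits the Base64 "user:password" pair sent to /register or /auth-password.
    static String[] decodeCredentialPair(String base64Pair) {
        String pair = new String(Base64.getDecoder().decode(base64Pair), StandardCharsets.UTF_8);
        int sep = pair.indexOf(':');
        if (sep < 0) throw new IllegalArgumentException("expected user:password");
        return new String[] { pair.substring(0, sep), pair.substring(sep + 1) };
    }

    // One-way derivation: the salt is mixed in before the password is processed,
    // so equal passwords of different users produce different digests.
    static byte[] digest(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Stored form is "salt$digest", both Base64; the password itself is never stored.
    static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] d = digest(password, salt);
        return Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(d);
    }

    // Verifies by recomputing the digest with the stored salt and comparing
    // digests with a constant-time comparison, never the plaintext strings.
    static boolean matches(char[] password, String stored) {
        String[] parts = stored.split("\\$", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, digest(password, salt));
    }
}
```

On /register the server would store hashForStorage(password) and on /auth-password call matches(password, stored); the decoded password array can be zeroed after use.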
CORS issues may happen because of cloud deployment. For Amazon: Adding CORS settings to Nginx on AWS Elastic Beanstalk
API Generation details
This server was generated by the swagger-codegen project.
By using the OpenAPI-Spec, you can easily generate a server stub.
This is an example of building a swagger-enabled server in Java using the SpringBoot framework.
The underlying library integrating swagger with SpringBoot is springfox.
Start your server as a simple Java application.
You can view the API documentation in swagger-ui by pointing to
Change the default port value in application.properties.