ARCHITECTURE.md

File metadata and controls

53 lines (46 loc) · 3.57 KB

## Technology

The following frameworks and technologies have been selected to implement the application.

| Framework / Technology | Description |
| --- | --- |
| Spring Boot | The Spring Application Framework together with Spring Boot has been selected to streamline the development process |
| Spring Data REST | This Spring module is used to minimise the amount of boilerplate code around REST API endpoints and persistence |
| Spring Security + Spring OAuth | Security framework |
| HATEOAS (Hypermedia as the Engine of Application State) | For stricter REST compliance, including navigation and pagination, and more control on the server side |
| JWT (JSON Web Token) format | Refer to the official documentation |
| JPA / Hibernate | Persistence |
| JSR-303 Bean Validation | Validation at the domain model class field level |
| Error & Exception Handling | Spring's ResponseEntityExceptionHandler and ControllerAdvice features are used to fine-tune error and exception handling |

## Security

The OAuth 2.0 standard has been selected for securing the API for authorised access from mobile applications:

- The OAuth Authorisation Code flow without a client secret has been chosen, as stipulated in the official document OAuth 2.0 for Native Apps.
- The PKCE mechanism has not been introduced due to the sheer amount of work and the lack of immediate support in the Spring Security OAuth module (refer to the open ticket).
- A full stack of automated end-to-end integration tests is available in the source code.

## Authorisation Code Flow

The end-to-end flow is depicted below.

The API application hosts the Authorisation Server and the Resource Server together (co-located).

       +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
       |          User Device          |
       |                               |
       | +--------------------------+  | (5) Authorization  +---------------+
       | |                          |  |     Code           |               |
       | |        Client App        |---------------------->|     Token     |
       | |                          |<----------------------|    Endpoint   |
       | +--------------------------+  | (6) Access Token,  |               |
       |   |             ^             |     Refresh Token  +---------------+
       |   |             |             |
       |   |             |             |
       |   | (1)         | (4)         |
       |   | Authorizat- | Authoriza-  |
       |   | ion Request | tion Code   |
       |   |             |             |
       |   |             |             |
       |   v             |             |
       | +---------------------------+ | (2) Authorization  +---------------+
       | |                           | |     Request        |               |
       | |          Browser          |--------------------->| Authorization |
       | |                           |<---------------------|    Endpoint   |
       | +---------------------------+ | (3) Authorization  |               |
       |                               |     Code           +---------------+
       +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
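As an added Python example (not code from this repository), the six steps in the diagram run against an in-memory stand-in for the co-located Authorisation Server, extended with the PKCE (S256) check at the token endpoint that the Security section notes is not yet introduced, so it shows what that check would bind an authorisation code to. The client id and redirect URI are assumed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed client registration for this example (not taken from the repository).
CLIENT_ID = "mobile-app"
REDIRECT_URI = "com.example.app:/oauth2redirect"

def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Stand-in for the co-located Authorisation Server; issued codes are kept in memory."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)
        self._clients = {CLIENT_ID: REDIRECT_URI}

    def authorize(self, client_id, redirect_uri, state, code_challenge):
        # Steps (2)/(3): a code is issued only to a registered client at its exact redirect URI.
        if self._clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, redirect_uri, code_verifier):
        # Steps (5)/(6): the code is single-use and bound to client, redirect URI and PKCE challenge.
        entry = self._codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        if s256_challenge(code_verifier) != entry[2]:
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer"}

def run_flow(server):
    """Client side of steps (1)-(6); returns the tokens and the code that was redeemed."""
    state = secrets.token_urlsafe(16)          # ties the redirect back to this request
    code_verifier = secrets.token_urlsafe(32)  # stays inside the app until step (5)
    redirect = server.authorize(CLIENT_ID, REDIRECT_URI, state, s256_challenge(code_verifier))
    params = parse_qs(redirect.split("?", 1)[1])
    if params["state"][0] != state:
        raise PermissionError("state mismatch: redirect is not a response to our request")
    code = params["code"][0]
    return server.token(code, CLIENT_ID, REDIRECT_URI, code_verifier), code
```

Without the verifier check, anyone holding a code and the public client id could redeem it at the token endpoint, which is the gap the RFC 8252 recommendation of PKCE closes for clients that have no secret.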