A new "timestamp" entry for the JSON POST request (/api/v1/store) was added.
The timestamp must be formatted following ISO_OFFSET_DATE_TIME, e.g.:
YYYY-MM-DDTHH:mm:ss.SSSZ.
The storage request will be denied in case the timestamp is missing, or if
it's more than 5 minutes old (or more than 1 minute into the future).
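The freshness rule described in this commit message (reject a missing timestamp, one more than 5 minutes old, or one more than 1 minute in the future), written out as an added example that is not the project's own code. It uses the Java DateTimeFormatter.ISO_OFFSET_DATE_TIME constant the message names; the class name, the Result enum and the injected Clock are assumptions made so the window can be exercised deterministically.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

public final class TimestampCheck {
    // Window stated in the commit message: at most 5 min old, at most 1 min ahead.
    static final Duration MAX_AGE = Duration.ofMinutes(5);
    static final Duration MAX_FUTURE_SKEW = Duration.ofMinutes(1);

    // Hypothetical outcome type; the real handler would map this to an HTTP status.
    enum Result { OK, MISSING, MALFORMED, TOO_OLD, TOO_FAR_IN_FUTURE }

    // Validates the "timestamp" entry of a /api/v1/store body against `clock`
    // (injected so tests do not depend on wall-clock time).
    static Result check(String timestamp, Clock clock) {
        if (timestamp == null || timestamp.isBlank()) {
            return Result.MISSING;
        }
        final OffsetDateTime ts;
        try {
            // ISO-8601 with a mandatory offset: "...Z" and "...+02:00" both parse.
            ts = OffsetDateTime.parse(timestamp, DateTimeFormatter.ISO_OFFSET_DATE_TIME);
        } catch (DateTimeParseException e) {
            return Result.MALFORMED;
        }
        // Compare instants so any zone offset is measured against the same UTC "now".
        Duration age = Duration.between(ts.toInstant(), clock.instant());
        if (age.compareTo(MAX_AGE) > 0) {
            return Result.TOO_OLD;            // strictly older than 5 minutes
        }
        if (age.negated().compareTo(MAX_FUTURE_SKEW) > 0) {
            return Result.TOO_FAR_IN_FUTURE;  // strictly more than 1 minute ahead
        }
        return Result.OK;
    }

    public static void main(String[] args) {
        // Constructed fixed "now": 2024-05-01T12:00:00Z.
        Clock fixed = Clock.fixed(Instant.parse("2024-05-01T12:00:00Z"), ZoneOffset.UTC);
        System.out.println(check("2024-05-01T11:58:30.000Z", fixed));       // 90 s old
        System.out.println(check("2024-05-01T13:58:30.000+02:00", fixed));  // same instant, +02:00
        System.out.println(check("2024-05-01T11:54:59.000Z", fixed));       // 5 min 1 s old
        System.out.println(check("2024-05-01T12:01:01.000Z", fixed));       // 61 s ahead
        System.out.println(check("2024-05-01 12:00:00", fixed));            // no 'T', no offset
        System.out.println(check(null, fixed));                             // entry absent
    }
}
```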
This update brings a huge change to the whole system's structure.
A new RESTful API has been implemented, which allows users to register, login
and store data.
The API only supports HTTP POST, and can be accessed via /api/v1/. Requests must
contain a JSON body with the necessary entries, which are:
/api/v1/register AND /api/v1/login:
{
"username": "username",
"password": "password",
"encoding": "plaintext/base64"
}
(Note: passwords can be encoded via "base64" or "plaintext".)
/api/v1/store:
{
"jwt": "encrypted_key_here",
"url": "https://google.com/"
}
The flow is:
- register via /api/v1/register;
- login via /api/v1/login, listen for the JWT token in the response;
- store via /api/v1/store, by sending JWT and URL to store.
The SQLite database now has 2 tables, "users" and "history".
The "users" table is used to store user data:
- username;
- password, secured via bcrypt;
- random user UUID.
The "history" table is used to store browsing history:
- user UUID, to identify the user;
- browsed URL.
The secret used to sign JWTs is stored in the config.yml file.
Other new features include SQL-injection protection,
multiple validity/security checks on usernames and passwords, etc.
Signed-off-by: Lorenzo Dellacà <lorenzo.dellaca@mind-overflow.net>
A config.yml file has been added, to allow configuring server settings.
It will be expanded with new settings in the future.
Also, SQLite support has been added, with a "database.sqlite" file.
A basic table with user/pass/userid columns has been added for testing
purposes.
A very simple sketch of what the basic server should be able to do has
been set up with Maven. The main package and class, and important
dependencies were added. The project is based on the Pippo Java framework.
A very simple GET test has been implemented, to store/read/remove data
from a list of users and their visited URLs.
This is obviously not secure and not ready for anything that can be
considered pre-alpha state.