MCPcopy Index your code
hub / github.com/aidanwhiteley/books

github.com/aidanwhiteley/books @v0.14.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.14.0 ↗ · + Follow
440 symbols 1,353 edges 95 files 16 documented · 4%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

books

This project started as I wanted a simple "microservice" to use when trying out frameworks such as Docker, Docker Compose, Spring Cloud, Pivotal Cloud Foundy and AWS.

It has developed a little further such that it is starting to provide some functionality that may actually be useful.

So welcome to the "Cloudy Bookclub" microservice!

Actions CI Build Sonar Quality Gate Codacy Code Quality Total alerts codecov

Implementation

The main functionality included in the microservice includes * being based on latest Spring Boot 2 * Oauth2 based logon using * Google * Facebook * the oauth2 logon data is transmogrified into locally stored users - with associated roles - and into a JWT token - making the web application entirely free of http session state (which has its pros and cons!) * Spring Security for role based method level authorisation * Mongo based persistence with the use of Spring Data MongoRepository * next to no persistence code * except for some Mongo aggregation queries added to the Repository implementation * accessing the Google Books API with the Spring RestTemplate and, a work in progress, the reactive Spring WebClient * and Docker images and a docker-compose file that runs all the tiers of the application with one "docker-compose up --scale api-tier-java=N" command

Running in development

The checked in default Spring profile is "mongo-java-server". This uses the in memory mongo-java-server so there is no need to run MongoDb locally. So you should be able to just check out the code and run the application for development purposes with no other dependencies.

To develop Mongo related code you should switch to the "dev" profile which does expect to be able to connect to a real MongoDb instance.

Please check the console log when running the application. Any key constraints/warnings related to the Spring profile being used will be output to the console.

To run the application and access the "behind logon" functionality, see the "How to configure application logon security" section below.

Tests

All tests should run fine "out of the box".

By default, the tests run against mongo-java-server so there is no need to install MongDb to test most of the application. Functionality not supported by mogo-java-server such as full text indexes results in some tests being skipped when running with the monog-java-server Spring profile.

When running the CI builds with Githib Actions, tests run against a real Mongo instance.

Some of the integration tests make use of WireMock - see the /src/test/resources/mappings and __files directories for the configuration details.

The tests are probably about 50/50 between unit and integration tests...

Stress Test

To examine how the WebClient code is behaving there is a Maven plugin configured that runs a basic Gatling load test. After starting the Spring Boot application (i.e. mvn spring-boot:run or via your IDE) run the command:

mvn gatling:test

The (Scala) source code of this test in at test/scala/com/aidanwhiteley/books/loadtest/StressTestSimulation1.scala

This is currently a "work in progress" - the eventual aim being to compare the resource utilisation of the GoogleBooksDaoSync and GoogleBooksDaoAsync implementations.

How to configure application logon security

A lot of the functionality is protected behind oauth2 authentication (via Google and Facebook). To use this, you must set up credentials (oauth2 client ids) on Google and Facebook. You must then make the clientId and clientSecret available to the running code. There are "placeholders" for these in /src/main/resources/application.yml i.e. replace the existing "NotInSCMx" (Not In Source Code Management!) values with your own. There are lots of other ways to pass in these values e.g. they can be passed as program arguments

--spring.security.oauth2.client.registration.google.client-id=xxxx --spring.security.oauth2.client.registration.google.client-secret=xxxx --spring.security.oauth2.client.registration.facebook.client-id=xxxx --spring.security.oauth2.client.registration.facebook.client-secret=xxxx 

Otherwise, see the Spring documentation for more options.

Available Spring profiles

There are Spring profile files for a range of development and test scenarios.

default

- sets active profile to dev-mongo-java-server - otherwise
- requires oauth configured correctly for access to update operations
- configured to disallow CORS access to APIs
- does not clear down DB or reload test data on every restart

dev-mongo-java-server

- uses an in memory mongo-java-server rather than a real MongoDb
- requires oauth configured correctly for access to update operations
- configured to allow CORS access to APIs
- clears down the DB and reloads test data on every restart

dev-mongo-java-server-no-auth

- uses an in memory mongo-java-server rather than a real MongoDb
- configured such that all request have admin access. No oauth set up required and no logon
- configured to allow CORS access to APIs
- clears down the DB and reloads test data on every restart

dev-mongodb-no-auth

- uses a real MongoDb
- configured such that all request have admin access. No oauth set up required and no logon
- configured to allow CORS access to APIs
- clears down the DB and reloads test data on every restart

dev-mongodb

- uses a real MongoDb
- requires oauth configured correctly for access to update operations
- configured to allow CORS access to APIs
- clears down DB and reloads test data on every restart

CI

- uses a real MongoDb
- configured to allow CORS access to APIs
- clears down the DB and reloads test data on every restart

container-demo-no-auth

- requires the use of "docker compose up" to start Docker containers - see later
- uses a real MongoDb
- configured such that all request have admin access and oauth config is not required
- does not allow CORS access to APIs
- clears down the Mongo DB and reloads test data on every restart of the Docker containers

Configuring for production

"Out of the box" the code runs with the "mongo-java-server" Spring profile - see the first lines of application.yml. None of the checked in available Spring profiles are intended for production use. You will need to decide the required functionality for your environment and configure your Spring profile accordingly. For instance, you WILL want to set/change the secretKey used for the JWT token signing (see books:jwt:secretKey in the yml files).

You will also need access to a Mongo instance. The connection URL (in the yml files) will result in the automatic creation of a Mongo database and the two required collections (dependant on the security config of your Mongo install).

Check the console log when running in production - you should see NO warning messages!

How to build and run

This project makes use of the excellent Lombok project. So to build in your favourite IDE, if necessary head on over to Lombok and click the appropriate "Install" link (tested with IntelliJ and Eclipse).

The project CI build uses Github Actions and currently on runs on JDK11. The project Maven depedencies have been updated to include JAXB depedencies that are no longer included by default in the JDK SE. So no JDK8 support any longer I'm afraid.

With appropriate versions of the JDK, Maven and a Mongo installed, start with

mvn clean compile test

and then try

mvn spring-boot:run

To run a client to access the microservice, head on over to https://github.com/aidanwhiteley/books-web

Sample data

There is some sample data provided to make initial understanding of the functionality a bit easier. It is is the /src/main/resources/sample_data. See the #README.txt in that directory. The the details of above for the available Spring profiles to see when this sample data is auto loaded.

Indexes

The Mongo indexes required by the application are not "auto created" (except when running in Docker containers). You should manually apply the indexes defined in /src/main/resources/indexes. In particular, the application's Search functionality won't work unless you run the command to build the weighted full text index across various fields of the Book collection. The rest of the application will run without indexes - just more slowly as the data volumes increase!

Admin emails

There is functionality to send an email to an admin when a new user has logged on. This is intended to prompt the admin to give the new user the ROLE_EDITOR role (or delete the user!). This functionality must be enabled - see the books.users.registrationAdminEmail entries in application.yml (where it is disabled by default). There's also a strong argument that having scheduled tasks runnable on each node is a poor option in an app that is trying to be "twelve factor" compliant - see https://12factor.net/admin-processes

Levels of access

The code supports five access levels * anonymous (never logged in) * ROLE_USER (logged in but no more permissions than anonymous) * ROLE_EDITOR (logged in with permission to create book reviews and comment on other people's book reviews) * ROLE_ADMIN (logged in with full admin access) * ROLE_ACTUATOR (logged in but with no permissions except to access Actuator endpoints)

The application-.yml files can be edited to automatically give a logged on user admin access by specifying their email on Google / Facebook. See the books:users:default:admin:email setting.

Security

Lots of to and froing on this as the two of the main JWT related companies can't seem to agree on where to store a JWT token. Stormpath (who joined forces with Okta) say use cookies. Auth0 say use local storage.

In my mind, it comes down to whether you are more scared of XSS or XSRF. Given the average marketing departments predilection to use their tag managers to include all sorts of random JavaScript, I'm more scared of XSS.

So this demo application stores the JWT token in a secure and "httpOnly" cookie. So that hopefully blocks XSS exploits (as the rogue JavaScript can't read the httpOnly cookie containing the JWT logon token). However, it leaves the application open to XSRF exploits. To mitigate that, the application uses an XSRF filter and expects that a (non httpOnly) cookie will be re-sent to the server side and, for state changing (non GET) requests, the value of the XSRF token must be added, via JavaScript, as an X-XSRF-TOKEN request header. The application will check that the two values are the same.

This works well (or seems to!) when the API and the HTML is on the same domain. When CORS is needed to call the API, this doesn't currently work. So only use this application with CORS configured (i.e. with no "front proxy") in development. Don't use this application with CORS in production - it will leave you open to XSRF based attacks.

Swagger API documentation

Swagger Documentation

The public read only part of the application's REST API is automatically documented using the Springfox tool to auto create Swagger 2 JSON. The API can be explored and tested using the Swagger UI available here.

Stateless Apps

A lot of the time developing this microservice was spent in making it entirely independant of HTTP session state - based around issuing a JWT after the user has authenticated via Google / Facebook.

This turned out to be suprisingly difficult - with the cause of the difficulty mainly being in the Spring Boot OAuth2 implementation in Spring Boot 1.x. The Google/Facebook re-direct back to the microservice needed to hit the same session / JVM as I think that the Oauth2ClientContext was storing some state in http session.

The current version of this application has moved to the Oauth2 functionality in Spring Security 5. While this greatly reduces the "boilerplate" code needed to logon via Google or Facebook it still, by default, stores data in the HTTP session (to validate the data in the redirect back from Google / Facebook). However, it does allow configuration of your own AuthorizationRequestRepository meaning that it is possible to implement a cookie based version. So, finally, this application is completely free of any HTTP session state! Which was the point of originally starting to write this microservice as I wanted to try it out on cloud implementations such as the Pivotal Cloud Foundry and AWS.

Docker

Docker images are available for the various tiers that make up the full application.

Docker web tier

An nginx based Docker image (aidanwhiteley/books-web-angular) is available that hosts the AngularJS single page app and

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Method 345
Class 88
Interface 4
Enum 3

Languages

Java100%

Modules by API surface

src/main/java/com/aidanwhiteley/books/service/UserService.java16 symbols
src/test/java/com/aidanwhiteley/books/controller/BookControllerTest.java15 symbols
src/main/java/com/aidanwhiteley/books/controller/jwt/JwtAuthentication.java15 symbols
src/main/java/com/aidanwhiteley/books/domain/User.java13 symbols
src/test/java/com/aidanwhiteley/books/controller/BookSecureControllerTest.java12 symbols
src/test/java/com/aidanwhiteley/books/repository/BookRepositoryTest.java11 symbols
src/main/java/com/aidanwhiteley/books/repository/BookRepositoryImpl.java11 symbols
src/main/java/com/aidanwhiteley/books/controller/BookSecureController.java11 symbols
src/main/java/com/aidanwhiteley/books/controller/BookController.java11 symbols
src/test/java/com/aidanwhiteley/books/service/UserServiceTest.java10 symbols
src/main/java/com/aidanwhiteley/books/repository/BookRepositoryCustomMethods.java10 symbols
src/main/java/com/aidanwhiteley/books/controller/aspect/LimitDataVisibilityAspect.java10 symbols

Datastores touched

(mongodb)Database · 1 repos
booksDatabase · 1 repos
books-ciDatabase · 1 repos
books-dev-mongo-java-serverDatabase · 1 repos
books-dev-mongo-java-server-no-authDatabase · 1 repos
books-mongo-devDatabase · 1 repos
books-mongodb-no-authDatabase · 1 repos

For agents

$ claude mcp add books \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page