- Bumped version to 1.5.
- Copying only the jar file now.
- No longer creating temp directory for downloading files. Fixed that in this version 0.0.2 of backend.
- Changed port to 8080.
- Updated CMD according to new jar file.
- Restricted public auth endpoints to only /login and /register in SecurityConfig
- Added contentLength header and improved error response in FileController download API
- Refactored JwtService to load secret key and expiration from application properties
- Improved signing key handling using Base64 decoding
- Updated RefreshTokenRepository with @Transactional @Modifying delete query
- Ensured proper refresh token cleanup with flush() in RefreshTokenService
- Annotated refresh token methods with @Transactional for consistency
- Changed file upload logic to:
  - Generate random AES key per file
  - Encrypt AES key using user's RSA public key
  - Store encrypted AES key, IV, and salt in FileMetadata entity
- Changed file download logic to:
  - Decrypt AES key using user's RSA private key (encrypted with password-derived AES)
  - Use decrypted AES key and IV to decrypt file contents from HDFS
- Modified FileMetadata entity:
  - Changed `encryptedKey` to @Lob byte[] to support large encrypted AES keys
- Updated User entity:
  - Encrypted private RSA key with password-derived AES
  - Stored associated salt and IV for decryption
- Updated AuthenticationService:
  - Generate RSA keypair during sign-up
  - Encrypt and store private key with AES (salt, IV)
  - Create user folder in HDFS upon registration
- Updated FileService:
  - Rewrote upload and download logic to support hybrid encryption
  - Handled key wrapping and unwrapping securely
  - Added logging for upload/download events
- Fixed FileController upload to remove password from endpoint
  - Password now only required during download for private key decryption
- Updated EncryptionUtil and RSAKeyUtil:
  - Added RSA OAEP support and helper methods
  - Added AES key generation, encryption, decryption utilities
FILE UPLOAD AND ENCRYPTION WORKS! TESTED USING HEXDUMP.
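
The sign-up, upload and download flow listed in the entries above, as an added Java example; it is not the project's FileService, EncryptionUtil or RSAKeyUtil code. The class and method names are hypothetical, and the AES-GCM parameters, RSA key size, OAEP digest and PBKDF2 iteration count are assumptions, since these entries do not state them.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;

public class HybridFileCryptoDemo {
    static final SecureRandom RNG = new SecureRandom();
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    // AES-GCM with a 12-byte IV and 128-bit tag (assumed mode and parameters)
    static byte[] gcm(int mode, SecretKey k, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }
    // PBKDF2: password + salt -> 256-bit AES key (iteration count is an assumed value)
    static SecretKey derive(char[] pw, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(f.generateSecret(new PBEKeySpec(pw, salt, 600_000, 256)).getEncoded(), "AES");
    }
    // RSA-OAEP with SHA-256 set explicitly for both the digest and MGF1
    static byte[] rsa(int mode, Key k, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, k, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-sample-password".toCharArray();
        // Sign-up: generate the RSA keypair, store the private key encrypted under a password-derived AES key
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        byte[] salt = random(16), userIv = random(12);
        byte[] encPriv = gcm(Cipher.ENCRYPT_MODE, derive(password, salt), userIv, kp.getPrivate().getEncoded());
        // Upload: random per-file AES key, wrapped with the public key; no password involved
        SecretKey fileKey = new SecretKeySpec(random(32), "AES");
        byte[] fileIv = random(12);
        byte[] data = "constructed file contents".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = gcm(Cipher.ENCRYPT_MODE, fileKey, fileIv, data);
        byte[] wrappedKey = rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), fileKey.getEncoded());
        // Download: password -> private key -> per-file key -> plaintext
        byte[] pkcs8 = gcm(Cipher.DECRYPT_MODE, derive(password, salt), userIv, encPriv);
        PrivateKey priv = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        SecretKey k = new SecretKeySpec(rsa(Cipher.DECRYPT_MODE, priv, wrappedKey), "AES");
        System.out.println(new String(gcm(Cipher.DECRYPT_MODE, k, fileIv, ciphertext), StandardCharsets.UTF_8));
        // Wrong password: the GCM tag check fails, so no private key bytes are ever returned
        try { gcm(Cipher.DECRYPT_MODE, derive("wrong".toCharArray(), salt), userIv, encPriv); }
        catch (AEADBadTagException e) { System.out.println("wrong password rejected"); }
    }
}
```

The stored values map to what the entries describe: `wrappedKey` and `fileIv` belong with the file metadata, while `encPriv`, `salt` and `userIv` belong with the user record.
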
- Replaced direct encryption logic in FileController with FileService delegation
- Added JWT-based username extraction in file operations
- Updated FileMetadata entity to include `uploadedAt` field and removed redundant getters/setters
- Refactored EncryptionUtil:
  - Switched to AES-CBC with PBKDF2 key derivation
  - Removed RSA-based encryption logic
  - Added salt and IV generation helpers
- Changed JwtAuthenticationFilter to fetch user by username (not email)
- Renamed method in FileMetadataRepository to match new parameter order
FILE UPLOAD NOW WORKS! TESTED USING CURL.
- Implemented a new registration endpoint in AuthController to handle user sign-ups.
- Integrated AuthenticationService to save the user and create a corresponding HDFS directory for the user upon registration.
- Updated User entity to return the username instead of email in getUsername method.
- Set static MySQL connection with IP and password
- Changed server port from 8081 to 8080
- Enabled HTTPS with keystore configuration
- Exposed actuator endpoints for monitoring
- Removed old and unused commented-out configurations
- Updated pom.xml: removed redundant tags, grouped dependencies, added scopes, and upgraded plugins
- Enhanced RegisterUserDto with validation annotations and added missing fields (username, fullname)
- Updated User entity with builder constructor and removed redundant getters/setters
- Completed FileMetadata entity with Lombok and required setters/getters
- Improved HDFSConfig with correct annotation and clearer exception message
- Adjusted HTTP to HTTPS redirect port (8085 -> 8443)
- Allowed /actuator/** in SecurityConfig and disabled deprecated XSS protection
- Skipped JWT filter for /api/auth and /actuator paths
- Refactored AuthenticationService to use builder pattern and RSA key injection
- Fixed application.properties for static MySQL connection (removed ${MYSQL_PASSWORD})
- Added explicit getter/setter methods in User entity for use with service layer
- Implemented standard getters/setters in SignupRequest DTO
- Replaced incorrect imports from models.User to entity.User across services and repository
- Rewrote AuthController to inject all dependencies via constructor
- Fixed token refresh/login logic and added rate limiter and blacklist support
- Implemented getters in LoginRequest DTO
- Updated User model to implement UserDetails and extend entity.User
- Switched HDFScontroller to use entity.User instead of models.User
- Rewrote HDFSConfig to include static getHDFS() method and secure config via env vars
- Simplified JwtService, added overload for entity.User, and fixed key handling
- Caffeine cache used to allow max 5 login attempts per minute.
- Login endpoint blocks IPs exceeding rate, returns 429 status.
- Failed attempts are reset after successful login or after 1 minute.
- Intercepts all requests and checks for Bearer token.
- Validates token signature and expiry using JwtService.
- Loads user from DB and sets authentication context.
- Sends 401 Unauthorized if token is missing, invalid, or expired.
- POST /api/auth/login authenticates user and returns JWT token.
- POST /api/auth/logout is a placeholder (client deletes token).
- JwtService handles token creation and expiry validation.
- HTTP connector on port 8080 redirects to HTTPS (8443).
- Ensures users accessing http:// are forwarded to https://
- No need for external proxy (e.g., Nginx) for redirection.
- All requests now require HTTPS.
- Stateless sessions enabled for JWT-based auth.
- XSS, HSTS, and Frame-Options headers added.
- /api/auth/** is public, all other routes require authentication.
- CSRF disabled (assumes token-based auth).
- FileController encrypts uploads using AES-GCM with salt and IV.
- Downloads are decrypted on-the-fly using user-supplied password.
- File metadata (salt, IV, username, path) stored in DB.
- EncryptionService uses PBKDF2 to derive a key from user password and salt.
- AES-GCM encryption with 128-bit tag and 12-byte IV.
- Ready for streaming encryption to/from HDFS without temp files.
- Enforced alphanumeric-only usernames using regex validation.
- Passwords must be >= 8 chars and checked against haveibeenpwned.com.
- Improved SignupRequest DTO with validation annotations.
- Implemented UserService to handle password validation and encoding.