diff --git a/1.1-TODO.md b/1.1-TODO.md index 064ab56..2d222d1 100644 --- a/1.1-TODO.md +++ b/1.1-TODO.md 
@@ -1,89 +1,88 @@ -# 1.1-TODO - ---- - -## Already Implemented - -### Authentication & Security - -- [x] JWT-based login/logout -- [x] Token blacklist for logout -- [x] Brute-force protection using RateLimiter -- [x] HTTPS enforced in Spring Security -- [x] `User` entity implementing `UserDetails` -- [x] Secure password storage using encoder -- [x] Strong AES + RSA hybrid file encryption -- [x] Encrypted RSA private key stored with salt & IV -- [x] Public RSA key stored per user -- [x] AES key generated per file upload - -### Encryption & Decryption - -- [x] RSA-encrypted AES key prepended to file -- [x] Private key decrypted with password-derived AES key -- [x] File decrypted using AES key after RSA unwrap - -### HDFS Integration - -- [x] File upload to HDFS -- [x] File download from HDFS -- [x] Folder creation, file/folder deletion -- [x] List files and folders recursively - ---- - -## Partially Done or In Progress - -### Refresh Token Support - -- [ ] Refresh token mechanism (JWT renewal without re-login) - - - Partially mentioned, but not yet implemented - -### Caching Decrypted Private Keys - -- [ ] Server-side caching of decrypted private key post-login - - - To avoid decrypting private key on every download - - Should auto-clear on logout or token expiry - ---- - -## Still Pending or Not Implemented - -### Input Validation - -- [ ] Username validation: must be alphanumeric -- [ ] Strong password policy: check against HaveIBeenPwned API -- [ ] File extension and path validation before HDFS operations - -### Secret Key Management - -- [ ] Move JWT secret & encryption secrets to `.env` or Spring config (externalized config for production) -- [ ] Ensure secret key is 32-byte base64 (already discussed but may need verifying) - -### Miscellaneous - -- [ ] Clean up obsolete code and files (e.g., old encryption logic, unused fields/methods) -- [ ] Unit & integration tests for: - - - Auth - - Encryption logic - - HDFS controller -- [ ] Error handling standardization 
across services - ---- - -## Future Scope - -### User Features - -- [ ] User profile update API (change fullname/password) -- [ ] Password reset (email or security question-based) - -### File Features - -- [ ] View/download logs per file (audit trail) -- [ ] File versioning or tagging - ---- +# 1.1-TODO + +--- + +## Already Implemented + +### Authentication & Security + +- [x] JWT-based login/logout +- [x] Token blacklist for logout +- [x] Brute-force protection using RateLimiter +- [x] HTTPS enforced in Spring Security +- [x] `User` entity implementing `UserDetails` +- [x] Secure password storage using encoder +- [x] Strong AES + RSA hybrid file encryption +- [x] Encrypted RSA private key stored with salt & IV +- [x] Public RSA key stored per user +- [x] AES key generated per file upload + +### Encryption & Decryption + +- [x] RSA-encrypted AES key prepended to file +- [x] Private key decrypted with password-derived AES key +- [x] File decrypted using AES key after RSA unwrap + +### HDFS Integration + +- [x] File upload to HDFS +- [x] File download from HDFS +- [x] Folder creation, file/folder deletion +- [x] List files and folders recursively + +--- + +## Done 👍 +### Refresh Token Support + +- [x] Refresh token mechanism (JWT renewal without re-login) + + - Partially mentioned, but not yet implemented + +### Caching Decrypted Private Keys + +- [x] Server-side caching of decrypted private key post-login + + - To avoid decrypting private key on every download + - Should auto-clear on logout or token expiry + +--- + +## Still Pending or Not Implemented + +### Input Validation + +- [ ] Username validation: must be alphanumeric +- [ ] Strong password policy: check against HaveIBeenPwned API +- [ ] File extension and path validation before HDFS operations + +### Secret Key Management + +- [ ] Move JWT secret & encryption secrets to `.env` or Spring config (externalized config for production) +- [ ] Ensure secret key is 32-byte base64 (already discussed but may need 
verifying) + +### Miscellaneous + +- [ ] Clean up obsolete code and files (e.g., old encryption logic, unused fields/methods) +- [ ] Unit & integration tests for: + + - Auth + - Encryption logic + - HDFS controller +- [ ] Error handling standardization across services + +--- + +## Future Scope + +### User Features + +- [ ] User profile update API (change fullname/password) +- [ ] Password reset (email or security question-based) + +### File Features + +- [ ] View/download logs per file (audit trail) +- [ ] File versioning or tagging + +---
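Review bot: In the new "Done 👍" section the refresh-token item is ticked (`- [x] Refresh token mechanism (JWT renewal without re-login)`) but its sub-bullet still reads "Partially mentioned, but not yet implemented", so the file now contradicts itself. Drop or update that sub-bullet. The same applies to the private-key caching item: it is marked done while its sub-bullet "Should auto-clear on logout or token expiry" is still worded as an open requirement. A decrypted RSA private key held server-side is the most sensitive state this list describes, so either reword the sub-bullet to say that eviction on logout and token expiry is implemented, or leave the box unchecked until it is. The hunk also removes and re-adds every line of the file although only the section heading, two checkboxes and one blank line differ, which points to a line-ending or whitespace rewrite. Normalizing that would make the real change reviewable. Consider moving the two items under "Already Implemented" instead of adding a separate "Done 👍" heading, and keep the blank line after the heading as the other sections do.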