Accounting – blog.fossasia.org

Implementing Search User Feature for Admins

Post author:PrP-11
Post published:August 21, 2018
Post category:API FOSSASIA GSoC SUSI.AI
Post comments:0 Comments

The users tab of admin panel of SUSI.AI provides a list of all users registered on SUSI. This helps admins to get an overview of users and also provides the admins option like change user roles and delete accounts. The list of users is displayed in a table which also uses pagination to handle larger number of users. But to find a particular user can be a difficult task if the user base is large. Therefore a feature to search for users by their email has been implement which searches for users on SUSI server and then sends the searched users to the client. In this post we will discuss both about the server and client side implementation of this feature. (more…)

Implementing User Stats for SUSI.AI Admin Panel

Post author:PrP-11
Post published:August 21, 2018
Post category:API FOSSASIA GSoC SUSI.AI
Post comments:0 Comments

SUSI.AI has an admin panel where users with roles operator or above get an overview of various stats and manage other users and skills. The admin panel allows the system admins to get a list of all users registered on susi and also provide an option to change their user roles as well. The admin tab provides us with the statistics of its users. In this post we will discuss how this is implemented on susi server. (more…)

How to Change a Password and Forgot Password Feature in the SUSI.AI Server

Post author:PrP-11
Post published:August 21, 2018
Post category:API FOSSASIA GSoC SUSI.AI Tutorial
Post comments:0 Comments

The accounting system of SUSI.AI provides its users the option to change the password of their accounts. This features gives us two options, either we can change our password by entering the older password or if the user forgot the password, they are provided a link on their email address through which we can change our password. Using either option, the user has to authenticate themselves before they can actually change their passwords. If the user has the current password, it is considered as a parameter of authentication. In other case the user has to check their email account for the link which also confirms the authenticity of user. In this post we will discuss how both options works on SUSI. (more…)

Delete User Account Service using LoginService.java API in SUSI.AI

Post author:PrP-11
Post published:August 20, 2018
Post category:API FOSSASIA GSoC SUSI.AI
Post comments:0 Comments

SUSI.AI has an api to handle all account related services called accounts.susi.ai. This API provides services like change password and delete account. the main goal of accounts.susi.ai is to centralise the accounts’ related settings from web, android and iOS clients into a single place like other accounting services. In this post we will discuss one of these features which is the delete user account from SUSI.AI.

The api accounts.susi.ai has a react file DeleteAccount.react.js. This file handle the delete account service and interacts with the LoginServce.java api, which is the core file for authentication. I will discuss in details how these two interact with each other and with other files. (more…)

Fetching Info of All Users and their connected devices for the SUSI.AI Admin Panel

Post author:Akshat-Jain
Post published:August 20, 2018
Post category:FOSSASIA SUSI.AI Tutorial
Post comments:0 Comments

Fetching the data of all users is required for displaying the list of users on the SUSI.AI Admin panel. It was also required to fetch the information of connected devices of the user along with the other user data. The right to fetch the data of all users should only be permitted to user roles “OPERATOR” and above. This blog post explains how the data of connected devices of all users is fetched, which can then be used in the Admin panel. How is user data stored on the server? All the personal accounting information of any user is stored in the user’s accounting object. This is stored in the “accounting.json” file. The structure of this file is as follows: { "email:akjn11@gmail.com": { "devices": { "8C-39-45-23-D8-95": { "name": "Device 2", "room": "Room 2", "geolocation": { "latitude": "54.34567", "longitude": "64.34567" } } }, "lastLoginIP": "127.0.0.1" }, "email:akjn22@gmail.com": { "devices": { "1C-29-46-24-D3-55": { "name": "Device 2", "room": "Room 2", "geolocation": { "latitude": "54.34567", "longitude": "64.34567" } } }, "lastLoginIP": "127.0.0.1" } } As can be seen from the above sample content of the “accounting.json” file, we need to fetch this data so that it can then be used to display the list of users along with their connected devices on the Admin panel. Implementing API to fetch user data and their connected devices The endpoint of the servlet is “/aaa/getUsers.json” and the minimum user role for this servlet is “OPERATOR”. This is implemented as follows: @Override public String getAPIPath() { return "/aaa/getUsers.json"; } @Override public UserRole getMinimalUserRole() { return UserRole.OPERATOR; } Let us go over the main method serviceImpl() of the servlet: We need to traverse through the user data of all authorized users. This is done by getting the data using DAO.getAuthorizedClients() and storing them in a Collection. Then we extract all the keys from this collection, which is then used to traverse into the Collection and fetch the user data. The implementation is as follows: Collection<ClientIdentity> authorized = DAO.getAuthorizedClients(); List<String> keysList = new ArrayList<String>(); authorized.forEach(client -> keysList.add(client.toString())); for (Client client : authorized) { // code } Then we traverse through each client and generate a client identity to get the user role of the client. This is done using the DAO.getAuthorization() method. The user role of the client is also put in the final object which we want to return. This is implemented as follows: JSONObject json = client.toJSON(); ClientIdentity identity = new ClientIdentity(ClientIdentity.Type.email, client.getName()); Authorization authorization = DAO.getAuthorization(identity); UserRole userRole = authorization.getUserRole(); json.put("userRole", userRole.toString().toLowerCase()); Then the client credentials are generated and it is checked whether the user is verified or not. If the user is verified, then in the final object, “confirmed” is set to true, else it is set to false. ClientCredential clientCredential = new ClientCredential (ClientCredential.Type.passwd_login, identity.getName()); Authentication authentication = DAO.getAuthentication(clientCredential); json.put("confirmed", authentication.getBoolean("activated", false)); Then we fetch the accounting object of the user using DAO.getAccounting(), and extract all the user data and put them in separate key value pairs in the final…

How to integrate SUSI.AI with Google Sign In API

Post author:PrP-11
Post published:July 29, 2018
Post category:API FOSSASIA GSoC SUSI.AI Tutorial
Post comments:0 Comments

Google Sign-In manages the OAuth 2.0 flow and token lifecycle, simplifying our integration with Google APIs. A user always has the option to revoke access to an application at any time. Users can see a list of all the apps which they have given permission to access their account details and are using the login API. In this blog post I will discuss how to integrate this API with susi server API to enhance our AAA system. More on Google API here. (more…)

Using SUSI.AI Accounting Model to store Device information on Server

Post author:Akshat-Jain
Post published:July 28, 2018
Post category:FOSSASIA GSoC SUSI.AI
Post comments:0 Comments

Just like with Google Home devices and Amazon Alexa devices, SUSI.AI Users should have a way to add and store the information of their devices (Smart Speakers) on SUSI Server, so that it could be displayed to them on various clients. Hence, we needed a Servlet which could add and store the User data on the Server. Implementation of Servlets in SUSI.AI All servlets in SUSI extend AbstractAPIHandler class and implement APIHandler. All servlets have 4 methods, which we overwrite depending on what we want the servlet to do. They are as follows : @Override public String getAPIPath() { return null; } @Override public BaseUserRole getMinimalBaseUserRole() { return null; } @Override public JSONObject getDefaultPermissions(BaseUserRole baseUserRole) { return null; } @Override public ServiceResponse serviceImpl(Query post, HttpServletResponse response, Authorization rights, JsonObjectWithDefault permissions) throws APIException { Return null; } How these 4 methods work together? First method is getAPIPath(). It returns the endpoint of the servlet. The second method is getMinimalBaseUserRole(). It returns the minimum privilege level required to access the endpoint. The third method is getDefaultPermissions(). It gets the Default Permissions of a UserRole in SUSI Server. Different UserRoles have different permissions defined in SUSI Server. Whenever the endpoint defined in the getAPIPath() method is called properly, it responds with whatever is defined in the fourth method, which is serviceImpl(). How is User data stored on SUSI Server? Before we move on to the actual implementation of the API required to store the device information, we should get a brief idea of how exactly User data is stored on SUSI Server. Every SUSI User has an Accounting Object. It is a JSONObject which stores the Settings of the particular User on the Server. For example, every time you change some setting on the Web Client https://chat.susi.ai, an API call is made to aaa/changeUserSettings.json with appropriate parameters with information of the changed setting, and the User settings are stored to the Server in the Accounting Object of the User. Implementation of a Servlet to store Device information on Server The task of this servlet is to store the information of a new device (Smart speaker) whenever it is initially set up using the Android/iOS app. This is the implementation of the 4 methods of a servlet which is used to store information of connected devices: @Override public String getAPIPath() { return "/aaa/addNewDevice.json"; } @Override public UserRole getMinimalUserRole() { return UserRole.USER; } @Override public JSONObject getDefaultPermissions(UserRole baseUserRole) { return null; } @Override public ServiceResponse serviceImpl(Query query, HttpServletResponse response, Authorization authorization, JsonObjectWithDefault permissions) throws APIException { JSONObject value = new JSONObject(); String key = query.get("macid", null); String name = query.get("name", null); String device = query.get("device", null); if (key == null || name == null || device == null) { throw new APIException(400, "Bad service call, missing arguments"); } else { value.put(name, device); } if (authorization.getIdentity() == null) { throw new APIException(400, "Specified user data not found, ensure you are logged in"); } else { Accounting accounting = DAO.getAccounting(authorization.getIdentity()); if (accounting.getJSON().has("devices")) { accounting.getJSON().getJSONObject("devices").put(key, value); }…

Store User’s Personal Information with SUSI

Post author:DravitLochan
Post published:October 21, 2017
Post category:API CodeHeat FOSSASIA SUSI.AI Tutorial
Post comments:0 Comments

In this blog, I discuss how SUSI.AI stores personal information of it’s users. This personal information is mostly about usernames/links to different websites like LinkedIn, GitHub, Facebook, Google/Gmail etc. To store such details, we have a dedicated API. Endpoint is : https://api.susi.ai/aaa/storePersonalInfo.json In this API/Servlet, storing the details and getting the details, both the aspects are covered. At the time of making the API call, user has an option either to ask the server for a list of available store names along with their values or request the server to store the value for a particular store name. If a store name already exists and a client makes a call with new/updated value, The servlet will update the value for that particular store name. The reason you are looking at minimal user role as USER is quite obvious, i.e. these details correspond to a particular user. Hence neither we want someone writing such information anonymously nor we want this information to be visible to anonymous user until allowed by the user. In the next steps, we start evaluating the API call made by the client. We look at the combination of the parameters present in the request. If the request is to fetch list of available stores, server first checks if Accounting object even has a JSONObject for “stores” or not. If not found, it sends an error message “No personal information is added yet.” and error code 420. Prior to all these steps, server first generates an accounting object for the user. If found, details are encoded as JSONObject’s parameter. Look at the code below to understand things fairly. Accounting accounting = DAO.getAccounting(authorization.getIdentity()); if(post.get("fetchDetails", false)) { if(accounting.getJSON().has("stores")){ JSONObject jsonObject = accounting.getJSON().getJSONObject("stores"); json.put("stores", jsonObject); json.put("accepted", true); json.put("message", "details fetched successfully."); return new ServiceResponse(json); } else { throw new APIException(420, "No personal information is added yet."); } } If the request was not to fetch the list of available stores, It means client wants server to save a new field or update a previous value for that of a store name. A combination of If-else evaluates whether the call even contains required parameters. if (post.get("storeName", null) == null) { throw new APIException(422, "Bad store name encountered!"); } String storeName = post.get("storeName", null); if (post.get("value", null) == null) { throw new APIException(422, "Bad store name value encountered!"); } If request contains all the required data, then store name & value are extracted as key-value pair from the request. In the next steps, since the server is expected to store list of the store names for a particular user, First the identity is gathered from the already present authorization object in “serviceImpl” method. If the server finds a “null” identity, It throws an error with error code 400 and error message “Specified User Setting not found, ensure you are logged in”. Else, server first checks if a JSONObject with key “stores” exists or not. If not, It will create an object and will put the key value pair in the new JSONObject. Otherwise…

Implementation of SUSI.AI Signup Service

Post author:DravitLochan
Post published:August 27, 2017
Post category:API FOSSASIA GSoC SUSI.AI
Post comments:0 Comments

In this blog, I discuss the complete implementation of SUSI server when a user signs up with SUSI. Since public signup is enabled, minimal user role to access the servlet is ANONYMOUS. Given below is the API endpoint at which a signup request has to be made. http://api.susi.ai/aaa/signup.json Here we do not have much options unlike Login service. . Requests can be made in following ways with different parameters: http://api.susi.ai/aaa/signup.json?signup=test@fossasia.com&password=Rest@123 http://api.susi.ai/aaa/signup.json?getParameters=true http://api.susi.ai/aaa/signup.json?access_token={30 characters long access token}&validateEmail=test@fossasia.com&request_session=true First one is the request which client makes, asking the server to register the user with email id test@fossasia.com and password as Reset@123. On receiving a request which has parameters signup and password, server looks back in the database and verifies that a user with same email id exists or not. If email id already exists, server throws an error stating “email already taken”. Given below is a small code snippet for better understanding. ClientCredential credential = new ClientCredential(ClientCredential.Type.passwd_login, signup); Authentication authentication = DAO.getAuthentication(credential); if (authentication.getIdentity() != null) { throw new APIException(422, "email already taken"); } If client is not found in the database, a new identity is generated for the user and is set in authentication.json file. Next, a random salt string is generated which acts as salt to hash the user’s password. Since the same salt will be required at the time of matching the password for validation, we store both the salt and password hash in authentication.json file. Now, if the database is going to encounter it’s first user, Automatically, BUREAUCRAT (Role with maximum power) will be assigned as his/her user role. To do this, we first get a list of all the users with the help of DAO class and count number of users present in it. Take a look at the code given below, Authorization authorization = DAO.getAuthorization(identity); Collection<ClientIdentity> authorized = DAO.getAuthorizedClients(); List<String> keysList = new ArrayList<String>(); authorized.forEach(client -> keysList.add(client.toString())); String[] keysArray = keysList.toArray(new String[keysList.size()]); if(keysArray.length == 1) { authorization.setUserRole(UserRole.BUREAUCRAT); } else { authorization.setUserRole(UserRole.USER); } In further steps, a random token is generated and marked as the verification token for the user who just signed-up. Other attributes for the token are also set like expiry time. Finally, account verification mail’s template is picked from “conf/templates/verification-mail” file and used as the body for the user verification email. The second type of request is quite simple which is just to request a regular expression from the server to give proper information to the user. It’s code is quite easy and self understandable. Third type of request is sent to the server when user clicks on the link received in the account verification email. Taking a closer look at the account verification link, one could easily decode that the request would be redirected to /aaa/signup.json with parameters Access_token : 30 characters long access token validateEmail : user’s email id request_session : true Access_token makes up the unique id for the user. ValidateEmail is to make it easier for server…

SUSI Account Verification – From JSON to Accounts

Post author:DravitLochan
Post published:August 27, 2017
Post category:FOSSASIA GSoC SUSI.AI
Post comments:0 Comments

In this blog post, I'll be telling on how SUSI-server synchronizes with SUSI accounts front-end and enable users to have a SUSI verified account. Apart from how server processes the query and responds to it, I also discuss the role of SUSI accounts as a client in it. Beginning with server, at the time of signup, a mail is sent to user’s email id {only is user is not already registered}. This email contains a link, clicking on which a request is sent to server to check if the combination of email id and the access_token passed matches or not. Let us quickly look at the email and decode it. http://accounts.susi.ai/verify-account?access_token=hU86imBzXP3hcLgBgN6x4ShLuDopyH&validateEmail=dlochangupta@gmail.com&request_session=true As you can see, the base URL is http://accounts.susi.ai and the route to which the user is redirected ‘/verify-account’. What does the rest of the parameters do? access _token ---> access token validateEmail ---> email id of the user request_session ---> boolean value to request a session access_token contains a key which will be valid for 7 days (i.e. 604800 seconds) since the account was registered. Since signing up and verifying user’s account, both share Signup.java servlet, As a first step, server checks if the request contains ‘validateEmail’ in the parameter list. If yes, AND it is not a null parameter, server is sure that it is a account verification request. Next it proceeds with checking if user has even registered or not. If not, user is notified with error code 400 and error message “Bad request”. Otherwise, by now server has found the client ID already and only steps left are to make “activated” attribute set to true. Once done successfully, server responds with a similar type of JSON response : { "accepted": true, "message": "You successfully verified your account!", "session": {"identity": { "type": "email", "name": "test@fossasia.com", "anonymous": false }} } But you did not come across a similar type of JSON response. Did you? Here comes the role of client. If you replace http://accounts.susi.ai/verify-account with http://api.susi.ai/aaa/signup.json in the link you received, you will indeed find this JSON response. Since a user is redirected to http://accounts.susi.ai/verify-account with above mentioned 3 parameters, in componentDidMount() function, list of these parameters is extracted from component props. componentDidMount() { const { accessToken, validateEmail, requestSession } = this.props; This list was declared and initialized with some values initially so that if these are not found in the parameter list, client would be able to figure it out. const urlPropsQueryConfig = { accessToken: { type: UrlQueryParamTypes.string, queryParam: 'access_token' }, requessession: { type: UrlQueryParamTypes.string}, validateEmail: { type: UrlQueryParamTypes.string }, }; static defaultProps = { token: 'null', validateEmail: 'null', requestSession: false, } Additional Resources Site: npmjs.com on How to extract url query parameters from a link? (official documentation) Site: daveceddia.com on How to make an AJAX call in ReactJS. Blog post by Dave Ceddia