Onboarding-service

Architecture

Prerequisites

• JDK 17
• Groovy
• Git
• Gradle
• Lombok
• IntelliJ
• Docker

Tech stack

Database

PostgreSQL

Running locally with Docker: docker-compose up database -d

Spring Profile

IMPORTANT: Set your Spring active profile to dev - this will also run DB schema/dev data migration

Backend

Java 17, Spring Boot, Gradle, Spock for testing

Running locally: ./gradlew bootRun

Frontend

React, TypeScript, scss, custom bootstrap, react-testing-library

Exception Monitoring

Sentry

Analytics

Google Analytics / Mixpanel

Hosting

AWS Elastic BeanStalk: EC2 and ELB

Continuous Integration

CircleCI

Production Logs

Papertrail

API

Authentication: oAuth2 with Mobile-ID, ID-card and Smart-ID

Swagger UI

Postman API collection (outdated)

Build pipeline

Production: Merge GitHub pull request to master -> build in CircleCI -> auto-redeploy (if build is green)

How to add new pension funds?

1. Add the new fund to the funds database table.

Development notes

Code style: Java, Kotlin

If you don't want to run epis-service, then you can mock TransferExchangeService.java, which calls epis-service.

Common Issues

error="unsupported_grant_type", error_description="Unsupported grant type: mobile_id"

Make sure you are running against the right backend environment (dev or prod).

• If you do npm run develop your package.json must proxy to http://localhost:9000
• If you do npm run develop-production your package.json must proxy to https://onboarding-service.tuleva.ee

Known Issues

• Digital signing does not work in the dev environment. Use the production configuration to test it locally. See DigiDocConfiguration.digiDocConfigDev() and smartid.hostUrl, smartid.relyingPartyUUID, smartid.relyingPartyName config values in application.yml and change them to production values. Use VPN for testing.

Caveats

When updating Spring Boot, sometimes you need to remove all of the existing access tokens from the oauth_access_token database table. However, there's one special token granted for tuleva.ee which allows it to fetch Fund NAV values and register new users. In order to generate a new token, you need to: token by

curl --location --request POST 'https://pension.tuleva.ee/api/oauth/token' \
--header 'Authorization: Basic <base64 of client_id:client_secret>' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=tuleva.ee'

and then update the token values in the WordPress Tuleva template.

Testing ID-card Locally

In order to test ID-card locally, you need to run nginx locally with the right certificates and the right domain names.

1. Add tuleva certs to ./nginx (4 files)
2. Update $frontend and $backend urls in etc/eb/.ebextensions/nginx/conf.d/01_ssl_proxy.conf
3. Add to hosts file:

   127.0.0.1 id.tuleva.ee
   127.0.0.1 pension.tuleva.ee
   127.0.0.1 onboarding-service.tuleva.ee
   

4. Run nginx with docker: docker-compose up nginx
5. Add DANGEROUSLY_DISABLE_HOST_CHECK=true to .env in onboarding-client
6. add server.servlet.session.cookie.domain: tuleva.ee to application.yml
7. Test through https://pension.tuleva.ee
8. Later, don't forget to clean up your hosts file

References

hwcrypto.js

hwcrypto Sequence Diagram

Test Authentication Methods

Test Mobile ID

Test ID Card

Test Smart ID