# radar-covid-backend-verification-server
**Repository Path**: mirrors_trending/radar-covid-backend-verification-server
## Basic Information
- **Project Name**: radar-covid-backend-verification-server
- **Description**: Radar COVID Verification Service
- **Primary Language**: Unknown
- **License**: MPL-2.0
- **Default Branch**: develop
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-09-12
- **Last Updated**: 2025-09-27
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
# RadarCOVID Verification Service
## Introduction
Verification Service in terms of the Radar COVID project enables:
- Autonomous Communities are able to request verification codes so then they can give them to COVID-19 patients.
- Once COVID-19 patients have the verification code, they can use the mobile application to send this verification code so Verification Service can:
- Check if the verification code is correct, exists in database, is not redeemed and is not expired.
- Once verified, Verification Service returns a [JSON Web Token (JWT)](https://jwt.io/) so mobile application can send the exposition keys to the DP3T service.
## Prerequisites
These are the frameworks and tools used to develop the solution:
- [Java 11](https://openjdk.java.net/).
- [Maven](https://maven.apache.org/).
- [Spring Boot](https://spring.io/projects/spring-boot) version 2.3.
- [Lombok](https://projectlombok.org/), to help programmer. Developers have to include the IDE plugin to support Lombok features (ie, for Eclipse based IDE, go [here](https://projectlombok.org/setup/eclipse)).
- [ArchUnit](https://www.archunit.org/) is used to check Java architecture.
- [PostgreSQL](https://www.postgresql.org/).
- [Redis](https://redis.io/) is used for caching.
- Testing:
- [Spock Framework](http://spockframework.org/).
- [Docker](https://www.docker.com/), because of using Testcontainers.
- [Testcontainers](https://www.testcontainers.org/).
- Monitoring:
- [Micrometer](https://micrometer.io/).
## Installation and Getting Started
### Sample code
Before you continue reading, let us let you know that there is sample code:
- [`CheckSumUtil`](./verification-server-api/src/main/java/es/gob/radarcovid/verification/util/CheckSumUtil.java). Both methods (`checkSum` and `validateChecksum`) are not real in order to avoid Production requests, since _some people_ is sending incorrect verification codes.
- [`JwtAuthorizationFilter`](./verification-server-service/src/main/java/es/gob/radarcovid/verification/security/JwtAuthorizationFilter.java). These properties are not real in order to avoid _illegal_ requests: `AUTHORIZATION_HEADER`, `AUTHORIZATION_BEARER` and `RADAR_PREFIX`.
### Building from Source
To build the project, you need to run this command:
```shell
mvn clean package -P
```
Where `` has these possible values:
- `local-env`. To run the application from local (eg, from IDE o from Maven using `mvn spring-boot:run`). It is the default profile, using [`application.yml`](./verification-server-boot/src/main/resources/application.yml) configuration file. If any properties need to be modified, you can create application-local.yml configuration file.
- `docker-env`. To run the application in a Docker container with `docker-compose`, using [`application.yml`](./verification-server-boot/src/main/resources/application.yml) configuration file. If any properties need to be modified, you can create application-docker.yml configuration file.
- `pre-env`. To run the application in the Preproduction environment. Preproduction environment properties are configured in the infrastructure.
- `pro-env`. To run the application in the Production environment. Production environment properties are configured in the infrastructure.
The project also uses Maven profile `aws-env` to include dependencies when it is running on AWS environment, so the compilation command for Preproduction and Production environments would be:
```shell
mvn clean package -P pre-env,aws-env
mvn clean package -P pro-env,aws-env
```
All profiles will load the default [configuration file](./verification-server-boot/src/main/resources/application.yml).
Private and public keys located on [`application.yml`](./verification-server-boot/src/main/resources/application.yml) are only for testing on local (running inside IDE or Docker).
### Running the Project
Depends on the environment you selected when you built the project, you can run the project:
- From the IDE, if you selected `local-env` environment (or you didn't select any Maven profile).
- From Docker. Once you build the project, you will have in `verification-server-boot/target/docker` the files you would need to run the application from a container (`Dockerfile` and the Spring Boot fat-jar).
If you want to run the application inside a docker in local, once you built it, you should run:
```shell
docker-compose up -d postgres
docker-compose up -d redis
docker-compose up -d backend
```
#### Database
This project doesn't use either [Liquibase](https://www.liquibase.org/) or [Flyway](https://flywaydb.org/) because:
1. DB-Admins should only have database privileges to maintain the database model ([DDL](https://en.wikipedia.org/wiki/Data_definition_language)).
2. Applications should only have privileges to maintain the data ([DML](https://en.wikipedia.org/wiki/Data_manipulation_language)).
Because of this, there are two scripts:
- [`01-VERIFICATION-DDL.sql`](sql/total/01-VERIFICATION-DDL.sql). Script to create the model.
- [`02-VERIFICATION-DML.sql`](sql/total/02-VERIFICATION-DML.sql). Script with inserts. This file (and also [`data.sql`](./verification-server-boot/src/test/resources/data.sql)) contains sample data for record `01` corresponding to `AndalucĂa`.
### API Documentation
Along with the application there comes with [OpenAPI Specification](https://www.openapis.org/), which you can access in your web browser when the Verification Service is running (unless in Production environment, where it is inactive by default):
```shell
/openapi/api-docs
```
You can download the YAML version in `/openapi/api-docs.yaml`
If running in local, you can get:
- OpenAPI: http://localhost:8080/openapi/api-docs
- Swagger UI: http://localhost:8080/openapi/ui
#### Endpoints
| Endpoint | Description |
| -------- | ----------- |
| `/generate?n=` | Generates `n` verification codes to be used by Autonomous Communities |
| '/redemption' | Saves redemption information provided by Autonomous Communities |
| `/verification/code` | Verify provided code. The provided Code is verified to be formerly issued by the Health Authority |
| `/verification/tan` | Verify provided TAN. Used internally (for DP3T) to verify the TAN provided in the JWT token, which is sent in the positive notification |
### Generate codes
When an Autonomous Community (CCAA) asks for generating `n` codes to the Verification Service, firstly the CCAA needs to generate a private key to create the [JSON Web Token (JWT)](https://jwt.io) and sends the corresponding public key to the Verification Service.
#### Keys generation
This service uses [Elliptic Curve (EC)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography) keys to allow Autonomous Communities to request verification codes and to sign the given response.
To generate the keys you can use these commands ([OpenSSL](https://www.openssl.org/) tool is required):
1. Generate private key:
```shell
openssl ecparam -name secp521r1 -genkey -noout -out generated_private.pem
```
2. Converse private key to new PEM format:
```shell
openssl pkcs8 -topk8 -inform pem -in generated_private.pem -outform pem -nocrypt -out generated_private_new.pem
```
3. Get Base64 from private key:
```shell
openssl base64 -in generated_private_new.pem > generated_private_base64.pem
```
4. Generate public key:
```shell
openssl ec -in generated_private_new.pem -pubout -out generated_pub.pem
```
5. Get Base64 from public key:
```shell
openssl base64 -in generated_pub.pem > generated_pub_base64.pem
```
#### Creating JWT from CCAA
Once CCAA has generated its private/public keys, CCAA has to send the public key to the Verification Service. The Verification Service will save this public key in the `VERIFICATION.CCAA` table, with the record that corresponds with the code (`DE_CCAA_ID`) for that CCAA.
The CCAA will create a JWT code (ie, [`CCAATokenGeneratorTest.java`](./verification-server-boot/src/test/java/es.gob.radarcovid.verification.test.CCAATokenGeneratorTest.java)) and use it to invoke to `/generate` endpoint. The JWT token has to be in the `X-RadarCovid-Authorization` header (NOTE: the name of this header is an example; in Production environment, it is different).
#### Generation codes signature
The `generate` response has a `signature` so client applications can verify if the response is valid. Verification Service will provide his public key to the CCAA so then they are able to check the signature.
[`GenerationControllerTestSpec`](./verification-server-boot/src/test/groovy/es/gob/radarcovid/verification/controller/test/GenerationControllerTestSpec.groovy) is a good example that shows how it works.
### Modules
Verification Service has four modules:
- `verification-server-parent`. Parent Maven project to define dependencies and plugins.
- `verification-server-api`. [DTOs](https://en.wikipedia.org/wiki/Data_transfer_object) exposed.
- `verification-server-boot`. Main application, global configurations and properties. This module also has integration tests and Java architecture tests with ArchUnit.
- `verification-server-service`. Business and data layers.
## Support and Feedback
The following channels are available for discussions, feedback, and support requests:
| Type | Channel |
| ---------- | ------------------------------------------------------ |
| **Issues** |
|
## Contribute
If you want to contribute with this exciting project follow the steps in [How to create a Pull Request in GitHub](https://opensource.com/article/19/7/create-pull-request-github).
More details in [CONTRIBUTING.md](./CONTRIBUTING.md).
## License
This Source Code Form is subject to the terms of the [Mozilla Public License, v. 2.0](https://www.mozilla.org/en-US/MPL/2.0/).