wultra · banterCZ · Jul 26, 2024 · Apr 8, 2024 · Apr 8, 2024 · Apr 8, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -4,9 +4,6 @@ on:
   workflow_dispatch:
   push:
     branches: [ 'develop', 'master', 'releases/**' ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ 'develop', 'master', 'releases/**' ]
   schedule:
     - cron: '0 2 * * 4'
 

diff --git a/.github/workflows/scp-deploy.yml b/.github/workflows/scp-deploy.yml
@@ -19,7 +19,7 @@ jobs:
           cache: maven
       - name: Run Maven Package Step
         run: |
-          mvn -B -U package -Dmaven.test.skip=true
+          mvn -B -U package -Dmaven.test.skip=true -DuseInternalRepo=true
         env:
           INTERNAL_USERNAME: ${{ secrets.JFROG_USERNAME }}
           INTERNAL_PASSWORD: ${{ secrets.JFROG_PASSWORD }}

diff --git a/docs-private/Developer-How-To-Start.md b/docs-private/Developer-How-To-Start.md
@@ -25,11 +25,28 @@ liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-java-server/
 
 To generate SQL script run this command.
 
+
+#### Oracle
+
 ```shell
 liquibase --changeLogFile=./docs/db/changelog/changesets/powerauth-java-server/db.changelog-module.xml --output-file=./docs/sql/oracle/generated-oracle-script.sql updateSQL --url=offline:oracle
 ```
 
 
+#### MS SQL
+
+```shell
+liquibase --changeLogFile=./docs/db/changelog/changesets/powerauth-java-server/db.changelog-module.xml --output-file=./docs/sql/mssql/generated-mssql-script.sql updateSQL --url=offline:mssql
+```
+
+
+#### PostgreSQL
+
+```shell
+liquibase --changeLogFile=./docs/db/changelog/changesets/powerauth-java-server/db.changelog-module.xml --output-file=./docs/sql/postgresql/generated-postgresql-script.sql updateSQL --url=offline:postgresql
+```
+
+
 ## PowerAuth Admin Server
 
 

diff --git a/docs/Admin-Deploying-Wildfly.md b/docs/Admin-Deploying-Wildfly.md
@@ -6,7 +6,7 @@ PowerAuth Admin contains the following configuration in `jboss-deployment-struct
 
 ```xml
 <?xml version="1.0"?>
-<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
+<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.3">
     <deployment>
         <exclude-subsystems>
             <!-- disable the logging subsystem because the application manages its own logging independently -->

diff --git a/docs/Configuration-Properties-Admin.md b/docs/Configuration-Properties-Admin.md
@@ -42,5 +42,9 @@ The PowerAuth Admin application uses the following public configuration properti
 
 ## Monitoring and Observability
 
+| Property                                  | Default | Note                                                                                                                                                                        |
+|-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
+
 The WAR file includes the `micrometer-registry-prometheus` dependency.
 Discuss its configuration with the [Spring Boot documentation](https://docs.spring.io/spring-boot/docs/3.1.x/reference/html/actuator.html#actuator.metrics).
diff --git a/docs/Configuration-Properties.md b/docs/Configuration-Properties.md
@@ -70,6 +70,7 @@ The PowerAuth Server uses the following public configuration properties:
 
 
 ## Monitoring and Observability
+
 | Property                                  | Default | Note                                                                                                                                                                        |
 |-------------------------------------------|---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `management.tracing.sampling.probability` | `1.0`   | Specifies the proportion of requests that are sampled for tracing. A value of 1.0 means that 100% of requests are sampled, while a value of 0 effectively disables tracing. |
@@ -82,6 +83,7 @@ Discuss its configuration with the [Spring Boot documentation](https://docs.spri
 | Property                                                                    | Default   | Note                                                                                               |
 |-----------------------------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------|
 | `powerauth.service.scheduled.job.operationCleanup`                          | `5000`    | Time delay in milliseconds between two consecutive tasks that expire long pending operations.      |
+| `powerauth.service.scheduled.job.expireOperationsLimit`                     | `100`     | Number of long pending operations that will be set expired in single scheduled job run.            |
 | `powerauth.service.scheduled.job.activationsCleanup`                        | `5000`    | Time delay in milliseconds between two consecutive tasks that expire abandoned activations.        |
 | `powerauth.service.scheduled.job.activationsCleanup.lookBackInMilliseconds` | `3600000` | Number of milliseconds to look back in the past when looking for abandoned activations.            |
 | `powerauth.service.scheduled.job.uniqueValueCleanup`                        | `60000`   | Time delay in milliseconds between two consecutive tasks that delete expired unique values.        |

diff --git a/docs/Database-Structure.md b/docs/Database-Structure.md
@@ -140,7 +140,7 @@ CREATE TABLE pa_activation
     device_info                   VARCHAR(255),
     flags                         VARCHAR(255),
     external_id                   VARCHAR(255),
-    protocol                      VARCHAR(32) DEFAULT 'powerauth',
+    protocol                      VARCHAR(32) DEFAULT 'powerauth' NOT NULL,
     failed_attempts               INTEGER NOT NULL,
     max_failed_attempts           INTEGER DEFAULT 5 NOT NULL,
     server_private_key_base64     VARCHAR(255) NOT NULL,
@@ -519,6 +519,7 @@ CREATE TABLE pa_operation (
     parameters            TEXT,
     additional_data       TEXT,
     status                INTEGER NOT NULL,
+    status_reason         VARCHAR(32),
     signature_type        VARCHAR(255) NOT NULL,
     failure_count         BIGINT DEFAULT 0 NOT NULL,
     max_failure_count     BIGINT NOT NULL,
@@ -532,24 +533,25 @@ CREATE TABLE pa_operation (
 
 #### Columns
 
-| Name                | Type         | Info        | Note                                                                                            |
-|---------------------|--------------|-------------|-------------------------------------------------------------------------------------------------|
-| id                  | varchar(37)  | primary key | Unique operation ID.                                                                            |
-| user_id             | varchar(255) | -           | Related user ID.                                                                                |
-| template_id         | bigint       | -           | Template ID used for creating the operation.                                                    |
-| external_id         | varchar(255) | -           | Identifier in external system.                                                                  |
-| operation_type      | varchar(255) | -           | Name of the type of operation.                                                                  |
-| data                | text         | -           | Data of the operation that enter the final signature.                                           |
-| parameters          | text         | -           | JSON-encoded parameters that were used while creating the operation.                            |
-| status              | integer      | -           | Status of the operation.                                                                        |
-| signature_type      | varchar(255) | -           | Comma-separated list of allowed signature types.                                                |
-| failure_count       | bigint       | -           | Number of already failed attempts to approve the operation.                                     |
-| max_failure_count   | bigint       | -           | Maximum allowed number of failed attempts when approving the operation.                         |
-| timestamp_created   | timestamp    | -           | Timestamp of when the operation was created.                                                    |
-| timestamp_expires   | timestamp    | -           | Timestamp of when the operation will expire.                                                    |
-| timestamp_finalized | timestamp    | -           | Timestamp of when the operation reached the terminal state (approved, rejected, expired, etc.). |
-| risk_flages         | varchar(255) | -           | Risk flags for offline QR code. Uppercase letters without separator, e.g. `XFC`.                |
-| totp_seed           | varchar(24)  | -           | Optional TOTP seed used for proximity check, base64 encoded.                                    |
+| Name                | Type         | Info        | Note                                                                                                                             |
+|---------------------|--------------|-------------|----------------------------------------------------------------------------------------------------------------------------------|
+| id                  | varchar(37)  | primary key | Unique operation ID.                                                                                                             |
+| user_id             | varchar(255) | -           | Related user ID.                                                                                                                 |
+| template_id         | bigint       | -           | Template ID used for creating the operation.                                                                                     |
+| external_id         | varchar(255) | -           | Identifier in external system.                                                                                                   |
+| operation_type      | varchar(255) | -           | Name of the type of operation.                                                                                                   |
+| data                | text         | -           | Data of the operation that enter the final signature.                                                                            |
+| parameters          | text         | -           | JSON-encoded parameters that were used while creating the operation.                                                             |
+| status              | integer      | -           | Status of the operation.                                                                                                         |
+| status_reason       | varchar(32)  | -           | Optional details why the status changed. The value should be sent in the form of a computer-readable code, not a free-form text. |
+| signature_type      | varchar(255) | -           | Comma-separated list of allowed signature types.                                                                                 |
+| failure_count       | bigint       | -           | Number of already failed attempts to approve the operation.                                                                      |
+| max_failure_count   | bigint       | -           | Maximum allowed number of failed attempts when approving the operation.                                                          |
+| timestamp_created   | timestamp    | -           | Timestamp of when the operation was created.                                                                                     |
+| timestamp_expires   | timestamp    | -           | Timestamp of when the operation will expire.                                                                                     |
+| timestamp_finalized | timestamp    | -           | Timestamp of when the operation reached the terminal state (approved, rejected, expired, etc.).                                  |
+| risk_flages         | varchar(255) | -           | Risk flags for offline QR code. Uppercase letters without separator, e.g. `XFC`.                                                 |
+| totp_seed           | varchar(24)  | -           | Optional TOTP seed used for proximity check, base64 encoded.                                                                     |
 <!-- end -->
 
 <!-- begin database table pa_operation_template -->
@@ -623,6 +625,7 @@ CREATE TABLE pa_fido2_authenticator (
     aaguid          VARCHAR(255)    NOT NULL,
     description     VARCHAR(255)    NOT NULL,
     signature_type  VARCHAR(255)    NOT NULL,
+    transports      VARCHAR(255),
     CONSTRAINT pa_fido2_authenticator_pkey PRIMARY KEY (aaguid)
 );
 ```
@@ -634,4 +637,5 @@ CREATE TABLE pa_fido2_authenticator (
 | aaguid         | varchar(255) | primary key | Identifier of the FIDO2 authenticator.                 |
 | description    | varchar(255) | -           | Human-readable description of the FIDO2 authenticator. |
 | signature_type | varchar(255) | -           | Signature type provided by the FIDO2 authenticator.    |
+| transport      | varchar(255) | -           | JSON array of transport hints for WebAuthn ceremonies. |
 <!-- end -->
diff --git a/docs/Deploying-Wildfly.md b/docs/Deploying-Wildfly.md
@@ -6,22 +6,13 @@ PowerAuth server contains the following configuration in `jboss-deployment-struc
 
 ```xml
 <?xml version="1.0"?>
-<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
+<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.3">
     <deployment>
-        <exclusions>
-            <module name="org.apache.xerces" />
-            <module name="org.apache.xalan" />
-        </exclusions>
         <exclude-subsystems>
             <!-- disable the logging subsystem because the application manages its own logging independently -->
             <subsystem name="logging" />
         </exclude-subsystems>
 
-        <resources>
-            <!-- use WAR provided Bouncy Castle -->
-            <resource-root path="WEB-INF/lib/bcprov-jdk18on-${BC_VERSION}.jar" use-physical-code-source="true"/>
-        </resources>
-
         <dependencies>
             <module name="com.wultra.powerauth.server.conf" />
         </dependencies>
@@ -93,12 +84,14 @@ The `application-ext.properties` file is used to override default configuration
 
 ```
 # Database Configuration - Oracle
-spring.datasource.url=jdbc:oracle:thin:@//[host]:[port]/[servicename]
-spring.datasource.username=powerauth
-spring.datasource.password=powerauth
+spring.datasource.jndi-name=java:/jdbc/powerauth
 
 # Application Service Configuration
 powerauth.service.applicationEnvironment=TEST
 ```
 
+Mind that you should specify `spring.datasource.jndi-name` to use the application server datasource (its declaration is out of the scope of this guideline).
+When configure `spring.datasource.url`, the hikari connection pool is used.
+Spring Boot running on WildFly or JBoos initializes [JtaTransactionManager](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/transaction/jta/JtaTransactionManager.html).
+
 PowerAuth Server Spring application uses the `ext` Spring profile which activates overriding of default properties by `application-ext.properties`.
diff --git a/docs/FIDO2-API.md b/docs/FIDO2-API.md
@@ -84,7 +84,7 @@ List of authenticators for provided user and application.
 }
 ```
 
-##### Response Params
+##### Description of Response Params
 
 | Attribute           | Type       | Description                                                 |
 |---------------------|------------|-------------------------------------------------------------|
@@ -149,7 +149,7 @@ Challenge for new FIDO2 authenticator registration.
 }
 ```
 
-##### Response Params
+##### Description of Response Params
 
 | Attribute           | Type       | Description                                                 |
 |---------------------|------------|-------------------------------------------------------------|
@@ -253,7 +253,7 @@ A new FIDO2 authenticator registration.
 }
 ```
 
-##### Response Params
+##### Description of Response Params
 
 | Attribute           | Type       | Description                                                 |
 |---------------------|------------|-------------------------------------------------------------|
@@ -344,7 +344,7 @@ If the challenge is successfully created, API returns the following response:
 }
 ```
 
-##### Response Params
+##### Description of Response Params
 
 | Attribute                                                        | Type                 | Description                                                                     |
 |------------------------------------------------------------------|----------------------|---------------------------------------------------------------------------------|
@@ -433,7 +433,7 @@ If the challenge is successfully verified, API returns the following response:
 }
 ```
 
-##### Response Params
+##### Description of Response Params
 
 | Attribute                                                        | Type       | Description                                                                         |
 |------------------------------------------------------------------|------------|-------------------------------------------------------------------------------------|

diff --git a/docs/Migration-Instructions.md b/docs/Migration-Instructions.md
@@ -6,6 +6,7 @@ This page contains PowerAuth Server migration instructions.
 When updating across multiple versions, you need to perform all migration steps additively.
 <!-- end -->
 
+- [PowerAuth Server 1.8.0](./PowerAuth-Server-1.8.0.md)
 - [PowerAuth Server 1.7.0](./PowerAuth-Server-1.7.0.md)
 - [PowerAuth Server 1.6.0](./PowerAuth-Server-1.6.0.md)
 - [PowerAuth Server 1.5.0](./PowerAuth-Server-1.5.0.md)

diff --git a/docs/PowerAuth-Server-1.7.0.md b/docs/PowerAuth-Server-1.7.0.md
@@ -2,6 +2,21 @@
 
 This guide contains instructions for migration from PowerAuth Server version `1.6.x` to version `1.7.0`.
 
+## API
+
+### Attribute `additionalData` modification
+
+In version 1.7.x, the structure of the attribute `additionalData` has changed across numerous objects:
+
+Previous versions used `Map<String, String>` to store `additionalData`, which restricted values to
+string types.
+Version 1.7.x changes `additionalData` to `Map<String, Object>`. This update allows for a more versatile data structure,
+accommodating complex objects in addition to simple string values.
+
+If your application interacts with objects containing the `additionalData` attribute and expects only string values, this
+type change may lead to runtime errors or data parsing exceptions. It is crucial to update your data handling code to
+accommodate potentially complex object structures within `additionalData`.
+
 ## Database Changes
 
 For convenience you can use liquibase for your database migration.