castle-java's People

Contributors

alany9552, antoniomaciej, bartes, brissmyr, brycematheson1234, dawlib, dependabot[bot], frockert, joladev, josephw, lluft, morenobryan, pgilmore, sebastiansimson, tkrajcar, walkowl, wallin

castle-java's Issues

Add additional timestamps to Verdict

Sending "include": "timestamps" in authenticate request bodies results in additional info in the response, for example:

{
  "action": "deny",
  "user_id": "1234",
  "device_token": "5678",
  "created_at": "2019-02-14T02:43:53.405Z",
  "last_seen_at": "2019-03-06T01:55:51.839Z",
  "approved_at": null,
  "escalated_at": "2019-02-26T10:12:43.836Z",
  "mitigated_at": null
}

I understand these were introduced experimentally, however they are quite useful for measuring timing, and aid in tracking things on the client side.

Allow a way to programmatically instantiate the client

We use Spring and it would be good to have a way to programmatically create the client instance.

We don't want for example to use the CASTLE_SDK_API_SECRET env to configure the sdk, we have our own configuration provider for that.

It could be something like this:

CastleSdk.builder()
    .withApiSecret("XXX")
    .withAppId("YYY")
    .build();

Add support for Boolean value on User Agent and Client Id

When manually setting the value for User Agent and Client Id, our SDK only supports String types. However, our docs recommend setting the values to Boolean False if those values are not available.

We need to add support for manually setting both String and Boolean values for User Agent and Client ID.

Support for custom authenticate and track payloads

Add support for custom authenticate and track payloads. Add methods buildTrackRequest(CastleMessage request), sendTrackRequest(JsonElement request), buildAuthenticateRequest(CastleMessage request), sendAuthenticateRequest(JsonElement request).

Build methods are used to get the standard payload json object, which can be expanded with custom fields. The JsonElement is then sent using the send methods.

If doNotTrack is set, asyncCallbackHandler doesn't get called

Reported by Anders:

If an async callback is sent to "track" but "doNotTrack" is set to "true", then the async callback will never be called and thus never complete. This is because of the "return" that probably should be an "asyncCallbackHandler.onResponse(true)". But I guess it has to do with how you interpret "doNotTrack": is it a no-operation call that should not trigger callbacks, or is it a mocked "all is good" call?

public void track(String event, @Nullable String userId, @Nullable String reviewId, @Nullable Object properties, @Nullable Object trait, AsyncCallbackHandler<Boolean> asyncCallbackHandler) {
    Preconditions.checkNotNull(event);
    if (doNotTrack) {
        return;
    }
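Added example, not part of the issue or of castle-java: the two readings of doNotTrack from the report, run against a caller that waits on a future completed by the callback. The interface, class and method names are local stand-ins, and the event string is a constructed sample.

```java
import java.util.concurrent.*;
import java.util.function.BiConsumer;

// Added illustration: these types are local stand-ins, not the castle-java classes.
public class DoNotTrackCallbackDemo {
    interface AsyncCallbackHandler<T> {
        void onResponse(T response);
        void onException(Exception exception);
    }

    static final boolean doNotTrack = true;

    // Behaviour described in the report: early return, handler never invoked.
    static void trackSilent(String event, AsyncCallbackHandler<Boolean> handler) {
        if (doNotTrack) {
            return;
        }
        handler.onResponse(true); // stand-in for the real asynchronous send
    }

    // Alternative raised in the report: treat doNotTrack as a mocked success.
    static void trackMocked(String event, AsyncCallbackHandler<Boolean> handler) {
        if (doNotTrack) {
            handler.onResponse(true);
            return;
        }
        handler.onResponse(true); // stand-in for the real asynchronous send
    }

    // Caller pattern that exposes the difference: a future completed only by the callback.
    static String await(BiConsumer<String, AsyncCallbackHandler<Boolean>> track) {
        CompletableFuture<Boolean> done = new CompletableFuture<>();
        track.accept("login", new AsyncCallbackHandler<Boolean>() { // constructed event name
            public void onResponse(Boolean response) { done.complete(response); }
            public void onException(Exception e) { done.completeExceptionally(e); }
        });
        try {
            return "completed: " + done.get(200, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            return "never completed (timed out)";
        } catch (InterruptedException | ExecutionException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("early return -> " + await(DoNotTrackCallbackDemo::trackSilent));
        System.out.println("mocked ok    -> " + await(DoNotTrackCallbackDemo::trackMocked));
    }
}
```

A caller that blocks without a timeout on the early-return variant would wait indefinitely, which is the hang the report describes.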

Flaky tests found in test files

These tests are found flaky:

io.castle.client.model.CastleContextTest.minimalContextAsJson
io.castle.client.model.CastleDeviceTest.fullBuilderJson
io.castle.client.model.CastleDeviceTest.jsonSerialized
io.castle.client.model.CastleMessageTest.fullBuilderJson
io.castle.client.model.CastleMessageTest.jsonSerialized
io.castle.client.model.CastleMessageTest.properties
io.castle.client.model.CastleUserAddressTest.jsonSerialized
io.castle.client.model.CastleUserDeviceContextTest.fullBuilderJson
io.castle.client.model.CastleUserDevicesTest.fullBuilderJson
io.castle.client.model.CastleUserDeviceTest.fullBuilderJson
io.castle.client.model.CastleUserDeviceTest.jsonSerialized
io.castle.client.model.CastleUserTest.jsonSerialized
io.castle.client.model.DeviceUserAgentTest.fullBuilderJson

when running mvn -pl ./ edu.illinois:nondex-maven-plugin:1.1.2:nondex -Dtest=TESTNAME .

Here is an example of the error log:

[ERROR] Failures:

[ERROR]   CastleMessageTest.fullBuilderJson:72 expected:<"{"[created_at":"2018-01-01","timestamp":"2018-01-01","device_token":"1234","event":"event","properties":{"key":"val"},"review_id":"2345","user_id":"3456","user_traits":{"key":"val"}]}"> but was:<"{"[user_id":"3456","user_traits":{"key":"val"},"timestamp":"2018-01-01","review_id":"2345","properties":{"key":"val"},"event":"event","device_token":"1234","created_at":"2018-01-01"]}">

After taking a closer look, I found the problem could be the use of gson.toJsonTree(), which produces non-deterministic output like the above for each NonDex run. I would recommend sorting or using other serialization strategies, or changing the test method instead of simply using equals(), to avoid flaky tests.

Add support for /approve and /report APIs

Our new APIs allow Admins to directly approve and report a device with a device token, with no need to collect the request context. However, these APIs, including the Device fetching API, are not available via our SDK.

Can we add methods to the SDK that can handle these three APIs:
GET https://api.castle.io/v1/users/{user-id}/devices
PUT https://api.castle.io/v1/devices/{device_token}/approve
PUT https://api.castle.io/v1/devices/{device_token}/report
PUT https://api.castle.io/v1/users/{user_id}/archive_devices

See more on each API here: https://castle.io/docs/device_management_tool

Log & Filter Request StatusEnum Does not contain all valid status values

Was looking to replace the generic CastleMessage and CastleResponse with the Log/Filter/Risk FilterResponse/RiskResponse models. Risk seems ok but Log and Filter are missing required status values that we use.

According to Castle api docs.
Log.StatusEnum should have "$requested" as an option (for challenge)
Filter.StatusEnum should have "$attempted" as an option

See

@JsonAdapter(StatusEnum.Adapter.class)

@JsonAdapter(StatusEnum.Adapter.class)

Castle Api docs
https://reference.castle.io/#operation/log
https://reference.castle.io/#operation/filter

Compilation error with okhttp 3.4.1

My hypothesis is when the Castle jdk is added to a repo using okhttp 3.4.1, since the pom.xml defines the minimum version as 3.13.1 it does not update okhttp.

However, 3.4.1 is actually an older version than 3.13.1 as illustrated here.

This causes a compilation error as this jdk references TLSv1.3 here, which exists in 3.13.1 as we can see here, but not in 3.4.1 as we can see here.

Null pointer exceptions (copy)

Team noticed several Null pointer exceptions being thrown by the Castle SDK.

java.lang.NullPointerException: null
	at io.castle.client.internal.backend.OkRestApiBackend.sendAuthenticateSync(OkRestApiBackend.java:67)
	at io.castle.client.internal.CastleApiImpl.authenticate(CastleApiImpl.java:82)

May be caused when user_id is not available in the following call:
final String userId = ((JsonObject) payloadJson).get("user_id").getAsString();

Add internal field to Verdict

Add internal field to Verdict class which contains the raw server response as a JsonElement. This can be used to access all fields in the response.

Add a way to configure Client IP value

We should offer a simple way to configure the header that should be checked for the true client ip via our SDKs.

For example, in our Java SDK, we automatically set the client ip to the value of REMOTE_ADDRESS. This is done here:

However, many customers need to change this to X-Forwarded-For or true-client-ip, for example. It would be great if they could easily change that in a config file.
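Added example, not part of the issue or of castle-java: one way a configurable client-IP header could be resolved so that the header is honoured only when the request arrives from a known proxy. ClientIpResolver, its constructor parameters and the sample addresses are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: ClientIpResolver and its parameters are hypothetical, not castle-java API.
public class ClientIpResolver {
    private final List<String> ipHeaders;     // configured header names, in priority order
    private final Set<String> trustedProxies; // peers allowed to supply those headers

    public ClientIpResolver(List<String> ipHeaders, Set<String> trustedProxies) {
        this.ipHeaders = ipHeaders;
        this.trustedProxies = trustedProxies;
    }

    /** headers: lower-cased header name to raw value; remoteAddr: the socket peer address. */
    public String resolve(Map<String, String> headers, String remoteAddr) {
        // A forwarding header only means something when the direct peer is a proxy we run;
        // from any other peer it is client-controlled input, so it is ignored.
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        for (String name : ipHeaders) {
            String value = headers.get(name.toLowerCase(Locale.ROOT));
            if (value == null || value.trim().isEmpty()) {
                continue;
            }
            // X-Forwarded-For lists grow left to right as proxies append; walk from the
            // right and return the first hop that is not one of our own proxies.
            String[] hops = value.split(",");
            for (int i = hops.length - 1; i >= 0; i--) {
                String hop = hops[i].trim();
                if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                    return hop;
                }
            }
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        ClientIpResolver resolver = new ClientIpResolver(
                Arrays.asList("True-Client-IP", "X-Forwarded-For"),
                new HashSet<>(Collections.singletonList("10.0.0.5")));
        // Constructed sample: the left entry arrived from the client, the proxy appended the right one.
        Map<String, String> headers = new HashMap<>();
        headers.put("x-forwarded-for", "198.51.100.9, 203.0.113.7");
        System.out.println(resolver.resolve(headers, "10.0.0.5"));   // peer is the trusted proxy
        System.out.println(resolver.resolve(headers, "192.0.2.44")); // direct peer, header ignored
    }
}
```

The resolver does not validate that the selected value is a well-formed IP literal; a caller feeding it into risk scoring would parse it before use.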

Connections for archiveUserDevices are leaked

I am getting the following log message for every call to archive a user device.

A connection to https://api.castle.io/ was leaked. Did you forget to close a response body?

The stack trace is:

java.lang.Throwable: response.body().close()
	at okhttp3.internal.platform.Platform.getStackTraceForCloseable(Platform.java:143)
	at okhttp3.RealCall.captureCallStackTrace(RealCall.java:78)
	at okhttp3.RealCall.execute(RealCall.java:66)
	at io.castle.client.internal.backend.OkRestApiBackend.sendArchiveUserDevicesRequestSync(OkRestApiBackend.java:274)
	at io.castle.client.internal.CastleApiImpl.archiveUserDevices(CastleApiImpl.java:289)

We are using castle-java 1.5.1

Castle Java SDK not Compatible with Spring Boot 3/Spring 6

Any plans to migrate from javax (Java EE 8) to the Jakarta namespace (Java EE 9+)? The javax packages are now renamed to Jakarta.

We are upgrading our java services to Spring Boot 3 and this is not fully compatible anymore.

To get around it I have had to use custom versions of io.castle.client.Castle and io.castle.client.internal.utils.CastleContextBuilder and either replace imports of javax.servlet.http.* with jakarta.servlet.http.* or remove references to the javax namespace.

See
https://spring.io/blog/2022/05/24/preparing-for-spring-boot-3-0

Also see that you have an open PR to upgrade to Spring 6.
#122
