BE Study 13th

Receiving JSON body of the HTTP request


1. @RequestBody

Using RequestBody, you can receive the body of the request as a JSON: Content-Type: application/json

Without RequestBody, the parameter will be mapped via @RequestParam(@RequestParam is omitted).



@PrePersist Problem

Two ways of initializing the field of the entity.

1.
public Comment(
@NonNull String postId,
@NonNull String authorId,
String content
) {
this.postId = postId;
this.authorId = authorId;
this.content = content;
this.createdDate = LocalDate.now();
}


2.
public Comment(
@NonNull String postId,
@NonNull String authorId,
String content
) {
this.postId = postId;
this.authorId = authorId;
this.content = content;
}

@PrePersist
public void prePersist() {
createdDate = LocalDate.now();
}


The latter(2) is recommended, in terms of entity lifecycle and persistence context and DB's consistence.

3. Bi-Directional VS Uni-Directional


4.
@Column(name = "POST_ID")

The above means that you will set the name of the column as "post_id".

@JoinColumn(name = "BOARD_ID")

The above means that you will set the field of the given attribute's primary key as a foreign key, and set the name of the column as "Board_id".


    @OneToMany(mappedBy = "board")

The above means that the opponent(which has @ManyToOne)'s attribute name is "board".


5. Use of DTO
When we should use DTO? view-controller? controller-service? both? 
There's no magic-answer. But there's one good practice.
1. calling an entity from field is preferred to be held in service layer.
2. you can use many DTOs for dependency elimination between layers.

6. JWT

JWT is a most used token-based sign-in method. It's process is simple
1. When the sign-in is successful, the server grants the client the 'access token'
    Access token has data like expiration date, issued date, etc.
2. Client holds the access token, and every time when it sends API Request, it sends the token attached to the request's header.
3. If the access token is valid(not expired, and carries the right key), sends the response

However, you might see the problem. You don't have any solution if the token is stolen. You can set the lifetime of the access token very short, but it'll be very interrupting because it requires frequent sign-in.

So, there's a solution called 'Refresh Token'. The access token expires in very short time, while the lifetime of refresh token is much longer.
1. When the sign-in is successful, the server grants the client two different tokens, 'access token' and 'refresh token'.
2. Client holds two tokens, but every time when it sends API Request, it sends only the access token attached to the request's header.
3. If the access token is valid(not expired, and carries the right key), the server sends the response
4. If the client didn't get the fair response(if got 401 unauthorized response), the client sends the same request again, but this time with the refresh token attached.
5. If the refresh token is valid, the server sends the response and the new access token.

As you can see, the access token which is frequently transmitted expires in very short time, while the lifetime of refresh token is much longer; amazon's access token only lasts for an hour. You should also keep in mind that the server that gets API Request(resource server) and the server that issues the refresh token(authorization server) can be different.

This helped preventing access token stolen during transmission. However, as you can see, still the problem exists: what if the refresh token is stolen?

To solve such problem, there's an algorithm called 'refresh token rotation'. With RTR, refresh token is disposable: when the new access token is issued with refresh token, the refresh token is expired immediately and issues new refresh token for the client. So, you can know that the refresh token might be stolen if someone uses expired refresh token; either the client or the thief would use the expired refresh token. However, what would you do if you know the refresh token is stolen? There's several solutions.

1. You can expire all of the tokens issued for the client. For such expiration process, the server should make and hold a 'token chain'.
2. You can expire the token so that it cannot be used next time. For such, you should use db or storage that holds the valid refresh token mapped with each client. 

 However, the hacker can still steel the unexpired refresh token and use it and both the solutions have to give up the advantages of statelessness.

댓글

댓글 쓰기

이 블로그의 인기 게시물

Interface of Java

 You can define(declare + initialize) variable like interface_name variable_name = new class_name() In such cases, the variable can only use method overriding the interfaces methods. Also, the language does not recognized it as the class; the language recognizes it as interface. Still, it does have member variables of the class and there are some libraries that enables the programmer to tell what class it is constructed(i.e. Reflection) Interface can be used as parameter of functions or return types of functions. When interface is a parameter, the class that implements the interface should be given to the function. When interface is a return type, it can be used for polymorphism. Also, variable of java(in case its not primitive type like int, float), it is rather closer to pointer of C++; it refers to the value, not contains value itself. The important point is that, when the class implements the interface, all of its public methods should be the interface's methods. If not, client...
자세한 내용 보기

Data Analytics Overview(OLTP vs OLAP)

You’ve likely heard about the lucrative careers of high-level Data Analysts, but have you ever wondered how they actually handle "Big Data"? Of course, they aren’t just using Microsoft Excel. To understand the technology behind it, we must first distinguish between the two primary ways we process information:  OLTP  and  OLAP . 1. OLTP OLTP (Online Transactional Processing)  is the DB used for company’s daily operations. Whenever you post on Reddit or place an order on Amazon, you are interacting with an OLTP database. It is triggered by the business's customer and handled by the backend server so that it can provide the business. Fast:  It handles millions of requests with millisecond response times. Small&Frequent:  It focuses on small, frequent transactions—usually just a few rows at a time. Write-intensive:  Its primary job is to record or update new data as it happens. 2. OLAP OLAP (Online Analytical Processing)  is the very technology we...
자세한 내용 보기

Leetcode

이미지
1. Two Sum: find a pair with specific sum   class Solution : def twoSum ( self , nums : List [ int ] , target : int ) - > List [ int ] : numMap = { } n = len ( nums ) # Build the hash table for i in range ( n ) : numMap [ nums [ i ] ] = i # Find the complement for i in range ( n ) : complement = target - nums [ i ] if complement in numMap and numMap [ complement ] != i : return [ i , numMap [ complement ] ] return [ ] # No solution found You might wonder how does the code deals with duplicates. As you can see, in the iteration of building the hash table, always the latter(with bigger index) will be saved in the hash table. In the latter iteration finding the complement, the former one(with smaller index) always goes through the iteration earlier, so the [i, numMap[complement]] can return two different indexes, carrying duplicate...
자세한 내용 보기