# Onboarding-service

## Architecture

### Prerequisites

- JDK 17
- Groovy
- Git
- Gradle
- Lombok
- IntelliJ
- AWS Toolkit for IntelliJ
- Docker

## Tech stack

### Database

PostgreSQL. Running locally with Docker:

```shell
docker compose up database -d
```

### Spring Profile

IMPORTANT: Set your Spring active profile to `dev`. This also runs the DB schema and dev data migrations.

### Backend

Java 17, Spring Boot, Gradle, Spock for testing. Running locally:

```shell
./gradlew bootRun
```

### Frontend

React, TypeScript, scss, custom bootstrap, react-testing-library

### Exception Monitoring

Sentry

### Analytics

Google Analytics / Mixpanel

### Hosting

AWS Elastic Beanstalk: EC2 and ELB

### Continuous Integration

CircleCI

### Production Logs

Papertrail

## API

- Authentication: OAuth2 with Mobile-ID, ID-card and Smart-ID
- Swagger UI
- Postman API collection (outdated)

## Build pipeline

Production: merge GitHub pull request to `master` -> build in CircleCI -> auto-redeploy (if the build is green)

## How to add new pension funds?

Add the new fund to the `funds` database table.

## Development notes

Code style: Java, Kotlin

If you don't want to run epis-service, use the `mock` Spring profile to mock `EpisService`, and adjust `MockEpisService` to your needs.

### Common Issues

`error="unsupported_grant_type", error_description="Unsupported grant type: mobile_id"`

Make sure you are running against the right backend environment (dev or prod):

- If you run `npm run develop`, your `package.json` must proxy to `http://localhost:9000`.
- If you run `npm run develop-production`, your `package.json` must proxy to `https://onboarding-service.tuleva.ee`.

### Known Issues

Digital signing does not work in the dev environment. Use the production configuration to test it locally: see `DigiDocConfiguration.digiDocConfigDev()` and the `smartid.hostUrl`, `smartid.relyingPartyUUID` and `smartid.relyingPartyName` config values in `application.yml`, and change them to the production values. Use the VPN for testing. This points your local build at the production Smart-ID relying party, so revert the values when you are done and do not commit them.

### Caveats

When updating Spring Boot, you sometimes need to remove all of the existing access tokens from the `oauth_access_token` database table.
However, one special token is granted to `tuleva.ee`, which allows it to fetch fund NAV values and register new users. To generate a new one, request a token with:

```shell
curl --location --request POST 'https://pension.tuleva.ee/api/oauth/token' \
  --header 'Authorization: Basic <base64 of client_id:client_secret>' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=tuleva.ee'
```

and then update the token values in the WordPress Tuleva template.

## Testing ID-card Locally

To test ID-card locally, you need to run nginx locally with the right certificates and the right domain names.

1. Add the Tuleva certs to `./nginx` (4 files).
2. Update the `$frontend` and `$backend` URLs in `etc/eb/.ebextensions/nginx/conf.d/01_ssl_proxy.conf`.
3. Add to your hosts file:

   ```
   127.0.0.1 id.tuleva.ee
   127.0.0.1 pension.tuleva.ee
   127.0.0.1 onboarding-service.tuleva.ee
   ```

4. Run nginx with Docker: `docker compose up nginx`
5. Add `DANGEROUSLY_DISABLE_HOST_CHECK=true` to `.env` in onboarding-client. This turns off the dev server's Host header check (its DNS-rebinding safeguard), so enable it only for this test.
6. Add `server.servlet.session.cookie.domain: tuleva.ee` to `application.yml`.
7. Test through https://pension.tuleva.ee

Afterwards, don't forget to clean up your hosts file and revert the `.env` and `application.yml` changes.

## AWS Profile

We use AWS SSO. To get it working properly, configure the profile first, either by running `aws configure sso` or by pasting the following into `~/.aws/config`:

```ini
[profile tuleva]
region = eu-central-1
output = json
sso_start_url = https://tuleva.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 641866833894
sso_role_name = AdministratorAccess
```

## VPN

We use AWS Client VPN. To get started, log into the AWS SSO Portal and follow the VPN Client Self Service instructions.

## Connecting to the database

1. Establish a VPN connection.
2. Configure the AWS profile and log in: `aws sso login --profile tuleva`
3. Connect to the DB using AWS IAM authentication, where the user is `iamuser` and the profile is `tuleva`.

## References

- hwcrypto.js
- hwcrypto Sequence Diagram
- Test Authentication Methods
- Test Mobile ID
- Test ID Card
- Test Smart ID
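The token-rotation step described under Caveats, as an added shell example that is not part of this repository: it derives the HTTP Basic credential from `client_id:client_secret`, sends the `client_credentials` request, and pulls `access_token` out of the response. The secret is read from a `TULEVA_CLIENT_SECRET` environment variable (a name assumed here) instead of being typed on the command line, so it does not land in shell history or `ps` output; `TOKEN_URL` defaults to the endpoint given above.

```shell
#!/bin/sh
# Added example (not the project's own tooling): rotate the tuleva.ee
# client_credentials token described under "Caveats".
# Assumption: the client secret is supplied via TULEVA_CLIENT_SECRET
# (hypothetical variable name), never as a command-line argument.

TOKEN_URL="${TOKEN_URL:-https://pension.tuleva.ee/api/oauth/token}"

# Build the HTTP Basic credential the token endpoint expects:
# "Basic " + base64("client_id:client_secret"), with no trailing newline.
build_basic_auth() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Pull access_token out of the JSON token response without needing jq.
# Prints nothing if the field is absent (e.g. an error response).
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Request a new client_credentials token for the given client id.
# Fails (non-zero) on HTTP errors thanks to --fail.
fetch_token() {
  client_id="$1"
  secret="${TULEVA_CLIENT_SECRET:?set TULEVA_CLIENT_SECRET first}"
  auth="$(build_basic_auth "$client_id" "$secret")"
  resp="$(curl --fail --silent --show-error --location --request POST "$TOKEN_URL" \
    --header "Authorization: $auth" \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_id=$client_id")" || return 1
  token="$(extract_access_token "$resp")"
  [ -n "$token" ] || { echo "no access_token in response" >&2; return 1; }
  printf '%s\n' "$token"
}

# Usage (performs a live request, so only runs when asked):
#   TULEVA_CLIENT_SECRET='...' sh rotate-token.sh --run
if [ "${1:-}" = "--run" ]; then
  fetch_token tuleva.ee
fi
```

Paste the printed token into the WordPress Tuleva template as before; the old token stays valid until it is removed from `oauth_access_token`, so rotate the template first and then clear the table.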