<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.expertiza.ncsu.edu/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Agupta85</id>
	<title>Expertiza_Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.expertiza.ncsu.edu/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Agupta85"/>
	<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=Special:Contributions/Agupta85"/>
	<updated>2026-07-01T22:51:37Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.41.0</generator>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160235</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160235"/>
		<updated>2024-12-03T22:25:49Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Outcomes */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Overall Flow==&lt;br /&gt;
&lt;br /&gt;
[[File:Authorization_flow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/api/v1/courses_controller.rb courses_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To test the functionality, based on the old Expertiza, the method was also overridden in the courses_controller.rb file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class Api::V1::CoursesController &amp;lt; ApplicationController&lt;br /&gt;
   before_action :set_course, only: %i[ show update destroy add_ta view_tas remove_ta copy ]&lt;br /&gt;
   rescue_from ActiveRecord::RecordNotFound, with: :course_not_found&lt;br /&gt;
   rescue_from ActionController::ParameterMissing, with: :parameter_missing&lt;br /&gt;
&lt;br /&gt;
   def action_allowed?&lt;br /&gt;
     has_required_role?('Instructor')&lt;br /&gt;
   end&lt;br /&gt;
&lt;br /&gt;
   ...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Outcomes==&lt;br /&gt;
1. '''Modular Authentication and Authorization System'''&lt;br /&gt;
* Separate JwtToken and Authorization concerns with distinct responsibilities&lt;br /&gt;
* Integration through ApplicationController middleware&lt;br /&gt;
* Flexible role-based access control per controller&lt;br /&gt;
* Clean separation between authentication and authorization components&lt;br /&gt;
* Independent scaling and maintenance capability&lt;br /&gt;
2. '''Role-Based Access Control (RBAC)'''&lt;br /&gt;
* Hierarchical role system with administrator override&lt;br /&gt;
* Controller-specific role requirements through action-specific checks&lt;br /&gt;
* Granular permission control at the action level&lt;br /&gt;
* Fine-grained access control while maintaining system flexibility&lt;br /&gt;
* Custom role requirements for different resources&lt;br /&gt;
3. '''Secure Authentication Flow'''&lt;br /&gt;
* JWT-based stateless authentication&lt;br /&gt;
* Token verification precedes protected actions&lt;br /&gt;
* Automatic current user loading from verified tokens&lt;br /&gt;
* Protection against unauthorized access and token tampering&lt;br /&gt;
* Maintains stateless architecture for scalability&lt;br /&gt;
4. '''Standardized Error Handling'''&lt;br /&gt;
* Consistent HTTP status codes (401 for authentication, 403 for authorization)&lt;br /&gt;
* Clear error messages for debugging&lt;br /&gt;
* Uniform error response format across the application&lt;br /&gt;
* Improved debugging experience&lt;br /&gt;
* Standardized client-side error handling&lt;br /&gt;
4. '''Developer-Friendly Design'''&lt;br /&gt;
* Rails conventions and idioms throughout&lt;br /&gt;
* Clear, purpose-indicating method names&lt;br /&gt;
* Modular design with extension points&lt;br /&gt;
* Reduced learning curve for new developers&lt;br /&gt;
* Minimal configuration required for new controllers&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** JwtToken concern handles only authentication&lt;br /&gt;
** Authorization concern manages only authorization rules&lt;br /&gt;
* '''Benefit''': Changes to authentication logic don't affect authorization rules and vice versa&lt;br /&gt;
&lt;br /&gt;
2. '''Open / Closed Principle'''&lt;br /&gt;
* '''Definition''': Software entities should be open for extension but closed for modification&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 # Base authorization in Authorization concern&lt;br /&gt;
 def action_allowed?&lt;br /&gt;
   true  # Base implementation&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
 # Extended in CoursesController without modifying base&lt;br /&gt;
 def action_allowed?&lt;br /&gt;
   has_required_role?('Instructor')&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': New controllers can implement their own authorization rules without changing existing code&lt;br /&gt;
&lt;br /&gt;
3. '''Inheritance and Polymorphism'''&lt;br /&gt;
* '''Definition''': Ability to present the same interface for different underlying forms (implementations)&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** All controllers inherit from ApplicationController&lt;br /&gt;
** Each can override action_allowed? with its implementation&lt;br /&gt;
** System treats all action_allowed? calls polymorphically&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': Consistent interface while allowing specialized behavior&lt;br /&gt;
&lt;br /&gt;
4. '''Composition'''&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization  # Composition through modules&lt;br /&gt;
   include JwtToken&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': More flexible than deep inheritance hierarchies, allows mixing in different behaviors&lt;br /&gt;
&lt;br /&gt;
5. '''Don't Repeat Yourself (DRY)'''&lt;br /&gt;
* '''Definition''': Every piece of knowledge should have a single, unambiguous representation&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** Common authentication logic in JwtToken&lt;br /&gt;
** Shared authorization behavior in Authorization&lt;br /&gt;
** Base controller provides default implementations&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': Reduces code duplication and maintenance overhead&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160234</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160234"/>
		<updated>2024-12-03T22:25:38Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Anticipated Outcomes */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Overall Flow==&lt;br /&gt;
&lt;br /&gt;
[[File:Authorization_flow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/api/v1/courses_controller.rb courses_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To test the functionality, based on the old Expertiza, the method was also overridden in the courses_controller.rb file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class Api::V1::CoursesController &amp;lt; ApplicationController&lt;br /&gt;
   before_action :set_course, only: %i[ show update destroy add_ta view_tas remove_ta copy ]&lt;br /&gt;
   rescue_from ActiveRecord::RecordNotFound, with: :course_not_found&lt;br /&gt;
   rescue_from ActionController::ParameterMissing, with: :parameter_missing&lt;br /&gt;
&lt;br /&gt;
   def action_allowed?&lt;br /&gt;
     has_required_role?('Instructor')&lt;br /&gt;
   end&lt;br /&gt;
&lt;br /&gt;
   ...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. '''Modular Authentication and Authorization System'''&lt;br /&gt;
* Separate JwtToken and Authorization concerns with distinct responsibilities&lt;br /&gt;
* Integration through ApplicationController middleware&lt;br /&gt;
* Flexible role-based access control per controller&lt;br /&gt;
* Clean separation between authentication and authorization components&lt;br /&gt;
* Independent scaling and maintenance capability&lt;br /&gt;
2. '''Role-Based Access Control (RBAC)'''&lt;br /&gt;
* Hierarchical role system with administrator override&lt;br /&gt;
* Controller-specific role requirements through action-specific checks&lt;br /&gt;
* Granular permission control at the action level&lt;br /&gt;
* Fine-grained access control while maintaining system flexibility&lt;br /&gt;
* Custom role requirements for different resources&lt;br /&gt;
3. '''Secure Authentication Flow'''&lt;br /&gt;
* JWT-based stateless authentication&lt;br /&gt;
* Token verification precedes protected actions&lt;br /&gt;
* Automatic current user loading from verified tokens&lt;br /&gt;
* Protection against unauthorized access and token tampering&lt;br /&gt;
* Maintains stateless architecture for scalability&lt;br /&gt;
4. '''Standardized Error Handling'''&lt;br /&gt;
* Consistent HTTP status codes (401 for authentication, 403 for authorization)&lt;br /&gt;
* Clear error messages for debugging&lt;br /&gt;
* Uniform error response format across the application&lt;br /&gt;
* Improved debugging experience&lt;br /&gt;
* Standardized client-side error handling&lt;br /&gt;
4. '''Developer-Friendly Design'''&lt;br /&gt;
* Rails conventions and idioms throughout&lt;br /&gt;
* Clear, purpose-indicating method names&lt;br /&gt;
* Modular design with extension points&lt;br /&gt;
* Reduced learning curve for new developers&lt;br /&gt;
* Minimal configuration required for new controllers&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** JwtToken concern handles only authentication&lt;br /&gt;
** Authorization concern manages only authorization rules&lt;br /&gt;
* '''Benefit''': Changes to authentication logic don't affect authorization rules and vice versa&lt;br /&gt;
&lt;br /&gt;
2. '''Open / Closed Principle'''&lt;br /&gt;
* '''Definition''': Software entities should be open for extension but closed for modification&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 # Base authorization in Authorization concern&lt;br /&gt;
 def action_allowed?&lt;br /&gt;
   true  # Base implementation&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
 # Extended in CoursesController without modifying base&lt;br /&gt;
 def action_allowed?&lt;br /&gt;
   has_required_role?('Instructor')&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': New controllers can implement their own authorization rules without changing existing code&lt;br /&gt;
&lt;br /&gt;
3. '''Inheritance and Polymorphism'''&lt;br /&gt;
* '''Definition''': Ability to present the same interface for different underlying forms (implementations)&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** All controllers inherit from ApplicationController&lt;br /&gt;
** Each can override action_allowed? with its implementation&lt;br /&gt;
** System treats all action_allowed? calls polymorphically&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': Consistent interface while allowing specialized behavior&lt;br /&gt;
&lt;br /&gt;
4. '''Composition'''&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization  # Composition through modules&lt;br /&gt;
   include JwtToken&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': More flexible than deep inheritance hierarchies, allows mixing in different behaviors&lt;br /&gt;
&lt;br /&gt;
5. '''Don't Repeat Yourself (DRY)'''&lt;br /&gt;
* '''Definition''': Every piece of knowledge should have a single, unambiguous representation&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** Common authentication logic in JwtToken&lt;br /&gt;
** Shared authorization behavior in Authorization&lt;br /&gt;
** Base controller provides default implementations&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': Reduces code duplication and maintenance overhead&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160232</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160232"/>
		<updated>2024-12-03T22:17:38Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Design Principles */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Overall Flow==&lt;br /&gt;
&lt;br /&gt;
[[File:Authorization_flow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/api/v1/courses_controller.rb courses_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To test the functionality, based on the old Expertiza, the method was also overridden in the courses_controller.rb file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class Api::V1::CoursesController &amp;lt; ApplicationController&lt;br /&gt;
   before_action :set_course, only: %i[ show update destroy add_ta view_tas remove_ta copy ]&lt;br /&gt;
   rescue_from ActiveRecord::RecordNotFound, with: :course_not_found&lt;br /&gt;
   rescue_from ActionController::ParameterMissing, with: :parameter_missing&lt;br /&gt;
&lt;br /&gt;
   def action_allowed?&lt;br /&gt;
     has_required_role?('Instructor')&lt;br /&gt;
   end&lt;br /&gt;
&lt;br /&gt;
   ...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** JwtToken concern handles only authentication&lt;br /&gt;
** Authorization concern manages only authorization rules&lt;br /&gt;
* '''Benefit''': Changes to authentication logic don't affect authorization rules and vice versa&lt;br /&gt;
&lt;br /&gt;
2. '''Open / Closed Principle'''&lt;br /&gt;
* '''Definition''': Software entities should be open for extension but closed for modification&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 # Base authorization in Authorization concern&lt;br /&gt;
 def action_allowed?&lt;br /&gt;
   true  # Base implementation&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
 # Extended in CoursesController without modifying base&lt;br /&gt;
 def action_allowed?&lt;br /&gt;
   has_required_role?('Instructor')&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': New controllers can implement their own authorization rules without changing existing code&lt;br /&gt;
&lt;br /&gt;
3. '''Inheritance and Polymorphism'''&lt;br /&gt;
* '''Definition''': Ability to present the same interface for different underlying forms (implementations)&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** All controllers inherit from ApplicationController&lt;br /&gt;
** Each can override action_allowed? with its implementation&lt;br /&gt;
** System treats all action_allowed? calls polymorphically&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': Consistent interface while allowing specialized behavior&lt;br /&gt;
&lt;br /&gt;
4. '''Composition'''&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization  # Composition through modules&lt;br /&gt;
   include JwtToken&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': More flexible than deep inheritance hierarchies, allows mixing in different behaviors&lt;br /&gt;
&lt;br /&gt;
5. '''Don't Repeat Yourself (DRY)'''&lt;br /&gt;
* '''Definition''': Every piece of knowledge should have a single, unambiguous representation&lt;br /&gt;
* '''Implementation''': &lt;br /&gt;
** Common authentication logic in JwtToken&lt;br /&gt;
** Shared authorization behavior in Authorization&lt;br /&gt;
** Base controller provides default implementations&lt;br /&gt;
&lt;br /&gt;
* '''Benefit''': Reduces code duplication and maintenance overhead&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160225</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160225"/>
		<updated>2024-12-03T22:00:43Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Overall Flow */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Overall Flow==&lt;br /&gt;
&lt;br /&gt;
[[File:Authorization_flow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/api/v1/courses_controller.rb courses_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To test the functionality, based on the old Expertiza, the method was also overridden in the courses_controller.rb file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class Api::V1::CoursesController &amp;lt; ApplicationController&lt;br /&gt;
   before_action :set_course, only: %i[ show update destroy add_ta view_tas remove_ta copy ]&lt;br /&gt;
   rescue_from ActiveRecord::RecordNotFound, with: :course_not_found&lt;br /&gt;
   rescue_from ActionController::ParameterMissing, with: :parameter_missing&lt;br /&gt;
&lt;br /&gt;
   def action_allowed?&lt;br /&gt;
     has_required_role?('Instructor')&lt;br /&gt;
   end&lt;br /&gt;
&lt;br /&gt;
   ...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=File:Authorization_flow.png&amp;diff=160224</id>
		<title>File:Authorization flow.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=File:Authorization_flow.png&amp;diff=160224"/>
		<updated>2024-12-03T21:59:57Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=File:Screenshot_2024-12-03_at_4.51.34_PM.png&amp;diff=160223</id>
		<title>File:Screenshot 2024-12-03 at 4.51.34 PM.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=File:Screenshot_2024-12-03_at_4.51.34_PM.png&amp;diff=160223"/>
		<updated>2024-12-03T21:58:34Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160222</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160222"/>
		<updated>2024-12-03T21:57:12Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Implemented Changes */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Overall Flow==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/api/v1/courses_controller.rb courses_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To test the functionality, based on the old Expertiza, the method was also overridden in the courses_controller.rb file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class Api::V1::CoursesController &amp;lt; ApplicationController&lt;br /&gt;
   before_action :set_course, only: %i[ show update destroy add_ta view_tas remove_ta copy ]&lt;br /&gt;
   rescue_from ActiveRecord::RecordNotFound, with: :course_not_found&lt;br /&gt;
   rescue_from ActionController::ParameterMissing, with: :parameter_missing&lt;br /&gt;
&lt;br /&gt;
   def action_allowed?&lt;br /&gt;
     has_required_role?('Instructor')&lt;br /&gt;
   end&lt;br /&gt;
&lt;br /&gt;
   ...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160221</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160221"/>
		<updated>2024-12-03T21:47:04Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Existing File Updates */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/api/v1/courses_controller.rb courses_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To test the functionality, based on the old Expertiza, the method was also overridden in the courses_controller.rb file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class Api::V1::CoursesController &amp;lt; ApplicationController&lt;br /&gt;
   before_action :set_course, only: %i[ show update destroy add_ta view_tas remove_ta copy ]&lt;br /&gt;
   rescue_from ActiveRecord::RecordNotFound, with: :course_not_found&lt;br /&gt;
   rescue_from ActionController::ParameterMissing, with: :parameter_missing&lt;br /&gt;
&lt;br /&gt;
   def action_allowed?&lt;br /&gt;
     has_required_role?('Instructor')&lt;br /&gt;
   end&lt;br /&gt;
&lt;br /&gt;
   ...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160220</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160220"/>
		<updated>2024-12-03T21:43:39Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Existing File Updates */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;[[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/application_controller.rb application_controller.rb]]&amp;lt;/strong&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This file was updated to include the new authorization module&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 class ApplicationController &amp;lt; ActionController::API&lt;br /&gt;
   include Authorization&lt;br /&gt;
   include JwtToken&lt;br /&gt;
  &lt;br /&gt;
   before_action :authorize&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This ensures that the [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'has_required_role?']] method is available globally along with [[https://github.com/rarchitgupta/reimplementation-back-end/blob/jwt_authorization/app/controllers/concerns/authorization.rb 'is_role?']]. These methods can then be used to override 'action_allowed?' to override the base implementation and provide more granular control&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160219</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160219"/>
		<updated>2024-12-03T21:37:56Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Existing File Updates */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing File Updates==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_has_privileges_of?(role_name)&lt;br /&gt;
    current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.has_all_privileges_of?(Role.find_by(name: role_name))&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Needs to remove dependency on session variable and get user information from the JWT's decoded payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_and_role_exist?&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_and_role_exist?&lt;br /&gt;
     user_logged_in? &amp;amp;&amp;amp; !session[:user].role.nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Similarly, the role here needs to be checked from the JWT payload&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160218</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160218"/>
		<updated>2024-12-03T21:36:55Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Methods Implemented */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally, we have authorization methods which work with the ApplicationController as well as individual resource controllers:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  # Authorize all actions&lt;br /&gt;
  def authorize&lt;br /&gt;
    unless all_actions_allowed?&lt;br /&gt;
      render json: { &lt;br /&gt;
        error: &amp;quot;You are not authorized to #{params[:action]} this #{params[:controller]}&amp;quot;&lt;br /&gt;
      }, status: :forbidden&lt;br /&gt;
    end&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Check if all actions are allowed&lt;br /&gt;
  def all_actions_allowed?&lt;br /&gt;
    return true if has_required_role?('Administrator')&lt;br /&gt;
    action_allowed?&lt;br /&gt;
  end&lt;br /&gt;
&lt;br /&gt;
  # Base action_allowed? - allows everything by default&lt;br /&gt;
  # Controllers should override this method to implement their authorization logic&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    true&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The individual resource controllers can then override the method 'action_allowed?' to manage access. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
  def action_allowed?&lt;br /&gt;
    has_required_role?('Instructor')&lt;br /&gt;
  end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing Methods to update==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_has_privileges_of?(role_name)&lt;br /&gt;
    current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.has_all_privileges_of?(Role.find_by(name: role_name))&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Needs to remove dependency on session variable and get user information from the JWT's decoded payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_and_role_exist?&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_and_role_exist?&lt;br /&gt;
     user_logged_in? &amp;amp;&amp;amp; !session[:user].role.nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Similarly, the role here needs to be checked from the JWT payload&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160217</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160217"/>
		<updated>2024-12-03T21:29:57Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Methods to implement */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods Implemented==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;has_required_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def has_required_role?(required_role)&lt;br /&gt;
    required_role = Role.find_by_name(required_role) if required_role.is_a?(String)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.all_privileges_of?(required_role) || false&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This function checks if the current user has the required role or higher privileges. The role name is passed down as a parameter in required_role which is the minimum required role level for an action&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?('Administrator') # Checks if user is an admin or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;has_required_role?(Role::INSTRUCTOR) # Checks if user is an instructor or higher&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For exact role requirements, we also have:&lt;br /&gt;
* &amp;lt;strong&amp;gt;is_role?(required_role)&amp;lt;/strong&amp;gt;: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
 def is_role?(required_role)&lt;br /&gt;
    required_role = required_role.name if required_role.is_a?(Role)&lt;br /&gt;
    current_user&amp;amp;.role&amp;amp;.name == required_role&lt;br /&gt;
 end&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
which checks if the user has exactly the specified role. For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;is_role?('Student') # True only if user is exactly a student &amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Existing Methods to update==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_has_privileges_of?(role_name)&lt;br /&gt;
    current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.has_all_privileges_of?(Role.find_by(name: role_name))&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Needs to remove dependency on session variable and get user information from the JWT's decoded payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_and_role_exist?&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_and_role_exist?&lt;br /&gt;
     user_logged_in? &amp;amp;&amp;amp; !session[:user].role.nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Similarly, the role here needs to be checked from the JWT payload&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160215</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160215"/>
		<updated>2024-12-03T21:08:34Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Implemented Changes */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Implemented Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods to implement==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;jwt_verify_and_decode(token)&amp;lt;/strong&amp;gt;: This method will verify and decode a JWT token and return the user's information, including role and claims. Successful verification of the token signature with the secret key will be followed by extraction of the payload which will contain important information about the user and their role for authentication and authorization.&lt;br /&gt;
* &amp;lt;strong&amp;gt;check_user_privileges(user_info, required_privilege)&amp;lt;/strong&amp;gt;: extract the user's roles or permissions from user_info (e.g., from the decoded JWT payload). Then, check if required_privilege exists within the user's permissions, returning true if it does and false otherwise to control access accordingly.&lt;br /&gt;
&lt;br /&gt;
==Existing Methods to update==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_has_privileges_of?(role_name)&lt;br /&gt;
    current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.has_all_privileges_of?(Role.find_by(name: role_name))&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Needs to remove dependency on session variable and get user information from the JWT's decoded payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_and_role_exist?&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_and_role_exist?&lt;br /&gt;
     user_logged_in? &amp;amp;&amp;amp; !session[:user].role.nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Similarly, the role here needs to be checked from the JWT payload&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160214</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=160214"/>
		<updated>2024-12-03T20:58:26Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Problem Statement */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Introduction ==&lt;br /&gt;
Expertiza currently uses session-based authentication in its AuthorizationHelper module. However, the new back-end reimplementation adopts JSON Web Token (JWT) for authentication. This transition is necessary to make the system more scalable, stateless, and secure. JWT-based authentication will replace session-based methods, requiring updates to the AuthorizationHelper module and associated methods.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a reimplementation of an authorization concern module to accommodate JWT-based authentication&lt;br /&gt;
&lt;br /&gt;
===Concerns===&lt;br /&gt;
&lt;br /&gt;
A concern is a module that you extract to split the implementation of a class or module in coherent chunks, instead of having one big class body. Our new authorization module will be implemented as a concern which will work in tandem with the already-implemented [[https://github.com/expertiza/reimplementation-back-end/blob/main/app/controllers/concerns/jwt_token.rb JWT Concern]]&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Role Management &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Enable the system to process, verify, and decode roles from JWT Tokens.&lt;br /&gt;
** Use token role data to authenticate and authorize user actions.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Privilege Verification &amp;lt;/strong&amp;gt;:&lt;br /&gt;
** Update methods to validate user privileges using JWT claims.&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; Testing and Documentation &amp;lt;/strong&amp;gt;: &lt;br /&gt;
** Write comprehensive unit tests for all JWT-related methods.&lt;br /&gt;
** Include clear documentation and comments to aid future developers.&lt;br /&gt;
&lt;br /&gt;
=Proposed Changes=&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
A JWT Token consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Methods to implement==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;jwt_verify_and_decode(token)&amp;lt;/strong&amp;gt;: This method will verify and decode a JWT token and return the user's information, including role and claims. Successful verification of the token signature with the secret key will be followed by extraction of the payload which will contain important information about the user and their role for authentication and authorization.&lt;br /&gt;
* &amp;lt;strong&amp;gt;check_user_privileges(user_info, required_privilege)&amp;lt;/strong&amp;gt;: extract the user's roles or permissions from user_info (e.g., from the decoded JWT payload). Then, check if required_privilege exists within the user's permissions, returning true if it does and false otherwise to control access accordingly.&lt;br /&gt;
&lt;br /&gt;
==Existing Methods to update==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_has_privileges_of?(role_name)&lt;br /&gt;
    current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.has_all_privileges_of?(Role.find_by(name: role_name))&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Needs to remove dependency on session variable and get user information from the JWT's decoded payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_and_role_exist?&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_and_role_exist?&lt;br /&gt;
     user_logged_in? &amp;amp;&amp;amp; !session[:user].role.nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Similarly, the role here needs to be checked from the JWT payload&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Design Principles ==&lt;br /&gt;
The redesign of the `AuthorizationHelper` module for JWT-based authentication will follow well-established design principles to ensure the solution is secure, maintainable, and scalable. Below are the key principles to be applied and how they will shape this redesign:&lt;br /&gt;
&lt;br /&gt;
1. '''Single Responsibility Principle (SRP)'''&lt;br /&gt;
* '''Definition''': Each module or class should have one clear responsibility.&lt;br /&gt;
* '''How It’s Applied''': The `AuthorizationHelper` module focuses only on managing authentication and authorization, separating these concerns into distinct methods. For instance, `jwt_verify_and_decode` handles token verification, while `check_user_privileges` focuses on role-based checks. This keeps the code clean and easier to maintain.&lt;br /&gt;
&lt;br /&gt;
2. '''Separation of Concerns'''&lt;br /&gt;
* '''Definition''': Different aspects of the system should be handled independently.&lt;br /&gt;
* '''How It’s Applied''': JWT-related tasks like token creation and decoding are delegated to the `JsonWebToken` class, while privilege checking and user role management remain within `AuthorizationHelper`. This modular approach ensures changes in one area don’t unnecessarily affect the other.&lt;br /&gt;
&lt;br /&gt;
3. '''Security by Design'''&lt;br /&gt;
* '''Definition''': Security should be built into the system from the start, not as an afterthought.&lt;br /&gt;
* '''How It’s Applied''': JWT tokens are validated for expiry and tampering before any actions are authorized. Sensitive data like secret keys is securely stored in environment variables, and communication involving tokens is secured using HTTPS. The system also uses role-based access control (RBAC) to enforce fine-grained permissions.&lt;br /&gt;
&lt;br /&gt;
4. '''Statelessness'''&lt;br /&gt;
* '''Definition''': The system should not depend on maintaining user-specific data on the server.&lt;br /&gt;
* '''How It’s Applied''': By using JWT, all necessary information about the user is encoded in the token itself. This removes the dependency on server-side session storage, making the system scalable and suitable for distributed architectures.&lt;br /&gt;
&lt;br /&gt;
5. '''Testability'''&lt;br /&gt;
* '''Definition''': Code should be designed to make testing straightforward and effective.&lt;br /&gt;
* '''How It’s Applied''': Each method has a single responsibility, making it easier to write focused tests. The modular design allows us to test components like token verification and privilege checking independently, while mock tokens can simulate various scenarios (valid, expired, tampered).&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
=== Unit Tests ===&lt;br /&gt;
'''Definition''': Unit tests verify that individual methods work correctly in isolation under different scenarios.&lt;br /&gt;
&lt;br /&gt;
==== Tests for jwt_verify_and_decode ====&lt;br /&gt;
'''Valid Token Test:'''&lt;br /&gt;
* '''Input''': A valid JWT token with claims like `id`, `role`, and `exp`.&lt;br /&gt;
* '''Expected Output''': Decoded payload as a `HashWithIndifferentAccess`.&lt;br /&gt;
* '''Validation''': Ensure the returned payload matches the expected data.&lt;br /&gt;
&lt;br /&gt;
'''Expired Token Test:'''&lt;br /&gt;
* '''Input''': A token with an `exp` claim that has already passed.&lt;br /&gt;
* '''Expected Output''': `nil` with an appropriate error logged.&lt;br /&gt;
* '''Validation''': Confirm that the method gracefully handles expired tokens.&lt;br /&gt;
&lt;br /&gt;
'''Invalid Token Test:'''&lt;br /&gt;
* '''Input''': A tampered JWT token with an invalid signature.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure an appropriate error message is logged, and sensitive information is not exposed.&lt;br /&gt;
&lt;br /&gt;
'''Missing Claims Test:'''&lt;br /&gt;
* '''Input''': A valid token missing critical claims like `role`.&lt;br /&gt;
* '''Expected Output''': `nil`.&lt;br /&gt;
* '''Validation''': Ensure the method flags the token as invalid due to missing data.&lt;br /&gt;
&lt;br /&gt;
==== Tests for check_user_privileges ====&lt;br /&gt;
'''Sufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Admin` and a `required_privilege` of `Student`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method correctly interprets hierarchical roles.&lt;br /&gt;
&lt;br /&gt;
'''Insufficient Privileges Test:'''&lt;br /&gt;
* '''Input''': User info with `role` as `Student` and a `required_privilege` of `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access for insufficient privileges.&lt;br /&gt;
&lt;br /&gt;
'''Missing Role Test:'''&lt;br /&gt;
* '''Input''': User info without a `role` claim.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method handles missing roles gracefully.&lt;br /&gt;
&lt;br /&gt;
==== Tests for current_user_is_a? ====&lt;br /&gt;
'''Correct Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `Instructor` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `true`.&lt;br /&gt;
* '''Validation''': Verify the method returns `true` when roles match exactly.&lt;br /&gt;
&lt;br /&gt;
'''Incorrect Role Test:'''&lt;br /&gt;
* '''Input''': Token with `role` as `TA` and `role_name` as `Instructor`.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Ensure the method denies access when roles don’t match.&lt;br /&gt;
&lt;br /&gt;
'''Missing Token Test:'''&lt;br /&gt;
* '''Input''': `nil` token.&lt;br /&gt;
* '''Expected Output''': `false`.&lt;br /&gt;
* '''Validation''': Confirm that the method handles missing tokens properly.&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
=== Integration Tests ===&lt;br /&gt;
'''Definition''': Integration tests validate that the `AuthorizationHelper` module functions correctly within the context of the overall system.&lt;br /&gt;
&lt;br /&gt;
==== Approach Options ====&lt;br /&gt;
1. '''Creating a Dummy API''':&lt;br /&gt;
* A lightweight API will be created specifically for testing the `AuthorizationHelper` methods.&lt;br /&gt;
* This API will simulate requests requiring token authentication and privilege checks.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Fully isolated testing environment.&lt;br /&gt;
** Flexibility to simulate different roles, tokens, and scenarios.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Requires additional setup and may not reflect real-world behavior perfectly.&lt;br /&gt;
&lt;br /&gt;
2. '''Implementing a New Controller in Expertiza''':&lt;br /&gt;
* A controller will be added to the existing Expertiza application that uses the refactored `AuthorizationHelper`.&lt;br /&gt;
* This ensures that tests occur in a real-world context, validating interactions with the actual system.&lt;br /&gt;
* '''Advantages''':&lt;br /&gt;
** Validates the actual behavior of the module within the system.&lt;br /&gt;
** Reflects real application workflows and edge cases.&lt;br /&gt;
* '''Disadvantages''':&lt;br /&gt;
** Potentially affects other parts of the application during testing.&lt;br /&gt;
** Requires effort to ensure test isolation.&lt;br /&gt;
&lt;br /&gt;
==== Integration Test Cases ====&lt;br /&gt;
'''API Endpoint Authentication'''&lt;br /&gt;
* '''Valid Token Test''':&lt;br /&gt;
** '''Scenario''': Send a valid JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 200 OK with access granted.&lt;br /&gt;
** '''Validation''': Confirm the user is authenticated and receives the correct resource.&lt;br /&gt;
&lt;br /&gt;
* '''Expired Token Test''':&lt;br /&gt;
** '''Scenario''': Send an expired JWT token to a protected endpoint.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Ensure the system blocks access and provides a proper error message.&lt;br /&gt;
&lt;br /&gt;
* '''Tampered Token Test''':&lt;br /&gt;
** '''Scenario''': Send a tampered token with an invalid signature.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Confirm the system denies access and logs the attempt securely.&lt;br /&gt;
&lt;br /&gt;
* '''Missing Token Test''':&lt;br /&gt;
** '''Scenario''': Make a request without providing a token.&lt;br /&gt;
** '''Expected Outcome''': HTTP 401 Unauthorized.&lt;br /&gt;
** '''Validation''': Verify that token authentication is strictly enforced.&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=159172</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=159172"/>
		<updated>2024-11-12T22:57:07Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end| reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a redesign of the AuthorizationHelper module to accommodate JWT-based authentication.&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; JWT Creation &amp;lt;/strong&amp;gt;: Make sure that a valid JSON Web Token is created which stores necessary details about the user and their role&lt;br /&gt;
* &amp;lt;strong&amp;gt; Token expiry and revocation &amp;lt;/strong&amp;gt;: Token expiry and refresh mechanisms need to be implemented as well as a strategy for token revocation&lt;br /&gt;
* &amp;lt;strong&amp;gt; Remove dependency on session &amp;lt;/strong&amp;gt;: The system has to be refactored, configured and tested thoroughly to ensure that having migrated to JWT, there is no dependency on Rails' session&lt;br /&gt;
* Writing rspec test cases for all JWT authentication helper methods to ensure proper exception and error handling&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Methods to implement==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;jwt_verify_and_decode(token)&amp;lt;/strong&amp;gt;: This method will verify and decode a JWT token and return the user's information, including role and claims. Successful verification of the token signature with the secret key will be followed by extraction of the payload which will contain important information about the user and their role for authentication and authorization.&lt;br /&gt;
* &amp;lt;strong&amp;gt;check_user_privileges(user_info, required_privilege)&amp;lt;/strong&amp;gt;: extract the user's roles or permissions from user_info (e.g., from the decoded JWT payload). Then, check if required_privilege exists within the user's permissions, returning true if it does and false otherwise to control access accordingly.&lt;br /&gt;
&lt;br /&gt;
==Existing Methods to update==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_has_privileges_of?(role_name)&lt;br /&gt;
    current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.has_all_privileges_of?(Role.find_by(name: role_name))&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Needs to remove dependency on session variable and get user information from the JWT's decoded payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_and_role_exist?&amp;lt;/strong&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_and_role_exist?&lt;br /&gt;
     user_logged_in? &amp;amp;&amp;amp; !session[:user].role.nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Similarly, the role here needs to be checked from the JWT payload&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
Structure of a JWT&lt;br /&gt;
A JWT consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=159132</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=159132"/>
		<updated>2024-11-12T20:16:22Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end| reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a redesign of the AuthorizationHelper module to accommodate JWT-based authentication.&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; JWT Creation &amp;lt;/strong&amp;gt;: Make sure that a valid JSON Web Token is created which stores necessary details about the user and their role&lt;br /&gt;
* &amp;lt;strong&amp;gt; Token expiry and revocation &amp;lt;/strong&amp;gt;: Token expiry and refresh mechanisms need to be implemented as well as a strategy for token revocation&lt;br /&gt;
* &amp;lt;strong&amp;gt; Remove dependency on session &amp;lt;/strong&amp;gt;: The system has to be refactored, configured and tested thoroughly to ensure that having migrated to JWT, there is no dependency on Rails' session&lt;br /&gt;
* Writing rspec test cases for all JWT authentication helper methods to ensure proper exception and error handling&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Methods to implement==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;jwt_verify_and_decode(token)&amp;lt;/strong&amp;gt;: This method will verify and decode a JWT token and return the user's information, including role and claims. Successful verification of the token signature with the secret key will be followed by extraction of the payload which will contain important information about the user and their role for authentication and authorization.&lt;br /&gt;
* &amp;lt;strong&amp;gt;check_user_privileges(user_info, required_privilege)&amp;lt;/strong&amp;gt;: extract the user's roles or permissions from user_info (e.g., from the decoded JWT payload). Then, check if required_privilege exists within the user's permissions, returning true if it does and false otherwise to control access accordingly.&lt;br /&gt;
&lt;br /&gt;
==Existing Methods to update==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;current_user_is_a?(role_name)&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def current_user_is_a?(role_name)&lt;br /&gt;
     current_user_and_role_exist? &amp;amp;&amp;amp; session[:user].role.name == role_name&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Currently this method relies on the session variable which is populated at the time of login to determine the role of a user. This would have to be updated to decode the user's role from the JWT payload&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;user_logged_in?&amp;lt;/strong&amp;gt;:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
 def user_logged_in?&lt;br /&gt;
     !session[:user].nil?&lt;br /&gt;
 end&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
This method will have to be updated to check the user's login status based on JWT validity&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Similarly methods like &amp;lt;strong&amp;gt;current_user_has_privileges_of?(role_name)&amp;lt;/strong&amp;gt; and &amp;lt;strong&amp;gt;current_user_has_id?(id)&amp;lt;/strong&amp;gt; will also have to be updated to remove dependencies from the session object, which are all part of the [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
Structure of a JWT&lt;br /&gt;
A JWT consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=159129</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=159129"/>
		<updated>2024-11-12T19:56:35Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
The AuthorizationHelper module in Expertiza plays a critical role in managing user permissions and access control within the system. It provides methods to verify a user’s privileges based on their assigned roles, such as Super-Admin, Admin, Instructor, TA, or Student. These methods check if the user is authorized to perform actions like submitting assignments, reviewing work, or participating in quizzes. Additionally, it determines whether a user is involved in specific assignments, either as a participant, instructor, or through TA mappings.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end| reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a redesign of the AuthorizationHelper module to accommodate JWT-based authentication.&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; JWT Creation &amp;lt;/strong&amp;gt;: Make sure that a valid JSON Web Token is created which stores necessary details about the user and their role&lt;br /&gt;
* &amp;lt;strong&amp;gt; Token expiry and revocation &amp;lt;/strong&amp;gt;: Token expiry and refresh mechanisms need to be implemented as well as a strategy for token revocation&lt;br /&gt;
* &amp;lt;strong&amp;gt; Remove dependency on session &amp;lt;/strong&amp;gt;: The system has to be refactored, configured and tested thoroughly to ensure that having migrated to JWT, there is no dependency on Rails' session&lt;br /&gt;
* Writing rspec test cases for all JWT authentication helper methods to ensure proper exception and error handling&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Methods to implement==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;jwt_verify_and_decode(token)&amp;lt;/strong&amp;gt;: This method will verify and decode a JWT token and return the user's information, including role and claims. Successful verification of the token signature with the secret key will be followed by extraction of the payload which will contain important information about the user and their role for authentication and authorization.&lt;br /&gt;
* &amp;lt;strong&amp;gt;check_user_privileges(user_info, required_privilege)&amp;lt;/strong&amp;gt;: extract the user's roles or permissions from user_info (e.g., from the decoded JWT payload). Then, check if required_privilege exists within the user's permissions, returning true if it does and false otherwise to control access accordingly.&lt;br /&gt;
&lt;br /&gt;
Further, the already existing methods need to be updated and need to be refactored to account for the new authentication system&lt;br /&gt;
&lt;br /&gt;
== JWT Token Overview ==&lt;br /&gt;
&lt;br /&gt;
A JSON Web Token (JWT) is a compact, URL-safe token format commonly used for securely transmitting information between parties. It is widely used in web applications for authentication and authorization, as it allows information to be verified and trusted. In the context of our reimplemented AuthorizationHelper module, JWT tokens will replace session-based authentication, enabling stateless and more secure access control.&lt;br /&gt;
&lt;br /&gt;
Structure of a JWT&lt;br /&gt;
A JWT consists of three main parts:&lt;br /&gt;
&lt;br /&gt;
*Header: Contains metadata about the token, such as the type (JWT) and the hashing algorithm used (e.g., HS256 or RS256).&lt;br /&gt;
*Payload: Includes claims, which are statements about an entity (typically, the user) and additional data like the user’s role and permissions.&lt;br /&gt;
*Signature: A cryptographic signature generated by encoding the header and payload with a secret key or private key, ensuring data integrity.&lt;br /&gt;
These three sections are separated by dots (.), forming a token that looks like this: &amp;lt;Header&amp;gt;.&amp;lt;Payload&amp;gt;.&amp;lt;Signature&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:JWT-Workflow.png|500px|center]]&lt;br /&gt;
&lt;br /&gt;
==Anticipated Outcomes==&lt;br /&gt;
1. Enhanced AuthorizationHelper Module with JWT Integration: &amp;lt;br&amp;gt;&lt;br /&gt;
Updated and operational AuthorizationHelper module that would use JWT-based authentication. The module would be restructured to incorporate token-based authentication checks, replacing prior session-based methods.&lt;br /&gt;
&lt;br /&gt;
2. Updated Associated Methods: &amp;lt;br&amp;gt;&lt;br /&gt;
Methods within the module will have to be updated to leverage JWT claims, ensuring authentication and authorization are handled based on token data. This will allow the module to verify user roles and permissions effectively through JWT claims.&lt;br /&gt;
&lt;br /&gt;
3. Comprehensive JWT Error Handling: &amp;lt;br&amp;gt;&lt;br /&gt;
Built-in error handling to manage potential JWT-related issues, such as token expiration, tampering, or invalid claims. This ensures that unauthorized access is &lt;br /&gt;
blocked, and clear error messages are provided when issues arise.&lt;br /&gt;
&lt;br /&gt;
4. Robust Unit Tests for Validation: &amp;lt;br&amp;gt;&lt;br /&gt;
A full suite of unit tests covering various scenarios, including normal, boundary, and edge cases, to validate each method’s functionality and confirm that all &lt;br /&gt;
JWT-based authentication flows work reliably.&lt;br /&gt;
&lt;br /&gt;
5. Detailed Documentation and Code Comments: &amp;lt;br&amp;gt;&lt;br /&gt;
In-depth documentation and comments would be added to each function, explaining purpose, usage, and JWT-related adjustments, aiding in code readability and future &lt;br /&gt;
maintenance.&lt;br /&gt;
&lt;br /&gt;
== Test Plan ==&lt;br /&gt;
&lt;br /&gt;
== Team ==&lt;br /&gt;
===Mentor===&lt;br /&gt;
*Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
===Members===&lt;br /&gt;
*Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
*Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
*Ansh Ganatra (aganatr@ncsu.edu)&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=158932</id>
		<title>CSC/ECE 517 Fall 2024 - E2487. Reimplement authorization helper.rb</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2487._Reimplement_authorization_helper.rb&amp;diff=158932"/>
		<updated>2024-11-12T01:04:50Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Problem Statement==&lt;br /&gt;
&lt;br /&gt;
Expertiza currently uses session-based authentication in its [[https://github.com/expertiza/expertiza/blob/main/app/helpers/authorization_helper.rb| AuthorizationHelper]] module. The [[https://github.com/expertiza/reimplementation-back-end| reimplementation-back-end]] however, uses JWT (JSON Web Token) based authentication. This requires a redesign of the AuthorizationHelper module to accommodate JWT-based authentication.&lt;br /&gt;
&lt;br /&gt;
The following points need to be taken care of as per the requirement&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt; JWT Creation &amp;lt;/strong&amp;gt;: Make sure that a valid JSON Web Token is created which stores necessary details about the user and their role&lt;br /&gt;
* &amp;lt;strong&amp;gt; Token expiry and revocation &amp;lt;/strong&amp;gt;: Token expiry and refresh mechanisms need to be implemented as well as a strategy for token revocation&lt;br /&gt;
* &amp;lt;strong&amp;gt; Remove dependency on session &amp;lt;/strong&amp;gt;: The system has to be refactored, configured and tested thoroughly to ensure that having migrated to JWT, there is no dependency on Rails' session&lt;br /&gt;
* Writing rspec test cases for all JWT authentication helper methods to ensure proper exception and error handling&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Methods to implement==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;strong&amp;gt;jwt_verify_and_decode(token)&amp;lt;/strong&amp;gt;: This method will verify and decode a JWT token and return the user's information, including role and claims. Successful verification of the token signature with the secret key will be followed by extraction of the payload which will contain important information about the user and their role for authentication and authorization.&lt;br /&gt;
* &amp;lt;strong&amp;gt;check_user_privileges(user_info, required_privilege)&amp;lt;/strong&amp;gt;: extract the user's roles or permissions from user_info (e.g., from the decoded JWT payload). Then, check if required_privilege exists within the user's permissions, returning true if it does and false otherwise to control access accordingly.&lt;br /&gt;
&lt;br /&gt;
Further, the already existing methods need to be updated and need to be refactored to account for the new authentication system&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157972</id>
		<title>CSC/ECE 517 Fall 2024 - E2469. Reimplement grades/view team</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157972"/>
		<updated>2024-10-30T00:47:33Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Reimplementation and Improvements */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
Expertiza is an open-source learning management system developed with Ruby on Rails, facilitating assignment creation, team management, and a structured peer review process. Designed for educational settings, Expertiza offers instructors tools to assign topics, manage teams, and allow students to collaborate on various assignment formats, including URLs and wiki pages. Its peer review functionality encourages students to provide feedback, promoting a collaborative learning experience.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement ==&lt;br /&gt;
This project focuses on reimplementing the grades/view_team page in Expertiza. The current interface lacks modern design aesthetics and usability standards making it challenging for users to access and understand grading data efficiently. Our objective is to develop a fully functional and visually cohesive front end for the Grades View page. By enhancing visual consistency, simplifying information display, improving responsiveness, giving users freedom to select views, and intuitive layout, this redesign aims to provide an improved user experience.&lt;br /&gt;
&lt;br /&gt;
== Reimplementation and Improvements ==&lt;br /&gt;
=== Enhanced Peer Review and Author Feedback Filtering ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ShowReviews Feedback.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:GradesView2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Filters.tsx Filters.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/ShowReviews.tsx ShowReviews.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The requirement in the statistic section of the grade page was to make changes to show dropdown selection menu for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; and further add filtering based on the rounds (Round 1 or Round 2 or All) for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
To carry out the changes on first selection menu, we had toggle reviews and toggle feedback event listeners defined in statistics based on which we displayed the data using ShowReviews react componenet. These event listeners were passed to Filters component and which had drop down UI component for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;. Based on the option selected either toggleShowReviews or toggleAuthorFeedback were invoked.&lt;br /&gt;
&lt;br /&gt;
To do make further changes to display data according to rounds, first in the Statistics component of react application we defined the state &amp;quot;roundSelected&amp;quot; and also defined listener function to update round (selectRound). This event listener function was passed to Filter react component which had the UI element for second drop down for rounds selection. Based on the round selected from the dropdown, we invoked selectRound event listener function. When this event listener function is invoked we update the state variable &amp;quot;roundSelected&amp;quot;. And then this state variable is passed as props to ShowReviews react component which is responsible for iterating over &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; data and added the logic to show data with rounds based on the prop.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Show Reviews&amp;quot; and &amp;quot;Show Author Feedback&amp;quot; link displays all the peer reviews from Round 1 and Round 2 and author's feedback from both rounds in a single view. This forces the users to scroll all the rounds' reviews and feedback sequentially which can be overwhelming when users wish to view feedback from a specific round. Also, users don't have the freedom and control to choose to view all rounds' reviews/feedbacks or specific rounds' reviews/feedbacks. Additionally, a single view adds visual clutter and increases cognitive load. &lt;br /&gt;
&lt;br /&gt;
With the 2 dropdowns users have more control over which reviews they would like to view. The first dropdown lets them choose from viewing reviews or author's feedback for the reviews provided, while the second dropdown allows them to select specific rounds (Round 1, Round 2, or both). This gives users the flexibility to focus on specific rounds as needed. Separating the reviews/author feedback based on a round filter reduces clutter, creating a cleaner, more organized layout. Users can now view reviews and feedback in a more structured way, which simplifies navigation and enhances readability and improves satisfaction.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Replaced the disorganized display of scores for submitted work, author feedback, and teammate reviews with a Structured Scorecard table for clearer presentation. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:OldScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:NewScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The Statistics.tsx file was modified to implement the new tabular format for the grades summary. We removed the earlier code for the UI which showed the scores in a tabular format. However, the existing table was difficult to read without borders around the table. The modified table gets rid of unnecessary statistics like &amp;quot;contributor&amp;quot; and removes the toggles to show reviews and author feedback. This ensures that the section does not repeat links and present information not required&lt;br /&gt;
&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The previous display of scores for submitted work, author feedback, and teammate reviews was fragmented and lacked clarity, making it difficult for users to interpret performance metrics at a glance. By introducing a structured scorecard table, we present all relevant data in a clear, organized format, enabling users to easily compare and understand scores across different rounds. This redesign improves usability by offering a more intuitive layout and better visibility of grading information.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Removed the names of reviewers as they are supposed to remain anonymous. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewerNameChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ReviewerNameChange2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The reason for this change is to shift focus more on quality and content of feedback and reviews rather than identity of reviewers. Anonymity encourages the reviewers to provide constructive criticism as reviewers will review without concern for any issues or repercussions.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Styling of Review Table ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Fixed styling Toggle Question List ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleChange1.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ToggleChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Toggle Question List&amp;quot; styling was refined for better alignment and readability, enhancing the clarity of the page’s interactive elements.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Unified Review Rounds Button and Interface Styling Update ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewTableSeparateView.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:UnifiedReviewTable.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Addition of “All Rounds’’ Button: The new &amp;quot;All Rounds&amp;quot; button allows users to view reviews from multiple rounds in a single table. This eliminates the need to switch between individual rounds, giving users a comprehensive view of the feedback across all rounds at once. &lt;br /&gt;
Color and Style Consistency: The colors and styles of the buttons were updated to match Expertiza’s established color scheme, ensuring a cohesive and professional look across the platform. This consistency aids in navigation, making the interface feel more intuitive and visually appealing. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Expanded Submission Links Display ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleSubmission.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ExpandedSubmissions.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The change enhances usability by directly presenting all relevant submission links to users without requiring additional interaction to show or hide them. This expanded view allows for quicker access to project resources and a more streamlined experience, improving efficiency and clarity in the peer review process on the grades/view_team page.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Testing ==&lt;br /&gt;
We have conducted comprehensive manual testing to verify the functionality, usability, and visual consistency of the reimplemented features.&lt;br /&gt;
&lt;br /&gt;
1. &amp;lt;b&amp;gt;Peer Review and Feedback Filter:&amp;lt;/b&amp;gt; Tested the dropdown options to confirm that users can correctly view specific rounds of peer reviews or author feedback as selected. &lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. &amp;lt;b&amp;gt;Scorecard Table:&amp;lt;/b&amp;gt; Checked that the Scorecard table displays relevant scores in an organized manner and ensured that the scoring data is correctly calculated.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3 &amp;lt;b&amp;gt;Submission Links:&amp;lt;/b&amp;gt; Verified that the submission links were directly displayed, without the need to toggle them. Each link was tested individually to ensure it opens the correct resource without errors.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
4. &amp;lt;b&amp;gt;Styling Consistency:&amp;lt;/b&amp;gt; We compared the new styling of buttons, dropdowns, and tables with the rest of Expertiza's interface to ensure a cohesive look.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
5. &amp;lt;b&amp;gt;Anonymity of Reviewers:&amp;lt;/b&amp;gt; Verified that reviewers’ names were properly hidden, preserving anonymity throughout the review display&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
6. &amp;lt;b&amp;gt;All Rounds Button:&amp;lt;/b&amp;gt; Tested the &amp;quot;All Rounds&amp;quot; button by viewing multiple rounds of reviews in a single table to confirm that users can easily access and interpret cumulative feedback without toggling between views.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Repository Links ==&lt;br /&gt;
[https://github.com/rarchitgupta/reimplementation-front-end FrontEnd]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-back-end Backend]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-front-end/pull/62 Pull Request]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Project Mentor ==&lt;br /&gt;
Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Team Members ==&lt;br /&gt;
Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Ansh Ganatra (aganatr@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157960</id>
		<title>CSC/ECE 517 Fall 2024 - E2469. Reimplement grades/view team</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157960"/>
		<updated>2024-10-30T00:40:47Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Removed the names of reviewers as they are supposed to remain anonymous. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
Expertiza is an open-source learning management system developed with Ruby on Rails, facilitating assignment creation, team management, and a structured peer review process. Designed for educational settings, Expertiza offers instructors tools to assign topics, manage teams, and allow students to collaborate on various assignment formats, including URLs and wiki pages. Its peer review functionality encourages students to provide feedback, promoting a collaborative learning experience.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement ==&lt;br /&gt;
This project focuses on reimplementing the grades/view_team page in Expertiza. The current interface lacks modern design aesthetics and usability standards making it challenging for users to access and understand grading data efficiently. Our objective is to develop a fully functional and visually cohesive front end for the Grades View page. By enhancing visual consistency, simplifying information display, improving responsiveness, giving users freedom to select views, and intuitive layout, this redesign aims to provide an improved user experience.&lt;br /&gt;
&lt;br /&gt;
== Reimplementation and Improvements ==&lt;br /&gt;
=== Enhanced Peer Review and Author Feedback Filtering ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ShowReviews Feedback.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:GradesView2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Filters.tsx Filters.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/ShowReviews.tsx ShowReviews.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The requirement in the statistic section of the grade page was to make changes to show dropdown selection menu for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; and further add filtering based on the rounds (Round 1 or Round 2 or All) for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
To carry out the changes on first selection menu, we had toggle reviews and toggle feedback event listeners defined in statistics based on which we displayed the data using ShowReviews react componenet. These event listeners were passed to Filters component and which had drop down UI component for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;. Based on the option selected either toggleShowReviews or toggleAuthorFeedback were invoked.&lt;br /&gt;
&lt;br /&gt;
To do make further changes to display data according to rounds, first in the Statistics component of react application we defined the state &amp;quot;roundSelected&amp;quot; and also defined listener function to update round (selectRound). This event listener function was passed to Filter react component which had the UI element for second drop down for rounds selection. Based on the round selected from the dropdown, we invoked selectRound event listener function. When this event listener function is invoked we update the state variable &amp;quot;roundSelected&amp;quot;. And then this state variable is passed as props to ShowReviews react component which is responsible for iterating over &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; data and added the logic to show data with rounds based on the prop.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Show Reviews&amp;quot; and &amp;quot;Show Author Feedback&amp;quot; link displays all the peer reviews from Round 1 and Round 2 and author's feedback from both rounds in a single view. This forces the users to scroll all the rounds' reviews and feedback sequentially which can be overwhelming when users wish to view feedback from a specific round. Also, users don't have the freedom and control to choose to view all rounds' reviews/feedbacks or specific rounds' reviews/feedbacks. Additionally, a single view adds visual clutter and increases cognitive load. &lt;br /&gt;
&lt;br /&gt;
With the 2 dropdowns users have more control over which reviews they would like to view. The first dropdown lets them choose from viewing reviews or author's feedback for the reviews provided, while the second dropdown allows them to select specific rounds (Round 1, Round 2, or both). This gives users the flexibility to focus on specific rounds as needed. Separating the reviews/author feedback based on a round filter reduces clutter, creating a cleaner, more organized layout. Users can now view reviews and feedback in a more structured way, which simplifies navigation and enhances readability and improves satisfaction.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Replaced the disorganized display of scores for submitted work, author feedback, and teammate reviews with a Structured Scorecard table for clearer presentation. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:OldScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:NewScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The Statistics.tsx file was modified to implement the new tabular format for the grades summary. We removed the earlier code for the UI which showed the scores in a tabular format. However, the existing table was difficult to read without borders around the table. The modified table gets rid of unnecessary statistics like &amp;quot;contributor&amp;quot; and removes the toggles to show reviews and author feedback. This ensures that the section does not repeat links and present information not required&lt;br /&gt;
&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The previous display of scores for submitted work, author feedback, and teammate reviews was fragmented and lacked clarity, making it difficult for users to interpret performance metrics at a glance. By introducing a structured scorecard table, we present all relevant data in a clear, organized format, enabling users to easily compare and understand scores across different rounds. This redesign improves usability by offering a more intuitive layout and better visibility of grading information.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Removed the names of reviewers as they are supposed to remain anonymous. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewerNameChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ReviewerNameChange2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The reason for this change is to shift focus more on quality and content of feedback and reviews rather than identity of reviewers. Anonymity encourages the reviewers to provide constructive criticism as reviewers will review without concern for any issues or repercussions.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Removed information that didn’t add value ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:Contributer RangeRemoved.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Contributor Name: The displayed contributor name only indicated the team member who submitted the work, which could cause confusion, as all team members contribute to the assignment. Additionally, team members' names are already displayed at the top of the page, making this information redundant. Removing it reduces visual clutter, focusing the user's attention on relevant grading information.&lt;br /&gt;
Score Range: The score range provided minimal value in understanding the overall grade, as the average score alone conveys a clearer summary of performance. By removing the range, the layout is simplified, helping users to focus on meaningful metrics without unnecessary data.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Styling of Review Table ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Fixed styling Toggle Question List ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleChange1.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ToggleChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Toggle Question List&amp;quot; styling was refined for better alignment and readability, enhancing the clarity of the page’s interactive elements.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Unified Review Rounds Button and Interface Styling Update ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewTableSeparateView.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:UnifiedReviewTable.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Addition of “All Rounds’’ Button: The new &amp;quot;All Rounds&amp;quot; button allows users to view reviews from multiple rounds in a single table. This eliminates the need to switch between individual rounds, giving users a comprehensive view of the feedback across all rounds at once. &lt;br /&gt;
Color and Style Consistency: The colors and styles of the buttons were updated to match Expertiza’s established color scheme, ensuring a cohesive and professional look across the platform. This consistency aids in navigation, making the interface feel more intuitive and visually appealing. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Expanded Submission Links Display ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleSubmission.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ExpandedSubmissions.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The change enhances usability by directly presenting all relevant submission links to users without requiring additional interaction to show or hide them. This expanded view allows for quicker access to project resources and a more streamlined experience, improving efficiency and clarity in the peer review process on the grades/view_team page.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Testing ==&lt;br /&gt;
We have conducted comprehensive manual testing to verify the functionality, usability, and visual consistency of the reimplemented features.&lt;br /&gt;
&lt;br /&gt;
1. &amp;lt;b&amp;gt;Peer Review and Feedback Filter:&amp;lt;/b&amp;gt; Tested the dropdown options to confirm that users can correctly view specific rounds of peer reviews or author feedback as selected. &lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. &amp;lt;b&amp;gt;Scorecard Table:&amp;lt;/b&amp;gt; Checked that the Scorecard table displays relevant scores in an organized manner and ensured that the scoring data is correctly calculated.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3 &amp;lt;b&amp;gt;Submission Links:&amp;lt;/b&amp;gt; Verified that the submission links were directly displayed, without the need to toggle them. Each link was tested individually to ensure it opens the correct resource without errors.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
4. &amp;lt;b&amp;gt;Styling Consistency:&amp;lt;/b&amp;gt; We compared the new styling of buttons, dropdowns, and tables with the rest of Expertiza's interface to ensure a cohesive look.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
5. &amp;lt;b&amp;gt;Anonymity of Reviewers:&amp;lt;/b&amp;gt; Verified that reviewers’ names were properly hidden, preserving anonymity throughout the review display&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
6. &amp;lt;b&amp;gt;All Rounds Button:&amp;lt;/b&amp;gt; Tested the &amp;quot;All Rounds&amp;quot; button by viewing multiple rounds of reviews in a single table to confirm that users can easily access and interpret cumulative feedback without toggling between views.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Repository Links ==&lt;br /&gt;
[https://github.com/rarchitgupta/reimplementation-front-end FrontEnd]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-back-end Backend]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-front-end/pull/62 Pull Request]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Project Mentor ==&lt;br /&gt;
Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Team Members ==&lt;br /&gt;
Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Ansh Ganatra (aganatr@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157946</id>
		<title>CSC/ECE 517 Fall 2024 - E2469. Reimplement grades/view team</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157946"/>
		<updated>2024-10-30T00:32:36Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* Replaced the disorganized display of scores for submitted work, author feedback, and teammate reviews with a Structured Scorecard table for clearer presentation. */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
Expertiza is an open-source learning management system developed with Ruby on Rails, facilitating assignment creation, team management, and a structured peer review process. Designed for educational settings, Expertiza offers instructors tools to assign topics, manage teams, and allow students to collaborate on various assignment formats, including URLs and wiki pages. Its peer review functionality encourages students to provide feedback, promoting a collaborative learning experience.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement ==&lt;br /&gt;
This project focuses on reimplementing the grades/view_team page in Expertiza. The current interface lacks modern design aesthetics and usability standards making it challenging for users to access and understand grading data efficiently. Our objective is to develop a fully functional and visually cohesive front end for the Grades View page. By enhancing visual consistency, simplifying information display, improving responsiveness, giving users freedom to select views, and intuitive layout, this redesign aims to provide an improved user experience.&lt;br /&gt;
&lt;br /&gt;
== Reimplementation and Improvements ==&lt;br /&gt;
=== Enhanced Peer Review and Author Feedback Filtering ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ShowReviews Feedback.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:GradesView2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Filters.tsx Filters.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/ShowReviews.tsx ShowReviews.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The requirement in the statistic section of the grade page was to make changes to show dropdown selection menu for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; and further add filtering based on the rounds (Round 1 or Round 2 or All) for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
To carry out the changes on first selection menu, we had toggle reviews and toggle feedback event listeners defined in statistics based on which we displayed the data using ShowReviews react componenet. These event listeners were passed to Filters component and which had drop down UI component for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;. Based on the option selected either toggleShowReviews or toggleAuthorFeedback were invoked.&lt;br /&gt;
&lt;br /&gt;
To do make further changes to display data according to rounds, first in the Statistics component of react application we defined the state &amp;quot;roundSelected&amp;quot; and also defined listener function to update round (selectRound). This event listener function was passed to Filter react component which had the UI element for second drop down for rounds selection. Based on the round selected from the dropdown, we invoked selectRound event listener function. When this event listener function is invoked we update the state variable &amp;quot;roundSelected&amp;quot;. And then this state variable is passed as props to ShowReviews react component which is responsible for iterating over &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; data and added the logic to show data with rounds based on the prop.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Show Reviews&amp;quot; and &amp;quot;Show Author Feedback&amp;quot; link displays all the peer reviews from Round 1 and Round 2 and author's feedback from both rounds in a single view. This forces the users to scroll all the rounds' reviews and feedback sequentially which can be overwhelming when users wish to view feedback from a specific round. Also, users don't have the freedom and control to choose to view all rounds' reviews/feedbacks or specific rounds' reviews/feedbacks. Additionally, a single view adds visual clutter and increases cognitive load. &lt;br /&gt;
&lt;br /&gt;
With the 2 dropdowns users have more control over which reviews they would like to view. The first dropdown lets them choose from viewing reviews or author's feedback for the reviews provided, while the second dropdown allows them to select specific rounds (Round 1, Round 2, or both). This gives users the flexibility to focus on specific rounds as needed. Separating the reviews/author feedback based on a round filter reduces clutter, creating a cleaner, more organized layout. Users can now view reviews and feedback in a more structured way, which simplifies navigation and enhances readability and improves satisfaction.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Replaced the disorganized display of scores for submitted work, author feedback, and teammate reviews with a Structured Scorecard table for clearer presentation. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:OldScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:NewScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The Statistics.tsx file was modified to implement the new tabular format for the grades summary. We removed the earlier code for the UI which showed the scores in a tabular format. However, the existing table was difficult to read without borders around the table. The modified table gets rid of unnecessary statistics like &amp;quot;contributor&amp;quot; and removes the toggles to show reviews and author feedback. This ensures that the section does not repeat links and present information not required&lt;br /&gt;
&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The previous display of scores for submitted work, author feedback, and teammate reviews was fragmented and lacked clarity, making it difficult for users to interpret performance metrics at a glance. By introducing a structured scorecard table, we present all relevant data in a clear, organized format, enabling users to easily compare and understand scores across different rounds. This redesign improves usability by offering a more intuitive layout and better visibility of grading information.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Removed the names of reviewers as they are supposed to remain anonymous. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewerNameChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ReviewerNameChange2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The reason for this change is to shift focus more on quality and content of feedback and reviews rather than identity of reviewers. Anonymity encourages the reviewers to provide constructive criticism as reviewers will review without concern for any issues or repercussions.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Removed information that didn’t add value ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:Contributer RangeRemoved.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Contributor Name: The displayed contributor name only indicated the team member who submitted the work, which could cause confusion, as all team members contribute to the assignment. Additionally, team members' names are already displayed at the top of the page, making this information redundant. Removing it reduces visual clutter, focusing the user's attention on relevant grading information.&lt;br /&gt;
Score Range: The score range provided minimal value in understanding the overall grade, as the average score alone conveys a clearer summary of performance. By removing the range, the layout is simplified, helping users to focus on meaningful metrics without unnecessary data.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Styling of Review Table ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Fixed styling Toggle Question List ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleChange1.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ToggleChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Toggle Question List&amp;quot; styling was refined for better alignment and readability, enhancing the clarity of the page’s interactive elements.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Unified Review Rounds Button and Interface Styling Update ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewTableSeparateView.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:UnifiedReviewTable.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Addition of “All Rounds’’ Button: The new &amp;quot;All Rounds&amp;quot; button allows users to view reviews from multiple rounds in a single table. This eliminates the need to switch between individual rounds, giving users a comprehensive view of the feedback across all rounds at once. &lt;br /&gt;
Color and Style Consistency: The colors and styles of the buttons were updated to match Expertiza’s established color scheme, ensuring a cohesive and professional look across the platform. This consistency aids in navigation, making the interface feel more intuitive and visually appealing. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Expanded Submission Links Display ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleSubmission.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ExpandedSubmissions.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The change enhances usability by directly presenting all relevant submission links to users without requiring additional interaction to show or hide them. This expanded view allows for quicker access to project resources and a more streamlined experience, improving efficiency and clarity in the peer review process on the grades/view_team page.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Testing ==&lt;br /&gt;
We have conducted comprehensive manual testing to verify the functionality, usability, and visual consistency of the reimplemented features.&lt;br /&gt;
&lt;br /&gt;
1. &amp;lt;b&amp;gt;Peer Review and Feedback Filter:&amp;lt;/b&amp;gt; Tested the dropdown options to confirm that users can correctly view specific rounds of peer reviews or author feedback as selected. &lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. &amp;lt;b&amp;gt;Scorecard Table:&amp;lt;/b&amp;gt; Checked that the Scorecard table displays relevant scores in an organized manner and ensured that the scoring data is correctly calculated.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3 &amp;lt;b&amp;gt;Submission Links:&amp;lt;/b&amp;gt; Verified that the submission links were directly displayed, without the need to toggle them. Each link was tested individually to ensure it opens the correct resource without errors.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
4. &amp;lt;b&amp;gt;Styling Consistency:&amp;lt;/b&amp;gt; We compared the new styling of buttons, dropdowns, and tables with the rest of Expertiza's interface to ensure a cohesive look.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
5. &amp;lt;b&amp;gt;Anonymity of Reviewers:&amp;lt;/b&amp;gt; Verified that reviewers’ names were properly hidden, preserving anonymity throughout the review display&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
6. &amp;lt;b&amp;gt;All Rounds Button:&amp;lt;/b&amp;gt; Tested the &amp;quot;All Rounds&amp;quot; button by viewing multiple rounds of reviews in a single table to confirm that users can easily access and interpret cumulative feedback without toggling between views.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Repository Links ==&lt;br /&gt;
[https://github.com/rarchitgupta/reimplementation-front-end FrontEnd]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-back-end Backend]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-front-end/pull/62 Pull Request]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Project Mentor ==&lt;br /&gt;
Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Team Members ==&lt;br /&gt;
Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Ansh Ganatra (aganatr@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157933</id>
		<title>CSC/ECE 517 Fall 2024 - E2469. Reimplement grades/view team</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2024_-_E2469._Reimplement_grades/view_team&amp;diff=157933"/>
		<updated>2024-10-30T00:23:51Z</updated>

		<summary type="html">&lt;p&gt;Agupta85: /* III) [Files Changed for this modification] */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Background ==&lt;br /&gt;
Expertiza is an open-source learning management system developed with Ruby on Rails, facilitating assignment creation, team management, and a structured peer review process. Designed for educational settings, Expertiza offers instructors tools to assign topics, manage teams, and allow students to collaborate on various assignment formats, including URLs and wiki pages. Its peer review functionality encourages students to provide feedback, promoting a collaborative learning experience.&lt;br /&gt;
&lt;br /&gt;
==Problem Statement ==&lt;br /&gt;
This project focuses on reimplementing the grades/view_team page in Expertiza. The current interface lacks modern design aesthetics and usability standards making it challenging for users to access and understand grading data efficiently. Our objective is to develop a fully functional and visually cohesive front end for the Grades View page. By enhancing visual consistency, simplifying information display, improving responsiveness, giving users freedom to select views, and intuitive layout, this redesign aims to provide an improved user experience.&lt;br /&gt;
&lt;br /&gt;
== Reimplementation and Improvements ==&lt;br /&gt;
=== Enhanced Peer Review and Author Feedback Filtering ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ShowReviews Feedback.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:GradesView2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Filters.tsx Filters.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/ShowReviews.tsx ShowReviews.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The requirement in the statistic section of the grade page was to make changes to show dropdown selection menu for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; and further add filtering based on the rounds (Round 1 or Round 2 or All) for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
To carry out the changes on first selection menu, we had toggle reviews and toggle feedback event listeners defined in statistics based on which we displayed the data using ShowReviews react componenet. These event listeners were passed to Filters component and which had drop down UI component for &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot;. Based on the option selected either toggleShowReviews or toggleAuthorFeedback were invoked.&lt;br /&gt;
&lt;br /&gt;
To do make further changes to display data according to rounds, first in the Statistics component of react application we defined the state &amp;quot;roundSelected&amp;quot; and also defined listener function to update round (selectRound). This event listener function was passed to Filter react component which had the UI element for second drop down for rounds selection. Based on the round selected from the dropdown, we invoked selectRound event listener function. When this event listener function is invoked we update the state variable &amp;quot;roundSelected&amp;quot;. And then this state variable is passed as props to ShowReviews react component which is responsible for iterating over &amp;quot;Author Feedback&amp;quot; or &amp;quot;Reviews&amp;quot; data and added the logic to show data with rounds based on the prop.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Show Reviews&amp;quot; and &amp;quot;Show Author Feedback&amp;quot; link displays all the peer reviews from Round 1 and Round 2 and author's feedback from both rounds in a single view. This forces the users to scroll all the rounds' reviews and feedback sequentially which can be overwhelming when users wish to view feedback from a specific round. Also, users don't have the freedom and control to choose to view all rounds' reviews/feedbacks or specific rounds' reviews/feedbacks. Additionally, a single view adds visual clutter and increases cognitive load. &lt;br /&gt;
&lt;br /&gt;
With the 2 dropdowns users have more control over which reviews they would like to view. The first dropdown lets them choose from viewing reviews or author's feedback for the reviews provided, while the second dropdown allows them to select specific rounds (Round 1, Round 2, or both). This gives users the flexibility to focus on specific rounds as needed. Separating the reviews/author feedback based on a round filter reduces clutter, creating a cleaner, more organized layout. Users can now view reviews and feedback in a more structured way, which simplifies navigation and enhances readability and improves satisfaction.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Replaced the disorganized display of scores for submitted work, author feedback, and teammate reviews with a Structured Scorecard table for clearer presentation. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:OldScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:NewScorecard.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) Files Changed for this Modification ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
1. [https://github.com/rarchitgupta/reimplementation-front-end/blob/feature/review-table-improvements/src/pages/ViewTeamGrades/Statistics.tsx Statistics.tsx]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The Statistics.tsx file was modified to implement the new tabular format for the grades summary. We removed the earlier code for the UI which showed the scores in a tabular format. However, the existing table was difficult to read without borders around the table. The modified table gets rid of unnecessary statistics like &amp;quot;contributor&amp;quot; and removes the toggles to show reviews and author feedback. This ensures that the section does not repeat links and present information not required&lt;br /&gt;
&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The previous display of scores for submitted work, author feedback, and teammate reviews was fragmented and lacked clarity, making it difficult for users to interpret performance metrics at a glance. By introducing a structured scorecard table, we present all relevant data in a clear, organized format, enabling users to easily compare and understand scores across different rounds. This redesign improves usability by offering a more intuitive layout and better visibility of grading information.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Removed the names of reviewers as they are supposed to remain anonymous. ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewerNameChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ReviewerNameChange2.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The reason for this change is to shift focus more on quality and content of feedback and reviews rather than identity of reviewers. Anonymity encourages the reviewers to provide constructive criticism as reviewers will review without concern for any issues or repercussions.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Removed information that didn’t add value ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:Contributer RangeRemoved.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Contributor Name: The displayed contributor name only indicated the team member who submitted the work, which could cause confusion, as all team members contribute to the assignment. Additionally, team members' names are already displayed at the top of the page, making this information redundant. Removing it reduces visual clutter, focusing the user's attention on relevant grading information.&lt;br /&gt;
Score Range: The score range provided minimal value in understanding the overall grade, as the average score alone conveys a clearer summary of performance. By removing the range, the layout is simplified, helping users to focus on meaningful metrics without unnecessary data.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Styling of Review Table ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[Image to be Added]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Fixed styling Toggle Question List ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleChange1.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ToggleChange.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The &amp;quot;Toggle Question List&amp;quot; styling was refined for better alignment and readability, enhancing the clarity of the page’s interactive elements.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Unified Review Rounds Button and Interface Styling Update ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ReviewTableSeparateView.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:UnifiedReviewTable.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Addition of “All Rounds’’ Button: The new &amp;quot;All Rounds&amp;quot; button allows users to view reviews from multiple rounds in a single table. This eliminates the need to switch between individual rounds, giving users a comprehensive view of the feedback across all rounds at once. &lt;br /&gt;
Color and Style Consistency: The colors and styles of the buttons were updated to match Expertiza’s established color scheme, ensuring a cohesive and professional look across the platform. This consistency aids in navigation, making the interface feel more intuitive and visually appealing. &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
=== Expanded Submission Links Display ===&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== I) Existing Design ====&lt;br /&gt;
[[File:ToggleSubmission.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== II) Modified Design ====&lt;br /&gt;
[[File:ExpandedSubmissions.png|500px|center]]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== III) [Design pattern/solid/dry][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== IV) [Code Snippet][TODO] ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
==== V) Rationale ====&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
The change enhances usability by directly presenting all relevant submission links to users without requiring additional interaction to show or hide them. This expanded view allows for quicker access to project resources and a more streamlined experience, improving efficiency and clarity in the peer review process on the grades/view_team page.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Testing ==&lt;br /&gt;
We have conducted comprehensive manual testing to verify the functionality, usability, and visual consistency of the reimplemented features.&lt;br /&gt;
&lt;br /&gt;
1. &amp;lt;b&amp;gt;Peer Review and Feedback Filter:&amp;lt;/b&amp;gt; Tested the dropdown options to confirm that users can correctly view specific rounds of peer reviews or author feedback as selected. &lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
2. &amp;lt;b&amp;gt;Scorecard Table:&amp;lt;/b&amp;gt; Checked that the Scorecard table displays relevant scores in an organized manner and ensured that the scoring data is correctly calculated.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
3 &amp;lt;b&amp;gt;Submission Links:&amp;lt;/b&amp;gt; Verified that the submission links were directly displayed, without the need to toggle them. Each link was tested individually to ensure it opens the correct resource without errors.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
4. &amp;lt;b&amp;gt;Styling Consistency:&amp;lt;/b&amp;gt; We compared the new styling of buttons, dropdowns, and tables with the rest of Expertiza's interface to ensure a cohesive look.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
5. &amp;lt;b&amp;gt;Anonymity of Reviewers:&amp;lt;/b&amp;gt; Verified that reviewers’ names were properly hidden, preserving anonymity throughout the review display&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
6. &amp;lt;b&amp;gt;All Rounds Button:&amp;lt;/b&amp;gt; Tested the &amp;quot;All Rounds&amp;quot; button by viewing multiple rounds of reviews in a single table to confirm that users can easily access and interpret cumulative feedback without toggling between views.&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Repository Links ==&lt;br /&gt;
[https://github.com/rarchitgupta/reimplementation-front-end FrontEnd]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-back-end Backend]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/expertiza/reimplementation-front-end/pull/62 Pull Request]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Project Mentor ==&lt;br /&gt;
Kashika Mallick  (kmallick@ncsu.edu)&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
== Team Members ==&lt;br /&gt;
Shafa Hassan (shassa22@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Archit Gupta (agupta85@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
Ansh Ganatra (aganatr@ncsu.edu)&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;/div&gt;</summary>
		<author><name>Agupta85</name></author>
	</entry>
</feed>