Skip to content

lagalaga #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Tyreviel wants to merge 3 commits into from
Closed

lagalaga #14

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
db2731e
add deadline
github-classroom[bot] Dec 10, 2025
85e4ec8
restart test
Tyreviel Dec 12, 2025
96f413b
testerna gröna
Tyreviel Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
[![Review Assignment Due Date](https://classroom.github.com/assets/deadline-readme-button-22041afd0340ce965d47ae6ef1cefeee28c7c493a6346c4f15d667ab976d596c.svg)](https://classroom.github.com/a/339Lr3BJ)
### How the tests work (and Docker requirement)

This project ships with an end‑to‑end CLI integration test suite that uses Testcontainers to spin up a temporary MySQL database.
Expand Down
5 changes: 5 additions & 0 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,11 @@
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-nop</artifactId>
<version>2.0.17</version>
</dependency>
Comment on lines +31 to +35
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

SLF4J 2.x recommended bindings backends Maven projects best practices

💡 Result:

Summary best practices for SLF4J 2.x bindings in Maven projects

  1. Libraries vs applications
  • Libraries should depend only on org.slf4j:slf4j-api (no binding). This leaves the choice of backend to the application. [1]
  1. Provide exactly one binding at runtime
  • An application must include a single SLF4J provider (binding) on the runtime classpath (Logback, Log4j‑2 SLF4J impl, slf4j-simple, slf4j-jdk10/jdk18, etc.). Multiple bindings produce SLF4J warnings and unpredictable selection; none yields no-op logging. [1][3]
  1. Typical recommended backends
  • Logback (ch.qos.logback:logback-classic 1.3.x) — common default, mature and SLF4J-native.
  • Log4j 2 (use log4j-slf4j2-impl for SLF4J 2.x) — good alternative with advanced features; take care to use the SLF4J2-compatible impl artifact. [1][2]
  1. Maven dependency patterns
  • In libraries: declare only slf4j-api (compile or provided). Example:
    org.slf4j:slf4j-api:2.x. [1]
  • In applications: add the chosen binding as a runtime (or implementation) dependency so it is not forced on downstream libs:
    ...logback-classicruntime. [1][4]
  1. Avoid bridging loops and conflicts
  • Don’t combine bridging adapters that create cycles (e.g., log4j-to-slf4j with log4j-slf4j2-impl). Remove or exclude the original API implementation when using an adapter. [2][4]
  1. Use exclusions and dependencyManagement to control transitive bindings
  • Exclude transitive bindings pulled by third-party libraries and centralize the chosen binding in your top-level pom (dependencyManagement) to ensure a single binding. [3]
  1. Version alignment
  • Keep the slf4j-api and binding versions compatible (use same SLF4J 2.x line). If you explicitly declare slf4j-api in your BOM or parent POM you avoid accidental mixes. [1]
  1. For container / frameworks (Spring Boot, app servers)
  • Prefer the framework’s recommended starter (Spring Boot: starter-logging or starter-log4j2) or explicitly override to your chosen backend; follow the framework docs to avoid duplicate bindings. [4]

References

  • SLF4J user manual (binding rules, api vs provider). [1]
  • Apache Log4j SLF4J binding notes (use log4j-slf4j2-impl for SLF4J 2.x; avoid loops). [2]
  • Classpath multiple SLF4J bindings and exclusions guidance. [3]
  • Practical setup (Logback/Log4j2 with SLF4J and Maven examples). [4]

If you want, I can produce example Maven snippets (library POM + application POM) for Logback and Log4j2.

🏁 Script executed:

cd / && find . -name "pom.xml" -type f 2>/dev/null | head -5

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 126

🏁 Script executed:

cat pom.xml | head -50

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 2049

Remove slf4j-nop or scope it to test only; libraries should depend only on slf4j-api.

slf4j-nop silently discards all SLF4J logs, hiding problems in production. Since this appears to be a library project, it should declare only org.slf4j:slf4j-api (without binding). Applications that depend on this library will then provide their own SLF4J backend (e.g., Logback, Log4j2) with <scope>runtime</scope>.

If logging is needed for tests, scope slf4j-nop to test. For production logging, allow the consuming application to inject a real backend.

🤖 Prompt for AI Agents 
In pom.xml around lines 31 to 35: the project currently declares the SLF4J no-op
binding (org.slf4j:slf4j-nop) which will silently drop all logs; as this is a
library, remove the slf4j-nop dependency (or change it to scope test only) and
ensure the POM declares only org.slf4j:slf4j-api for compile/runtime; if tests
need a no-op backend, add org.slf4j:slf4j-nop with <scope>test</scope>,
otherwise rely on consuming applications to provide a runtime SLF4J binding
(e.g., Logback/Log4j2).

<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
Expand Down
10 changes: 10 additions & 0 deletions src/main/java/com/example/Account.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
package com.example;

public record Account(
int userId,
String name,
String password,
String firstName,
String lastName,
String ssn
) {}
Comment on lines +3 to +10
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: don’t model/store password (plaintext) and ssn in a general-purpose domain object.
This encourages unsafe persistence/logging and (per snippets) appears to be used with plaintext auth. At minimum: store passwordHash (not password) and keep ssn in a separate, tightly controlled type/flow (or remove entirely if not required).

9 changes: 9 additions & 0 deletions src/main/java/com/example/AccountRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
package com.example;
import java.util.Optional;

public interface AccountRepository {
Optional<Account> findByNameAndPassword(String name, String password);
Account create(Account account);
boolean updatePassword(int userId, String newPassword);
boolean delete(int userId);
}
Comment on lines +1 to +9
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: findByNameAndPassword(...) bakes plaintext password handling into the API.
Prefer findByName(String name) + password verification against a stored hash (or authenticate(name, password) that verifies hash internally, but never queries by plaintext). Same for updatePassword: accept plaintext only if it’s hashed inside the repository/service.

🤖 Prompt for AI Agents 
In src/main/java/com/example/AccountRepository.java lines 1-9: remove the
plaintext-query API findByNameAndPassword(String name, String password) and
replace it with a safe alternative — either add Optional<Account>
findByName(String name) so callers load the account and verify the supplied
password against the stored hash in the service layer, or provide boolean
authenticate(String name, String password) that performs hash verification
inside the repository (never expose or query by plaintext). Also change
updatePassword(int userId, String newPassword) to make the contract explicit:
either accept only a pre-hashed password (rename parameter to hashedPassword) or
keep accepting raw newPassword but perform hashing inside the repository before
persisting; update Javadoc/comments accordingly and adjust callers to match the
chosen contract.

90 changes: 90 additions & 0 deletions src/main/java/com/example/AccountRepositoryJdbc.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
package com.example;


import com.example.SimpleDriverManagerDataSource;

import java.sql.*;
import java.util.Optional;

public class AccountRepositoryJdbc implements AccountRepository {
private final SimpleDriverManagerDataSource ds;

public AccountRepositoryJdbc(SimpleDriverManagerDataSource ds) {
this.ds = ds;
}

@Override
public Optional<Account> findByNameAndPassword(String name, String password) {
String sql = "SELECT * FROM account WHERE name = ? AND password = ?";
try (Connection conn = ds.getConnection();
PreparedStatement ps = conn.prepareStatement(sql)) {
ps.setString(1, name);
ps.setString(2, password);
try (ResultSet rs = ps.executeQuery()) {
if (rs.next()) {
return Optional.of(new Account(
rs.getInt("user_id"),
rs.getString("name"),
rs.getString("password"),
rs.getString("first_name"),
rs.getString("last_name"),
rs.getString("ssn")
));
}
}
} catch (SQLException e) {
e.printStackTrace();
}
return Optional.empty();
}
Comment on lines +17 to +39
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, find and examine the full AccountRepositoryJdbc class
find . -name "AccountRepositoryJdbc.java" -type f

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 153

🏁 Script executed:

# Search for any bcrypt, argon2, or password hashing libraries in the project
rg -i "bcrypt|argon2|scrypt|password.*hash|messageDigest" --type java

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 81

🏁 Script executed:

# Check for imports related to password hashing
rg "import.*security|import.*crypto" --type java

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 81

🏁 Script executed:

# Look for any test files that might show password handling
fd -e java -path "*/test/*" | head -20

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 267

🌐 Web query:

Java bcrypt argon2 password hashing libraries best practices JDBC 2025

💡 Result:

Short answer — recommended libraries and best practices (2025):

Recommended Java libraries

  • Password4j (Argon2, bcrypt, scrypt, PBKDF2; pure‑Java, easy tuning + migration helpers). [1][2]
  • de.mkammerer:argon2‑jvm (native/JNA binding to reference Argon2 impl) for high performance/native impls. [3]
  • Spring Security encoders: BCryptPasswordEncoder and Argon2PasswordEncoder (Argon2 requires BouncyCastle / Password4j integration options). Use Spring’s Argon2Password4jPasswordEncoder if you rely on Password4j. [4][6]
  • jBCrypt or Spring’s BCryptPasswordEncoder for bcrypt when you need wide compatibility. (Use maintained packages or Spring’s implementation.) [4]

Sources: [1][3][4][6]

Core best practices

  • Prefer Argon2id for new apps; use bcrypt only if Argon2/scrypt not feasible. Tune to a ~0.5–1s verification time on your production hardware. (Argon2 is memory‑hard and resists GPU/ASIC attacks; bcrypt is adaptive but has a 72‑byte limit caveat.) [2][4]
  • Benchmark and pick parameters per environment (memory, iterations/time, parallelism for Argon2; cost/work factor for bcrypt). Use library helpers (Password4j SystemChecker, Argon2Helper) to find optimal params. [1][3]
  • Store the full encoded hash string (it contains salt and parameters). Use VARCHAR(255) (or larger) and avoid truncation. Include algorithm tag/version so you can detect weak/legacy hashes. [2][4]
  • Support automated rehashing: detect old/weak parameters (e.g., PasswordEncoder.upgradeEncoding) and rehash on next successful login. [4]
  • Use a safe max password length and handle long inputs thoughtfully (pre‑hash if needed) to avoid DoS; wipe sensitive char[] after use. Beware bcrypt’s historical 72‑byte behavior and recent fixes/patches. [3][5]
  • Use prepared statements/parameterized queries for JDBC; never concatenate passwords into SQL. Store only the hash; never logs or return raw passwords. Use least privilege DB user. (JDBC + crypto separation.) [no specific link — standard practice]
  • Consider adding a server-side pepper (secret stored outside DB, e.g., KMS or config vault) only if you can protect/manage it; pepper increases breach resistance but complicates rotation. Libraries like Password4j support pepper. [1]
  • Compare hashes in constant time (use library verify methods). Protect hash verification endpoints from timing/side channel leaks. [2][4]
  • Rotate/upgrade algorithms and parameters regularly and have migration plan for legacy hashes (PBKDF2/SHA1/MD5 -> Argon2/bcrypt). [1][2][3]

Security caveats & recent notes (2025)

  • Keep libraries up to date and watch advisories. Example: Spring Security reported a bcrypt handling CVE (max‑length issue fixed in specific versions) — upgrade affected versions promptly. Always verify library versions in your dependency BOM. [5]

Quick implementation tips (JDBC + Spring)

  • Use Spring Security PasswordEncoder (Argon2PasswordEncoder or BCryptPasswordEncoder) or Password4j wrappers for encoding/verification. Store encoder id + full hash (like $argon2id$…, $2b$…) in a single DB column. On login: fetch hash by username, call encoder.matches(raw, hash); if upgradeEncoding(hash) then rehash and update DB. Use PreparedStatement for updates. [4][6][1]

References

  1. Password4j project/docs — password4j (Argon2,bcrypt,scrypt,pepper,benchmark tools). [Password4j documentation & GitHub]. [1][2]
  2. OWASP Password Storage Cheat Sheet (recommendations on algorithm choice, PBKDF2 guidance, iteration targets). [3]
  3. argon2-jvm (de.mkammerer) — JVM binding and Argon2Helper for parameter tuning. [3]
  4. Spring Security Password Storage docs & Argon2PasswordEncoder/BCryptPasswordEncoder (encoding, upgradeEncoding, defaults). [4][6]
  5. Spring Security advisory CVE-2025-22228 (bcrypt max-length issue) — upgrade guidance. [5]

If you want, I can:

  • suggest exact Argon2/bcrypt parameter ranges for your production hardware (I’ll need CPU/memory/per‑hash latency target and target throughput), or
  • produce a minimal Spring+JDBC code example showing encoding, verify, rehash-on-login, and safe JDBC usage.

🏁 Script executed:

# Read the full AccountRepositoryJdbc class
cat -n ./src/main/java/com/example/AccountRepositoryJdbc.java

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 3975

🏁 Script executed:

# Check if Account class has any password-sensitive methods or constructors
find . -name "Account.java" -type f

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 139

🏁 Script executed:

# Quick check of Account.java to confirm it returns password/ssn
cat ./src/main/java/com/example/Account.java

Repository: ithsjava25/ithsjava25-java-databas-jdbc-javafx-classrom

Length of output: 284

Plaintext password authentication is a critical security flaw affecting all auth methods.
The findByNameAndPassword, create, and updatePassword methods all store and compare passwords in plaintext (line 22: ps.setString(2, password) in the WHERE clause; lines 47, 69). This must be replaced with a cryptographic hash verified in application code, never in SQL. Additionally, findByNameAndPassword (lines 28, 31) returns raw password and SSN to callers—remove these from responses unless absolutely required.

Recommended approach for JDBC:
Use Password4j (pure Java, supports Argon2/bcrypt/scrypt, easiest for plain JDBC) or Spring Security's Argon2PasswordEncoder/BCryptPasswordEncoder if Spring is available. For new projects, prefer Argon2id (memory-hard, resists GPU attacks) over bcrypt. Store the full encoded hash string (e.g., $argon2id$…) in a VARCHAR(255+) column; do not truncate. On login: fetch the hash by username, call encoder.matches(rawPassword, storedHash), and never pass raw passwords to SQL.


@Override
public Account create(Account account) {
String sql = "INSERT INTO account (name, password, first_name, last_name, ssn) VALUES (?, ?, ?, ?, ?)";
try (Connection conn = ds.getConnection();
PreparedStatement ps = conn.prepareStatement(sql, Statement.RETURN_GENERATED_KEYS)) {
ps.setString(1, account.name());
ps.setString(2, account.password());
ps.setString(3, account.firstName());
ps.setString(4, account.lastName());
ps.setString(5, account.ssn());
ps.executeUpdate();
try (ResultSet keys = ps.getGeneratedKeys()) {
if (keys.next()) {
return new Account(keys.getInt(1), account.name(), account.password(),
account.firstName(), account.lastName(), account.ssn());
}
}
} catch (SQLException e) {
e.printStackTrace();
}
return account;
}
Comment on lines +42 to +62
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

create() returning the input account on failure can silently corrupt callers.
If insert fails or no generated key is returned, return account; makes failure look like success. Prefer throwing, or returning Optional<Account> / Either, or at least returning an Account with a clearly invalid userId and documenting it.

🤖 Prompt for AI Agents 
In src/main/java/com/example/AccountRepositoryJdbc.java around lines 42 to 62,
the create() method currently returns the input account on SQL failure or when
no generated key is present, which masks failures; change the method to not
silently succeed — either 1) throw a checked or unchecked persistence exception
when the insert fails or when getGeneratedKeys() returns no key (wrap and
rethrow the caught SQLException with context), or 2) change the return type to
Optional<Account> and return Optional.empty() on failure/no-key; ensure the
original SQLException is not swallowed (propagate or include as cause) and
update callers or signature accordingly.


@Override
public boolean updatePassword(int userId, String newPassword) {
String sql = "UPDATE account SET password = ? WHERE user_id = ?";
try (Connection conn = ds.getConnection();
PreparedStatement ps = conn.prepareStatement(sql)) {
ps.setString(1, newPassword);
ps.setInt(2, userId);
return ps.executeUpdate() > 0;
} catch (SQLException e) {
e.printStackTrace();
}
return false;
}
Comment on lines +65 to +76
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Password update should follow the same hashing approach (and ideally enforce policy).
Once you switch to hashed passwords, updatePassword should store the hash, not the raw password.

🤖 Prompt for AI Agents 
In src/main/java/com/example/AccountRepositoryJdbc.java around lines 65 to 76,
updatePassword currently stores the raw newPassword; change it to compute and
store the password hash using the same hashing utility/mechanism used elsewhere
(e.g., PasswordHasher.hash(newPassword) or BCrypt) and ensure any required
salt/parameters are applied consistently; before hashing, validate newPassword
against the project's password policy (length/complexity) and throw or return an
error if it fails; replace ps.setString(1, newPassword) with ps.setString(1,
passwordHash) and keep the rest of the DB logic and proper exception handling.


@Override
public boolean delete(int userId) {
String sql = "DELETE FROM account WHERE user_id = ?";
try (Connection conn = ds.getConnection();
PreparedStatement ps = conn.prepareStatement(sql)) {
ps.setInt(1, userId);
return ps.executeUpdate() > 0;
} catch (SQLException e) {
e.printStackTrace();
}
return false;
}
}
2 changes: 2 additions & 0 deletions src/main/java/com/example/DevDatabaseInitializer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,11 @@ public static void start() {
.withInitScript("init.sql");
mysql.start();


System.setProperty("APP_JDBC_URL", mysql.getJdbcUrl());
System.setProperty("APP_DB_USER", mysql.getUsername());
System.setProperty("APP_DB_PASS", mysql.getPassword());
System.out.println("Init script loaded, JDBC URL: " + mysql.getJdbcUrl());
Comment on lines +19 to +23
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Avoid printing connection details to stdout (even in dev) unless you’re sure logs won’t be shared.
JDBC URLs can leak host/port and sometimes params; prefer an actual logger + debug level, or print a redacted form.

🤖 Prompt for AI Agents 
In src/main/java/com/example/DevDatabaseInitializer.java around lines 19 to 23,
avoid printing the full JDBC URL to stdout; replace the System.out.println call
with a proper logger (e.g., use an SLF4J Logger from LoggerFactory) and log at
debug level, and if you must include the URL log a redacted form that masks
host/port/credentials (or omit query params entirely). Ensure the logger is used
consistently and that debug-level logging is acceptable in your dev profile.

}
}
}
131 changes: 102 additions & 29 deletions src/main/java/com/example/Main.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,57 +1,130 @@
package com.example;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import com.example.Account;
import com.example.AccountRepository;
import com.example.AccountRepositoryJdbc;
import com.example.MoonMissionRepository;
import com.example.MoonMissionRepositoryJdbc;

import java.util.Arrays;
import java.util.Scanner;

public class Main {

static void main(String[] args) {
public static void main(String[] args) {
if (isDevMode(args)) {
DevDatabaseInitializer.start();
}
new Main().run();
}

public void run() {
// Resolve DB settings with precedence: System properties -> Environment variables
String jdbcUrl = resolveConfig("APP_JDBC_URL", "APP_JDBC_URL");
String dbUser = resolveConfig("APP_DB_USER", "APP_DB_USER");
String dbPass = resolveConfig("APP_DB_PASS", "APP_DB_PASS");

if (jdbcUrl == null || dbUser == null || dbPass == null) {
throw new IllegalStateException(
"Missing DB configuration. Provide APP_JDBC_URL, APP_DB_USER, APP_DB_PASS " +
"as system properties (-Dkey=value) or environment variables.");
throw new IllegalStateException("Missing DB configuration...");
}

try (Connection connection = DriverManager.getConnection(jdbcUrl, dbUser, dbPass)) {
} catch (SQLException e) {
throw new RuntimeException(e);
SimpleDriverManagerDataSource ds = new SimpleDriverManagerDataSource(jdbcUrl, dbUser, dbPass);
AccountRepository accountRepo = new AccountRepositoryJdbc(ds);
MoonMissionRepository missionRepo = new MoonMissionRepositoryJdbc(ds);

Scanner sc = new Scanner(System.in);

System.out.println("Username:");
String username = sc.nextLine();
System.out.println("Password:");
String password = sc.nextLine();

if (accountRepo.findByNameAndPassword(username, password).isPresent()) {
System.out.println("username accepted");
menuLoop(accountRepo, missionRepo, sc);
} else {
System.out.println("Invalid username or password");
System.out.println("0) Exit");
String opt = sc.nextLine();
if ("0".equals(opt)) {
return;
}
}
}
Comment on lines 25 to +51
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Major: login flow implies plaintext passwords and has a “dead-end” invalid-login UX.
Even for demos, avoid findByNameAndPassword(username, password) (see AccountRepository comment). Also consider looping on invalid login instead of prompting only for “0) Exit”.

🤖 Prompt for AI Agents 
In src/main/java/com/example/Main.java around lines 25 to 51, the current login
flow calls findByNameAndPassword(username, password) (implying plaintext
password comparison) and gives users a single “Invalid… 0) Exit” dead-end;
change the flow to first lookup the account by username (use
AccountRepository.findByName or equivalent), then verify the provided password
against the account’s stored password hash using the repository’s or a secure
password-verification method (bcrypt/Argon2) rather than direct comparison,
avoid logging or storing the raw password, and replace the single-failure path
with a retry loop (or limited-attempt loop) that re-prompts for credentials
(ideally masking input) and only exits after user choice or max attempts.


private void menuLoop(AccountRepository accountRepo, MoonMissionRepository missionRepo, Scanner sc) {
boolean running = true;
while (running) {
System.out.println("Menu:");
System.out.println("1) List moon missions");
System.out.println("2) Get mission by id");
System.out.println("3) Count missions by year");
System.out.println("4) Create account");
System.out.println("5) Update account password");
System.out.println("6) Delete account");
System.out.println("0) Exit");

String choice = sc.nextLine();
switch (choice) {
case "1":
missionRepo.findAll().forEach(m -> System.out.println(m.spacecraft()));
break;
case "2":
System.out.println("mission_id:");
int id = Integer.parseInt(sc.nextLine());
missionRepo.findById(id).ifPresentOrElse(
m -> System.out.println("Mission " + m.missionId() + ": " + m.spacecraft()),
() -> System.out.println("No mission found")
);
break;
case "3":
System.out.println("year:");
int year = Integer.parseInt(sc.nextLine());
int count = missionRepo.countByYear(year);
System.out.println(count + " missions in " + year);
break;
case "4":
System.out.println("first name:");
String fn = sc.nextLine();
System.out.println("last name:");
String ln = sc.nextLine();
System.out.println("ssn:");
String ssn = sc.nextLine();
System.out.println("password:");
String pw = sc.nextLine();
String name = fn.substring(0,3) + ln.substring(0,3);
accountRepo.create(new Account(0, name, pw, fn, ln, ssn));
System.out.println("account created");
break;
case "5":
System.out.println("user_id:");
int uid = Integer.parseInt(sc.nextLine());
System.out.println("new password:");
String newPw = sc.nextLine();
if (accountRepo.updatePassword(uid, newPw)) {
System.out.println("updated");
}
break;
case "6":
System.out.println("user_id:");
int delId = Integer.parseInt(sc.nextLine());
if (accountRepo.delete(delId)) {
System.out.println("deleted");
}
break;
case "0":
running = false;
break;
default:
System.out.println("Invalid option");
}
Comment on lines +53 to +118
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Major: menu can crash on bad input (Integer.parseInt) and short names (substring(0,3)).
Add input validation + safe username generation, and handle false returns (update/delete) with feedback.

@@
-                case "2":
+                case "2":
                     System.out.println("mission_id:");
-                    int id = Integer.parseInt(sc.nextLine());
+                    Integer id = tryParseInt(sc.nextLine());
+                    if (id == null) { System.out.println("Invalid number"); break; }
                     missionRepo.findById(id).ifPresentOrElse(
@@
-                case "3":
+                case "3":
                     System.out.println("year:");
-                    int year = Integer.parseInt(sc.nextLine());
+                    Integer year = tryParseInt(sc.nextLine());
+                    if (year == null) { System.out.println("Invalid year"); break; }
                     int count = missionRepo.countByYear(year);
@@
                 case "4":
@@
-                    String name = fn.substring(0,3) + ln.substring(0,3);
+                    String name = safePrefix(fn, 3) + safePrefix(ln, 3);
                     accountRepo.create(new Account(0, name, pw, fn, ln, ssn));
                     System.out.println("account created");
                     break;
                 case "5":
                     System.out.println("user_id:");
-                    int uid = Integer.parseInt(sc.nextLine());
+                    Integer uid = tryParseInt(sc.nextLine());
+                    if (uid == null) { System.out.println("Invalid user_id"); break; }
                     System.out.println("new password:");
                     String newPw = sc.nextLine();
-                    if (accountRepo.updatePassword(uid, newPw)) {
-                        System.out.println("updated");
-                    }
+                    System.out.println(accountRepo.updatePassword(uid, newPw) ? "updated" : "not found");
                     break;
                 case "6":
                     System.out.println("user_id:");
-                    int delId = Integer.parseInt(sc.nextLine());
-                    if (accountRepo.delete(delId)) {
-                        System.out.println("deleted");
-                    }
+                    Integer delId = tryParseInt(sc.nextLine());
+                    if (delId == null) { System.out.println("Invalid user_id"); break; }
+                    System.out.println(accountRepo.delete(delId) ? "deleted" : "not found");
                     break;
@@
     }
+
+    private static Integer tryParseInt(String s) {
+        try { return Integer.parseInt(s.trim()); }
+        catch (Exception e) { return null; }
+    }
+
+    private static String safePrefix(String s, int n) {
+        if (s == null) return "";
+        String t = s.trim();
+        return t.length() <= n ? t : t.substring(0, n);
+    }
🤖 Prompt for AI Agents 
In src/main/java/com/example/Main.java around lines 53 to 118, the menu code
currently calls Integer.parseInt without guarding against invalid numeric input,
uses substring(0,3) which will throw for short names, and silently ignores false
returns from update/delete; fix by validating and parsing integers with
try/catch or a helper that reprompts (or treats invalid input as invalid option)
to avoid NumberFormatException, check string lengths before calling substring
and build a safe username (e.g. use the full first/last name if shorter than 3,
or pad/truncate using Math.min(name.length(),3)), and after
updatePassword/delete calls print explicit success or failure messages when the
repository returns false so the user gets feedback.

}
//Todo: Starting point for your code
}

/**
* Determines if the application is running in development mode based on system properties,
* environment variables, or command-line arguments.
*
* @param args an array of command-line arguments
* @return {@code true} if the application is in development mode; {@code false} otherwise
*/
private static boolean isDevMode(String[] args) {
if (Boolean.getBoolean("devMode")) //Add VM option -DdevMode=true
return true;
if ("true".equalsIgnoreCase(System.getenv("DEV_MODE"))) //Environment variable DEV_MODE=true
return true;
return Arrays.asList(args).contains("--dev"); //Argument --dev
if (Boolean.getBoolean("devMode")) return true;
if ("true".equalsIgnoreCase(System.getenv("DEV_MODE"))) return true;
return Arrays.asList(args).contains("--dev");
}

/**
* Reads configuration with precedence: Java system property first, then environment variable.
* Returns trimmed value or null if neither source provides a non-empty value.
*/
private static String resolveConfig(String propertyKey, String envKey) {
String v = System.getProperty(propertyKey);
if (v == null || v.trim().isEmpty()) {
Expand Down
14 changes: 14 additions & 0 deletions src/main/java/com/example/MoonMission.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
package com.example;

import java.time.LocalDate;

public record MoonMission(
int missionId,
String spacecraft,
LocalDate launchDate,
String carrierRocket,
String operator,
String missionType,
String outcome
) {}

11 changes: 11 additions & 0 deletions src/main/java/com/example/MoonMissionRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
package com.example;

import com.example.MoonMission;
import java.util.List;
import java.util.Optional;

public interface MoonMissionRepository {
List<MoonMission> findAll();
Optional<MoonMission> findById(int missionId);
int countByYear(int year);
}
Loading
Loading