The repository of the reviewed project is publicly available at ‣ (https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC)

Latest commit at the time of the review: ‣ (bbd5093)

Code review

This project is in a very good shape with regards to code quality and readability, abstractions are used and well-placed, used sparingly, but do a good job on detaching card communication details from its usage.

In the MobileAuthApp, package [com.tarkvaraprojekt.mobileauthapp.network](<http://com.tarkvaraprojekt.mobileauthapp.network>) is completely unused and seems to be a remnant.

There seem to be remnants of testing code left around with a marker "TODO: DELETE" in the WebEidAuthentication.kt file.

Installation tests

Installation process is well-documented and instructed, as much as it can be for a system architecture of this size (Spring Boot backend and Android app). Some (frankly inescapable) friction remains with setting up a TLS-secured server using globally trusted certificates, for which the project's README suggests to use 'ngrok', which solves this issue, by tunneling public secure access through the service. Only step further would to have an always-updated public instance, so working on the Android apps would not even need a running server instance on the developer's machine and could instead just point the app at the running service. But this does demand some available server-space and a public domain, so while it would be a great addition to the developer experience, it cannot be expected from the developers.

Acceptance test

Direct link to the project's use cases:

https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC/wiki/User-stories

It should be noted, that this system does not have any automated testing present, and this is understandable and natural due-to the nature of the system — the sole purpose of this system is to interface with a physical object over NFC, which simply cannot be simulated trivially on CI. Setting up automated tests for this process would depend on obtaining a testing card from SKID Solutions (https://www.skidsolutions.eu/en/services/testcard/), and setting up a physical device to be constantly ready to use this card as a part of the e2e testing process.

To compensate for the missing automated tests, the manual testing plan is thorough and well-documented (though marked as work-in-progress at the time of review), available at https://github.com/TanelOrumaa/Estonian-ID-card-mobile-authenticator-POC/wiki/Use-Case-Tests

Issues found

All failures in User Stories will not be listed, as they are already covered by use case failures.

• UC3: Enter PIN2 of the ID card
  • this view is missing, and the demo backend claims the signing mechanisms are a work in progress
• UC6: Use biometric authentication to enter PIN1 during the authentication process
  • this use case is missing wholesale, instead the PIN1 is provided automatically without additional consent, if it is saved
• UC7: Application automatically closes itself at the end of the authentication process
  • application at review did not close automatically, while this is defined under extensions, this violates the spirit of the use case
• UC8: Use the authentication application to log into a website
  • in main success scenario step 4, the application will not ask for PIN1 if it is already saved,
  • in main success scenario step 4, the intended referred use case is UC2, instead of UC3
  • extension 2 does not exist on the demo backend
  • extension 6, 7, directing the user back does not work
• UC9: Use the authentication application to give a signature on a website
  • This cannot be tested, as at review, a website supporting signing process has not been given/implemented