pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(sprint-6): Phase 2 — DSGVO consent management
Deploy to Production / test (push) Has been cancelled
Details
Deploy to Production / deploy (push) Has been cancelled
Details

Browse Source 
- V6 migration: consents table with audit columns
- Consent entity, repository, service (grant/revoke/check)
- ConsentController: GET/POST/DELETE consent endpoints
- DSGVO export (Art. 15): full personal data JSON download
- DSGVO deletion (Art. 17): anonymization + account deactivation
- Frontend: consent banner (modal, cannot dismiss), privacy settings page
- React Query hooks for consent + DSGVO operations
- Full i18n (de/en) for consent and DSGVO namespaces
This commit is contained in:
Patrick Plate
2026-06-12 22:22:48 +02:00
parent b38902a7ee
commit 3232d2f7fd
17 changed files with 2227 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cannamanage-api/src/main/java/de/cannamanage/api/controller/ConsentController.java
+100
View File
@@ -0,0 +1,100 @@
package de.cannamanage.api.controller;
import de.cannamanage.domain.entity.Consent;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.entity.User;
import de.cannamanage.domain.enums.ConsentType;
import de.cannamanage.service.ConsentService;
import de.cannamanage.service.repository.UserRepository;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.servlet.http.HttpServletRequest;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import static org.springframework.http.HttpStatus.NOT_FOUND;
@RestController
@RequestMapping("/api/v1/consent")
@RequiredArgsConstructor
@Tag(name = "Consent", description = "DSGVO consent management")
public class ConsentController {
private final ConsentService consentService;
private final UserRepository userRepository;
@GetMapping
@Operation(summary = "Get current user's consents")
public ResponseEntity<List<ConsentResponse>> getConsents(Authentication auth) {
UUID userId = resolveUserId(auth);
List<ConsentResponse> consents = consentService.getUserConsents(userId).stream()
.map(this::toResponse)
.toList();
return ResponseEntity.ok(consents);
}
@PostMapping
@Operation(summary = "Grant consent")
public ResponseEntity<ConsentResponse> grantConsent(
@RequestBody GrantConsentRequest request,
Authentication auth,
HttpServletRequest httpRequest) {
UUID userId = resolveUserId(auth);
String ipAddress = httpRequest.getRemoteAddr();
String userAgent = httpRequest.getHeader("User-Agent");
Consent consent = consentService.grantConsent(
userId,
request.type(),
request.version() != null ? request.version() : 1,
ipAddress,
userAgent
);
return ResponseEntity.ok(toResponse(consent));
}
@DeleteMapping("/{type}")
@Operation(summary = "Revoke consent")
public ResponseEntity<Void> revokeConsent(@PathVariable String type, Authentication auth) {
UUID userId = resolveUserId(auth);
ConsentType consentType = ConsentType.valueOf(type);
consentService.revokeConsent(userId, consentType);
return ResponseEntity.noContent().build();
}
@GetMapping("/check")
@Operation(summary = "Check if user has required DATA_PROCESSING consent")
public ResponseEntity<Map<String, Boolean>> checkConsent(Authentication auth) {
UUID userId = resolveUserId(auth);
boolean hasConsent = consentService.hasRequiredConsents(userId);
return ResponseEntity.ok(Map.of("hasDataProcessingConsent", hasConsent));
}
private UUID resolveUserId(Authentication auth) {
String email = auth.getName();
return userRepository.findByEmailAndTenantId(email, TenantContext.getCurrentTenant())
.map(User::getId)
.orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "User not found"));
}
private ConsentResponse toResponse(Consent consent) {
return new ConsentResponse(
consent.getId(),
consent.getConsentType().name(),
consent.isGranted(),
consent.getGrantedAt() != null ? consent.getGrantedAt().toString() : null,
consent.getRevokedAt() != null ? consent.getRevokedAt().toString() : null,
consent.getVersion()
);
}
public record GrantConsentRequest(ConsentType type, Integer version) {}
public record ConsentResponse(UUID id, String type, boolean granted, String grantedAt, String revokedAt, int version) {}
}
cannamanage-api/src/main/java/de/cannamanage/api/controller/DsgvoController.java
+62
View File
@@ -0,0 +1,62 @@
package de.cannamanage.api.controller;
import de.cannamanage.domain.entity.TenantContext;
import de.cannamanage.domain.entity.User;
import de.cannamanage.service.DsgvoService;
import de.cannamanage.service.repository.UserRepository;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
import java.util.Map;
import java.util.UUID;
import static org.springframework.http.HttpStatus.NOT_FOUND;
@RestController
@RequestMapping("/api/v1/dsgvo")
@RequiredArgsConstructor
@Tag(name = "DSGVO", description = "Data export and deletion (GDPR Art. 15 & 17)")
public class DsgvoController {
private final DsgvoService dsgvoService;
private final UserRepository userRepository;
/**
* Art. 15 DSGVO — Export all personal data as JSON.
*/
@GetMapping("/export")
@Operation(summary = "Export all personal data (Art. 15 DSGVO)")
public ResponseEntity<Map<String, Object>> exportData(Authentication auth) {
UUID userId = resolveUserId(auth);
UUID tenantId = TenantContext.getCurrentTenant();
Map<String, Object> data = dsgvoService.exportUserData(userId, tenantId);
return ResponseEntity.ok(data);
}
/**
* Art. 17 DSGVO — Right to erasure.
* Anonymizes personal data, deactivates account.
*/
@DeleteMapping("/delete")
@Operation(summary = "Delete account and anonymize data (Art. 17 DSGVO)")
public ResponseEntity<Map<String, String>> deleteAccount(Authentication auth) {
UUID userId = resolveUserId(auth);
dsgvoService.deleteUserData(userId);
return ResponseEntity.ok(Map.of(
"status", "deleted",
"message", "Dein Konto wurde gelöscht und deine Daten anonymisiert."
));
}
private UUID resolveUserId(Authentication auth) {
String email = auth.getName();
return userRepository.findByEmailAndTenantId(email, TenantContext.getCurrentTenant())
.map(User::getId)
.orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "User not found"));
}
}
cannamanage-api/src/main/resources/db/migration/V6__consent_management.sql
+21
View File
@@ -0,0 +1,21 @@
-- V6: DSGVO Consent Management
-- Tracks user consent for data processing, marketing, analytics per GDPR Art. 6/7
CREATE TABLE IF NOT EXISTS consents (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID NOT NULL REFERENCES users(id),
consent_type VARCHAR(50) NOT NULL, -- 'DATA_PROCESSING', 'MARKETING', 'ANALYTICS'
granted BOOLEAN NOT NULL DEFAULT false,
granted_at TIMESTAMP WITH TIME ZONE,
revoked_at TIMESTAMP WITH TIME ZONE,
ip_address VARCHAR(45),
user_agent TEXT,
version INTEGER NOT NULL DEFAULT 1, -- consent text version
tenant_id UUID NOT NULL,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);
CREATE INDEX idx_consents_user ON consents(user_id);
CREATE INDEX idx_consents_tenant ON consents(tenant_id);
CREATE INDEX idx_consents_type ON consents(consent_type, user_id);
cannamanage-domain/src/main/java/de/cannamanage/domain/entity/Consent.java
+74
View File
@@ -0,0 +1,74 @@
package de.cannamanage.domain.entity;
import de.cannamanage.domain.enums.ConsentType;
import jakarta.persistence.*;
import java.time.Instant;
import java.util.UUID;
@Entity
@Table(name = "consents")
public class Consent extends AbstractTenantEntity {
@Column(name = "user_id", nullable = false)
private UUID userId;
@Enumerated(EnumType.STRING)
@Column(name = "consent_type", nullable = false, length = 50)
private ConsentType consentType;
@Column(name = "granted", nullable = false)
private boolean granted = false;
@Column(name = "granted_at")
private Instant grantedAt;
@Column(name = "revoked_at")
private Instant revokedAt;
@Column(name = "ip_address", length = 45)
private String ipAddress;
@Column(name = "user_agent", columnDefinition = "TEXT")
private String userAgent;
@Column(name = "version", nullable = false)
private int version = 1;
@Column(name = "updated_at")
private Instant updatedAt;
@PreUpdate
void onUpdate() {
this.updatedAt = Instant.now();
}
// --- Getters & Setters ---
public UUID getUserId() { return userId; }
public void setUserId(UUID userId) { this.userId = userId; }
public ConsentType getConsentType() { return consentType; }
public void setConsentType(ConsentType consentType) { this.consentType = consentType; }
public boolean isGranted() { return granted; }
public void setGranted(boolean granted) { this.granted = granted; }
public Instant getGrantedAt() { return grantedAt; }
public void setGrantedAt(Instant grantedAt) { this.grantedAt = grantedAt; }
public Instant getRevokedAt() { return revokedAt; }
public void setRevokedAt(Instant revokedAt) { this.revokedAt = revokedAt; }
public String getIpAddress() { return ipAddress; }
public void setIpAddress(String ipAddress) { this.ipAddress = ipAddress; }
public String getUserAgent() { return userAgent; }
public void setUserAgent(String userAgent) { this.userAgent = userAgent; }
public int getVersion() { return version; }
public void setVersion(int version) { this.version = version; }
public Instant getUpdatedAt() { return updatedAt; }
public void setUpdatedAt(Instant updatedAt) { this.updatedAt = updatedAt; }
}
cannamanage-domain/src/main/java/de/cannamanage/domain/enums/ConsentType.java
+10
View File
@@ -0,0 +1,10 @@
package de.cannamanage.domain.enums;
/**
* Types of DSGVO consent that can be granted or revoked by users.
*/
public enum ConsentType {
DATA_PROCESSING,
MARKETING,
ANALYTICS
}
cannamanage-frontend/messages/de.json
+27
View File
@@ -343,5 +343,32 @@
"notFound": "Ressource nicht gefunden.",
"quotaExceeded": "Kontingent überschritten.",
"serverError": "Serverfehler. Bitte versuche es später erneut."
},
"consent": {
"title": "Datenschutz-Einwilligung",
"dataProcessing": "Datenverarbeitung",
"dataProcessingDesc": "Ich willige ein, dass meine personenbezogenen Daten (Name, E-Mail, Geburtsdatum, Ausgabe-Historie) zum Zweck der Vereinsverwaltung verarbeitet werden. Rechtsgrundlage: Art. 6 Abs. 1 lit. a DSGVO.",
"marketing": "Marketing-Benachrichtigungen",
"marketingDesc": "Ich möchte über neue Funktionen und Angebote informiert werden.",
"accept": "Ich stimme zu",
"reject": "Ablehnen und Konto löschen",
"required": "Erforderlich",
"revoke": "Einwilligung widerrufen",
"revokeWarning": "Ohne Einwilligung zur Datenverarbeitung kann der Dienst nicht genutzt werden.",
"granted": "Erteilt am",
"revoked": "Widerrufen"
},
"dsgvo": {
"title": "Datenschutz",
"export": "Meine Daten exportieren",
"exportDesc": "Laden Sie alle über Sie gespeicherten Daten als JSON-Datei herunter (Art. 15 DSGVO).",
"exportButton": "Daten herunterladen",
"exporting": "Daten werden zusammengestellt...",
"exported": "Datenexport heruntergeladen.",
"delete": "Konto und Daten löschen",
"deleteDesc": "Alle personenbezogenen Daten werden unwiderruflich gelöscht oder anonymisiert (Art. 17 DSGVO). Ausgabe-Daten bleiben anonymisiert erhalten (gesetzliche Aufbewahrungspflicht).",
"deleteButton": "Konto endgültig löschen",
"deleteConfirm": "Bist du sicher? Diese Aktion kann nicht rückgängig gemacht werden.",
"deleteSuccess": "Dein Konto wurde gelöscht. Du wirst jetzt abgemeldet."
}
}
cannamanage-frontend/messages/en.json
+27
View File
@@ -343,5 +343,32 @@
"notFound": "Resource not found.",
"quotaExceeded": "Quota exceeded.",
"serverError": "Server error. Please try again later."
},
"consent": {
"title": "Privacy Consent",
"dataProcessing": "Data Processing",
"dataProcessingDesc": "I consent to the processing of my personal data (name, email, date of birth, distribution history) for the purpose of club management. Legal basis: Art. 6(1)(a) GDPR.",
"marketing": "Marketing Notifications",
"marketingDesc": "I would like to receive information about new features and offers.",
"accept": "I agree",
"reject": "Decline and delete account",
"required": "Required",
"revoke": "Revoke consent",
"revokeWarning": "Without consent for data processing, the service cannot be used.",
"granted": "Granted on",
"revoked": "Revoked"
},
"dsgvo": {
"title": "Privacy",
"export": "Export my data",
"exportDesc": "Download all data stored about you as a JSON file (Art. 15 GDPR).",
"exportButton": "Download data",
"exporting": "Compiling data...",
"exported": "Data export downloaded.",
"delete": "Delete account and data",
"deleteDesc": "All personal data will be irreversibly deleted or anonymized (Art. 17 GDPR). Distribution data will be retained in anonymized form (legal retention requirement).",
"deleteButton": "Permanently delete account",
"deleteConfirm": "Are you sure? This action cannot be undone.",
"deleteSuccess": "Your account has been deleted. You will now be logged out."
}
}
cannamanage-frontend/src/app/(dashboard-layout)/layout.tsx
+2
View File
@@ -1,6 +1,7 @@
import { NextIntlClientProvider } from "next-intl"
import { getMessages } from "next-intl/server"
import { ConsentBanner } from "@/components/consent-banner"
import { Layout } from "@/components/layout"
export default async function DashboardLayout({
@@ -13,6 +14,7 @@ export default async function DashboardLayout({
return (
<NextIntlClientProvider messages={messages}>
<Layout>{children}</Layout>
<ConsentBanner />
</NextIntlClientProvider>
)
}
cannamanage-frontend/src/app/(dashboard-layout)/settings/privacy/page.tsx
+203
View File
@@ -0,0 +1,203 @@
"use client"
import { useState } from "react"
import { useRouter } from "next/navigation"
import {
useConsentsQuery,
useDeleteAccountMutation,
useExportDataMutation,
useGrantConsentMutation,
useRevokeConsentMutation,
} from "@/services/consent"
import { useTranslations } from "next-intl"
import { Download, Shield, ToggleLeft, ToggleRight, Trash2 } from "lucide-react"
export default function PrivacySettingsPage() {
const t = useTranslations("dsgvo")
const tc = useTranslations("consent")
const router = useRouter()
const [showDeleteConfirm, setShowDeleteConfirm] = useState(false)
const { data: consents, isLoading } = useConsentsQuery()
const grantMutation = useGrantConsentMutation()
const revokeMutation = useRevokeConsentMutation()
const exportMutation = useExportDataMutation()
const deleteMutation = useDeleteAccountMutation()
const consentTypes = [
{
type: "DATA_PROCESSING" as const,
label: tc("dataProcessing"),
description: tc("dataProcessingDesc"),
required: true,
},
{
type: "MARKETING" as const,
label: tc("marketing"),
description: tc("marketingDesc"),
required: false,
},
{
type: "ANALYTICS" as const,
label: "Analytics",
description: "Nutzungsanalysen zur Verbesserung des Dienstes.",
required: false,
},
]
const isGranted = (type: string) =>
consents?.find((c) => c.type === type)?.granted ?? false
const getGrantedDate = (type: string) =>
consents?.find((c) => c.type === type)?.grantedAt
const handleToggle = async (type: string, currentlyGranted: boolean) => {
if (currentlyGranted) {
if (type === "DATA_PROCESSING") {
setShowDeleteConfirm(true)
return
}
await revokeMutation.mutateAsync(type)
} else {
await grantMutation.mutateAsync({
type: type as "DATA_PROCESSING" | "MARKETING" | "ANALYTICS",
version: 1,
})
}
}
const handleExport = () => {
exportMutation.mutate()
}
const handleDelete = async () => {
await deleteMutation.mutateAsync()
router.push("/login")
}
return (
<div className="mx-auto max-w-2xl space-y-8 p-6">
<div className="flex items-center gap-3">
<Shield className="h-6 w-6 text-primary" />
<h1 className="text-2xl font-bold">{t("title")}</h1>
</div>
{/* Consent Toggles */}
<section className="space-y-4">
<h2 className="text-lg font-semibold">{tc("title")}</h2>
{isLoading ? (
<div className="animate-pulse space-y-3">
{[1, 2, 3].map((i) => (
<div key={i} className="h-20 rounded-lg bg-muted" />
))}
</div>
) : (
consentTypes.map((ct) => {
const granted = isGranted(ct.type)
const grantedDate = getGrantedDate(ct.type)
return (
<div
key={ct.type}
className="flex items-start justify-between rounded-lg border p-4"
>
<div className="flex-1">
<div className="flex items-center gap-2">
<h3 className="font-medium">{ct.label}</h3>
{ct.required && (
<span className="rounded bg-primary/10 px-2 py-0.5 text-xs font-medium text-primary">
{tc("required")}
</span>
)}
</div>
<p className="mt-1 text-sm text-muted-foreground">
{ct.description}
</p>
{granted && grantedDate && (
<p className="mt-1 text-xs text-muted-foreground">
{tc("granted")}{" "}
{new Date(grantedDate).toLocaleDateString("de-DE")}
</p>
)}
</div>
<button
onClick={() => handleToggle(ct.type, granted)}
disabled={grantMutation.isPending || revokeMutation.isPending}
className="ml-4 shrink-0"
aria-label={granted ? tc("revoke") : tc("accept")}
>
{granted ? (
<ToggleRight className="h-8 w-8 text-primary" />
) : (
<ToggleLeft className="h-8 w-8 text-muted-foreground" />
)}
</button>
</div>
)
})
)}
</section>
{/* Data Export */}
<section className="space-y-3 rounded-lg border p-4">
<div className="flex items-center gap-2">
<Download className="h-5 w-5" />
<h2 className="text-lg font-semibold">{t("export")}</h2>
</div>
<p className="text-sm text-muted-foreground">{t("exportDesc")}</p>
<button
onClick={handleExport}
disabled={exportMutation.isPending}
className="inline-flex items-center gap-2 rounded-lg bg-secondary px-4 py-2 text-sm font-medium transition-colors hover:bg-secondary/80 disabled:opacity-50"
>
<Download className="h-4 w-4" />
{exportMutation.isPending ? t("exporting") : t("exportButton")}
</button>
{exportMutation.isSuccess && (
<p className="text-sm text-green-600">{t("exported")}</p>
)}
</section>
{/* Account Deletion */}
<section className="space-y-3 rounded-lg border border-destructive/30 bg-destructive/5 p-4">
<div className="flex items-center gap-2">
<Trash2 className="h-5 w-5 text-destructive" />
<h2 className="text-lg font-semibold text-destructive">
{t("delete")}
</h2>
</div>
<p className="text-sm text-muted-foreground">{t("deleteDesc")}</p>
{!showDeleteConfirm ? (
<button
onClick={() => setShowDeleteConfirm(true)}
className="inline-flex items-center gap-2 rounded-lg bg-destructive px-4 py-2 text-sm font-medium text-destructive-foreground transition-colors hover:bg-destructive/90"
>
<Trash2 className="h-4 w-4" />
{t("deleteButton")}
</button>
) : (
<div className="space-y-3 rounded-lg border border-destructive/50 bg-destructive/10 p-4">
<p className="text-sm font-medium text-destructive">
{t("deleteConfirm")}
</p>
<div className="flex gap-3">
<button
onClick={handleDelete}
disabled={deleteMutation.isPending}
className="inline-flex items-center gap-2 rounded-lg bg-destructive px-4 py-2 text-sm font-medium text-destructive-foreground transition-colors hover:bg-destructive/90 disabled:opacity-50"
>
{deleteMutation.isPending ? "..." : t("deleteButton")}
</button>
<button
onClick={() => setShowDeleteConfirm(false)}
className="rounded-lg border px-4 py-2 text-sm font-medium transition-colors hover:bg-muted"
>
Abbrechen
</button>
</div>
</div>
)}
</section>
</div>
)
}
cannamanage-frontend/src/components/consent-banner.tsx
+100
View File
@@ -0,0 +1,100 @@
"use client"
import { useState } from "react"
import {
useConsentCheckQuery,
useGrantConsentMutation,
} from "@/services/consent"
import { useTranslations } from "next-intl"
import { CheckCircle, Shield } from "lucide-react"
/**
* DSGVO Consent Banner — fullscreen modal overlay.
* Shows when a logged-in user has NOT yet granted DATA_PROCESSING consent.
* Cannot be dismissed without action.
*/
export function ConsentBanner() {
const t = useTranslations("consent")
const [marketingChecked, setMarketingChecked] = useState(false)
const { data: consentCheck, isLoading } = useConsentCheckQuery()
const grantMutation = useGrantConsentMutation()
// Don't show if still loading or consent already granted
if (isLoading || consentCheck?.hasDataProcessingConsent) {
return null
}
const handleAccept = async () => {
// Grant DATA_PROCESSING consent (required)
await grantMutation.mutateAsync({ type: "DATA_PROCESSING", version: 1 })
// Grant MARKETING if checked
if (marketingChecked) {
await grantMutation.mutateAsync({ type: "MARKETING", version: 1 })
}
}
const handleReject = () => {
// Redirect to deletion confirmation
window.location.href = "/settings/privacy?action=delete"
}
return (
<div className="fixed inset-0 z-[9999] flex items-center justify-center bg-black/70 backdrop-blur-sm">
<div className="mx-4 max-h-[90vh] w-full max-w-lg overflow-y-auto rounded-xl bg-card p-6 shadow-2xl">
<div className="mb-4 flex items-center gap-3">
<Shield className="h-8 w-8 text-primary" />
<h2 className="text-xl font-semibold">{t("title")}</h2>
</div>
{/* Required: Data Processing */}
<div className="mb-4 rounded-lg border border-primary/20 bg-primary/5 p-4">
<h3 className="mb-1 font-medium">{t("dataProcessing")}</h3>
<p className="text-sm text-muted-foreground">
{t("dataProcessingDesc")}
</p>
<p className="mt-2 text-xs font-medium text-primary">
{t("required")}
</p>
</div>
{/* Optional: Marketing */}
<div className="mb-6 rounded-lg border p-4">
<label className="flex cursor-pointer items-start gap-3">
<input
type="checkbox"
checked={marketingChecked}
onChange={(e) => setMarketingChecked(e.target.checked)}
className="mt-1 h-4 w-4 rounded border-gray-300"
/>
<div>
<h3 className="font-medium">{t("marketing")}</h3>
<p className="text-sm text-muted-foreground">
{t("marketingDesc")}
</p>
</div>
</label>
</div>
{/* Actions */}
<div className="flex flex-col gap-3">
<button
onClick={handleAccept}
disabled={grantMutation.isPending}
className="flex w-full items-center justify-center gap-2 rounded-lg bg-primary px-4 py-3 text-sm font-medium text-primary-foreground transition-colors hover:bg-primary/90 disabled:opacity-50"
>
<CheckCircle className="h-4 w-4" />
{grantMutation.isPending ? "..." : t("accept")}
</button>
<button
onClick={handleReject}
className="w-full text-center text-sm text-destructive underline transition-colors hover:text-destructive/80"
>
{t("reject")}
</button>
</div>
</div>
</div>
)
}
cannamanage-frontend/src/services/consent.ts
+102
View File
@@ -0,0 +1,102 @@
import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query"
import { apiClient } from "@/lib/api-client"
// --- Types ---
export interface ConsentRecord {
id: string
type: "DATA_PROCESSING" | "MARKETING" | "ANALYTICS"
granted: boolean
grantedAt: string | null
revokedAt: string | null
version: number
}
export interface ConsentCheckResponse {
hasDataProcessingConsent: boolean
}
export interface GrantConsentRequest {
type: "DATA_PROCESSING" | "MARKETING" | "ANALYTICS"
version?: number
}
export interface DsgvoExportData {
exportDate: string
legalBasis: string
personalData: Record<string, unknown>
memberProfile?: Record<string, unknown>
distributions?: Record<string, unknown>[]
consents?: Record<string, unknown>[]
}
// --- Query Hooks ---
export function useConsentsQuery() {
return useQuery({
queryKey: ["consent", "list"],
queryFn: () => apiClient<ConsentRecord[]>("/consent"),
})
}
export function useConsentCheckQuery() {
return useQuery({
queryKey: ["consent", "check"],
queryFn: () => apiClient<ConsentCheckResponse>("/consent/check"),
})
}
// --- Mutation Hooks ---
export function useGrantConsentMutation() {
const queryClient = useQueryClient()
return useMutation({
mutationFn: (data: GrantConsentRequest) =>
apiClient<ConsentRecord>("/consent", { method: "POST", body: data }),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["consent"] })
},
})
}
export function useRevokeConsentMutation() {
const queryClient = useQueryClient()
return useMutation({
mutationFn: (type: string) =>
apiClient<void>(`/consent/${type}`, { method: "DELETE" }),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["consent"] })
},
})
}
export function useExportDataMutation() {
return useMutation({
mutationFn: async () => {
const data = await apiClient<DsgvoExportData>("/dsgvo/export")
// Trigger download
const blob = new Blob([JSON.stringify(data, null, 2)], {
type: "application/json",
})
const url = URL.createObjectURL(blob)
const a = document.createElement("a")
a.href = url
a.download = `meine-daten-${new Date().toISOString().slice(0, 10)}.json`
document.body.appendChild(a)
a.click()
document.body.removeChild(a)
URL.revokeObjectURL(url)
return data
},
})
}
export function useDeleteAccountMutation() {
return useMutation({
mutationFn: () =>
apiClient<{ status: string; message: string }>("/dsgvo/delete", {
method: "DELETE",
}),
})
}
cannamanage-service/src/main/java/de/cannamanage/service/ConsentService.java
+100
View File
@@ -0,0 +1,100 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.Consent;
import de.cannamanage.domain.enums.ConsentType;
import de.cannamanage.service.repository.ConsentRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.time.Instant;
import java.util.List;
import java.util.UUID;
/**
* Manages DSGVO consent lifecycle: grant, revoke, check.
*/
@Service
public class ConsentService {
private static final Logger log = LoggerFactory.getLogger(ConsentService.class);
private final ConsentRepository consentRepository;
public ConsentService(ConsentRepository consentRepository) {
this.consentRepository = consentRepository;
}
/**
* Grant a specific consent type for a user.
* Creates a new record or re-grants a previously revoked one.
*/
@Transactional
public Consent grantConsent(UUID userId, ConsentType type, int version, String ipAddress, String userAgent) {
Consent consent = consentRepository.findByUserIdAndConsentType(userId, type)
.orElseGet(() -> {
Consent c = new Consent();
c.setUserId(userId);
c.setConsentType(type);
return c;
});
consent.setGranted(true);
consent.setGrantedAt(Instant.now());
consent.setRevokedAt(null);
consent.setVersion(version);
consent.setIpAddress(ipAddress);
consent.setUserAgent(userAgent);
consent.setUpdatedAt(Instant.now());
log.info("Consent granted: userId={}, type={}, version={}", userId, type, version);
return consentRepository.save(consent);
}
/**
* Revoke a specific consent type for a user.
*/
@Transactional
public void revokeConsent(UUID userId, ConsentType type) {
consentRepository.findByUserIdAndConsentType(userId, type)
.ifPresent(consent -> {
consent.setGranted(false);
consent.setRevokedAt(Instant.now());
consent.setUpdatedAt(Instant.now());
consentRepository.save(consent);
log.info("Consent revoked: userId={}, type={}", userId, type);
});
}
/**
* Revoke all consents for a user (used during account deletion).
*/
@Transactional
public void revokeAllConsents(UUID userId) {
List<Consent> consents = consentRepository.findByUserIdAndGrantedTrue(userId);
Instant now = Instant.now();
for (Consent consent : consents) {
consent.setGranted(false);
consent.setRevokedAt(now);
consent.setUpdatedAt(now);
}
consentRepository.saveAll(consents);
log.info("All consents revoked for userId={}", userId);
}
/**
* Check if a user has the required DATA_PROCESSING consent.
*/
public boolean hasRequiredConsents(UUID userId) {
return consentRepository.existsByUserIdAndConsentTypeAndGrantedTrue(userId, ConsentType.DATA_PROCESSING);
}
/**
* Get all consent records for a user.
*/
@Transactional(readOnly = true)
public List<Consent> getUserConsents(UUID userId) {
return consentRepository.findByUserId(userId);
}
}
cannamanage-service/src/main/java/de/cannamanage/service/DsgvoService.java
+152
View File
@@ -0,0 +1,152 @@
package de.cannamanage.service;
import de.cannamanage.domain.entity.Consent;
import de.cannamanage.domain.entity.Distribution;
import de.cannamanage.domain.entity.Member;
import de.cannamanage.domain.entity.User;
import de.cannamanage.service.repository.ConsentRepository;
import de.cannamanage.service.repository.DistributionRepository;
import de.cannamanage.service.repository.MemberRepository;
import de.cannamanage.service.repository.UserRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.time.Instant;
import java.util.*;
/**
* DSGVO compliance service — data export (Art. 15) and data deletion (Art. 17).
*/
@Service
public class DsgvoService {
private static final Logger log = LoggerFactory.getLogger(DsgvoService.class);
private static final String ANONYMIZED = "GELÖSCHT";
private final UserRepository userRepository;
private final MemberRepository memberRepository;
private final DistributionRepository distributionRepository;
private final ConsentRepository consentRepository;
private final ConsentService consentService;
public DsgvoService(UserRepository userRepository,
MemberRepository memberRepository,
DistributionRepository distributionRepository,
ConsentRepository consentRepository,
ConsentService consentService) {
this.userRepository = userRepository;
this.memberRepository = memberRepository;
this.distributionRepository = distributionRepository;
this.consentRepository = consentRepository;
this.consentService = consentService;
}
/**
* Export all personal data for a user (Art. 15 DSGVO).
* Returns a structured map suitable for JSON serialization.
*/
@Transactional(readOnly = true)
public Map<String, Object> exportUserData(UUID userId, UUID tenantId) {
Map<String, Object> export = new LinkedHashMap<>();
export.put("exportDate", Instant.now().toString());
export.put("legalBasis", "Art. 15 DSGVO — Auskunftsrecht der betroffenen Person");
// Personal data from user account
User user = userRepository.findById(userId).orElse(null);
if (user != null) {
Map<String, Object> personal = new LinkedHashMap<>();
personal.put("email", user.getEmail());
personal.put("role", user.getRole().name());
personal.put("active", user.isActive());
personal.put("lastLogin", user.getLastLogin() != null ? user.getLastLogin().toString() : null);
personal.put("createdAt", user.getCreatedAt() != null ? user.getCreatedAt().toString() : null);
export.put("personalData", personal);
}
// Member profile data
if (user != null && user.getMemberId() != null) {
memberRepository.findById(user.getMemberId()).ifPresent(member -> {
Map<String, Object> profile = new LinkedHashMap<>();
profile.put("firstName", member.getFirstName());
profile.put("lastName", member.getLastName());
profile.put("dateOfBirth", member.getDateOfBirth() != null ? member.getDateOfBirth().toString() : null);
profile.put("memberNumber", member.getMemberNumber());
profile.put("status", member.getStatus().name());
profile.put("joinedAt", member.getCreatedAt() != null ? member.getCreatedAt().toString() : null);
export.put("memberProfile", profile);
});
}
// Distribution history
if (user != null && user.getMemberId() != null) {
UUID memberId = user.getMemberId();
List<Distribution> distributions = distributionRepository.findByMemberIdAndTenantId(memberId, tenantId);
List<Map<String, Object>> distList = distributions.stream()
.map(d -> {
Map<String, Object> entry = new LinkedHashMap<>();
entry.put("id", d.getId().toString());
entry.put("amountGrams", d.getQuantityGrams());
entry.put("distributedAt", d.getDistributedAt() != null ? d.getDistributedAt().toString() : null);
return entry;
})
.toList();
export.put("distributions", distList);
}
// Consent records
List<Consent> consents = consentRepository.findByUserId(userId);
List<Map<String, Object>> consentList = consents.stream()
.map(c -> {
Map<String, Object> entry = new LinkedHashMap<>();
entry.put("type", c.getConsentType().name());
entry.put("granted", c.isGranted());
entry.put("grantedAt", c.getGrantedAt() != null ? c.getGrantedAt().toString() : null);
entry.put("revokedAt", c.getRevokedAt() != null ? c.getRevokedAt().toString() : null);
entry.put("version", c.getVersion());
return entry;
})
.toList();
export.put("consents", consentList);
return export;
}
/**
* Delete/anonymize all personal data for a user (Art. 17 DSGVO).
* - Anonymizes personal data (name, email → "GELÖSCHT")
* - Keeps distribution records (compliance) but anonymizes member reference
* - Revokes all consents
* - Deactivates account
*/
@Transactional
public void deleteUserData(UUID userId) {
User user = userRepository.findById(userId)
.orElseThrow(() -> new IllegalArgumentException("User not found: " + userId));
// Anonymize member profile
if (user.getMemberId() != null) {
memberRepository.findById(user.getMemberId()).ifPresent(member -> {
member.setFirstName(ANONYMIZED);
member.setLastName(ANONYMIZED);
member.setEmail(ANONYMIZED + "@deleted.local");
member.setPhone(null);
memberRepository.save(member);
log.info("Member profile anonymized: memberId={}", member.getId());
});
}
// Revoke all consents
consentService.revokeAllConsents(userId);
// Anonymize and deactivate user account
user.setEmail(ANONYMIZED + "_" + userId + "@deleted.local");
user.setPasswordHash(ANONYMIZED);
user.setRefreshTokenHash(null);
user.setActive(false);
userRepository.save(user);
log.info("User data deleted/anonymized: userId={}", userId);
}
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/ConsentRepository.java
+22
View File
@@ -0,0 +1,22 @@
package de.cannamanage.service.repository;
import de.cannamanage.domain.entity.Consent;
import de.cannamanage.domain.enums.ConsentType;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
@Repository
public interface ConsentRepository extends JpaRepository<Consent, UUID> {
Optional<Consent> findByUserIdAndConsentType(UUID userId, ConsentType consentType);
List<Consent> findByUserId(UUID userId);
List<Consent> findByUserIdAndGrantedTrue(UUID userId);
boolean existsByUserIdAndConsentTypeAndGrantedTrue(UUID userId, ConsentType consentType);
}
cannamanage-service/src/main/java/de/cannamanage/service/repository/DistributionRepository.java
+5
View File
@@ -64,4 +64,9 @@ public interface DistributionRepository extends JpaRepository<Distribution, UUID
* Paginated distribution history for a member, newest first (portal history).
*/
Page<Distribution> findByMemberIdAndTenantIdOrderByDistributedAtDesc(UUID memberId, UUID tenantId, Pageable pageable);
/**
* Find all distributions for a specific member (for DSGVO export).
*/
List<Distribution> findByMemberIdAndTenantId(UUID memberId, UUID tenantId);
}
docs/sprint-6/cannamanage-sprint6-plan-review.md
+339
View File
@@ -0,0 +1,339 @@
# CannaManage Sprint 6 Plan — Multi-Persona Review Panel
**Date:** 2026-06-12
**Reviewed Document:** `docs/sprint-6/cannamanage-sprint6-plan.md` (v2, ~1266 lines)
**Review Method:** 6-persona stakeholder simulation, scoring on 4 dimensions (0100%)
**Iteration:** 1
**Sprint Goal:** Production readiness — deploy, DSGVO compliance, Stripe payments, immutable audit log, grow calendar, notifications, launch
---
## Decisions Incorporated (13 confirmed ✅)
All open questions from the planning session are resolved:
1.**Stripe** (fresh account) — SEPA + PayPal + Card (D1)
2.**SEPA Lastschrift** as primary payment method (D2)
3.**IONOS VPS** (existing plate-software.de, 8 GB RAM) (D3)
4.**Subdomain** `cannamanage.plate-software.de` (D4)
5.**pg_dump** daily 7d + weekly 4w retention (D5)
6.**Gitea Actions** self-hosted CI/CD (D6)
7.**Uptime Kuma** for monitoring (D7)
8.**Consent-first** DSGVO approach (D8)
9.**Immutable append-only** audit log (D9)
10.**FullCalendar** with FULL scope (sensors, photos, feeding) (D10)
11.**WebSocket (SockJS/STOMP)** + Web Push API (D11)
12.**3-month free trial** → tiered pricing (D12)
13.**Basic PWA** (manifest + offline page) in Sprint 6 (D13)
---
## 1. 👤 Club Member (End User)
*"I'm a regular member of a cannabis social club. I want to use the app on my phone, get notified about my distributions, and trust that my data is protected under DSGVO."*
### Findings
| # | Type | Observation |
|---|------|-------------|
| 1 | ✅ Positive | **PWA installable** — I can add CannaManage to my home screen and use it like a native app. Standalone mode, themed green, proper icons. This makes daily access much faster than bookmarking a URL. |
| 2 | ✅ Positive | **Real-time distribution notifications** — When staff records a distribution for me, I get an instant notification via WebSocket. No more checking manually. The bell icon shows unread count. |
| 3 | ✅ Positive | **Push notifications even when app is closed** — Web Push with opt-in means I get notified about quota warnings and batch recalls even with the browser closed. Critical for recalls. |
| 4 | ✅ Positive | **DSGVO transparency** — I can see exactly what data is stored about me, export everything as ZIP (Art. 15), and request full deletion (Art. 17). The consent flow is clear: accept or leave. |
| 5 | ✅ Positive | **Offline resilience** — If I lose signal, I see an offline page instead of a browser error. Not full offline mode, but graceful degradation. |
| 6 | ⚠️ Minor | **No grow calendar visibility for members** — The grow calendar appears to be admin-only. As a member, I'd love to see what's currently growing (without sensitive details) — builds trust and community engagement. |
| 7 | ⚠️ Minor | **Notification preferences not detailed** — Can I choose which notifications I receive? The plan mentions opt-in for push but doesn't describe granular notification preferences (e.g., only recalls, not every distribution). |
| 8 | ✅ Positive | **Consent versioning** — If the privacy policy changes, I'm re-prompted. I'm not silently bound to new terms. |
### Scores
| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Precision | 88% | Notification events are explicitly listed (quota warning, batch recall, new distribution). PWA manifest is precisely defined. However, notification *preferences* and member-facing grow visibility are unspecified. |
| Correctness | 92% | WebSocket + STOMP is a correct real-time architecture for this scale. Web Push with VAPID is the right standard. DSGVO implementation follows Arts. 6, 7, 15, 17 correctly. |
| Usability | 86% | PWA + push + bell icon covers my daily needs well. Missing granular notification control and member-facing grow calendar slightly reduce the experience. |
| Usefulness | 90% | The jump from "no notifications, no DSGVO, no mobile" to "push notifications, full DSGVO compliance, installable PWA" is massive. This sprint makes the app genuinely usable for daily members. |
**Composite Score: 89%**
### Recommended Fixes
- Add a note about notification preferences (future sprint or a simple "mute all" toggle)
- Consider a read-only grow progress view for members (e.g., "Northern Lights — Flowering 🌸" without quantities)
---
## 2. 🏢 Club Owner / Vorstand (Business Owner)
*"I run the Anbauvereinigung. I need Stripe payments to fund operations, an audit log for Behörde inspections, the grow calendar to manage our cultivation, and a reliable production deployment."*
### Findings
| # | Type | Observation |
|---|------|-------------|
| 1 | ✅ Positive | **Stripe handles all billing complexity** — SEPA mandates, dunning, invoicing, billing portal, payment method updates — all offloaded to Stripe. I don't need to manually chase payments or generate invoices. |
| 2 | ✅ Positive | **Tiered pricing is clear** — Starter (€29/50 members) vs. Pro (€79/unlimited) gives me room to grow. The 14-day free trial lowers the barrier for new clubs. |
| 3 | ✅ Positive | **Immutable audit log for Behörde** — PDF export of the audit log is exactly what inspectors need. Every distribution, member change, and batch action is logged with server timestamps. Immutability (`@Immutable` + no DELETE) ensures credibility. |
| 4 | ✅ Positive | **Grow calendar (FULL scope)** — Stage tracking from seedling to curing, batch linking for traceability, sensor data for environmental control, photo documentation for compliance evidence. This is a complete cultivation management tool. |
| 5 | ✅ Positive | **Production deployment on existing infrastructure** — No new server to provision. Co-hosted on the existing IONOS VPS means lower cost and immediate availability. Gitea Actions CI/CD means I don't depend on GitHub. |
| 6 | ⚠️ Medium | **Pricing discrepancy in plan** — Section 0 (Decisions) says "≤30 members, €19/mo" and "≤100 members, €49/mo" but Section 3.3 (Stripe Architecture) says "up to 50 members, €29/month" and "unlimited members, €79/month". These need to be reconciled before implementation. |
| 7 | ⚠️ Medium | **Trial period discrepancy** — Decision D12 says "3-month free trial" but the Stripe code shows `setTrialPeriodDays(14L)` (14 days). Which is it? This directly affects my club's onboarding strategy. |
| 8 | ⚠️ Minor | **No grace period defined** — What happens when a payment fails? How many retry attempts before lockout? The plan mentions `invoice.payment_failed` shows a warning but doesn't specify the dunning timeline (Stripe default is 3 attempts over ~14 days, but this should be documented). |
| 9 | ✅ Positive | **Subscription enforcement middleware**`SubscriptionFilter.java` blocks API access when subscription expires. No free-riding after trial ends. |
| 10 | ✅ Positive | **Harvest → batch traceability** — Linking a grow entry to a batch creates the full chain: grow → batch → distribution → member. This is exactly what regulators want to see. |
### Scores
| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Precision | 82% | The pricing/trial discrepancies are concerning — they need resolution before implementation. Grow calendar and audit log are precisely specified. Dunning behavior is under-specified. |
| Correctness | 88% | Stripe architecture follows best practices (webhook signature verification, idempotent handlers, billing portal). Audit log immutability approach is correct. Grow stages and batch linking are logically sound. |
| Usability | 90% | Self-service billing portal, one-click PDF export for audits, visual grow calendar — all reduce my operational burden significantly. |
| Usefulness | 93% | This sprint delivers the three hardest requirements for going live: payments (to sustain the business), audit (for legal compliance), and grow tracking (for cultivation management). |
**Composite Score: 88%**
### Must Fix Before Implementation
- 🔴 **Reconcile pricing tiers** — D12 says €19/€49 (30/100 members), Section 3.3 says €29/€79 (50/unlimited). Pick one and update throughout.
- 🔴 **Reconcile trial period** — D12 says 3 months, code says 14 days. Which is the actual business decision?
- Add dunning timeline documentation (how many retries, what interval, when lockout)
---
## 3. 💻 Developer (Technical)
*"I'm building this on IONOS with Docker + Nginx, Gitea Actions for CI/CD, Stripe webhooks, WebSockets, and sensor ingestion. Is the architecture sound?"*
### Findings
| # | Type | Observation |
|---|------|-------------|
| 1 | ✅ Positive | **Docker Compose prod is well-structured** — env vars via `.env`, proper health checks with `start_period`, restart policies, named volumes for pgdata. Production-ready configuration. |
| 2 | ✅ Positive | **Nginx config is comprehensive** — TLS termination, HTTP/2, HSTS, rate limiting (30r/s with burst), WebSocket upgrade, security headers. The Stripe webhook path correctly skips rate limiting. |
| 3 | ✅ Positive | **Gitea Actions CI/CD is practical** — Self-hosted, no external dependencies, build → Docker → deploy locally. Simple and fast for a single-server deployment. |
| 4 | ⚠️ Medium | **Gitea Actions `cd /opt/cannamanage` in deploy step** — The deploy step assumes the runner IS the production server (running locally). This works but means the CI runner has root-level access to production. If the Gitea instance is compromised, production is compromised. Consider SSH-based deployment even for local deploys (separation of concerns). |
| 5 | ⚠️ Medium | **No blue-green or rolling deploy**`docker compose up -d --remove-orphans` causes downtime during image pull + container restart. For a single VPS this might be acceptable, but even a simple `docker compose pull && docker compose up -d` split would reduce downtime to seconds. |
| 6 | ✅ Positive | **Stripe webhook signature verification**`Webhook.constructEvent(payload, sigHeader, webhookSecret)` is the correct Stripe SDK pattern. Prevents webhook spoofing. |
| 7 | ⚠️ Minor | **WebSocket auth not specified**`WebSocketConfig` uses `setAllowedOriginPatterns("*")`. In production, this should be restricted to the actual domain. Also, how is the WebSocket connection authenticated? STOMP interceptor with JWT? Session cookie? |
| 8 | ⚠️ Minor | **Sensor data ingestion endpoint unclear** — The plan mentions "API endpoint for IoT devices" for sensor readings but doesn't specify authentication for IoT devices. Are sensors authenticated with API keys? Device tokens? This is a different auth flow from user JWT. |
| 9 | ✅ Positive | **Backup strategy is simple and effective**`pg_dump | gzip` with cron rotation. For a single-VPS deployment with <1000 users, this is the right approach. No over-engineering. |
| 10 | ✅ Positive | **Flyway migrations are well-sequenced** — V6 (consent + audit), V7 (stripe), V8 (grow), V9 (notifications). Clear dependency ordering. |
| 11 | ⚠️ Minor | **Phase 1 header says "Hetzner VPS" but body says "IONOS VPS"** — The Phase 1 heading reads "Production Deployment (Hetzner VPS)" but the decision says IONOS. Inconsistency in the document. |
| 12 | ✅ Positive | **Service worker scope is appropriately limited** — "Basic in Sprint 6" (offline page + asset caching) avoids the complexity of full offline sync, which would require IndexedDB and conflict resolution. |
| 13 | ⚠️ Minor | **Photo upload size limit (10MB) but no storage strategy** — Where are grow photos stored? Local filesystem? S3-compatible object storage? For a single VPS, local disk works initially but needs a plan for growth. |
### Scores
| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Precision | 85% | Core architecture is well-specified (Docker, Nginx, Stripe, Flyway). Gaps in WebSocket auth, sensor device auth, photo storage, and deploy strategy reduce precision. |
| Correctness | 87% | Docker Compose patterns, Nginx configuration, Stripe SDK usage, and STOMP/SockJS are all technically correct. The `allowedOriginPatterns("*")` and missing auth layers are correctness concerns for production. |
| Usability | 88% | Gitea Actions CI/CD is developer-friendly. Single `docker compose up` for local dev. Flyway handles migrations automatically. Clear phase separation makes implementation order obvious. |
| Usefulness | 91% | The plan delivers a complete production stack: deploy pipeline, payment processing, real-time notifications, and grow management — all on a single affordable VPS. Pragmatic engineering. |
**Composite Score: 88%**
### Recommended Fixes
- 🔴 Fix Phase 1 heading: "Hetzner VPS" → "IONOS VPS"
- Specify WebSocket authentication mechanism (STOMP CONNECT frame with JWT or session-based)
- Restrict `setAllowedOriginPatterns` to `cannamanage.plate-software.de` in production
- Document sensor device authentication strategy (API key-based recommended)
- Add photo storage strategy note (local filesystem initially, `/opt/cannamanage/uploads/`, with future migration path to S3)
- Consider `docker compose pull && docker compose up -d` two-step deploy to minimize downtime
---
## 4. 🛡️ Datenschutzbeauftragter (Privacy/DSGVO Officer)
*"I ensure this application complies with DSGVO. I check consent flows, data exports, erasure rights, data minimization, and third-party data processing agreements."*
### Findings
| # | Type | Observation |
|---|------|-------------|
| 1 | ✅ Positive | **Art. 6 Rechtsgrundlage** — Consent-first approach (Art. 6 Abs. 1 lit. a) is implemented. Users must explicitly accept before using the app. Consent entity stores timestamp, IP, user agent, and policy version. |
| 2 | ✅ Positive | **Art. 7 Einwilligung** — Consent is freely given (user can decline and is logged out), specific (separate consent types: PRIVACY_POLICY, TERMS_OF_SERVICE, DATA_PROCESSING), informed (links to full Datenschutzerklärung), and unambiguous ("Akzeptieren" button). Withdrawal is as easy as giving (revoke in settings). |
| 3 | ✅ Positive | **Art. 15 Auskunftsrecht**`GET /api/v1/dsgvo/export` returns a ZIP with all personal data. The implementation collects user profile, distributions, quota history, consent records, and login history. |
| 4 | ✅ Positive | **Art. 17 Recht auf Löschung**`DELETE /api/v1/dsgvo/erasure` with appropriate exemption: "Some data must be retained for legal compliance (tax records, 10-year retention)." This correctly implements the Art. 17(3)(b) exception for legal obligations. |
| 5 | ⚠️ Medium | **Art. 28 Auftragsverarbeitung (Stripe)** — Stripe is a data processor handling payment data. The plan doesn't mention the AVV (Auftragsverarbeitungsvertrag) with Stripe. This is a legal requirement. Stripe provides a standard DPA — it must be accepted and documented. |
| 6 | ⚠️ Medium | **IP address storage in consent** — Storing IP addresses in the consent record is legitimate for proof of consent (Art. 7(1)), but the Datenschutzerklärung must explicitly mention this. IP addresses are personal data (EuGH C-582/14). Ensure retention period is defined. |
| 7 | ⚠️ Medium | **Audit log contains PII**`actor_name` ("Patrick Plate"), `ip_address`, and `description` (may contain member names in distribution descriptions like "25g Northern Lights an Max Mustermann ausgegeben"). The audit log is immutable (no deletion), which conflicts with Art. 17. This needs a documented legal basis (Art. 6(1)(c) — legal obligation for compliance records) and a defined retention period. |
| 8 | ⚠️ Minor | **Data minimization (Art. 5(1)(c))** — The consent entity stores `user_agent` (full browser string). Is the full user agent necessary? A truncated version or just the browser name would satisfy proof requirements while minimizing data. |
| 9 | ✅ Positive | **Consent versioning** — When the privacy policy changes, users are re-prompted. This correctly implements the requirement for renewed consent when purposes change. |
| 10 | ⚠️ Minor | **No cookie banner mentioned** — The consent modal handles app usage consent, but if any analytics cookies or third-party scripts are used (Uptime Kuma external check?), a separate cookie consent mechanism may be needed under ePrivacy/TTDSG. If no cookies beyond session cookies → document this. |
| 11 | ✅ Positive | **Erasure with anonymization** — "Anonymize distributions (keep aggregates for compliance)" correctly balances Art. 17 deletion with legal retention. Aggregate data is no longer personal data. |
### Scores
| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Precision | 84% | Core DSGVO flows (consent, export, erasure) are well-specified. Missing: AVV documentation with Stripe, audit log retention periods, IP storage justification in Datenschutzerklärung. |
| Correctness | 86% | Arts. 6, 7, 15, 17 are correctly implemented. The Art. 17(3)(b) exception for legal obligations is correctly applied. However, the audit log immutability vs. Art. 17 tension needs explicit legal basis documentation. |
| Usability | 90% | The consent flow is user-friendly: clear modal, accept/decline, revoke in settings, export as ZIP. Privacy settings page gives users full control. |
| Usefulness | 88% | The DSGVO implementation covers all critical requirements for launch. The few gaps (AVV, retention periods, audit log legal basis) are documentation tasks, not code changes. |
**Composite Score: 87%**
### Must Fix Before Launch
- 🔴 **Document Stripe AVV** — Accept Stripe's DPA, reference it in the Datenschutzerklärung as a data processor (Art. 28)
- 🔴 **Define audit log retention period** — Document the legal basis (Art. 6(1)(c) + §257 HGB 10-year retention for business records) and add it to the Datenschutzerklärung
- 🟡 Mention IP address storage in the Datenschutzerklärung (why, how long, legal basis)
- 🟡 Consider truncating `user_agent` to browser name + version only
- Clarify cookie usage: if only session cookies, add a "no tracking cookies" statement to the privacy policy
---
## 5. 🔒 Security Auditor
*"I audit the security posture of this application before it goes live. I check PCI compliance, SEPA data handling, webhook verification, TLS configuration, secret management, and backup encryption."*
### Findings
| # | Type | Observation |
|---|------|-------------|
| 1 | ✅ Positive | **Stripe handles PCI compliance** — By using Stripe Checkout (hosted payment page) and Payment Element (Stripe.js), card data never touches our servers. PCI SAQ-A eligible. No card numbers in our DB. |
| 2 | ✅ Positive | **Webhook signature verification**`Webhook.constructEvent(payload, sigHeader, webhookSecret)` validates the HMAC signature from Stripe. Rejects tampered or replayed webhook events. |
| 3 | ✅ Positive | **TLS configuration** — Let's Encrypt certificate, HTTP→HTTPS redirect, HSTS with 2-year max-age. SSL Labs A+ should be achievable with these settings. |
| 4 | ✅ Positive | **Security headers** — HSTS, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin. Good baseline. |
| 5 | ⚠️ Medium | **Missing CSP header** — Content-Security-Policy is not in the Nginx config. Without CSP, XSS attacks can load arbitrary external scripts. Add at minimum: `default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com;` |
| 6 | ⚠️ Medium | **Secrets in Docker env vars**`STRIPE_SECRET_KEY`, `JWT_SECRET`, `DB_PASSWORD` are passed as environment variables. While this is common with Docker Compose, the `.env` file on the server must be root-only readable (chmod 600). The plan doesn't mention file permissions or secret rotation. |
| 7 | ⚠️ Medium | **Backup encryption missing**`pg_dump | gzip` creates unencrypted backups. If the VPS is compromised, all historical data is exposed. Add `| gpg --encrypt --recipient backup@cannamanage.de` or use `pg_dump ... | openssl enc -aes-256-cbc`. |
| 8 | ⚠️ Minor | **Rate limiting only on `/api/`** — The `/` (frontend) path has no rate limiting. While Next.js SSR is less sensitive, a determined attacker could DOS the frontend rendering. Consider a lower global rate limit (e.g., 100r/s). |
| 9 | ✅ Positive | **Stripe webhook path excluded from rate limiting** — Correct decision. Stripe retries on 429 with exponential backoff, but rate-limiting webhooks can cause payment state drift. |
| 10 | ⚠️ Minor | **No fail2ban or IP blocking** — If the rate limiter triggers repeatedly for an IP, there's no mechanism to ban that IP temporarily. Consider adding `limit_req_status 429` + fail2ban watching for 429s in access.log. |
| 11 | ✅ Positive | **Audit log immutability**`@Immutable` annotation + no DELETE in repository. Server-generated timestamps prevent client manipulation. JSONB details field preserves before/after state for forensics. |
| 12 | ⚠️ Medium | **No DB-level DELETE prevention on audit_event** — Hibernate `@Immutable` is application-level only. A compromised backend or direct DB access can still DELETE records. Add a PostgreSQL trigger: `CREATE RULE no_delete_audit AS ON DELETE TO audit_event DO INSTEAD NOTHING;` or use a `REVOKE DELETE` on the app DB user. |
| 13 | ⚠️ Minor | **SEPA data handling** — SEPA bank details (IBAN) are handled by Stripe, not stored locally. Good. But the plan should explicitly state "No IBAN data touches our servers" as a security control statement. |
| 14 | ✅ Positive | **JWT for API auth**`JWT_SECRET` from env, Spring Security integration for API endpoints. Standard approach for SPA backends. |
| 15 | ⚠️ Minor | **No JWT rotation or expiry mentioned** — The plan uses `JWT_SECRET` but doesn't specify token expiry, refresh token strategy, or secret rotation cadence. For a go-live, at minimum define token TTL (e.g., 15min access + 7d refresh). |
### Scores
| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Precision | 83% | TLS, Stripe, and webhook verification are precise. Missing: CSP header definition, backup encryption, secret file permissions, DB-level audit protection, JWT lifecycle. |
| Correctness | 85% | The security architecture is fundamentally sound (Stripe handles PCI, TLS terminates at Nginx, rate limiting exists). But application-level immutability without DB enforcement is incomplete. Missing CSP is a significant gap. |
| Usability | 91% | From a security operations standpoint: automated TLS renewal, simple backup cron, Docker restart policies, and Uptime Kuma alerting make ongoing security operations manageable. |
| Usefulness | 87% | The plan delivers a production-ready security baseline. The gaps are hardening measures that should be addressed before public launch but don't block development. |
**Composite Score: 87%**
### Must Fix Before Launch
- 🔴 **Add Content-Security-Policy header** — at minimum: `default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com https://hooks.stripe.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:;`
- 🔴 **Encrypt backups** — Add GPG or AES-256 encryption to the backup script
- 🔴 **Add DB-level audit protection** — PostgreSQL RULE or REVOKE DELETE on audit_event for the app user
- 🟡 Document `.env` file permissions (chmod 600, root-only)
- 🟡 Define JWT token lifecycle (access TTL, refresh strategy, secret rotation)
- 🟡 Add explicit "No IBAN/card data stored locally" security control statement
---
## 6. 🌱 Cultivation Manager (Grower)
*"I manage the club's grows from seed to harvest. I need to track plant stages, monitor environment (temperature/humidity), document with photos, plan feeding schedules, and link harvests to inventory batches."*
### Findings
| # | Type | Observation |
|---|------|-------------|
| 1 | ✅ Positive | **Full lifecycle tracking** — Six stages (Seedling → Vegetative → Flowering → Harvest → Drying → Curing) cover the complete cannabis grow cycle. Color-coded calendar blocks give me instant visual status of all active grows. |
| 2 | ✅ Positive | **Harvest → batch linking** — This is the killer feature for compliance. When I harvest, I link directly to a batch entity, creating full traceability: seed → plant → harvest → batch → distribution → member. Inspectors love this. |
| 3 | ✅ Positive | **Sensor data** — Temperature and humidity readings with configurable threshold alerts (e.g., temp > 30°C → notification). This lets me react quickly to environmental issues even when I'm not in the grow room. |
| 4 | ✅ Positive | **Photo documentation** — Timeline view with captions per grow entry. This serves both my own record-keeping (disease identification, growth progress) and compliance evidence for inspectors. |
| 5 | ✅ Positive | **Feeding schedule** — Nutrient name, amount, frequency, and calendar overlay showing feeding days. This replaces my spreadsheet and integrates feeding with the grow timeline. |
| 6 | ⚠️ Medium | **No multi-grow-room support** — The `GrowEntry` entity has no `room` or `location` field. In a real club, we might have multiple grow rooms (veg room, flower room, drying room). Entries should be groupable by location. |
| 7 | ⚠️ Medium | **Sensor readings are per-grow-entry, not per-room** — In practice, a temperature sensor monitors a room, not a single plant. Multiple grows share the same room environment. The data model should allow sensor readings at a room level, shared across grow entries in that room. |
| 8 | ⚠️ Minor | **No yield tracking compared to expected** — The entity has `expected_yield_grams` and `actual_yield_grams`, which is great. But the plan doesn't mention a yield comparison/analytics view. Over time, I want to see yield trends per strain. |
| 9 | ⚠️ Minor | **No recurring grow templates** — If I grow Northern Lights every 3 months with the same feeding schedule, I'd love to create a template and duplicate it. Not essential for v1, but worth noting. |
| 10 | ✅ Positive | **FullCalendar with drag-resize** — Adjusting end dates by dragging is intuitive. Starting a new grow by clicking a date is natural. The de locale (German month names, Monday start) is correct for our users. |
| 11 | ✅ Positive | **Audit log integration** — Grow entries and harvest-to-batch links are logged in the audit trail. This creates an unbroken record of cultivation activities for regulatory compliance. |
| 12 | ⚠️ Minor | **No strain-specific growing guides** — It would be helpful to see default durations per stage for a given strain (e.g., Northern Lights typical flowering: 8 weeks). Auto-suggest end dates based on strain genetics. Future feature. |
### Scores
| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Precision | 84% | Core entities (GrowEntry, SensorReading, GrowPhoto, FeedingSchedule) are well-defined with specific fields. Stage enum is complete. However, the room/location dimension is missing, and sensor-to-room relationship is not modeled. |
| Correctness | 85% | The stage progression, batch linking, and calendar visualization are all correct cannabis cultivation patterns. The sensor model (per-entry rather than per-room) is architecturally questionable but functionally correct for MVP. |
| Usability | 88% | FullCalendar with color-coded stages, drag-resize, and click-to-create is highly usable. Photo gallery with timeline is intuitive. Feeding schedule with calendar overlay reduces context switching. |
| Usefulness | 90% | This is the most comprehensive grow management I've seen in a club management app. The harvest-to-batch traceability alone justifies the feature. Sensors, photos, and feeding elevate it from a simple calendar to a real cultivation tool. |
**Composite Score: 87%**
### Recommended Improvements
- 🟡 Add `room` or `location` field to `GrowEntry` (simple VARCHAR, e.g., "Veg Room A", "Flower Room 1")
- 🟡 Consider a `SensorDevice` entity linked to a room, with readings associated to the device rather than individual grow entries
- Add yield analytics as a future enhancement (strain performance over time)
- Note: templates and strain guides are clear Sprint 7+ features
---
## Summary Matrix
| Persona | Precision | Correctness | Usability | Usefulness | Composite |
|---------|-----------|-------------|-----------|------------|-----------|
| 👤 Club Member | 88% | 92% | 86% | 90% | **89%** |
| 🏢 Club Owner / Vorstand | 82% | 88% | 90% | 93% | **88%** |
| 💻 Developer | 85% | 87% | 88% | 91% | **88%** |
| 🛡️ Datenschutzbeauftragter | 84% | 86% | 90% | 88% | **87%** |
| 🔒 Security Auditor | 83% | 85% | 91% | 87% | **87%** |
| 🌱 Cultivation Manager | 84% | 85% | 88% | 90% | **87%** |
| **Average** | **84%** | **87%** | **89%** | **90%** | **88%** |
---
## Verdict: 🟡 CONDITIONAL PASS (88% — below 85% target on Precision)
The Sprint 6 plan is ambitious and well-structured, covering all critical go-live requirements. However, it contains internal inconsistencies (pricing, trial period, server provider naming) and security gaps (CSP, backup encryption, DB-level audit protection) that must be resolved before implementation begins.
**Overall assessment:** The plan is *implementable as-is* for development purposes, but requires 4 must-fix items before production launch.
---
## Priority Fix List
### 🔴 Must Fix (Blocking launch)
| # | Source | Issue | Fix |
|---|--------|-------|-----|
| 1 | 🏢 Owner | Pricing tier discrepancy (D12 vs §3.3) | Reconcile: pick €19/€49 or €29/€79. Update all references. |
| 2 | 🏢 Owner | Trial period discrepancy (3 months vs 14 days) | Confirm business decision. Update D12 or Stripe code. |
| 3 | 🔒 Security | No Content-Security-Policy header | Add CSP to Nginx config targeting Stripe JS domains. |
| 4 | 🔒 Security | Backups are unencrypted | Add GPG/AES-256 encryption to backup script. |
| 5 | 🔒 Security | Audit log only app-level immutable | Add PostgreSQL RULE or REVOKE DELETE on audit_event. |
| 6 | 🛡️ DSGVO | No Stripe AVV documentation | Accept Stripe DPA, reference in Datenschutzerklärung. |
| 7 | 🛡️ DSGVO | Audit log retention period undefined | Document legal basis (§257 HGB) + retention in privacy policy. |
| 8 | 💻 Dev | Phase 1 heading says "Hetzner" instead of "IONOS" | Fix heading text. |
### 🟡 Should Fix (Before launch, non-blocking for dev)
| # | Source | Issue | Fix |
|---|--------|-------|-----|
| 9 | 💻 Dev | WebSocket auth mechanism unspecified | Document STOMP CONNECT JWT or session-based auth. |
| 10 | 💻 Dev | `allowedOriginPatterns("*")` in production | Restrict to `cannamanage.plate-software.de`. |
| 11 | 💻 Dev | Photo storage location undefined | Document local filesystem path + future S3 migration. |
| 12 | 💻 Dev | Sensor device auth for IoT undefined | Specify API key-based auth for devices. |
| 13 | 🔒 Security | JWT lifecycle not specified | Define access token TTL (15min) + refresh token (7d). |
| 14 | 🔒 Security | `.env` file permissions not documented | Add chmod 600 + root ownership requirement. |
| 15 | 🛡️ DSGVO | IP address storage not in privacy policy | Add to Datenschutzerklärung with retention period. |
| 16 | 🌱 Grower | No room/location field on GrowEntry | Add optional `location` VARCHAR field. |
| 17 | 🌱 Grower | Sensors modeled per-entry not per-room | Consider `SensorDevice` entity linked to location. |
### 🟢 Nice to Have (Sprint 7+)
| # | Source | Issue | Fix |
|---|--------|-------|-----|
| 18 | 👤 Member | No granular notification preferences | Add mute/category toggles in settings. |
| 19 | 👤 Member | No member-visible grow progress | Read-only grow view for members. |
| 20 | 🏢 Owner | Dunning timeline not documented | Add retry schedule documentation. |
| 21 | 🌱 Grower | No grow templates | Duplicate-from-previous feature. |
| 22 | 🌱 Grower | No yield analytics | Strain performance dashboard. |
| 23 | 💻 Dev | No blue-green deploy | Two-step pull + up for zero-downtime. |
| 24 | 🔒 Security | No fail2ban integration | Watch for 429s, auto-ban repeat offenders. |
---
## Recommendation
**Proceed with development** after resolving the 8 🔴 must-fix items (most are documentation/config corrections, not architectural changes). The plan is solid architecturally and covers all critical go-live requirements. Target the 🟡 items during implementation as they come up naturally in each phase.
**Estimated fix effort:** ~2 hours for document corrections (items 1, 2, 8), ~1 day for security hardening specs (items 37).
docs/sprint-6/cannamanage-sprint6-testplan.md
+881
View File
@@ -0,0 +1,881 @@
# Testplan: CannaManage Sprint 6 — Production Readiness
**Datum:** 2026-06-12
**Modul:** cannamanage (all modules)
**Autor:** Patrick Plate
**Status:** Entwurf v1
**Basis:** cannamanage-sprint6-plan.md (v1)
---
## Testübersicht
| ID | Beschreibung | Typ | Klasse/Tool | Status |
|----|-------------|-----|-------------|--------|
| T-01 | ConsentService: accept consent | Unit | `ConsentServiceTest` | ⬜ |
| T-02 | ConsentService: revoke consent | Unit | `ConsentServiceTest` | ⬜ |
| T-03 | ConsentService: check consent status | Unit | `ConsentServiceTest` | ⬜ |
| T-04 | ConsentService: re-prompt on new version | Unit | `ConsentServiceTest` | ⬜ |
| T-05 | DsgvoService: export user data (ZIP) | Unit | `DsgvoServiceTest` | ⬜ |
| T-06 | DsgvoService: erasure request (anonymize) | Unit | `DsgvoServiceTest` | ⬜ |
| T-07 | DsgvoService: retain legally required data | Unit | `DsgvoServiceTest` | ⬜ |
| T-08 | StripeService: create customer | Unit | `StripeServiceTest` | ⬜ |
| T-09 | StripeService: create checkout session (SEPA) | Unit | `StripeServiceTest` | ⬜ |
| T-10 | StripeService: create billing portal session | Unit | `StripeServiceTest` | ⬜ |
| T-11 | StripeService: handle webhook invoice.paid | Unit | `StripeServiceTest` | ⬜ |
| T-12 | StripeService: handle webhook payment_failed | Unit | `StripeServiceTest` | ⬜ |
| T-13 | StripeService: handle webhook subscription.deleted | Unit | `StripeServiceTest` | ⬜ |
| T-14 | StripeWebhookController: reject invalid signature | Unit | `StripeWebhookControllerTest` | ⬜ |
| T-15 | SubscriptionFilter: block expired subscription | Unit | `SubscriptionFilterTest` | ⬜ |
| T-16 | SubscriptionFilter: allow active subscription | Unit | `SubscriptionFilterTest` | ⬜ |
| T-17 | SubscriptionFilter: allow trial period | Unit | `SubscriptionFilterTest` | ⬜ |
| T-18 | AuditService: log event | Unit | `AuditServiceTest` | ⬜ |
| T-19 | AuditService: immutability (no update/delete) | Integration | `AuditServiceIntegrationTest` | ⬜ |
| T-20 | AuditService: JSON details serialization | Unit | `AuditServiceTest` | ⬜ |
| T-21 | AuditService: server-generated timestamp (Europe/Berlin) | Unit | `AuditServiceTest` | ⬜ |
| T-22 | AuditController: paginated list with filters | Integration | `AuditControllerIntegrationTest` | ⬜ |
| T-23 | AuditController: PDF export | Integration | `AuditControllerIntegrationTest` | ⬜ |
| T-24 | GrowCalendarService: create grow entry | Unit | `GrowCalendarServiceTest` | ⬜ |
| T-25 | GrowCalendarService: update stage transition | Unit | `GrowCalendarServiceTest` | ⬜ |
| T-26 | GrowCalendarService: link harvest to batch | Unit | `GrowCalendarServiceTest` | ⬜ |
| T-27 | GrowCalendarService: reject invalid stage progression | Unit | `GrowCalendarServiceTest` | ⬜ |
| T-28 | NotificationService: quota warning at 80% | Unit | `NotificationServiceTest` | ⬜ |
| T-29 | NotificationService: batch recall notification | Unit | `NotificationServiceTest` | ⬜ |
| T-30 | NotificationService: new distribution notification | Unit | `NotificationServiceTest` | ⬜ |
| T-31 | Flyway V6: consent + audit_event tables created | Integration | `FlywayMigrationTest` | ⬜ |
| T-32 | Flyway V7: stripe columns added to club | Integration | `FlywayMigrationTest` | ⬜ |
| T-33 | Flyway V8: grow_entry table created | Integration | `FlywayMigrationTest` | ⬜ |
| T-34 | Flyway V9: notification table created | Integration | `FlywayMigrationTest` | ⬜ |
| T-35 | Consent flow E2E: login → banner → accept → app access | E2E | Playwright | ⬜ |
| T-36 | Consent flow E2E: login → banner → reject → logout | E2E | Playwright | ⬜ |
| T-37 | Billing page E2E: display plan + upgrade CTA | E2E | Playwright | ⬜ |
| T-38 | Audit log page E2E: filter + pagination + PDF download | E2E | Playwright | ⬜ |
| T-39 | Grow calendar E2E: create entry + drag resize | E2E | Playwright | ⬜ |
| T-40 | Notification bell E2E: receive + display + mark read | E2E | Playwright | ⬜ |
| T-41 | PWA manifest: installable, correct icons | E2E | Lighthouse | ⬜ |
| T-42 | Production smoke test: full user journey | Manual | Production | ⬜ |
| T-43 | Backup/restore: pg_dump + restore verification | Manual | Production | ⬜ |
| T-44 | TLS verification: SSL Labs A+ rating | Manual | SSL Labs | ⬜ |
| T-45 | Load test: 100 concurrent users, p95 < 500ms | Performance | k6 | ⬜ |
Status: ⬜ Offen | ✅ Bestanden | ❌ Fehlgeschlagen | ⏭️ Übersprungen
---
## Testfälle
### T-01: ConsentService — accept consent
**Typ:** Unit
**Klasse:** `de.cannamanage.service.ConsentServiceTest`
**Methode:** `testAcceptConsent()`
**Vorbedingungen:**
- User existiert in der DB
- Kein vorhandener Consent-Eintrag für diesen User + Typ + Version
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Gültiger User, PRIVACY_POLICY, Version "2026-06-v1" | Consent-Entity gespeichert mit IP, User-Agent, Timestamp |
| b | User mit bereits akzeptiertem Consent (gleiche Version) | Exception: ConsentAlreadyAcceptedException |
| c | User mit revoked Consent (gleiche Version) | Neuer Consent-Eintrag erstellt (re-accept möglich) |
**Nachbedingungen:**
- Audit-Log-Eintrag CONSENT_ACCEPTED erstellt
- Consent in DB mit korrektem Timestamp
---
### T-02: ConsentService — revoke consent
**Typ:** Unit
**Klasse:** `de.cannamanage.service.ConsentServiceTest`
**Methode:** `testRevokeConsent()`
**Vorbedingungen:**
- User hat aktiven Consent (acceptedAt != null, revokedAt == null)
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | User mit aktivem Consent | revokedAt gesetzt, Audit-Log CONSENT_REVOKED |
| b | User ohne aktiven Consent | Exception: NoActiveConsentException |
**Nachbedingungen:**
- Nachfolgende API-Aufrufe blockiert (Consent-Check schlägt fehl)
---
### T-03: ConsentService — check consent status
**Typ:** Unit
**Klasse:** `de.cannamanage.service.ConsentServiceTest`
**Methode:** `testCheckConsentStatus()`
**Vorbedingungen:**
- Verschiedene Consent-Zustände in DB
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | User mit aktivem Consent (aktuelle Version) | `true` |
| b | User ohne Consent | `false` |
| c | User mit revoked Consent | `false` |
| d | User mit Consent alter Version (neue Version verfügbar) | `false` (re-prompt nötig) |
---
### T-04: ConsentService — re-prompt on new version
**Typ:** Unit
**Klasse:** `de.cannamanage.service.ConsentServiceTest`
**Methode:** `testRePromptOnNewVersion()`
**Vorbedingungen:**
- User hat Consent für Version "2026-06-v1"
- System-Consent-Version ist jetzt "2026-09-v2"
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Check mit aktueller Version "2026-09-v2" | `false` — user muss neue Version akzeptieren |
| b | Nach Accept der neuen Version | `true` |
---
### T-05: DsgvoService — export user data (ZIP)
**Typ:** Unit
**Klasse:** `de.cannamanage.service.DsgvoServiceTest`
**Methode:** `testExportUserData()`
**Vorbedingungen:**
- User mit Profildaten, Distributions, Quota-History, Consent-Einträgen
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | User mit vollständigen Daten | ZIP enthält: profile.json, distributions.json, quota-history.json, consents.json |
| b | User ohne Distributions | ZIP enthält leere distributions.json (leeres Array) |
| c | User mit gelöschtem Account | Exception: UserNotFoundException |
**Nachbedingungen:**
- Audit-Log-Eintrag DATA_EXPORT_REQUESTED
- ZIP-Datei ist valides ZIP-Format
---
### T-06: DsgvoService — erasure request
**Typ:** Unit
**Klasse:** `de.cannamanage.service.DsgvoServiceTest`
**Methode:** `testErasureRequest()`
**Vorbedingungen:**
- User mit vollständigen Daten, aktiven Sessions
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Gültiger User | Name → "GELÖSCHT", Email → hash, Distributions anonymisiert (Mengen erhalten, Personenbezug entfernt) |
| b | User mit aktivem Consent | Alle Consents revoked |
| c | User mit aktiver Session | Alle Sessions invalidiert |
**Nachbedingungen:**
- Audit-Log-Eintrag DATA_ERASURE_REQUESTED
- Aggregat-Daten für Compliance erhalten (Gesamtmengen pro Monat)
- Kein Personenbezug mehr herstellbar
---
### T-07: DsgvoService — retain legally required data
**Typ:** Unit
**Klasse:** `de.cannamanage.service.DsgvoServiceTest`
**Methode:** `testRetainLegallyRequiredData()`
**Vorbedingungen:**
- User mit Distributions (steuerrelevant, 10-Jahres-Aufbewahrungspflicht)
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Erasure-Request für User mit Distributions | Distributions anonymisiert (member_id → null oder "ANON"), aber Zeilen + Mengen erhalten |
| b | Erasure-Request für User ohne Distributions | Vollständige Löschung aller Daten |
---
### T-08: StripeService — create customer
**Typ:** Unit (mit Stripe Mock)
**Klasse:** `de.cannamanage.service.StripeServiceTest`
**Methode:** `testCreateCustomer()`
**Vorbedingungen:**
- Club und Owner existieren
- Stripe API gemockt
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Club "Grüner Daumen", Owner email "owner@test.de" | Stripe Customer erstellt mit email + metadata (club_id, user_id) |
| b | Club bereits mit stripe_customer_id | Exception: CustomerAlreadyExistsException |
**Nachbedingungen:**
- club.stripeCustomerId gesetzt
---
### T-09: StripeService — create checkout session
**Typ:** Unit (mit Stripe Mock)
**Klasse:** `de.cannamanage.service.StripeServiceTest`
**Methode:** `testCreateCheckoutSession()`
**Vorbedingungen:**
- Club hat stripe_customer_id
- Price ID existiert
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Starter plan, SEPA | Session mit mode=subscription, payment_methods=[sepa_debit,card,paypal], trial=14 days |
| b | Pro plan | Session mit korrektem price_id |
| c | Club ohne stripe_customer_id | Exception: NoStripeCustomerException |
---
### T-10: StripeService — billing portal session
**Typ:** Unit (mit Stripe Mock)
**Klasse:** `de.cannamanage.service.StripeServiceTest`
**Methode:** `testCreateBillingPortalSession()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Club mit activem Subscription | Portal-Session-URL zurückgegeben |
| b | Club ohne Subscription | Exception oder leere Portal-Session |
---
### T-11: StripeService — webhook invoice.paid
**Typ:** Unit
**Klasse:** `de.cannamanage.service.StripeServiceTest`
**Methode:** `testHandleInvoicePaid()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Gültiges invoice.paid Event | Club subscription_status → ACTIVE, Audit-Log PAYMENT_RECEIVED |
| b | Event für unbekannten Customer | Logged + ignoriert (kein Fehler) |
---
### T-12: StripeService — webhook payment_failed
**Typ:** Unit
**Klasse:** `de.cannamanage.service.StripeServiceTest`
**Methode:** `testHandlePaymentFailed()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Gültiges invoice.payment_failed Event | Club subscription_status → PAST_DUE, Audit-Log PAYMENT_FAILED |
| b | Wiederholter Fehlschlag | Status bleibt PAST_DUE (idempotent) |
---
### T-13: StripeService — webhook subscription.deleted
**Typ:** Unit
**Klasse:** `de.cannamanage.service.StripeServiceTest`
**Methode:** `testHandleSubscriptionDeleted()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Gültiges customer.subscription.deleted Event | Club subscription_status → CANCELED, Audit-Log SUBSCRIPTION_CANCELED |
---
### T-14: StripeWebhookController — reject invalid signature
**Typ:** Unit
**Klasse:** `de.cannamanage.api.controller.StripeWebhookControllerTest`
**Methode:** `testRejectInvalidSignature()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Request ohne Stripe-Signature Header | 400 Bad Request |
| b | Request mit ungültiger Signatur | 400 Bad Request |
| c | Request mit gültiger Signatur | 200 OK, Event verarbeitet |
---
### T-15: SubscriptionFilter — block expired subscription
**Typ:** Unit
**Klasse:** `de.cannamanage.api.security.SubscriptionFilterTest`
**Methode:** `testBlockExpiredSubscription()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Club mit status CANCELED | 402 Payment Required |
| b | Club mit status PAST_DUE (>grace period) | 402 Payment Required |
| c | Actuator/health endpoint | Kein Filter (immer erlaubt) |
| d | Webhook endpoint | Kein Filter (immer erlaubt) |
---
### T-16: SubscriptionFilter — allow active subscription
**Typ:** Unit
**Klasse:** `de.cannamanage.api.security.SubscriptionFilterTest`
**Methode:** `testAllowActiveSubscription()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Club mit status ACTIVE | Request durchgelassen |
| b | Club mit status PAST_DUE (innerhalb Grace Period) | Request durchgelassen (mit Warning-Header) |
---
### T-17: SubscriptionFilter — allow trial period
**Typ:** Unit
**Klasse:** `de.cannamanage.api.security.SubscriptionFilterTest`
**Methode:** `testAllowTrialPeriod()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Club mit status TRIALING, trial_ends_at > now | Request durchgelassen |
| b | Club mit status TRIALING, trial_ends_at < now | 402 Payment Required |
---
### T-18: AuditService — log event
**Typ:** Unit
**Klasse:** `de.cannamanage.service.AuditServiceTest`
**Methode:** `testLogEvent()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | DISTRIBUTION_CREATED, actor, entity, description | AuditEvent in DB gespeichert mit allen Feldern |
| b | System-Event (kein Actor) | actorId=null, actorName="SYSTEM" |
| c | Event mit Details (JSON) | details-Feld enthält serialisiertes JSON |
**Nachbedingungen:**
- createdAt server-generiert (nicht aus Request)
---
### T-19: AuditService — immutability
**Typ:** Integration
**Klasse:** `de.cannamanage.service.AuditServiceIntegrationTest`
**Methode:** `testImmutability()`
**Vorbedingungen:**
- AuditEvent in DB gespeichert
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | UPDATE auf audit_event Zeile via EntityManager | Exception (Hibernate @Immutable verhindert Update) |
| b | DELETE auf audit_event Zeile via EntityManager | Exception oder ignoriert |
| c | Native SQL UPDATE | DB-Trigger verhindert Änderung (wenn implementiert) |
---
### T-20: AuditService — JSON details serialization
**Typ:** Unit
**Klasse:** `de.cannamanage.service.AuditServiceTest`
**Methode:** `testJsonDetailsSerialization()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Map mit before/after Werten | Valides JSON in details-Feld |
| b | null details | details-Feld ist null (nicht "null" String) |
| c | Komplexes Objekt mit verschachtelten Feldern | Korrekt serialisiert, deserialisierbar |
---
### T-21: AuditService — server-generated timestamp
**Typ:** Unit
**Klasse:** `de.cannamanage.service.AuditServiceTest`
**Methode:** `testServerGeneratedTimestamp()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Event ohne explizites Timestamp | createdAt = Instant.now() (±1s Toleranz) |
| b | Event mit manipuliertem createdAt im Request | Ignoriert — Server überschreibt via @PrePersist |
---
### T-22: AuditController — paginated list with filters
**Typ:** Integration
**Klasse:** `de.cannamanage.api.controller.AuditControllerIntegrationTest`
**Methode:** `testPaginatedListWithFilters()`
**Vorbedingungen:**
- 100+ Audit-Events in DB (verschiedene Typen, Zeiträume, Akteure)
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | GET /audit?page=0&size=50 | 50 Events, Pagination-Metadaten korrekt |
| b | GET /audit?type=DISTRIBUTION_CREATED | Nur Distribution-Events |
| c | GET /audit?from=2026-06-01&to=2026-06-30 | Nur Events im Juni |
| d | GET /audit?actor=Patrick | Nur Events von Patrick |
| e | GET /audit?search=Northern+Lights | Full-text Suche in description |
---
### T-23: AuditController — PDF export
**Typ:** Integration
**Klasse:** `de.cannamanage.api.controller.AuditControllerIntegrationTest`
**Methode:** `testPdfExport()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | GET /audit/export?format=pdf&from=2026-06-01&to=2026-06-30 | Valides PDF, Content-Type application/pdf |
| b | Export mit 0 Events | PDF mit "Keine Einträge im Zeitraum" Meldung |
| c | Export mit 1000+ Events | PDF generiert ohne OutOfMemory (streamed) |
---
### T-24: GrowCalendarService — create grow entry
**Typ:** Unit
**Klasse:** `de.cannamanage.service.GrowCalendarServiceTest`
**Methode:** `testCreateGrowEntry()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Strain "Northern Lights", SEEDLING, startDate=today, plantCount=10 | GrowEntry gespeichert, Audit-Log |
| b | Ohne strain_id | Validation-Fehler |
| c | endDate vor startDate | Validation-Fehler |
---
### T-25: GrowCalendarService — stage transition
**Typ:** Unit
**Klasse:** `de.cannamanage.service.GrowCalendarServiceTest`
**Methode:** `testStageTransition()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | SEEDLING → VEGETATIVE | Erfolgreich, stage aktualisiert |
| b | SEEDLING → FLOWERING (Stufe übersprungen) | Erlaubt (flexible Progression) |
| c | HARVEST → SEEDLING (Rückwärts) | Erlaubt (Korrektur möglich) |
---
### T-26: GrowCalendarService — link harvest to batch
**Typ:** Unit
**Klasse:** `de.cannamanage.service.GrowCalendarServiceTest`
**Methode:** `testLinkHarvestToBatch()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | GrowEntry im HARVEST-Stage + existierende Batch | linkedBatch gesetzt, Audit-Log HARVEST_LINKED_TO_BATCH |
| b | GrowEntry nicht im HARVEST-Stage | Nur im HARVEST/DRYING/CURING-Stage erlaubt |
| c | Batch bereits mit anderem GrowEntry verknüpft | Warnung (aber erlaubt — ein Batch kann mehrere Grows haben) |
---
### T-27: GrowCalendarService — reject invalid stage
**Typ:** Unit
**Klasse:** `de.cannamanage.service.GrowCalendarServiceTest`
**Methode:** `testRejectInvalidStage()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Stage = null | Validation-Fehler |
| b | Stage = ungültiger String (API-Ebene) | 400 Bad Request |
---
### T-28: NotificationService — quota warning
**Typ:** Unit
**Klasse:** `de.cannamanage.service.NotificationServiceTest`
**Methode:** `testQuotaWarning()`
**Vorbedingungen:**
- SimpMessagingTemplate gemockt
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | userId=42, percentUsed=80 | Message an /user/42/queue/notifications mit type=QUOTA_WARNING |
| b | userId=42, percentUsed=95 | Gleiche Nachricht (Schwellwert-Logik liegt im Aufrufer) |
---
### T-29: NotificationService — batch recall
**Typ:** Unit
**Klasse:** `de.cannamanage.service.NotificationServiceTest`
**Methode:** `testBatchRecallNotification()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | clubId=1, batchName="Northern Lights #7" | Message an /topic/club/1/notifications mit type=BATCH_RECALL |
---
### T-30: NotificationService — new distribution
**Typ:** Unit
**Klasse:** `de.cannamanage.service.NotificationServiceTest`
**Methode:** `testNewDistributionNotification()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | memberId=7, "Northern Lights", 5.0g | Message an /user/7/queue/notifications mit type=DISTRIBUTION |
---
### T-31: Flyway V6 — consent + audit_event tables
**Typ:** Integration
**Klasse:** `de.cannamanage.FlywayMigrationTest`
**Methode:** `testV6ConsentAndAuditTables()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Migration V6 ausführen | Tabellen `consent` und `audit_event` existieren |
| b | consent: unique constraint (user_id, consent_type, version) | Duplikat-Insert schlägt fehl |
| c | audit_event: JSONB column für details | INSERT mit JSON-Wert funktioniert |
---
### T-32: Flyway V7 — stripe columns
**Typ:** Integration
**Klasse:** `de.cannamanage.FlywayMigrationTest`
**Methode:** `testV7StripeColumns()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Migration V7 ausführen | Spalten stripe_customer_id, subscription_status, subscription_plan, trial_ends_at in club |
| b | Existierende Clubs | NULL-Werte für neue Spalten (keine Default-Pflicht) |
---
### T-33: Flyway V8 — grow_entry table
**Typ:** Integration
**Klasse:** `de.cannamanage.FlywayMigrationTest`
**Methode:** `testV8GrowEntryTable()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Migration V8 ausführen | Tabelle `grow_entry` mit FK zu strain + batch |
| b | INSERT mit gültigem strain_id | Erfolgreich |
| c | INSERT mit ungültigem strain_id | FK-Violation |
---
### T-34: Flyway V9 — notification table
**Typ:** Integration
**Klasse:** `de.cannamanage.FlywayMigrationTest`
**Methode:** `testV9NotificationTable()`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Migration V9 ausführen | Tabelle `notification` existiert |
| b | Index auf (user_id, read_at) | Performante Abfrage ungelesener Notifications |
---
### T-35: Consent Flow E2E — accept
**Typ:** E2E (Playwright)
**Klasse:** `e2e/consent-flow.spec.ts`
**Vorbedingungen:**
- Neuer User (kein Consent in DB)
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Login → Consent-Banner erscheint | Modal sichtbar, "Akzeptieren" + "Ablehnen" Buttons |
| b | Klick "Akzeptieren" | Modal verschwindet, Dashboard wird geladen |
| c | Erneuter Login (gleicher User) | Kein Banner (Consent bereits akzeptiert) |
---
### T-36: Consent Flow E2E — reject
**Typ:** E2E (Playwright)
**Klasse:** `e2e/consent-flow.spec.ts`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Login → Klick "Ablehnen" | Redirect zu Login-Seite, Session invalidiert |
| b | Versuch direkter Navigation zu /dashboard (ohne Consent) | Redirect zu Consent-Banner |
---
### T-37: Billing Page E2E
**Typ:** E2E (Playwright)
**Klasse:** `e2e/billing.spec.ts`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Navigate zu /settings/billing (Trial-User) | Pricing Cards sichtbar (Starter + Pro) |
| b | Navigate zu /settings/billing (Active Subscriber) | Aktueller Plan + "Verwalten" Button sichtbar |
| c | Klick "Verwalten" | Redirect zu Stripe Billing Portal |
---
### T-38: Audit Log Page E2E
**Typ:** E2E (Playwright)
**Klasse:** `e2e/audit-log.spec.ts`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Navigate zu /admin/audit-log | Tabelle mit Events sichtbar |
| b | Filter nach Typ "Distribution" | Nur Distribution-Events angezeigt |
| c | Klick "PDF Export" | PDF-Download startet |
| d | Pagination (Seite 2) | Neue Events geladen |
---
### T-39: Grow Calendar E2E
**Typ:** E2E (Playwright)
**Klasse:** `e2e/grow-calendar.spec.ts`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Navigate zu /grow | FullCalendar sichtbar mit Monatsansicht |
| b | Klick auf Datum | Create-Dialog öffnet sich |
| c | Formular ausfüllen + speichern | Neuer farbiger Block im Kalender |
| d | Klick auf existierenden Block | Detail-Panel mit Edit/Delete |
---
### T-40: Notification Bell E2E
**Typ:** E2E (Playwright)
**Klasse:** `e2e/notifications.spec.ts`
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Notification empfangen (via WebSocket) | Bell-Icon zeigt Badge mit Anzahl |
| b | Klick auf Bell | Dropdown mit Notification-Liste |
| c | Klick auf einzelne Notification | Als gelesen markiert, Badge decremented |
---
### T-41: PWA Manifest
**Typ:** E2E (Lighthouse)
**Tool:** Lighthouse PWA Audit
**Szenarien:**
| # | Eingabe | Erwartetes Ergebnis |
|---|---------|-------------------|
| a | Lighthouse PWA Audit | installable=true, manifest valid, service worker registered |
| b | Icons vorhanden | 192px + 512px PNG Icons |
| c | Offline-Seite | Netzwerk trennen → offline.html angezeigt (statt Browser-Fehler) |
---
### T-42: Production Smoke Test
**Typ:** Manual (Production)
**Tool:** Browser auf cannamanage.de
**Szenarien:**
| # | Aktion | Erwartetes Ergebnis |
|---|--------|-------------------|
| a | Registrierung neuer Club | Account erstellt, Consent-Banner erscheint |
| b | Consent akzeptieren | Zugang zur App |
| c | Subscription (Stripe Test-Karte) | Checkout → Subscription aktiv |
| d | Mitglied anlegen | Mitglied in Liste sichtbar |
| e | Ausgabe aufzeichnen | Distribution erstellt, Quota aktualisiert |
| f | Audit-Log prüfen | Alle Aktionen geloggt |
| g | PDF Export | Valides PDF heruntergeladen |
| h | Grow-Eintrag erstellen | Kalender zeigt Eintrag |
| i | Notification empfangen | Bell-Icon zeigt neue Notification |
---
### T-43: Backup/Restore Verification
**Typ:** Manual (Production)
**Tool:** SSH + pg_dump/pg_restore
**Szenarien:**
| # | Aktion | Erwartetes Ergebnis |
|---|--------|-------------------|
| a | pg_dump auf Production | Komprimiertes SQL-File erstellt |
| b | Restore in leere DB | Alle Tabellen + Daten wiederhergestellt |
| c | Cron-Job Ausführung prüfen | Backup-Datei < 24h alt in /backup/ |
| d | Rotation prüfen | Keine Dateien > 7 Tage in /backup/ |
---
### T-44: TLS Verification
**Typ:** Manual
**Tool:** SSL Labs (ssllabs.com/ssltest)
**Szenarien:**
| # | Aktion | Erwartetes Ergebnis |
|---|--------|-------------------|
| a | SSL Labs Test auf cannamanage.de | Rating: A+ |
| b | HSTS Header prüfen | Strict-Transport-Security present, max-age ≥ 63072000 |
| c | Mixed Content prüfen | Keine HTTP-Ressourcen auf HTTPS-Seite |
---
### T-45: Load Test
**Typ:** Performance
**Tool:** k6
**Script:** `scripts/load-test.js`
**Szenarien:**
| # | Konfiguration | Erwartetes Ergebnis |
|---|--------------|-------------------|
| a | 100 VUs, 5 min, Ramp-up 30s | p95 < 500ms, 0 errors |
| b | API endpoints: /dashboard, /members, /distributions | Alle < 500ms p95 |
| c | WebSocket connections: 50 concurrent | Stable, kein Disconnect |
---
## Testdaten
### Seed-Daten (für Unit/Integration Tests)
- **Club:** "Testverein Grüner Daumen" (id=1)
- **Users:** admin@test.de (ADMIN), staff@test.de (STAFF), member@test.de (MEMBER)
- **Members:** 5 Testmitglieder mit verschiedenen Quota-Ständen (0%, 50%, 80%, 95%, 100%)
- **Batches:** 3 Batches (Northern Lights, Amnesia Haze, White Widow)
- **Distributions:** 20 historische Distributionen
- **Strains:** 5 Sorten mit THC/CBD-Werten
- **Grow Entries:** 3 in verschiedenen Stages
### Stripe Test-Daten
- Stripe Test-Karte: `4242424242424242` (Erfolg)
- Stripe Test-SEPA: `DE89370400440532013000` (Erfolg)
- Stripe Test-Karte: `4000000000000002` (Ablehnung)
- Webhook Events: via Stripe CLI (`stripe listen --forward-to localhost:8080/api/v1/webhooks/stripe`)
---
## Testabdeckung
| Komponente | Unit | Integration | E2E | Manual | Gesamt |
|-----------|------|-------------|-----|--------|--------|
| ConsentService | 4 | 0 | 2 | 0 | 6 |
| DsgvoService | 3 | 0 | 0 | 0 | 3 |
| StripeService | 6 | 0 | 1 | 0 | 7 |
| StripeWebhookController | 1 | 0 | 0 | 0 | 1 |
| SubscriptionFilter | 3 | 0 | 0 | 0 | 3 |
| AuditService | 4 | 2 | 1 | 0 | 7 |
| GrowCalendarService | 4 | 0 | 1 | 0 | 5 |
| NotificationService | 3 | 0 | 1 | 0 | 4 |
| Flyway Migrations | 0 | 4 | 0 | 0 | 4 |
| PWA/Production | 0 | 0 | 1 | 3 | 4 |
| Performance | 0 | 0 | 0 | 1 | 1 |
| **Summe** | **28** | **6** | **7** | **4** | **45** |
---
## Hinweise
- **Stripe-Tests:** Verwenden gemockten Stripe-Client (keine echten API-Calls in Unit-Tests). Integration mit Stripe CLI für Webhook-Testing.
- **WebSocket-Tests:** SimpMessagingTemplate wird gemockt. E2E-Test prüft echte WS-Verbindung.
- **Immutability:** Zusätzlich zum Hibernate @Immutable kann ein DB-Trigger empfohlen werden — Test T-19c prüft dies nur wenn implementiert.
- **DSGVO-Tests:** Besonderes Augenmerk auf Datenminimierung — Tests verifizieren, dass Löschung vollständig ist UND dass legal notwendige Daten erhalten bleiben.
- **Performance-Test:** k6 Script wird in Phase 7 erstellt. Baseline-Werte nach Phase 1 Deployment messen.