From c596d6b8eb1d8dfcfac48afde8bb25cd6a5def11 Mon Sep 17 00:00:00 2001 From: Ahmet Abdullah Gultekin Date: Wed, 3 Jun 2026 09:29:06 +0000 Subject: [PATCH] docs: reconcile mobile triage + CHANGELOG (Activity History #83 shipped; scope-B done) - CHANGELOG: add the Activity History wiring (#83) under [Unreleased]. - docs/MOBILE_TRIAGE_2026-06-03.md: mark #2 (Activity History), #5 (approve-login) FIXED and #7 (cross-device QR) PARTIAL; replace 'Deferred follow-ups' with a Resolution section (client-apps #82/#83, web-app #199 merged + deployed) + the remaining backend-deferred items. Co-Authored-By: Claude Opus 4.8 (1M context) --- CHANGELOG.md | 8 +++++ docs/MOBILE_TRIAGE_2026-06-03.md | 51 +++++++++++++++++++++----------- 2 files changed, 41 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2187455e..54552b9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,14 @@ All notable changes to the FIVUCSAS client apps (Android, iOS, Desktop). `InviteApiImpl.getReceivedInvites()` now returns an empty list until a backend listing endpoint exists, so the screen shows its proper empty state. Restore the call when the endpoint ships. +- **Activity History now loads real data (#83).** The "History" tab was a hardcoded + empty list that never called the API. It now loads the current user's own events + from the existing `GET /api/v1/my/activity` (the admin `/audit-logs` endpoint 403s + for end users), maps each action to the All / Verifications / Enrollments chips + (`VERIF*` → verification, `ENROLL*` → enrollment), shows a loading state, and + surfaces load errors with a Retry instead of rendering an error as "empty". New + `ActivityHistoryViewModel` + `getMyActivity` on the audit API/repository. EN + TR + (`ACTHIST_LOAD_ERROR`). ### Changed diff --git a/docs/MOBILE_TRIAGE_2026-06-03.md b/docs/MOBILE_TRIAGE_2026-06-03.md index 926f2386..a5526fe8 100644 --- a/docs/MOBILE_TRIAGE_2026-06-03.md +++ b/docs/MOBILE_TRIAGE_2026-06-03.md @@ -21,12 +21,12 @@ intended. | # | Issue | Root cause | Status | |---|-------|-----------|--------| | 1 | "My Invitations" crashes with a JSON/array decode error | Mobile calls `GET /api/v1/invites/received`; **no such backend endpoint** → 404 object decoded as a list → serializer throws. Mobile is ahead of the API. | **FIXED-HERE** | -| 2 | Activity History always empty | Screen is a hardcoded `emptyList()` (`ActivityHistoryScreen.kt:61`); never calls the API. Correct endpoint `GET /api/v1/my/activity` **exists** and the web app uses it. | **DEFERRED** | +| 2 | Activity History always empty | Screen is a hardcoded `emptyList()` (`ActivityHistoryScreen.kt:61`); never calls the API. Correct endpoint `GET /api/v1/my/activity` **exists** and the web app uses it. | **FIXED** (#83) | | 3 | Settings: dead/misleading controls | "Enable Notifications" + "Biometric Authentication" + "Analytics" switches are local no-ops (two default ON). The "Voice, Voice Search, OTP, TOTP, Liveness, Card, Token" line is a static string advertising 6 methods the app no longer ships, mislabeled under "Biometric Authentication". | **FIXED-HERE** | | 4 | Notifications always empty | Hardcoded `emptyList()` (`NotificationsScreen.kt:40`). **No notifications-feed endpoint exists** on the backend (only notification *preferences*). | **FIXED-HERE** (bell hidden) | -| 5 | "Login requests" inaccessible from web | Backend + mobile approver + web initiator panel are all built, but the web launch button was removed in PR #141 and **never re-homed**, so nothing can start a request → mobile screen always empty. | **DEFERRED** | +| 5 | "Login requests" inaccessible from web | Backend + mobile approver + web initiator panel are all built, but the web launch button was removed in PR #141 and **never re-homed**, so nothing can start a request → mobile screen always empty. | **FIXED** (web #199 re-homed the button) | | 6 | "Scan ID Card / Capture Front" — what is it? | The "Add Card" photo wizard (`CardScanScreen.kt`). It photographs the card, said "Card Added Successfully", then **discards the images** — no OCR, no upload, no backend. | **FIXED-HERE** (honest copy) | -| 7 | QR login "not working because of mobile" | Two unrelated QR systems. Cross-device QR login (phone scans desktop) has a complete mobile+API half but the **web/desktop screen that shows the login QR was never built**. The web's only QR is a same-device MFA step. | **DEFERRED** | +| 7 | QR login "not working because of mobile" | Two unrelated QR systems. Cross-device QR login (phone scans desktop) has a complete mobile+API half but the **web/desktop screen that shows the login QR was never built**. The web's only QR is a same-device MFA step. | **PARTIAL** (web #199 built the desktop QR; multi-step handoff deferred) | | 8 | "Scan with MRZ" disabled | Button requires the 3 MRZ fields; v5.3.0 added a "Scan MRZ with camera" button that auto-fills them (PR #80). | **FIXED-IN-5.3.0** | | 9 | QR bottom button invisible | QR screen now scrolls + has nav-bar insets (PR #80); button is reachable (may be below the fold). | **FIXED-IN-5.3.0** | | 10 | "Join a Tenant" / "Members: 0" | Honest read-only directory; self-service join genuinely doesn't exist. "Members: 0" is real data (tenants the user isn't in, scoped by the tenant filter), not a bug. | **BY-DESIGN** | @@ -45,18 +45,33 @@ intended. > All mobile fixes require an **APK rebuild + reinstall** to reach the phone. -## Deferred follow-ups (not in this branch) - -- **#2 Activity History** — add a `getMyActivity(page,size)` client method hitting - `GET /api/v1/my/activity` (the admin `audit-logs` path 403s for end users), wire - `ActivityHistoryScreen` to a ViewModel, map actions to the All/Verifications/ - Enrollments chips. Mobile-only; the endpoint already exists. *(Was scope B.)* -- **#5 Approve-login** — re-home the launch button removed in web PR #141 (add - "Approve on another device" after the identifier step → `setShowApproveLogin(true)` / - `setAltFlow('approveLogin')`). All other plumbing exists. *(Was scope B.)* -- **#7 Cross-device QR login** — build the missing desktop "Sign in with your phone" - screen (`POST /auth/qr/session` → render QR encoding the **sessionId** → poll - `GET /auth/qr/session/{id}`). Note the sessionId-vs-qrContent identifier ambiguity - before implementing. -- **#4 Notifications feed** / **#1 invitations-received list** — need new backend - endpoints; post-demo. +## Resolution (2026-06-03) + +The scope-B follow-ups were built and shipped the same day: + +- **#2 Activity History — DONE (client-apps #83, merged).** New `getMyActivity(page,size)` + on the audit API/repository hitting `GET /api/v1/my/activity`, a new + `ActivityHistoryViewModel`, action→chip mapping, loading + Retry-on-error states. + Reaches devices on the next APK rebuild. +- **#5 Approve-login — DONE (web-app #199, merged + deployed).** `Layer1Shortcuts` + renders the "Approve on another device" button again (both `LoginPage` and + `HostedLoginApp` already passed `onApproveClick`; the panel self-collects the email). + So a web sign-in can finally surface a request on the mobile "Login requests" screen. +- **#7 Cross-device QR login — PARTIAL (web-app #199, merged + deployed).** New + `qr-login.ts` + `QrLoginPanel` on both surfaces; the QR encodes the **sessionId** + (`fivucsas://qr-login?session=` — what the mobile scanner resolves; `qrContent` + is not a lookup key). Works end-to-end for single-step tenants (browser-verified + live on app.fivucsas.com). **Remaining:** a multi-step tenant (e.g. Marmara) returns + `mfaRequired` and the panel shows "continue here" rather than bridging the + `mfaSessionToken` into the step-up flow — that handoff needs a small API change (add + the next step's `availableMethods` to the QR poll response) and was deferred to avoid + a prod API rebuild right before the demo. + +Deploy state: **app.fivucsas.com** auto-deployed via the Hostinger workflow on merge; +**verify.fivucsas.com** rebuilt + redeployed (Docker). The **mobile** fixes (scope-A + +#83) reach the phone only after an operator **APK rebuild + reinstall**. + +## Still deferred (need new backend endpoints) + +- **#4 Notifications feed** / **#1 invitations-received list** — post-demo; no backend + endpoint exists yet.