Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,14 @@ All notable changes to the FIVUCSAS client apps (Android, iOS, Desktop).
`InviteApiImpl.getReceivedInvites()` now returns an empty list until a backend
listing endpoint exists, so the screen shows its proper empty state. Restore the
call when the endpoint ships.
- **Activity History now loads real data (#83).** The "History" tab was a hardcoded
empty list that never called the API. It now loads the current user's own events
from the existing `GET /api/v1/my/activity` (the admin `/audit-logs` endpoint 403s
for end users), maps each action to the All / Verifications / Enrollments chips
(`VERIF*` → verification, `ENROLL*` → enrollment), shows a loading state, and
surfaces load errors with a Retry instead of rendering an error as "empty". New
`ActivityHistoryViewModel` + `getMyActivity` on the audit API/repository. EN + TR
(`ACTHIST_LOAD_ERROR`).

### Changed

Expand Down
51 changes: 33 additions & 18 deletions docs/MOBILE_TRIAGE_2026-06-03.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,12 @@ intended.
| # | Issue | Root cause | Status |
|---|-------|-----------|--------|
| 1 | "My Invitations" crashes with a JSON/array decode error | Mobile calls `GET /api/v1/invites/received`; **no such backend endpoint** → 404 object decoded as a list → serializer throws. Mobile is ahead of the API. | **FIXED-HERE** |
| 2 | Activity History always empty | Screen is a hardcoded `emptyList()` (`ActivityHistoryScreen.kt:61`); never calls the API. Correct endpoint `GET /api/v1/my/activity` **exists** and the web app uses it. | **DEFERRED** |
| 2 | Activity History always empty | Screen is a hardcoded `emptyList()` (`ActivityHistoryScreen.kt:61`); never calls the API. Correct endpoint `GET /api/v1/my/activity` **exists** and the web app uses it. | **FIXED** (#83) |
| 3 | Settings: dead/misleading controls | "Enable Notifications" + "Biometric Authentication" + "Analytics" switches are local no-ops (two default ON). The "Voice, Voice Search, OTP, TOTP, Liveness, Card, Token" line is a static string advertising 6 methods the app no longer ships, mislabeled under "Biometric Authentication". | **FIXED-HERE** |
| 4 | Notifications always empty | Hardcoded `emptyList()` (`NotificationsScreen.kt:40`). **No notifications-feed endpoint exists** on the backend (only notification *preferences*). | **FIXED-HERE** (bell hidden) |
| 5 | "Login requests" inaccessible from web | Backend + mobile approver + web initiator panel are all built, but the web launch button was removed in PR #141 and **never re-homed**, so nothing can start a request → mobile screen always empty. | **DEFERRED** |
| 5 | "Login requests" inaccessible from web | Backend + mobile approver + web initiator panel are all built, but the web launch button was removed in PR #141 and **never re-homed**, so nothing can start a request → mobile screen always empty. | **FIXED** (web #199 re-homed the button) |
| 6 | "Scan ID Card / Capture Front" — what is it? | The "Add Card" photo wizard (`CardScanScreen.kt`). It photographs the card, said "Card Added Successfully", then **discards the images** — no OCR, no upload, no backend. | **FIXED-HERE** (honest copy) |
| 7 | QR login "not working because of mobile" | Two unrelated QR systems. Cross-device QR login (phone scans desktop) has a complete mobile+API half but the **web/desktop screen that shows the login QR was never built**. The web's only QR is a same-device MFA step. | **DEFERRED** |
| 7 | QR login "not working because of mobile" | Two unrelated QR systems. Cross-device QR login (phone scans desktop) has a complete mobile+API half but the **web/desktop screen that shows the login QR was never built**. The web's only QR is a same-device MFA step. | **PARTIAL** (web #199 built the desktop QR; multi-step handoff deferred) |
| 8 | "Scan with MRZ" disabled | Button requires the 3 MRZ fields; v5.3.0 added a "Scan MRZ with camera" button that auto-fills them (PR #80). | **FIXED-IN-5.3.0** |
| 9 | QR bottom button invisible | QR screen now scrolls + has nav-bar insets (PR #80); button is reachable (may be below the fold). | **FIXED-IN-5.3.0** |
| 10 | "Join a Tenant" / "Members: 0" | Honest read-only directory; self-service join genuinely doesn't exist. "Members: 0" is real data (tenants the user isn't in, scoped by the tenant filter), not a bug. | **BY-DESIGN** |
Expand All @@ -45,18 +45,33 @@ intended.

> All mobile fixes require an **APK rebuild + reinstall** to reach the phone.

## Deferred follow-ups (not in this branch)

- **#2 Activity History** — add a `getMyActivity(page,size)` client method hitting
`GET /api/v1/my/activity` (the admin `audit-logs` path 403s for end users), wire
`ActivityHistoryScreen` to a ViewModel, map actions to the All/Verifications/
Enrollments chips. Mobile-only; the endpoint already exists. *(Was scope B.)*
- **#5 Approve-login** — re-home the launch button removed in web PR #141 (add
"Approve on another device" after the identifier step → `setShowApproveLogin(true)` /
`setAltFlow('approveLogin')`). All other plumbing exists. *(Was scope B.)*
- **#7 Cross-device QR login** — build the missing desktop "Sign in with your phone"
screen (`POST /auth/qr/session` → render QR encoding the **sessionId** → poll
`GET /auth/qr/session/{id}`). Note the sessionId-vs-qrContent identifier ambiguity
before implementing.
- **#4 Notifications feed** / **#1 invitations-received list** — need new backend
endpoints; post-demo.
## Resolution (2026-06-03)

The scope-B follow-ups were built and shipped the same day:

- **#2 Activity History — DONE (client-apps #83, merged).** New `getMyActivity(page,size)`
on the audit API/repository hitting `GET /api/v1/my/activity`, a new
`ActivityHistoryViewModel`, action→chip mapping, loading + Retry-on-error states.
Reaches devices on the next APK rebuild.
- **#5 Approve-login — DONE (web-app #199, merged + deployed).** `Layer1Shortcuts`
renders the "Approve on another device" button again (both `LoginPage` and
`HostedLoginApp` already passed `onApproveClick`; the panel self-collects the email).
So a web sign-in can finally surface a request on the mobile "Login requests" screen.
- **#7 Cross-device QR login — PARTIAL (web-app #199, merged + deployed).** New
`qr-login.ts` + `QrLoginPanel` on both surfaces; the QR encodes the **sessionId**
(`fivucsas://qr-login?session=<id>` — what the mobile scanner resolves; `qrContent`
is not a lookup key). Works end-to-end for single-step tenants (browser-verified
live on app.fivucsas.com). **Remaining:** a multi-step tenant (e.g. Marmara) returns
`mfaRequired` and the panel shows "continue here" rather than bridging the
`mfaSessionToken` into the step-up flow — that handoff needs a small API change (add
the next step's `availableMethods` to the QR poll response) and was deferred to avoid
a prod API rebuild right before the demo.

Deploy state: **app.fivucsas.com** auto-deployed via the Hostinger workflow on merge;
**verify.fivucsas.com** rebuilt + redeployed (Docker). The **mobile** fixes (scope-A +
#83) reach the phone only after an operator **APK rebuild + reinstall**.

## Still deferred (need new backend endpoints)

- **#4 Notifications feed** / **#1 invitations-received list** — post-demo; no backend
endpoint exists yet.