The submit button is only enabled/disabled after the end user changes focus of either of the password fields. Better feedback when checked after each keystroke.

Every template that uses this kind of syntax (i.e. profile, control_create_user, about):

<html th:insert="fragments/standard_page :: page(~{ :: .main-content})">

raises the following exception when running in a production environment:

ERROR [https-jsse-nio-443-exec-4] org.thymeleaf.TemplateEngine             : [THYMELEAF][https-jsse-nio-443-exec-4] Exception processing template "control_create_user": Error resolving template [/fragments/common], template might not exist or might not be accessible by any of the configured Template Resolvers (template: "fragments/standard_page" - line 4, col 7)
org.thymeleaf.exceptions.TemplateInputException: Error resolving template [/fragments/common], template might not exist or might not be accessible by any of the configured Template Resolvers (template: "fragments/standard_page" - line 4, col 7)

This does not happen during development.

Not specifying a file and putting some password in the upload form is apparently valid input for both the controller and service, since there is a file, it just doesn't have any content. This shouldn't be allowed.

Currently, file lifetimes are set at 60 minutes (via hidden field) and set to expire after download after 15 minutes. Allow logged in users to change both of these.

User is effectively locked out of their account if they don't remember their password. Add "Forgot password" button to login page and allow user to reset their password via secure link to their email inbox.

Have to modify all AJAX requests to account for this rather than just adding more URLs to the ignore list.

Ground work for email confirmation is set up, but not verified to actually yet work.

Trying to upload a large file (>~10 MB) results in a net::ERR_CONNECTION_RESET result in my environment (Windows 11 / Brave). Unsure what's causing this.

If a user changes their email address, there is currently no option to, nor is there a verification link sent to the new email address. Add a button to allow this in the profile details page.

Currently, a logged in user is logged out when they close their browser. There should be a "Remember me" checkbox when logging in which will store the credentials in the browser, allowing for persistent sessions when closing and reopening.

/contact and /about are linked in the footer, but results in a 404 for both routes. Don't know whether to hardcode the content of these pages or allow webmaster to edit external format/template files.

Aside from the temporary debug route, there doesn't currently exist any way for anyone to edit the site without accessing AWS services or the database. Should add a control panel that is only accessible to admins to allow adding, deleting, viewing, or updating resources.

How to replicate:

1. Upload file
2. Go to /control/files
3. Search for files utilizing "Uploaded after" or "Uploaded before" fields
4. No files are returned, no exception is thrown

Even forcing an exception with onTypeMismatch = OnTypeMismatch.EXCEPTION in the spec definition doesn't yield any different behavior. I suspect the suspect @Spec arguments need some weird format to actually parse.

Trying to view the details of a file via /view/{id} yields a fallback error page. Should change this to a specialized error page.

Anonymous users should have a lifespan limit of 60 minutes, while members should have a limit of 24 hours. However, the controller doesn't check for this and the underlying service assumes any user is a member. This allows any anonymous member to set lifespans up to 24 hours.

Certain field values that exist in the application.properties file (i.e. passwords, secret access keys, IP address, etc.) should not be viewable in plaintext. The Jasypt library looks to be an ideal solution.

Currently no feedback is communicated to the end user if they input an invalid value for any of the fields in the /login or /register pages.

• Use HTML input validation as much as possible
• Use jQuery as a backup
• Display server-sent error messages in browser

While email verification is functional, whether the user's email is verified or not doesn't actually affect their experience using the site. They should be treated as guest/anonymous users until their email is verified.

There is no authentication that happens when accessing the bulk delete files or update file route. It is not accounted for in the web security configuration, nor does the router have any @PreAuthorize annotation. This should absolutely not be the case, and should only be available to admins.

Currently end users can create accounts and can log in and log out of them, but cannot view their details, edit any of their details, nor check on their uploaded files.