New initial page

.github/workflows/deploy.yml

@@ -0,0 +1,49 @@
+name: Deploy to GitHub Pages
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    name: Build Docusaurus
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+      - name: Build website
+        run: npm run build
+
+      - name: Upload Build Artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: build
+
+  deploy:
+    name: Deploy to GitHub Pages
+    needs: build
+
+    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
+    permissions:
+      pages: write # to deploy to Pages
+      id-token: write # to verify the deployment originates from an appropriate source
+
+    # Deploy to the github-pages environment
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/test-deploy.yml

@@ -0,0 +1,24 @@
+name: Test deployment
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test-deploy:
+    name: Test deployment
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: npm
+
+      - name: Install dependencies
+        run: npm  ci
+      - name: Test build website
+        run: npm run build

.gitignore

@@ -0,0 +1,20 @@
+# Dependencies
+/node_modules
+
+# Production
+/build
+
+# Generated files
+.docusaurus
+.cache-loader
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*

.prettierignore

@@ -0,0 +1,15 @@
+.gitattributes
+.gitignore
+.prettierignore
+package-lock.json
+
+.vscode
+node_modules
+dist
+bin
+obj
+
+*.min.js
+.cache
+.yarn
+*.hbs

.prettierrc.json

@@ -0,0 +1,8 @@
+{
+    "$schema": "http://json.schemastore.org/prettierrc",
+    "tabWidth": 4,
+    "arrowParens": "avoid",
+    "printWidth": 140,
+    "trailingComma": "none",
+    "endOfLine": "auto"
+}

README.md

@@ -1 +1,41 @@
-# oneground.github.io
+# Website
+
+This website is built using [Docusaurus](https://docusaurus.io/), a modern static website generator.
+
+### Installation
+
+```
+$ yarn
+```
+
+### Local Development
+
+```
+$ yarn start
+```
+
+This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.
+
+### Build
+
+```
+$ yarn build
+```
+
+This command generates static content into the `build` directory and can be served using any static contents hosting service.
+
+### Deployment
+
+Using SSH:
+
+```
+$ USE_SSH=true yarn deploy
+```
+
+Not using SSH:
+
+```
+$ GIT_USER=<Your GitHub username> yarn deploy
+```
+
+If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.

blog/2024-12-03-best-practices-for-jwt-usage-in-apis.md

@@ -0,0 +1,81 @@
+---
+slug: best-practices-for-jwt-usage-in-apis
+title: Best Practices for JWT Usage in APIs
+authors: giedriusgrabauskas
+tags: [security]
+---
+
+# Best Practices for JWT Usage in APIs
+
+JSON Web Tokens (JWT) is an essential part of modern API ecosystems, providing a secure and efficient method for verifying user identities and exchanging information between parties. However, as with any security mechanism, improper implementation can introduce vulnerabilities.
+
+<!-- truncate -->
+
+## Core Concepts of JWT
+
+A JWT is a compact, URL-safe token format that encodes information in three parts:
+
+1. **Header:** Specifies the token type and signing algorithm.
+2. **Payload:** Carries the claims, which include user-related data or other metadata.
+3. **Signature:** Validates the token's integrity using a secret key or public/private key pair.
+
+When used appropriately, JWTs enable stateless authentication, eliminating the need for the server to store session data. The token itself holds all essential authentication information and expires after a defined period.
+
+## JWT Usage Recommendations for Your Applications
+
+To maximize security, we recommend the following best practices:
+
+### 1. Use Properly Configured Claims
+
+JWT claims are key-value pairs encoded into the token's payload. While you can include custom claims based on your API's needs, several standard claims form the backbone of a well-constructed JWT:
+
+- **iss (Issuer):** Identifies the entity that issued the JWT. Always explicitly set the `iss` claim to indicate the origin of the token. Both the API and consuming applications should agree on the expected `iss` value in advance, and the application generating the JWT should include its name or link in this claim. Tokens with missing or incorrect `iss` values may be rejected by the API for security purposes.
+
+- **exp (Expiration Time):** Sets the token's expiration date and time using a Unix timestamp. This ensures the token cannot be used indefinitely, even if it is compromised.
+
+- **aud (Audience):** Defines the intended audience for the token. By specifying the `aud` claim, an API can ensure that the token is meant for its use and not an unrelated service.
+
+- **iat (Issued At):** The timestamp of when the token was created, which can help detect tokens created in the future by malicious actors.
+
+### 2. Limit Token Lifetimes (`exp`)
+
+Long-lived tokens pose a significant risk if they are leaked or intercepted. To protect sensitive resources, set an appropriate expiration time (`exp`) when creating tokens (from 5 minutes to a few hours) and avoid using long expiration times (e.g., months or years) for tokens, especially those used in production.
+
+So, using short-lived tokens reduces the window for potential misuse when the token is compromised. Even if an unauthorized party gains access to a token, the inherent time restriction ensures its usability is limited.
+
+### 3. Secure Your Secrets
+
+When generating JWTs signed with symmetric algorithms, a secret key is used to sign and validate the token. If this secret is exposed, attackers can create their valid tokens. To prevent this:
+
+- Store secrets securely and never expose them in source code or client-side applications.
+- Rotate signing secrets periodically, at least each year, to minimize the impact of a potential breach.
+
+### 4. Use Trusted Libraries
+
+When implementing JWT functionality in your applications, selecting the correct library is crucial for ensuring security and reliability.
+
+- Use well-established libraries that are actively maintained, widely used, and trusted for their security.
+- Keep libraries up to date to address vulnerabilities and use dependency management tools to track outdated versions.
+- Avoid building custom implementations for JWT tokens, as they can lead to security gaps and missed edge-case scenarios.
+
+### 5. Assign Each Client ID to a Single Application (`client_id`)
+
+Each JWT token should be associated with a unique client ID for improved security and accountability, which must be dedicated to only one application.
+
+- **Traceability:** Enables effective tracking and auditing of each client’s actions.
+- **Prevent Token Sharing:** Ensures tokens are not shared across multiple clients, minimizing the risk of unauthorized access.
+- **Revocation:** Allows tokens issued to specific clients to be revoked without disrupting others.
+
+## Final Thoughts
+
+JWT tokens are a powerful tool for securing APIs, but their effectiveness depends on proper configuration and usage. By following the best practices - such as setting appropriate claims, and limiting token lifetime — you can build a robust and secure authentication system for your APIs.
+
+For detailed guidance on implementing JWT in your specific environment, you can find recommendations in JWT libraries and tools for your programming language or framework. Always stay informed about the latest security updates to evolve your implementation as threats and technologies change.
+
+## References
+
+- [RFC 7519: The official specification for JSON Web Tokens](https://datatracker.ietf.org/doc/html/rfc7519)
+- [Jwt.io - Introduction to JSON Web Tokens: A beginner-friendly guide to understanding JWTs](https://jwt.io/introduction)
+- [OWASP - Testing JSON Web Tokens: Detailed security testing methodologies for JWTs](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens)
+- [OWASP - Attacking and Securing JWT: Insights into common JWT vulnerabilities and how to secure them](https://owasp.org/www-chapter-vancouver/assets/presentations/2020-01_Attacking_and_Securing_JWT.pdf)
+- [OWASP - JWT SECURITY: Short introduction in JWT security](https://owasp.org/www-chapter-belgium/assets/2021/2021-02-18/JWT-Security.pdf)

blog/authors.yml

@@ -0,0 +1,9 @@
+giedriusgrabauskas:
+    name: Giedrius Grabauskas
+    title: Software Architect @ Visma Roxit
+    url: https://github.com/Grabauskas
+    image_url: https://github.com/Grabauskas.png
+    page: true
+    socials:
+        github: Grabauskas
+        linkedin: giedriusgrabauskas

blog/tags.yml

@@ -0,0 +1,4 @@
+security:
+    label: Security
+    permalink: /security
+    description: Security related articles

changelog/2024/05-30-release-2024-05-28.5.md

@@ -0,0 +1,8 @@
+---
+slug: "2024-05-28.5"
+title: "2024-05-28.5"
+---
+
+| Component               | Release item                                   | Relevance for consumers (English)                                                                                                                                                                                                                                                                                                                                                                                             | Relevance for end users (Dutch) |
+| ----------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
+| All ZGW (change in CSV) | Authentication in ZCA/CSV New secrets endpoint | Authentication has been adjusted in preparation of making ZCA functions available for customers; There is a new endpoint on CSV for retrieving urls/secrets of external ZGW. In the case these are configured, it returns an array of components (DRC, ZRC etc) with ClientId, secret, and endpoint. In case OneGround is used, the same array is returned but without endpoints. The endpoint is a service to other modules. | Geen                            |

changelog/2024/06-04-release-2024.06.2.md

@@ -0,0 +1,8 @@
+---
+slug: "2024.06.2"
+title: "2024.06.2"
+---
+
+| Component               | Release item     | Relevance for consumers (English) | Relevance for end users (Dutch)                                                    |
+| ----------------------- | ---------------- | --------------------------------- | ---------------------------------------------------------------------------------- |
+| All ZGW (change in ZCA) | Bug fix ZSDMS UI | No impact                         | Medewerkers van Roxit konden geen data meer zien in ZCA -> ZSDMS. Dit is opgelost. |

changelog/2024/06-12-release-2024.06.3.md

@@ -0,0 +1,9 @@
+---
+slug: 2024.06.3
+title: 2024.06.3
+---
+
+| Component | Release item                   | Relevance for consumers (English)                                                                                                                                                  | Relevance for end users (Dutch)                                               |
+| --------- | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
+| DRC       | Business rule DRC-005 disabled | Status of document can be altered even if ontvangstdatum is filled (Api version 1.5 only, not previous versions)                                                                   | Status van het document kan veranderd worden ook al is ontvangstdatum gevuld. |
+| CSV       | Endpoint for ClientID's        | Api method for retrieving Api endpoints and credentials now supports filtering on application (rx.mission etc) and always returns information, be it for OneGround or external ZGW | Geen                                                                          |

changelog/2024/06-14-release-2024.06.4.md

@@ -0,0 +1,8 @@
+---
+slug: 2024.06.4
+title: 2024.06.4
+---
+
+| Component | Release item             | Relevance for consumers (English)                       | Relevance for end users (Dutch)                                            |
+| --------- | ------------------------ | ------------------------------------------------------- | -------------------------------------------------------------------------- |
+| All ZGW   | Redis cache optimization | ZTC should not throw an error when importing case types | Bij het importeren van zaaktypes trad vaak een fout op. Dit is nu opgelost |

changelog/2024/06-18-release-2024.06.8.md

@@ -0,0 +1,10 @@
+---
+slug: "2024.06.8"
+title: "2024.06.8: Better Ceph logging and authorization on UI functions"
+---
+
+| Component | Release item  | Relevance for consumers (English)                                                                                               | Relevance for end users (Dutch)                                                                                                                                    |
+| --------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| DRC       | Ceph library  | The library for accessing Ceph, used for document storage, is updated to the newest version. This should improve error logging. | Geen                                                                                                                                                               |
+| ZCA       | Authorization | The authorization in ZCA now is entirely based on the activated modules in RAB and user permissions from RAB.                   | Het ZSDMS-menu is nu alleen benaderbaar voor gebuikers met de permissie functioneel beheer en alleen zichtbaar als uw organisatie de ZSDMS-module heeft afgenomen. |
+| ZCA       | Home page     | There is a home page in ZCA in which the permissions and available modules in OneGround are displayed.                          | Er is nu een landingspagina waarin de gebruiker permissies en modules van OneGround ziet.                                                                          |

changelog/2024/06-25-release-2024.06.12.md

@@ -0,0 +1,10 @@
+---
+slug: "2024.06.12"
+title: "2024.06.12: ZSDMS Synchronization Fix & ZCA UI improvements"
+---
+
+| Component | Release item           | Relevance for consumers (English)                                                                      | Relevance for end users (Dutch)                                                                                                              |
+| --------- | ---------------------- | ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| CSV       | Authorization          | Resolved synchronization issues in ZSDMS by fixing the authorization between internal Roxit services.  | In 2024.06.8 release is in ZSDMS een fout ontstaan en veroorzaakte dat GetDocumentMetaDataAsync niet meer functioneerde. Dit is nu opgelost. |
+| ZCA       | Secret View/Edit panel | Introduced new panel design for secret: added authorizations form, redesigned actions buttons.         | Geen                                                                                                                                         |
+| ZCA       | Secret List panel      | Added more columns to the table: authorizations column & information about last modifications columns. | Geen                                                                                                                                         |

changelog/2024/06-26-release-2024.06.14.md

@@ -0,0 +1,9 @@
+---
+slug: "2024.06.14"
+title: "2024.06.14: ZCA UI fixes"
+---
+
+| Component | Release item                | Relevance for consumers (English)                                              | Relevance for end users (Dutch)                                                                                 |
+| --------- | --------------------------- | ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------- |
+| ZCA       | Authorize Applications page | Fixed authorization create form which was broken after the 2024.06.12 release. | Probleem opgelost met het maken van een autorisatieformulier dat niet meer werkte na de release van 2024.06.12. |
+| ZCA       | Secrets page                | Minor UI/UX improvements with bug fixes.                                       | Geen                                                                                                            |

changelog/2024/07-15-release-2024.07.4.md

@@ -0,0 +1,10 @@
+---
+slug: "2024.07.4"
+title: "2024.07.4: Caching bug in ZT - IOT relationship solved"
+---
+
+| Component | Relevance for consumers (English)                                                                                                                                               | Relevance for end users (Dutch)                                                                                                               |
+| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| ZTC       | When an IOT was added to a published ZT (a so called 'correction') the cache was not updated leading to an error when a document with the IOT was related to a case with the ZT | Probleem opgelost bij het terugschrijven van het bewijsrapport van Validsign                                                                  |
+| ZTC       | When there was a caching error, the change on ZTC was also not committed. Now the change is processed in the database regardless an error in the cache.                         | Probleem opgelost bij het aanmaken van een nieuwe versie van het zaaktype                                                                     |
+| ZCA       |                                                                                                                                                                                 | Er is nu nog maar één menu-item voor het maken van autorisaties. Dit is geintegreerd met de functie om ClientID's aan te maken en te beheren. |