digitalfabrik / entitlementcard

App for 'Digitale Berechtigungskarten', generally benefit card for volunteers or socially vulnerable groups in Germany. App for Android & iOS + Backend + Administration Web Portal – 100% Open Source.
MIT License

Switch to a different backend framework #1287

Open sarahsporck opened 9 months ago

sarahsporck commented 9 months ago

Is your feature request related to a problem? Please describe. We recently discussed that javalin as a lightweight server framework is probably not sufficient for an expanding, feature-rich backend. As such, @ztefanie proposed that we should move to another framework that provides better support for server plugins. In my opinion ktor seems to be the obvious alternative as we are developing a kotlin project. I already checked out what would need to be adjusted and assume this could be done in 15 to 20h. However, this should still be discussed in the team, and other framework proposals are also welcome.

Describe the solution you'd like Refactor from javalin to ktor. Steps that need to be done:

Steps that might make sense (but can probably be done separately):

Describe alternatives you've considered Use another framework, e.g. Spring Boot

Additional Context

ztefanie commented 9 months ago

I want to suggest Spring Boot, but I think we really should put a lot of thought into this decision. Maybe we can talk about this at our next conference.

See a short comparison here: https://dev.to/sergiomarcial/spring-boot-vs-ktor-a-battle-of-kotlin-powered-application-servers-2p29 or here: https://bigknol.com/app-dev/ktor-vs-spring-a-guide-to-selecting-the-right-framework/

michael-markl commented 8 months ago

What are the pain points with the current setup?

ztefanie commented 8 months ago

Javalin does not support 2FA.

michael-markl commented 8 months ago

I think 2FA is not something I'd expect to be included in a web server library. Afaik, ktor or Spring don't offer that out of the box either (?). For a (time-based) 2FA we need to generate a secret, save it to the DB, and use a TOTP library (which we already depend on) to generate time-based codes. Of course, there is more UI that needs to be written (such as QR code generation for the TOTP app like Google Authenticator, login with and without TOTP code, catching error cases) and I would expect this to be more effort than the backend stuff. I feel like no "framework" would make this easier to implement, unfortunately (but I might be wrong?).