Release Note for eCommerce Server Platform - Version 1.0
Release Date
25th of April, 2025
Overview
This release marks the official deployment of the eCommerce Server Platform Version 1.0, developed as part of the Future Factory (IT) 2025 course at Jamk University of Applied Sciences. Built on PrestaShop, the platform delivers a scalable, secure, and user-friendly online store environment designed to meet modern eCommerce needs. The release includes core shopping features, payment integration, security configurations, and documentation for operational use.
This version is intended for demonstration and learning purposes and provides a strong base for future enhancements and real-world deployment scenarios.
New Features
- Feature 002: Secure Service Access: This feature improves platform security by enforcing HTTPS across the service and implementing a secure password reset mechanism. These additions help protect user data, meet compliance requirements, and increase trust and usability. It also includes email verification, token expiration, and strong password enforcement for account recovery.
- Feature 003: Dockerized Service Production: This feature introduces a fully containerized development and deployment workflow using Docker and Docker Compose. It enables developers to work in reproducible environments and integrate services such as MariaDB with minimal setup. Key benefits include simplified local development, improved consistency across environments, and easier integration with CI/CD pipelines. This feature also enhances service scalability and portability for operators.
- Feature 010: Vulnerability Scanning Integration: This feature integrates an automated vulnerability scanning tool into the platform. It provides real-time alerts to developers about critical issues in dependencies and generates detailed reports for security officers and project managers. The goal is to improve software security by enabling proactive risk mitigation, improving visibility into vulnerabilities, and maintaining strong cybersecurity hygiene throughout the development process.
- Feature 023: Payment Gateway Integration (Paytrail): This feature integrates the Paytrail payment gateway into the PrestaShop platform, enabling secure and reliable transaction processing. It supports common payment methods in Finland and provides a smooth checkout experience for users. The integration includes full configuration instructions, testing tools, and ensures compliance with local payment standards—making the store ready for real-world financial operations.
- Feature 081: Efficient Bug Reporting and Triage: This feature introduces a structured bug tracking and triage process to support faster and more accurate debugging. It enables developers to view recent issues, filter new and old bugs using labels, and ensure bug reports include all necessary information for replication. It also allows commits to be linked with bug reports, improving traceability between code and issue resolution. These improvements result in a more responsive and organized development process.
- Feature 192: Integration with Popular Payment Gateways: This feature expands payment options by supporting integration with a wide range of popular payment gateways including Stripe and Klarna. It is designed to give store owners the flexibility to offer secure and seamless checkout experiences for customers with diverse payment preferences. The integration improves customer trust, reduces cart abandonment, and ensures compliance with modern security standards.
Enhancements
- Improved Documentation: Added clear setup and configuration instructions for the Paytrail, Stripe, and Klarna integrations and for the deployment environment.
- Payment Gateway integration: Added Paytrail, Stripe, and Klarna payment gateway integrations.
- Automated Testing: Added Robot Framework to the code repository's pipeline.
- MariaDB Database: Changed the PrestaShop database from MySQL to MariaDB.
- Improved Bug Tracking Workflow: Set up a structured bug reporting and triage process using GitLab issue boards. This enhancement improves issue visibility, responsibility assignment, and resolution tracking.
- Security Enhancements: Introduced basic security hardening practices, including secure service access configuration and documentation for future improvements in authentication and data protection.
- Modular Feature Design: Improved the architecture of feature implementation to better support modularity, reusability, and future expansion.
- Security Reporting: Created a script that generates a report of security issues and vulnerabilities.
Bug Fixes
- Password in URL: Sensitive information, such as passwords, was passed via the URL, where it can be logged or cached, creating a security risk. Passwords were removed from the URL of the HTTP request.
- Use of weak hash: Passwords or sensitive data were being hashed with a weak algorithm (MD5). The weak hash was removed and replaced with a secure, strong alternative.
- Use of cryptographically weak pseudo-random number generator (PRNG): The system used non-cryptographic PRNGs for security-related functions such as token generation. The code was replaced with crypto.randomBytes(256) in Node.js.
- Improper control of generation of code ('Code Injection'): User input was directly concatenated into code strings (for example, into non-constant commands), enabling arbitrary code execution and command injection. Fixed by removing the non-constant command.
- Improper neutralization of special elements used in an OS command ('OS Command Injection'): User inputs were passed directly to OS commands without sanitization, allowing command injection. All user inputs are now validated and sanitized, and direct command execution was replaced with parameterized functions.
Known Issues
- Issue 1: Robot Framework needs some fine-tuning; easier modularity could be achieved with a containerized option.
- Issue 2: Pipelines failed often during bug fixing and had to be repaired repeatedly.
- Issue 3: Bug fixing required more clarification than the provided material offered.
- Issue 4: Sending a security report via email is not possible due to the strict SMTP rules on both JAMK's and Google's servers.
Upgrade Instructions
This is the first release; upgrade instructions will be added in later releases.
Acknowledgements
Special thanks to our project team LinearB for their contributions:
- Burzachechi Sol – Documentation, Project Planning, and Testing
- Helminen Valtteri – Testing
- Hyvärinen Sami – Operations and Technical Support
- Iiskola Lassi – Team Lead, Project Planning, and Payment Integration
- Kothalawala Jayani – Website Development and Bug Fixing
- Suutarinen Eetu – Security and Deployment
We also thank the Future Factory (IT) 2025 mentors and organizers, especially Marko “NarsuMan” Rintamäki, for guidance and support throughout the project.