Add in-app POTA log upload (Cognito auth spike)#154
Open
patrickrb wants to merge 1 commit into
Open
Conversation
POTA's activation-log upload is gated by AWS Cognito (SRP) then a plain multipart POST to api.pota.app/adif. The pool/client IDs are public (they ship in pota.app's JS bundle and the open-source pota-adif-upload crate), so the app can log in with the user's pota.app account and upload directly instead of bouncing through the website. The pota module already produced correct per-park ADIF and hit the public spot endpoints; the only missing piece was the Cognito login. - PotaAuth: USER_SRP_AUTH login via aws-android-sdk-cognitoidentityprovider, refresh token persisted in a private SharedPreferences, fresh ID tokens minted via REFRESH_TOKEN_AUTH (raw JSON POST, no SDK). - PotaClient.uploadAdif()/getJobs(): multipart POST /adif with the raw ID token in Authorization (no Bearer prefix), plus job-status read. - PotaAdifExporter.buildActivationAdif(): extracted so the share-sheet and upload paths emit identical bytes. - PotaScreen History tab: primary "Upload to POTA" button + sign-in dialog; first upload prompts login, then it is silent. Share-ADIF / Open-pota.app fallbacks are unchanged. Spike scope: refresh token is stored in plaintext (matches the existing QRZ password storage) -- EncryptedSharedPreferences is a planned follow-up. Rides POTA's undocumented API, so the manual fallbacks stay. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## dev #154 +/- ##
==========================================
- Coverage 6.24% 6.19% -0.05%
Complexity 669 669
==========================================
Files 267 268 +1
Lines 30584 30829 +245
Branches 4763 4831 +68
==========================================
Hits 1910 1910
- Misses 28533 28778 +245
Partials 141 141
🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds in-app POTA activation-log upload, so activators can submit logs directly from the app instead of exporting an ADIF and uploading it on the pota.app website.
How POTA's upload works (reverse-engineered)
The pota.app uploader is a static SPA over an AWS backend. Auth is the work; the upload is trivial. POTA's Cognito pool/client IDs are public (shipped in pota.app's JS bundle, also reproduced in the open-source
pota-adif-uploadRust client):USER_SRP_AUTH→PASSWORD_VERIFIER→ JWT ID tokenus-east-2, poolus-east-2_nA5jZ0klh, client7hluqct0n2nckib7i7sd5753oa(no client secret)POST https://api.pota.app/adif, headerAuthorization: <ID token>(raw JWT, noBearer),multipart/form-datawith a singleadifpartGET https://api.pota.app/user/jobsThe user signs in with their normal pota.app account email + password.
Changes
PotaAuth.kt(new) — Cognito SRP login viaaws-android-sdk-cognitoidentityprovider; refresh token persisted in a privatepota_authSharedPreferences; fresh ID tokens minted viaREFRESH_TOKEN_AUTH(a plain JSON POST — no SRP, no SDK).PotaClient.uploadAdif()/getJobs()— multipartPOST /adifwith the raw ID token; job-status read.PotaAdifExporter.buildActivationAdif()— extracted from the share path so share-sheet and upload emit byte-identical ADIF.PotaScreenHistory tab — primary Upload to POTA button + sign-in dialog. First upload prompts login; afterwards the stored refresh token mints tokens silently. Existing Share ADIF / Open pota.app fallbacks unchanged.build.gradle— addscom.amazonaws:aws-android-sdk-cognitoidentityprovider:2.76.0.Status / scope
This is an auth spike:
assembleDebugis green (AWS SDK resolves, Kotlin/dex/package clean), but the live round-trip (real SRP login + a realPOST /adifaccepted by POTA) still needs to be exercised on-device with a real pota.app account — no device was attached at build time.Follow-ups before this is "done":
Authorizationand multipart shape are accepted; check/user/jobs)EncryptedSharedPreferences(currently plaintext, matching the existing QRZ password storage — could cover both)buildActivationAdifparity +PotaAuthtoken cachingCaveats
Rides POTA's undocumented API (same path potashell and the Rust CLI use). POTA could rotate the client ID or change the endpoint without notice, so the manual Share/Open fallbacks intentionally stay.
🤖 Generated with Claude Code