Skip to content

AkshayTeja3/docusign-clone

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

22 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

DocuSign Backend Architecture Engine

A clean backend infrastructure clone inspired by the core workflow concepts behind digital signature platforms such as DocuSign.

This backend engine orchestrates multi-party document signing workflows through stateless authentication, sequential and parallel signing state machines, event-driven audit logging, and decoupled notification processing.

The project focuses on modeling real-world business workflows, enforcing authorization boundaries, maintaining auditability, and structuring backend systems using clean separation of concerns within a Spring Boot ecosystem.


πŸ“‹ Table of Contents


πŸ› οΈ Tech Stack

Technology Purpose Selection Rationale
Java 17 Core Language Long-Term Support (LTS) release offering modern language features and strong type safety.
Spring Boot Application Framework Production-oriented framework providing dependency injection, configuration management, and rapid application development.
Spring Security + JWT Stateless Authentication Enables token-based authentication without maintaining server-side sessions.
Spring Data JPA Object-Relational Mapping Simplifies persistence through repository abstractions and transaction support.
PostgreSQL Relational Database Provides ACID guarantees and strong referential integrity for workflow state management.
Lombok Boilerplate Reduction Reduces repetitive code through compile-time generation of common methods.
Spring Events Event-Driven Communication Decouples auxiliary concerns such as auditing and notifications from core workflow execution.

πŸ—οΈ System Architecture

The application follows a layered architecture designed to separate responsibilities and keep business workflows predictable and maintainable.

[ HTTP Controller Layer ]  --> Handles request parsing and authentication context.
β”‚
[ Service Layer ]          --> Orchestrates business workflows and validation rules.
β”‚
[ Repository Layer ]       --> Encapsulates persistence operations.
β”‚
[ Domain Layer ]           --> Entities, enums, and workflow state boundaries.
β”‚
[ Event Layer ]            --> Handles audit and notification events.

Core workflow services publish application events whenever important business state transitions occur. Audit logging and notification creation subscribe to these events, allowing auxiliary concerns to remain decoupled from the primary signing workflow.

This design keeps business services focused on workflow execution while allowing supporting functionality to evolve independently.


πŸ—‚οΈ Domain Model

User

The primary actor within the system.

Implements Spring Security's "UserDetails" interface to integrate directly with the authentication layer.

A single account may act as both:

  • Document Sender
  • Document Signer

reflecting real-world usage where users can create and participate in signature workflows simultaneously.


Document

Represents uploaded document metadata.

The Document entity tracks ownership and storage metadata while remaining independent from workflow participation logic.

Lifecycle States:

DRAFT β†’ PENDING β†’ COMPLETED


SignatureRequest

The central workflow aggregate responsible for coordinating document signing activities.

It associates a document with one or more signers while tracking the overall completion state of the workflow.

Lifecycle States:

PENDING β†’ COMPLETED PENDING β†’ DECLINED


Signer

Represents an individual's participation slot within a workflow.

Encapsulates signer-specific metadata such as:

  • Signing Order
  • Signing Status
  • Signature Timestamp

This separation prevents workflow-specific state from polluting the global User entity.


SigningProcess

Captures forensic evidence associated with a completed signature action.

Stores:

  • Global UTC timestamp
  • Client IP address

to provide an immutable record of signature execution.


AuditLog

An append-only historical ledger that records significant system events.

Designed to support operational traceability and lifecycle reconstruction.


Notification

Represents user-facing alerts generated by workflow state transitions.

Notifications maintain their own lifecycle and read/unread state independent of workflow execution.


πŸ”’ Security & Defenses

1. Method-Level Authorization (BOLA / IDOR Mitigation)

To mitigate Broken Object-Level Authorization vulnerabilities, protected endpoints enforce ownership validation using Spring Security expressions and a custom evaluation component.

@PreAuthorize("@documentSecurityEvaluator.isParticipant(#requestId, principal.username)")

This validation ensures that only authorized participants associated with a workflow may access protected resources.


2. Temporal Normalization (UTC Timeline)

All audit and transactional timestamps use "java.time.Instant" rather than server-local time representations.

Benefits include:

  • Consistent global timestamps
  • Elimination of timezone ambiguity
  • Improved audit reliability

3. Workflow State Validation

Business workflows enforce explicit state transitions to prevent duplicate actions and invalid lifecycle progression.

Example:

if (signer.getStatus() == SignerStatus.DECLINED) {
    throw new IllegalStateException(
        "Business Logic Violation: This request has already been declined."
    );
}

This prevents repeated workflow execution caused by duplicate submissions or invalid state mutations.


4. Database-Level Integrity Constraints

Persistence rules enforce structural consistency beneath the application layer.

Example:

@Table(
    name = "signers",
    uniqueConstraints = {
        @UniqueConstraint(
            columnNames = {
                "signature_request_id",
                "signing_order"
            }
        )
    }
)

This prevents invalid workflow configurations containing duplicate signing positions.


πŸ”„ Signing Workflows

Parallel Workflow

All designated signers receive the request simultaneously.

Each signer may complete their action independently without waiting for others.

Suitable for:

  • Board approvals
  • Internal acknowledgements
  • Multi-party consent forms

Sequential Workflow

Signers must execute their actions according to a predefined signing order.

Example:

Signer #1 β†’ Signer #2 β†’ Signer #3

Attempts to sign out of order are rejected by workflow validation rules.

The ordering logic is enforced inside the workflow service layer rather than the persistence layer.


πŸ“‘ Audit & Notification System

Core services publish workflow events whenever significant state transitions occur.

[ Workflow Service ]
         β”‚
         β–Ό
   Audit Event
         β”‚
         β”œβ”€β”€β–Ί Audit Listener
         β”‚        └──► AuditLog Entry
         β”‚
         └──► Notification Listener
                  └──► Notification Entry

This design keeps workflow execution independent from supporting concerns while maintaining a complete historical record of system activity.


πŸ“¦ Project Structure

src/main/java/com/docusign/docusign/
β”œβ”€β”€ config/
β”œβ”€β”€ controller/
β”œβ”€β”€ domain/
β”œβ”€β”€ dto/
β”‚   β”œβ”€β”€ request/
β”‚   └── response/
β”œβ”€β”€ event/
β”œβ”€β”€ repository/
└── service/


πŸ“‘ API Endpoints

Authentication

POST /api/auth/register POST /api/auth/login


Documents

POST /api/documents/upload GET /api/documents/{id} GET /api/documents


Signature Requests

POST /api/signature-requests GET /api/signature-requests/{id} GET /api/signature-requests


Signer Workflow

GET /api/signer-workflow/pending POST /api/signer-workflow/requests/{requestId}/signers/{signerId}/decline


Signing Engine

POST /api/signing/{signerId}/sign


Audit & Notifications

GET /api/audit/{signatureRequestId} GET /api/notifications


⚠️ Production Gap Analysis & Planned Upgrades

While the project demonstrates a strong architectural foundation, the following enhancements remain for production-scale readiness.

πŸ”΄ Infrastructure Priorities

Storage Abstraction

Replace local filesystem storage with cloud object storage (AWS S3 or equivalent) and serve documents through pre-signed URLs.

Distributed Audit Processing

Move audit persistence into an isolated processing pipeline to further decouple workflow execution from historical record generation.


πŸ”΄ Data Consistency & Transaction Boundaries

Workflow Creation Atomicity

Signature request creation currently performs multiple persistence operations across related entities.

A future enhancement will introduce explicit transaction boundaries to guarantee atomic creation of requests and signer assignments under failure conditions.


πŸ”’ Authentication Enhancements

Rate Limiting

Introduce API rate limiting using Bucket4j or gateway-level throttling.

Email Verification

Require successful email verification before JWT issuance.


πŸ’Ύ Validation Improvements

Duplicate Registration Checks

Add application-level duplicate email validation before persistence.

Empty Signer Protection

Reject workflow requests that contain empty signer collections.


πŸ–₯️ API Contract Enhancements

Token Expiration Metadata

Expose expiration information within authentication responses.

Notification Deep Linking

Include workflow identifiers inside notification payloads to simplify client-side navigation.


πŸš€ Getting Started

Prerequisites

  • Java 17+
  • Maven 3.8+
  • PostgreSQL 14+

1.Clone Repository

git clone https://github.com/AkshayTeja3/docusign-clone.git
cd docusign-clone

2.Create Database

CREATE DATABASE docusign;

3.Configure Application Properties

spring.datasource.url=jdbc:postgresql://localhost:5432/docusign
spring.datasource.username=your_username
spring.datasource.password=your_password

spring.jpa.hibernate.ddl-auto=update



jwt.secret=your_secret
jwt.expiration=86400000

Run Application

./mvnw spring-boot:run

Developed as a backend engineering project focused on workflow orchestration, authorization boundaries, auditability, and clean service-layer design.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages