Updated all jobs in the lint-and-build workflow to use the
Docker-labeled runner instead of ubuntu-latest.
Changes:
- lint job: runs-on: docker
- build job: runs-on: docker
- docker-build job: runs-on: docker
Benefits:
- Native Docker support
- Faster builds
- Better performance on local infrastructure
- Consistent with server setup
Phase 2.4 - Enhanced Profile Management
Features implemented:
- Get user profile endpoint
- Update user profile endpoint
- Delete user account endpoint with password confirmation
- Input validation on all profile fields
- Security: Password required for account deletion
- Security: All tokens revoked on deletion
New API endpoints:
- GET /api/users/me (protected)
- PUT /api/users/me (protected)
- DELETE /api/users/me (protected)
Security features:
- JWT token required for all operations
- Password confirmation required for deletion
- All tokens revoked on account deletion
- User data removed from database
- Input validation on all fields
Files modified:
- backend/src/handlers/users.rs
- backend/src/main.rs
Testing:
- backend/test-profile-management.sh
- backend/PROFILE-MANAGEMENT-IMPLEMENTED.md
Fixed issues:
- PasswordService has no new() method, use static methods directly
- Updated User model to use PasswordService::hash_password() directly
- Updated handlers to import verify_password function
- Fixed all password hashing and verification calls
Compilation errors resolved:
- error[E0599]: PasswordService::new() not found
- error[E0277]: Handler trait not implemented for setup_recovery
Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/auth/jwt.rs
Phase 2.4 - Password Recovery Feature
Features implemented:
- Zero-knowledge password recovery using recovery phrases
- Recovery phrases hashed with PBKDF2 (same as passwords)
- Setup recovery phrase endpoint (protected)
- Verify recovery phrase endpoint (public)
- Reset password with recovery phrase endpoint (public)
- Token invalidation on password reset
- Email verification stub fields added to User model
New API endpoints:
- POST /api/auth/recovery/setup (protected)
- POST /api/auth/recovery/verify (public)
- POST /api/auth/recovery/reset-password (public)
User model updates:
- recovery_phrase_hash field
- recovery_enabled field
- email_verified field (stub)
- verification_token field (stub)
- verification_expires field (stub)
Security features:
- Zero-knowledge proof (server never sees plaintext)
- Current password required to set/update phrase
- All tokens invalidated on password reset
- Token version incremented on password change
Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/main.rs
- backend/src/auth/jwt.rs
Documentation:
- backend/PASSWORD-RECOVERY-IMPLEMENTED.md
- backend/test-password-recovery.sh
- backend/PHASE-2.4-TODO.md (updated progress)
- Remove 28+ temporary debugging documentation files
- Remove temporary test scripts and log files
- Keep only essential files (quick-test.sh, EDITION2024-FIX.md)
- Create PHASE-2.4-SPEC.md with complete feature specifications
- Update STATUS.md with current progress and recent issues
- Ready to begin Phase 2.4 implementation
Our dependencies (time-core, getrandom, uuid, etc.) now require
Rust 1.85+ for edition2024 support.
Changes:
- Dockerfile.dev: Updated to rust:latest
- Dockerfile.prod: Updated to rust:latest for builder stage
This resolves the edition2024 compilation errors.
cargo-watch dependencies require Rust 1.85+ and edition2024.
For development, we can simply use 'cargo run' which works fine.
The server can be restarted with docker compose restart.
This script automates the Docker build and testing process:
- Stops and removes old containers
- Removes old images to force rebuild
- Builds without cache
- Starts services
- Shows logs
- Waits for server to be ready
- Tests health endpoints
Problem:
- cargo-watch v8.5.3 requires Rust edition2024 which is not stable yet
- Even Rust 1.83 doesn't support edition2024
- Build fails with: feature 'edition2024' is required
Solution:
- Pin cargo-watch to version 8.4.0
- This version works perfectly with stable Rust 1.83
- No functional difference for development purposes
Change:
RUN cargo install cargo-watch
→ RUN cargo install cargo-watch --version 8.4.0
Added pull_policy: build to prevent Docker from using cached images
with old Rust version. This ensures the build uses Rust 1.83 as specified
in Dockerfile.dev.
Changes:
- Updated Rust from 1.75 to 1.83 in both Dockerfiles
- Fixed CMD syntax: changed single quotes to double quotes (JSON format)
Before: CMD ['cargo-watch', '-x', 'run']
After: CMD [cargo-watch, -x, run]
This fixes the cargo-watch compilation error that required edition2024.
Rust 1.83 supports all current crate features and editions.
Changes:
- Changed server port from 8000 to 6800 (in range 6500-6999 as requested)
- Updated all Docker Compose files (dev and prod)
- Updated all Dockerfiles (removed Cargo.lock dependency)
- Created backend/.dockerignore with Cargo.lock
- Added Cargo.lock to .gitignore (generated by cargo)
- Removed obsolete 'version' attribute from docker-compose files
- Updated all documentation to reflect new port:
* README.md
* thoughts/CONFIG.md
* thoughts/QUICKSTART.md
* thoughts/verification-report-phase-2.3.md
This fixes Docker build errors where Cargo.lock was not found during COPY operations.
Docker will now generate Cargo.lock during the build process as expected.
Changes:
- Updated README.md with current Phase 2.3 completion status
- Added detailed development progress section
- Added backend API endpoints documentation
- Added environment configuration guide
- Added local development and Docker quick start
- Added deployment instructions
New Documentation:
- thoughts/CONFIG.md - Comprehensive configuration guide
- thoughts/QUICKSTART.md - 5-minute quick start guide
All configuration files are now documented and up-to-date.
