Phase 2.4 - Enhanced Profile Management
Features implemented:
- Get user profile endpoint
- Update user profile endpoint
- Delete user account endpoint with password confirmation
- Input validation on all profile fields
- Security: Password required for account deletion
- Security: All tokens revoked on deletion
New API endpoints:
- GET /api/users/me (protected)
- PUT /api/users/me (protected)
- DELETE /api/users/me (protected)
Security features:
- JWT token required for all operations
- Password confirmation required for deletion
- All tokens revoked on account deletion
- User data removed from database
- Input validation on all fields
Files modified:
- backend/src/handlers/users.rs
- backend/src/main.rs
Testing:
- backend/test-profile-management.sh
- backend/PROFILE-MANAGEMENT-IMPLEMENTED.md
Fixed issues:
- PasswordService has no new() method, use static methods directly
- Updated User model to use PasswordService::hash_password() directly
- Updated handlers to import verify_password function
- Fixed all password hashing and verification calls
Compilation errors resolved:
- error[E0599]: PasswordService::new() not found
- error[E0277]: Handler trait not implemented for setup_recovery
Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/auth/jwt.rs
Phase 2.4 - Password Recovery Feature
Features implemented:
- Zero-knowledge password recovery using recovery phrases
- Recovery phrases hashed with PBKDF2 (same as passwords)
- Setup recovery phrase endpoint (protected)
- Verify recovery phrase endpoint (public)
- Reset password with recovery phrase endpoint (public)
- Token invalidation on password reset
- Email verification stub fields added to User model
New API endpoints:
- POST /api/auth/recovery/setup (protected)
- POST /api/auth/recovery/verify (public)
- POST /api/auth/recovery/reset-password (public)
User model updates:
- recovery_phrase_hash field
- recovery_enabled field
- email_verified field (stub)
- verification_token field (stub)
- verification_expires field (stub)
Security features:
- Zero-knowledge proof (server never sees plaintext)
- Current password required to set/update phrase
- All tokens invalidated on password reset
- Token version incremented on password change
Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/main.rs
- backend/src/auth/jwt.rs
Documentation:
- backend/PASSWORD-RECOVERY-IMPLEMENTED.md
- backend/test-password-recovery.sh
- backend/PHASE-2.4-TODO.md (updated progress)
- Remove 28+ temporary debugging documentation files
- Remove temporary test scripts and log files
- Keep only essential files (quick-test.sh, EDITION2024-FIX.md)
- Create PHASE-2.4-SPEC.md with complete feature specifications
- Update STATUS.md with current progress and recent issues
- Ready to begin Phase 2.4 implementation
Our dependencies (time-core, getrandom, uuid, etc.) now require
Rust 1.85+ for edition2024 support.
Changes:
- Dockerfile.dev: Updated to rust:latest
- Dockerfile.prod: Updated to rust:latest for builder stage
This resolves the edition2024 compilation errors.
cargo-watch dependencies require Rust 1.85+ and edition2024.
For development, we can simply use 'cargo run' which works fine.
The server can be restarted with docker compose restart.
Problem:
- cargo-watch v8.5.3 requires Rust edition2024 which is not stable yet
- Even Rust 1.83 doesn't support edition2024
- Build fails with: feature 'edition2024' is required
Solution:
- Pin cargo-watch to version 8.4.0
- This version works perfectly with stable Rust 1.83
- No functional difference for development purposes
Change:
RUN cargo install cargo-watch
→ RUN cargo install cargo-watch --version 8.4.0
Added pull_policy: build to prevent Docker from using cached images
with old Rust version. This ensures the build uses Rust 1.83 as specified
in Dockerfile.dev.
Changes:
- Updated Rust from 1.75 to 1.83 in both Dockerfiles
- Fixed CMD syntax: changed single quotes to double quotes (JSON format)
Before: CMD ['cargo-watch', '-x', 'run']
After: CMD [cargo-watch, -x, run]
This fixes the cargo-watch compilation error that required edition2024.
Rust 1.83 supports all current crate features and editions.
Changes:
- Changed server port from 8000 to 6800 (in range 6500-6999 as requested)
- Updated all Docker Compose files (dev and prod)
- Updated all Dockerfiles (removed Cargo.lock dependency)
- Created backend/.dockerignore with Cargo.lock
- Added Cargo.lock to .gitignore (generated by cargo)
- Removed obsolete 'version' attribute from docker-compose files
- Updated all documentation to reflect new port:
* README.md
* thoughts/CONFIG.md
* thoughts/QUICKSTART.md
* thoughts/verification-report-phase-2.3.md
This fixes Docker build errors where Cargo.lock was not found during COPY operations.
Docker will now generate Cargo.lock during the build process as expected.
- Created Cargo.toml with all required dependencies
- Implemented health/ready endpoints
- Added Docker configuration (production + development)
- Configured docker-compose with resource limits
- Set up MongoDB service with persistence
- Verified build (cargo check passed)
- Prepared monorepo structure for mobile/web/shared
Next: Phase 2.2 (MongoDB connection and models)
