# Phase 2.4 TODO List

**Started**: 2026-02-15 16:33:00 UTC

---

## Priority 1: Core Features (Must Have)

### Password Recovery

- [ ] Add `recovery_phrase_hash` field to User model
- [ ] Add `recovery_phrase_enabled` field to User model
- [ ] Create handler: `POST /api/auth/recovery/setup`
- [ ] Create handler: `POST /api/auth/recovery/verify`
- [ ] Create handler: `POST /api/auth/recovery/reset-password`
- [ ] Add rate limiting (5 attempts per hour)
- [ ] Write unit tests
- [ ] Write integration tests

### Email Verification

- [ ] Add `email_verified` field to User model
- [ ] Add `verification_token` field to User model
- [ ] Add `verification_expires` field to User model
- [ ] Create handler: `POST /api/auth/verify/send`
- [ ] Create handler: `GET /api/auth/verify/confirm`
- [ ] Create handler: `POST /api/auth/verify/resend`
- [ ] Add email service placeholder
- [ ] Write unit tests
- [ ] Write integration tests

### Enhanced Profile Management

- [ ] Update handler: `PUT /api/users/me`
- [ ] Add username validation
- [ ] Add full name field support
- [ ] Add profile picture URL support
- [ ] Create handler: `DELETE /api/users/me`
- [ ] Add password confirmation for deletion
- [ ] Write unit tests
- [ ] Write integration tests

---

## Priority 2: Account Settings (Should Have)

### Settings Management

- [ ] Create UserSettings model
- [ ] Add settings field to User model
- [ ] Create handler: `GET /api/users/me/settings`
- [ ] Create handler: `PUT /api/users/me/settings`
- [ ] Add email notifications toggle
- [ ] Add theme selection
- [ ] Add language selection
- [ ] Add timezone selection
- [ ] Write unit tests
- [ ] Write integration tests

### Password Change

- [ ] Create handler: `POST /api/users/me/change-password`
- [ ] Add current password verification
- [ ] Add new password validation
- [ ] Add rate limiting (3 attempts per hour)
- [ ] Log password changes
- [ ] Write unit tests
- [ ] Write integration tests

---

## Priority 3: Security & Performance (Nice to Have)

### Rate Limiting

- [ ] Install tower-governor dependency
- [ ] Create rate limiting middleware
- [ ] Apply to password recovery endpoint
- [ ] Apply to email verification endpoint
- [ ] Apply to password change endpoint
- [ ] Apply to login endpoint
- [ ] Configure Redis for rate limiting (optional)
- [ ] Write tests

### Security Enhancements

- [ ] Add audit logging for sensitive operations
- [ ] Add IP-based rate limiting
- [ ] Add account lockout after failed attempts
- [ ] Add email verification requirement check
- [ ] Add two-factor authentication prep work
- [ ] Write security tests

---

## Priority 4: Testing & Documentation

### Testing

- [ ] Write integration tests for password recovery flow
- [ ] Write integration tests for email verification flow
- [ ] Write integration tests for profile management
- [ ] Write integration tests for settings management
- [ ] Write rate limiting tests
- [ ] Add test coverage reporting
- [ ] Aim for 80%+ code coverage

### Documentation

- [ ] Update API documentation with new endpoints
- [ ] Add email verification flow diagram
- [ ] Add password recovery flow diagram
- [ ] Update quick start guide
- [ ] Add developer setup instructions
- [ ] Add deployment guide

---

## Implementation Order

### Week 1: Password Recovery

1. Monday: Update User model, create basic handlers
2. Tuesday: Implement rate limiting
3. Wednesday: Write unit tests
4. Thursday: Write integration tests
5. Friday: Code review and refinement

### Week 2: Email Verification

1. Monday: Update User model, create email service placeholder
2. Tuesday: Implement verification handlers
3. Wednesday: Implement token cleanup
4. Thursday: Write tests
5. Friday: Code review and refinement

### Week 3: Profile & Settings

1. Monday: Enhanced profile management
2. Tuesday: Account settings handlers
3. Wednesday: Password change handler
4. Thursday: Write tests
5. Friday: Code review and refinement

### Week 4: Polish & Deploy

1. Monday: Security enhancements
2. Tuesday: Performance optimization
3. Wednesday: Documentation updates
4. Thursday: Integration tests
5. Friday: Deploy to staging

---

## Dependencies

- ✅ Phase 2.3 (JWT Auth) must be complete
- ✅ MongoDB connection working
- ✅ Docker environment operational
- ⏳ Email service (can use placeholder for now)
- ⏳ Redis for rate limiting (optional, can use in-memory)

---

## Notes

- All new handlers must follow existing patterns
- Use existing PasswordService for hashing
- Use existing JwtService for tokens
- Follow Rust best practices and idioms
- Add error handling for all edge cases
- Add comprehensive logging
- Keep handlers simple and focused
- Use middleware for cross-cutting concerns

---

**Last Updated**: 2026-02-15 16:33:00 UTC
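The rate-limiting items above fix the budgets (5 recovery attempts per hour, 3 password-change attempts per hour) but leave the mechanism open: tower-governor, Redis, or the in-memory option noted under Dependencies. The following Rust block is an added example, not code from this TODO list or from the project; it implements the in-memory variant as a fixed-window counter with an injected clock so the policy can be unit-tested without sleeping. The type and function names (`FixedWindowLimiter`, `Decision`, `recovery_limiter`, `password_change_limiter`) are assumptions for illustration, and the same counter keyed by account id serves the "account lockout after failed attempts" item as well.

```rust
use std::collections::HashMap;
use std::time::Duration;

/// Result of recording one attempt against a key.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Attempt accepted; `remaining` is what is left in the current window.
    Allowed { remaining: u32 },
    /// Budget exhausted; the handler should answer 429 and reveal nothing else.
    Blocked { retry_after: Duration },
}

/// Fixed-window counter keyed by a string (account id, client IP, or both).
/// The clock is passed in as Unix seconds so the policy is testable without
/// sleeping; a real handler would pass `SystemTime::now()` converted to seconds.
pub struct FixedWindowLimiter {
    max_attempts: u32,
    window: Duration,
    /// key -> (window start in seconds, attempts counted in that window)
    windows: HashMap<String, (u64, u32)>,
}

impl FixedWindowLimiter {
    pub fn new(max_attempts: u32, window: Duration) -> Self {
        Self { max_attempts, window, windows: HashMap::new() }
    }

    /// Counts one attempt for `key` at time `now` and returns the decision.
    /// Count *before* the expensive work (hash check, e-mail send) so that
    /// blocked requests cost nothing and cannot be used to probe.
    pub fn check(&mut self, key: &str, now: u64) -> Decision {
        let window_secs = self.window.as_secs();
        let entry = self.windows.entry(key.to_string()).or_insert((now, 0));
        // Expired window: start a fresh one. saturating_sub tolerates a clock step back.
        if now.saturating_sub(entry.0) >= window_secs {
            *entry = (now, 0);
        }
        if entry.1 >= self.max_attempts {
            let elapsed = now.saturating_sub(entry.0);
            return Decision::Blocked { retry_after: Duration::from_secs(window_secs - elapsed) };
        }
        entry.1 += 1;
        Decision::Allowed { remaining: self.max_attempts - entry.1 }
    }

    /// Drops expired windows; call periodically so the map cannot grow without
    /// bound under a flood of distinct keys.
    pub fn purge(&mut self, now: u64) {
        let window_secs = self.window.as_secs();
        self.windows.retain(|_, (start, _)| now.saturating_sub(*start) < window_secs);
    }

    /// Number of keys currently held (useful for metrics and for tests).
    pub fn tracked_keys(&self) -> usize {
        self.windows.len()
    }
}

/// Budget for `POST /api/auth/recovery/*`: 5 attempts per hour, as on the list.
pub fn recovery_limiter() -> FixedWindowLimiter {
    FixedWindowLimiter::new(5, Duration::from_secs(3600))
}

/// Budget for `POST /api/users/me/change-password`: 3 attempts per hour.
pub fn password_change_limiter() -> FixedWindowLimiter {
    FixedWindowLimiter::new(3, Duration::from_secs(3600))
}

fn main() {
    // Constructed sequence: six recovery attempts for one account within ten minutes.
    let mut limiter = recovery_limiter();
    for t in [0u64, 60, 120, 180, 240, 600] {
        println!("t={t:>4}s -> {:?}", limiter.check("user:alice", t));
    }
}
```

Key choice is the security decision here: keying recovery attempts by account id alone lets one client exhaust a victim's budget (a denial-of-service on recovery), while keying by client IP alone lets an attacker spread attempts across addresses; the "IP-based rate limiting" item is the second counter, not a replacement for the first. Once the service runs as more than one replica, a per-process map no longer enforces a global budget, which is the point at which the optional Redis backend on the list stops being optional.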