normogen/backend/PHASE-2.4-TODO.md

Phase 2.4 TODO List

Started: 2026-02-15 16:33:00 UTC

Priority 1: Core Features (Must Have)

Password Recovery

  • Add recovery_phrase_hash field to User model
  • Add recovery_phrase_enabled field to User model
  • Create handler: POST /api/auth/recovery/setup
  • Create handler: POST /api/auth/recovery/verify
  • Create handler: POST /api/auth/recovery/reset-password
  • Add rate limiting (5 attempts per hour)
  • Write unit tests
  • Write integration tests

Email Verification

  • Add email_verified field to User model
  • Add verification_token field to User model
  • Add verification_expires field to User model
  • Create handler: POST /api/auth/verify/send
  • Create handler: GET /api/auth/verify/confirm
  • Create handler: POST /api/auth/verify/resend
  • Add email service placeholder
  • Write unit tests
  • Write integration tests

Enhanced Profile Management

  • Update handler: PUT /api/users/me
  • Add username validation
  • Add full name field support
  • Add profile picture URL support
  • Create handler: DELETE /api/users/me
  • Add password confirmation for deletion
  • Write unit tests
  • Write integration tests

Priority 2: Account Settings (Should Have)

Settings Management

  • Create UserSettings model
  • Add settings field to User model
  • Create handler: GET /api/users/me/settings
  • Create handler: PUT /api/users/me/settings
  • Add email notifications toggle
  • Add theme selection
  • Add language selection
  • Add timezone selection
  • Write unit tests
  • Write integration tests

Password Change

  • Create handler: POST /api/users/me/change-password
  • Add current password verification
  • Add new password validation
  • Add rate limiting (3 attempts per hour)
  • Log password changes
  • Write unit tests
  • Write integration tests

Priority 3: Security & Performance (Nice to Have)

Rate Limiting

  • Install tower-governor dependency
  • Create rate limiting middleware
  • Apply to password recovery endpoint
  • Apply to email verification endpoint
  • Apply to password change endpoint
  • Apply to login endpoint
  • Configure Redis for rate limiting (optional)
  • Write tests
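The per-key budgets listed above (5 recovery attempts per hour, 3 password-change attempts per hour) and the in-memory option mentioned under Dependencies, as an added stand-alone Rust sketch; it is not the project's code and not the tower-governor API, and the names AttemptLimiter, try_attempt and reset are assumptions:

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Sliding-log attempt limiter: remembers the timestamps of attempts made
/// under each key (e.g. an account identifier) and allows at most `max` of
/// them inside any `window`. Rejected attempts are not recorded, so a caller
/// hammering the endpoint cannot extend their own lockout indefinitely.
pub struct AttemptLimiter {
    max: usize,
    window: Duration,
    attempts: HashMap<String, Vec<Instant>>,
}

impl AttemptLimiter {
    pub fn new(max: usize, window: Duration) -> Self {
        AttemptLimiter { max, window, attempts: HashMap::new() }
    }

    /// Budget for the recovery endpoints: 5 attempts per hour.
    pub fn for_password_recovery() -> Self {
        AttemptLimiter::new(5, Duration::from_secs(3600))
    }

    /// Budget for the change-password endpoint: 3 attempts per hour.
    pub fn for_password_change() -> Self {
        AttemptLimiter::new(3, Duration::from_secs(3600))
    }

    /// Records an attempt under `key` at time `now` and returns whether the
    /// handler should proceed. `now` is passed in so tests can drive the
    /// clock deterministically instead of sleeping.
    pub fn try_attempt(&mut self, key: &str, now: Instant) -> bool {
        let (max, window) = (self.max, self.window);
        let log = self.attempts.entry(key.to_string()).or_default();
        // Drop entries that have aged out of the window.
        log.retain(|t| now.duration_since(*t) < window);
        if log.len() >= max {
            return false;
        }
        log.push(now);
        true
    }

    /// Clears a key's history, e.g. after a successful reset so the user is
    /// not still locked out by their own earlier typos.
    pub fn reset(&mut self, key: &str) {
        self.attempts.remove(key);
    }
}
```

In a real handler the key should be the account being recovered (plus, per the IP-based item below, the client address), and the limiter must live behind shared state such as a mutex or a Redis-backed store so all workers see the same counts.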

Security Enhancements

  • Add audit logging for sensitive operations
  • Add IP-based rate limiting
  • Add account lockout after failed attempts
  • Add a check that enforces the email verification requirement
  • Add two-factor authentication prep work
  • Write security tests

Priority 4: Testing & Documentation

Testing

  • Write integration tests for password recovery flow
  • Write integration tests for email verification flow
  • Write integration tests for profile management
  • Write integration tests for settings management
  • Write rate limiting tests
  • Add test coverage reporting
  • Aim for 80%+ code coverage

Documentation

  • Update API documentation with new endpoints
  • Add email verification flow diagram
  • Add password recovery flow diagram
  • Update quick start guide
  • Add developer setup instructions
  • Add deployment guide

Implementation Order

Week 1: Password Recovery

  1. Monday: Update User model, create basic handlers
  2. Tuesday: Implement rate limiting
  3. Wednesday: Write unit tests
  4. Thursday: Write integration tests
  5. Friday: Code review and refinement

Week 2: Email Verification

  1. Monday: Update User model, create email service placeholder
  2. Tuesday: Implement verification handlers
  3. Wednesday: Implement token cleanup
  4. Thursday: Write tests
  5. Friday: Code review and refinement

Week 3: Profile & Settings

  1. Monday: Enhanced profile management
  2. Tuesday: Account settings handlers
  3. Wednesday: Password change handler
  4. Thursday: Write tests
  5. Friday: Code review and refinement

Week 4: Polish & Deploy

  1. Monday: Security enhancements
  2. Tuesday: Performance optimization
  3. Wednesday: Documentation updates
  4. Thursday: Integration tests
  5. Friday: Deploy to staging

Dependencies

  • Phase 2.3 (JWT Auth) must be complete
  • MongoDB connection working
  • Docker environment operational
  • Email service (can use placeholder for now)
  • Redis for rate limiting (optional, can use in-memory)

Notes

  • All new handlers must follow existing patterns
  • Use existing PasswordService for hashing
  • Use existing JwtService for tokens
  • Follow Rust best practices and idioms
  • Add error handling for all edge cases
  • Add comprehensive logging
  • Keep handlers simple and focused
  • Use middleware for cross-cutting concerns

Last Updated: 2026-02-15 16:33:00 UTC