# Phase 2.4 TODO List

**Started**: 2026-02-15 16:33:00 UTC

---

## Priority 1: Core Features (Must Have)

### Password Recovery

- [ ] Add `recovery_phrase_hash` field to User model (hash the phrase with the existing PasswordService; never store the phrase itself)
- [ ] Add `recovery_phrase_enabled` field to User model
- [ ] Create handler: `POST /api/auth/recovery/setup`
- [ ] Create handler: `POST /api/auth/recovery/verify` (same response for unknown account, recovery disabled and wrong phrase, so the endpoint cannot be used to enumerate accounts)
- [ ] Create handler: `POST /api/auth/recovery/reset-password` (invalidate existing sessions/JWTs after a reset)
- [ ] Add rate limiting (5 attempts per hour, per account and per client IP)
- [ ] Write unit tests
- [ ] Write integration tests

### Email Verification

- [ ] Add `email_verified` field to User model
- [ ] Add `verification_token` field to User model (store a digest of the token, not the token itself)
- [ ] Add `verification_expires` field to User model
- [ ] Create handler: `POST /api/auth/verify/send`
- [ ] Create handler: `GET /api/auth/verify/confirm` (token is single-use; a confirmed or expired token must not work again)
- [ ] Create handler: `POST /api/auth/verify/resend` (issuing a new token invalidates the previous one)
- [ ] Add email service placeholder
- [ ] Write unit tests
- [ ] Write integration tests

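The three verification handlers above, as an added example that is not part of the project's code: tokens come from the OS CSPRNG, only a digest is stored in `verification_token`, a resend replaces the previous token, confirmation is single-use and checks `verification_expires`, and expired tokens are swept by the Week 2 cleanup job. Assumptions (none of these names come from the page): the `EmailVerifier` struct, `VerifyError`, the `outbox` vector standing in for the email service placeholder, the `https://app.example` base URL, reading `/dev/urandom` in place of a real RNG crate, and std's fixed-key SipHash in place of the SHA-256 the real code should use.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};
use std::io::Read;
use std::time::{Duration, Instant};

/// 32 random bytes, hex encoded. std ships no RNG; the real code would use the `rand` or
/// `getrandom` crate. Reading /dev/urandom is an assumption that holds on Linux and macOS.
pub fn random_token() -> String {
    let mut buf = [0u8; 32];
    std::fs::File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("no OS randomness");
    buf.iter().map(|b| format!("{b:02x}")).collect()
}

/// What goes into `verification_token`: a digest of the token, so a leaked database row cannot
/// be replayed. SipHash with fixed keys is a stand-in for the SHA-256 the real code should use.
pub fn digest(token: &str) -> String {
    let mut h = DefaultHasher::new();
    token.hash(&mut h);
    format!("{:016x}", h.finish())
}

#[derive(Debug, PartialEq)]
pub enum VerifyError { UnknownUser, AlreadyVerified, TooSoon, Invalid }

#[derive(Default)]
pub struct User {
    pub email_verified: bool,
    pub verification_token: Option<String>, // digest of the live token, never the token
    pub verification_expires: Option<Instant>,
    pub last_sent: Option<Instant>,
}

pub struct EmailVerifier {
    pub users: HashMap<String, User>,   // by email; stands in for the MongoDB collection
    by_digest: HashMap<String, String>, // digest -> email; an index on verification_token in the real store
    ttl: Duration,
    resend_gap: Duration,
    pub outbox: Vec<(String, String)>,  // email service placeholder: (recipient, link)
}

impl EmailVerifier {
    pub fn new(ttl: Duration, resend_gap: Duration) -> Self {
        Self { users: HashMap::new(), by_digest: HashMap::new(), ttl, resend_gap, outbox: Vec::new() }
    }

    /// POST /api/auth/verify/send: a fresh token replaces any earlier one, so only the newest link works.
    pub fn send(&mut self, email: &str, now: Instant) -> Result<(), VerifyError> {
        let user = self.users.get_mut(email).ok_or(VerifyError::UnknownUser)?;
        if user.email_verified { return Err(VerifyError::AlreadyVerified); }
        if let Some(old) = user.verification_token.take() { self.by_digest.remove(&old); }
        let token = random_token();
        let d = digest(&token);
        user.verification_token = Some(d.clone());
        user.verification_expires = Some(now + self.ttl);
        user.last_sent = Some(now);
        self.by_digest.insert(d, email.to_string());
        // Base URL is an assumption; the route is the one from this TODO.
        self.outbox.push((email.to_string(), format!("https://app.example/api/auth/verify/confirm?token={token}")));
        Ok(())
    }

    /// POST /api/auth/verify/resend: `send`, but not more often than `resend_gap` per account.
    pub fn resend(&mut self, email: &str, now: Instant) -> Result<(), VerifyError> {
        let user = self.users.get(email).ok_or(VerifyError::UnknownUser)?;
        if user.last_sent.map_or(false, |t| now < t + self.resend_gap) { return Err(VerifyError::TooSoon); }
        self.send(email, now)
    }

    /// GET /api/auth/verify/confirm?token=...: single use, and the same error for unknown,
    /// expired and already-used tokens. The lookup is by digest, so no constant-time compare is needed.
    pub fn confirm(&mut self, token: &str, now: Instant) -> Result<String, VerifyError> {
        let d = digest(token);
        let email = self.by_digest.get(&d).cloned().ok_or(VerifyError::Invalid)?;
        let user = self.users.get_mut(&email).ok_or(VerifyError::Invalid)?;
        if user.verification_expires.map_or(true, |exp| now >= exp) { return Err(VerifyError::Invalid); }
        user.email_verified = true;
        user.verification_token = None;
        user.verification_expires = None;
        self.by_digest.remove(&d);
        Ok(email)
    }

    /// Token cleanup (Week 2): drop expired tokens so the index does not grow without bound.
    pub fn cleanup_expired(&mut self, now: Instant) -> usize {
        let mut removed = 0;
        for user in self.users.values_mut() {
            if user.verification_expires.map_or(false, |exp| now >= exp) {
                if let Some(d) = user.verification_token.take() { self.by_digest.remove(&d); }
                user.verification_expires = None;
                removed += 1;
            }
        }
        removed
    }
}
```

One caveat for the `GET .../confirm` design: mail security gateways follow links in incoming messages, and because the token is single-use such a prefetch consumes it before the user clicks. If that shows up in testing, have the GET render a page whose button POSTs the token instead of confirming on the GET itself.
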
### Enhanced Profile Management

- [ ] Update handler: `PUT /api/users/me`
- [ ] Add username validation (length bounds, allowed character set, reserved names)
- [ ] Add full name field support
- [ ] Add profile picture URL support (validate the scheme and host; reject `javascript:`/`data:` URLs, and loopback or literal-IP hosts if the server ever fetches the image)
- [ ] Create handler: `DELETE /api/users/me`
- [ ] Add password confirmation for deletion
- [ ] Write unit tests
- [ ] Write integration tests

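An added example, not the project's code, of the input validation the profile items above call for: username, full name and profile picture URL, using std only. Assumed (not from the page): the `ProfileError` type, the `ProfileUpdate` field names, the reserved-name list, the length bounds, and the choice to accept `https://` URLs only.

```rust
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub enum ProfileError { Username(&'static str), FullName(&'static str), PictureUrl(&'static str) }

/// Names that would collide with routes such as /api/users/me or impersonate staff (assumed list).
const RESERVED_USERNAMES: &[&str] = &["me", "admin", "root", "support", "api"];

/// Username: 3..=32 chars of [a-z0-9_], starting with a letter or digit, not reserved.
pub fn validate_username(name: &str) -> Result<&str, ProfileError> {
    if !name.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'_') {
        return Err(ProfileError::Username("only lowercase letters, digits and underscore"));
    }
    if !(3..=32).contains(&name.len()) { return Err(ProfileError::Username("must be 3 to 32 characters")); }
    if name.starts_with('_') { return Err(ProfileError::Username("must start with a letter or digit")); }
    if RESERVED_USERNAMES.contains(&name) { return Err(ProfileError::Username("reserved")); }
    Ok(name)
}

/// Full name: trimmed, 1..=100 chars, no control characters (they break logs and UIs).
pub fn validate_full_name(name: &str) -> Result<String, ProfileError> {
    let trimmed = name.trim();
    let n = trimmed.chars().count();
    if n == 0 || n > 100 { return Err(ProfileError::FullName("must be 1 to 100 characters")); }
    if trimmed.chars().any(char::is_control) { return Err(ProfileError::FullName("control characters not allowed")); }
    Ok(trimmed.to_string())
}

/// Profile picture URL: https only (rejects javascript:, data: and http:), no credentials in the
/// authority, and no loopback or literal-IP host in case the server ever fetches the image (SSRF).
pub fn validate_picture_url(url: &str) -> Result<String, ProfileError> {
    if url.len() > 2048 { return Err(ProfileError::PictureUrl("too long")); }
    if url.chars().any(|c| c.is_whitespace() || c.is_control()) {
        return Err(ProfileError::PictureUrl("whitespace or control character"));
    }
    let rest = match url.get(..8) {
        Some(scheme) if scheme.eq_ignore_ascii_case("https://") => &url[8..],
        _ => return Err(ProfileError::PictureUrl("only https:// URLs are allowed")),
    };
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    if authority.is_empty() { return Err(ProfileError::PictureUrl("missing host")); }
    if authority.contains('@') { return Err(ProfileError::PictureUrl("credentials in URL not allowed")); }
    // host:port, with IPv6 literals written as [addr]:port
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h),
    };
    let host_lc = host.to_ascii_lowercase();
    if host_lc == "localhost" || host_lc.ends_with(".localhost") || host.parse::<IpAddr>().is_ok() {
        return Err(ProfileError::PictureUrl("loopback or literal IP hosts not allowed"));
    }
    Ok(url.to_string())
}

/// Body of PUT /api/users/me (field names assumed); every field that is present is validated.
#[derive(Default)]
pub struct ProfileUpdate { pub username: Option<String>, pub full_name: Option<String>, pub picture_url: Option<String> }

pub fn validate_update(u: &ProfileUpdate) -> Result<(), ProfileError> {
    if let Some(n) = &u.username { validate_username(n)?; }
    if let Some(n) = &u.full_name { validate_full_name(n)?; }
    if let Some(p) = &u.picture_url { validate_picture_url(p)?; }
    Ok(())
}
```

The URL check is deliberately a parser of its own rather than a string prefix test: `HTTPS://` must pass, `javascript:` and `data:` must fail regardless of case, and an `@` in the authority or a literal address must be caught before anything downstream ever fetches the image.
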
---

## Priority 2: Account Settings (Should Have)

### Settings Management

- [ ] Create UserSettings model
- [ ] Add settings field to User model
- [ ] Create handler: `GET /api/users/me/settings`
- [ ] Create handler: `PUT /api/users/me/settings`
- [ ] Add email notifications toggle
- [ ] Add theme selection (validate against an allowlist)
- [ ] Add language selection (validate against an allowlist)
- [ ] Add timezone selection (validate against the tz database names)
- [ ] Write unit tests
- [ ] Write integration tests

### Password Change

- [ ] Create handler: `POST /api/users/me/change-password`
- [ ] Add current password verification
- [ ] Add new password validation (must differ from the current password)
- [ ] Add rate limiting (3 attempts per hour)
- [ ] Log password changes (success and failure, never the passwords themselves)
- [ ] Invalidate other sessions/JWTs after a successful change
- [ ] Write unit tests
- [ ] Write integration tests

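The password recovery handlers from Priority 1 and the password change handler above share the same building blocks (hash verification, the new-password policy, an audit entry, and session invalidation), so here is one added example covering both. It is not the project's code. Assumptions: the `PasswordHasher` trait stands in for the existing PasswordService (with a toy FNV hasher so it runs without crates; it is not a password hash), a `token_version` field on User that the existing JwtService would embed in claims and check so that old sessions die with the old password, `audit` as a plain Vec standing in for the audit log, a 12-character minimum, and the design choice that reset-password takes the recovery phrase again instead of a token handed out by verify.

```rust
/// Assumed shape of the project's existing PasswordService (a slow, salted hash such as Argon2).
pub trait PasswordHasher {
    fn hash(&self, secret: &str) -> String;
    fn verify(&self, secret: &str, hash: &str) -> bool;
}

/// Toy stand-in so the example runs without crates. FNV-1a is NOT a password hash.
pub struct ToyHasher;
impl PasswordHasher for ToyHasher {
    fn hash(&self, secret: &str) -> String {
        let mut h: u64 = 0xcbf2_9ce4_8422_2325;
        for b in secret.bytes() {
            h = (h ^ u64::from(b)).wrapping_mul(0x0100_0000_01b3);
        }
        format!("{h:016x}")
    }
    fn verify(&self, secret: &str, hash: &str) -> bool {
        // Constant-time comparison: no early exit at the first differing byte.
        let computed = self.hash(secret);
        computed.len() == hash.len() && std::hint::black_box(computed.bytes().zip(hash.bytes()).fold(0u8, |d, (x, y)| d | (x ^ y))) == 0
    }
}

pub struct User {
    pub email: String,
    pub password_hash: String,
    pub recovery_phrase_hash: Option<String>,
    pub recovery_phrase_enabled: bool,
    pub token_version: u32, // assumed addition: JwtService rejects JWTs minted under an older version
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    RecoveryRejected, // one error for unknown account, recovery disabled and wrong phrase: no enumeration
    WrongPassword,
    WeakPassword(&'static str),
}

/// New-password policy; the bound is an assumption, not the project's setting.
pub fn validate_new_password(candidate: &str, current: Option<&str>) -> Result<(), AuthError> {
    let n = candidate.chars().count();
    if n < 12 { return Err(AuthError::WeakPassword("at least 12 characters")); }
    if current == Some(candidate) { return Err(AuthError::WeakPassword("must differ from current password")); }
    Ok(())
}

pub struct Auth<H: PasswordHasher> {
    pub hasher: H,
    pub audit: Vec<String>, // stands in for the audit log; never contains secrets
}
impl<H: PasswordHasher> Auth<H> {
    pub fn new_user(&self, email: &str, password: &str) -> Result<User, AuthError> {
        validate_new_password(password, None)?;
        Ok(User { email: email.to_string(), password_hash: self.hasher.hash(password), recovery_phrase_hash: None, recovery_phrase_enabled: false, token_version: 0 })
    }

    /// POST /api/auth/recovery/setup (caller already authenticated as `user`).
    pub fn recovery_setup(&mut self, user: &mut User, phrase: &str) {
        user.recovery_phrase_hash = Some(self.hasher.hash(phrase));
        user.recovery_phrase_enabled = true;
        self.audit.push(format!("recovery.setup email={}", user.email));
    }

    /// POST /api/auth/recovery/verify, with `user` being the lookup result for the submitted email.
    pub fn recovery_verify(&self, user: Option<&User>, phrase: &str) -> Result<(), AuthError> {
        let ok = match user {
            Some(u) if u.recovery_phrase_enabled => u.recovery_phrase_hash.as_deref().map_or(false, |h| self.hasher.verify(phrase, h)),
            // Hash anyway so the unknown-account path costs as much as the known-account path.
            _ => { let _ = self.hasher.hash(phrase); false }
        };
        if ok { Ok(()) } else { Err(AuthError::RecoveryRejected) }
    }

    /// POST /api/auth/recovery/reset-password: the phrase is re-presented with the new password (assumed design).
    pub fn recovery_reset(&mut self, user: Option<&mut User>, phrase: &str, new_password: &str) -> Result<(), AuthError> {
        self.recovery_verify(user.as_deref(), phrase)?;
        validate_new_password(new_password, None)?;
        self.set_password(user.ok_or(AuthError::RecoveryRejected)?, new_password, "recovery.reset");
        Ok(())
    }

    /// POST /api/users/me/change-password
    pub fn change_password(&mut self, user: &mut User, current: &str, new_password: &str) -> Result<(), AuthError> {
        if !self.hasher.verify(current, &user.password_hash) {
            self.audit.push(format!("password.change.failed email={}", user.email));
            return Err(AuthError::WrongPassword);
        }
        validate_new_password(new_password, Some(current))?;
        self.set_password(user, new_password, "password.change");
        Ok(())
    }

    fn set_password(&mut self, user: &mut User, new_password: &str, event: &str) {
        user.password_hash = self.hasher.hash(new_password);
        user.token_version += 1; // every JWT issued before this point is now stale
        self.audit.push(format!("{event} email={} token_version={}", user.email, user.token_version));
    }
}
```

Two points worth keeping when this becomes real handlers: `recovery_verify` hashes even when the account does not exist, so response time does not reveal which emails are registered, and every path that sets a password goes through `set_password`, so the session-invalidation bump cannot be forgotten on one of them.
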
---

## Priority 3: Security & Performance (Nice to Have)

### Rate Limiting

- [ ] Install tower-governor dependency
- [ ] Create rate limiting middleware
- [ ] Apply to password recovery endpoint
- [ ] Apply to email verification endpoint
- [ ] Apply to password change endpoint
- [ ] Apply to login endpoint
- [ ] Configure Redis for rate limiting (optional; in-memory counters are per process, so Redis is needed once more than one instance serves traffic)
- [ ] Write tests

### Security Enhancements

- [ ] Add audit logging for sensitive operations (who, what, when, outcome; never the secrets themselves)
- [ ] Add IP-based rate limiting (derive the client IP from `X-Forwarded-For` only when the request comes from a trusted proxy)
- [ ] Add account lockout after failed attempts (count per account, reset on successful login)
- [ ] Add email verification requirement check
- [ ] Add two-factor authentication prep work
- [ ] Write security tests

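One added example, not the project's code, serving both the Rate Limiting and the Security Enhancements lists above: a fixed-window limiter keyed by any string, wired to the limits this document names (5 recovery attempts per hour, 3 password changes per hour), reused as the failed-login counter behind account lockout, plus the client-IP derivation that IP-based limiting depends on. tower-governor brings its own limiter; this shows the logic an in-memory implementation needs and why the Redis item exists (the counters live in one process). Assumptions: the `WindowLimiter` and `AuthLimits` names, a lockout threshold of 10 failures per 15 minutes, and an injected `Instant` clock so the behaviour can be checked without sleeping.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum Decision { Allowed { remaining: u32 }, Denied { retry_after: Duration } }

/// Fixed-window counter: at most `limit` hits per `window` for each key. In-memory, so it is
/// per process; with more than one instance the counters would have to live in Redis.
pub struct WindowLimiter { limit: u32, window: Duration, hits: HashMap<String, (Instant, u32)> }

impl WindowLimiter {
    pub fn new(limit: u32, window: Duration) -> Self { Self { limit, window, hits: HashMap::new() } }

    /// Records one hit for `key` and reports whether it fits in the current window.
    pub fn hit(&mut self, key: &str, now: Instant) -> Decision {
        let entry = self.hits.entry(key.to_string()).or_insert((now, 0));
        if now >= entry.0 + self.window { *entry = (now, 0); } // window elapsed: start a new one
        if entry.1 >= self.limit {
            return Decision::Denied { retry_after: entry.0 + self.window - now };
        }
        entry.1 += 1;
        Decision::Allowed { remaining: self.limit - entry.1 }
    }

    pub fn clear(&mut self, key: &str) { self.hits.remove(key); }

    /// Drop windows that have elapsed so the map does not grow without bound.
    pub fn sweep(&mut self, now: Instant) {
        let w = self.window;
        self.hits.retain(|_, (start, _)| now < *start + w);
    }
}

/// Limits from this TODO: 5 recovery attempts per hour and 3 password changes per hour, plus an
/// account lockout after 10 failed logins in 15 minutes (the lockout numbers are assumptions).
pub struct AuthLimits { pub recovery: WindowLimiter, pub change_password: WindowLimiter, pub failed_logins: WindowLimiter }

impl AuthLimits {
    pub fn new() -> Self {
        Self {
            recovery: WindowLimiter::new(5, Duration::from_secs(3600)),
            change_password: WindowLimiter::new(3, Duration::from_secs(3600)),
            failed_logins: WindowLimiter::new(10, Duration::from_secs(900)),
        }
    }

    /// Call on every failed login; returns true once the account is locked out. Call
    /// `failed_logins.clear(account)` on a successful login so old failures do not linger.
    pub fn record_login_failure(&mut self, account: &str, now: Instant) -> bool {
        matches!(self.failed_logins.hit(account, now), Decision::Denied { .. } | Decision::Allowed { remaining: 0 })
    }
}

/// Key for IP-based limiting. X-Forwarded-For is client-controlled unless the request came from
/// one of our own proxies, and even then only the rightmost entry (the one that proxy appended)
/// can be trusted; anything left of it was supplied by the client.
pub fn client_ip(peer: IpAddr, forwarded_for: Option<&str>, trusted_proxies: &[IpAddr]) -> IpAddr {
    if trusted_proxies.contains(&peer) {
        if let Some(ip) = forwarded_for.and_then(|h| h.rsplit(',').next()).and_then(|s| s.trim().parse::<IpAddr>().ok()) {
            return ip;
        }
    }
    peer
}
```

Keying matters as much as the counter: the recovery limit should be applied per account and per client IP, because a single attacker rotating addresses defeats an IP-only key while an account-only key lets one attacker lock a victim out of their own recovery.
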
---

## Priority 4: Testing & Documentation

### Testing

- [ ] Write integration tests for password recovery flow
- [ ] Write integration tests for email verification flow
- [ ] Write integration tests for profile management
- [ ] Write integration tests for settings management
- [ ] Write rate limiting tests
- [ ] Add test coverage reporting
- [ ] Aim for 80%+ code coverage

### Documentation

- [ ] Update API documentation with new endpoints
- [ ] Add email verification flow diagram
- [ ] Add password recovery flow diagram
- [ ] Update quick start guide
- [ ] Add developer setup instructions
- [ ] Add deployment guide

---

## Implementation Order

### Week 1: Password Recovery

1. Monday: Update User model, create basic handlers
2. Tuesday: Implement rate limiting
3. Wednesday: Write unit tests
4. Thursday: Write integration tests
5. Friday: Code review and refinement

### Week 2: Email Verification

1. Monday: Update User model, create email service placeholder
2. Tuesday: Implement verification handlers
3. Wednesday: Implement token cleanup
4. Thursday: Write tests
5. Friday: Code review and refinement

### Week 3: Profile & Settings

1. Monday: Enhanced profile management
2. Tuesday: Account settings handlers
3. Wednesday: Password change handler
4. Thursday: Write tests
5. Friday: Code review and refinement

### Week 4: Polish & Deploy

1. Monday: Security enhancements
2. Tuesday: Performance optimization
3. Wednesday: Documentation updates
4. Thursday: Integration tests
5. Friday: Deploy to staging

---

## Dependencies

- ✅ Phase 2.3 (JWT Auth) must be complete
- ✅ MongoDB connection working
- ✅ Docker environment operational
- ⏳ Email service (can use placeholder for now)
- ⏳ Redis for rate limiting (optional, can use in-memory)

---

## Notes

- All new handlers must follow existing patterns
- Use existing PasswordService for hashing
- Use existing JwtService for tokens
- Follow Rust best practices and idioms
- Add error handling for all edge cases
- Add comprehensive logging
- Keep handlers simple and focused
- Use middleware for cross-cutting concerns

---

**Last Updated**: 2026-02-15 16:33:00 UTC