space/jellomator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1edb89884bf8fa546ea89ab2088ec2c9dd7d58c2
jellomator/TODO.md
Luna 1edb89884b
All checks were successful
docker / test (pull_request) Successful in 37s
Details
docker / build-and-push (pull_request) Has been skipped
Details
docker / build-verify-pr (pull_request) Successful in 40s
Details
ci: verify Docker image build on pull requests
2026-05-22 13:52:40 +00:00

69 lines
3.1 KiB
Markdown
Raw Blame History

# TODO
Concrete follow-up work for Jellomator, prioritized by implementation risk and user impact.
## P0 - Security and Reliability
- [x] Add session expiry and rotation.
- [x] Add `expires_at` and `last_seen_at` to `sessions`.
- [x] Reject expired tokens in `current_user`.
- [x] Rotate session token on login and periodically on use.
- [x] Harden auth endpoints.
- [x] Add login rate limiting by IP + username pair.
- [x] Add brute-force lockout window with clear error message.
- [x] Add optional CSRF protection for cookie-authenticated write routes.
- [x] Fix cookie/security defaults for deployment.
- [x] Set cookie `secure` from environment (true in production).
- [x] Make cookie max-age configurable.
- [x] Keep `httponly` and `samesite=lax`.
- [x] Add input and payload validation.
- [x] Validate URL scheme for links (`http`/`https` only).
- [x] Enforce max lengths for `name`, `category`, `description`, and `icon_url`.
- [x] Validate uploaded icon type and max file size before reading blob.
- [x] Add health/readiness endpoints.
- [x] `/healthz` returns `200` when process is up.
- [x] `/readyz` checks DB query + optional write test and returns `503` on failure.
## P1 - Data Model and Backend Quality
- [x] Replace string timestamps with DB-native datetime.
- [x] Migrate `created_at`/`updated_at` columns from `varchar` to `datetime`.
- [x] Use UTC consistently for writes and reads.
- [x] Add display ordering support.
- [x] Add `sort_order` column and stable ordering fallback by `name`.
- [x] Update read query to order by `enabled desc`, `sort_order`, `name`.
- [x] Remove duplicate connection pattern in create flow.
- [x] Use one DB transaction/connection per request path where possible.
- [x] Add backup and restore flow in admin API/UI.
- [x] Download full export.
- [x] Upload validated import with explicit confirmation.
- [x] Add dry-run validation mode before apply.
- [x] Add structured logging.
- [x] Log auth attempts, CRUD actions, and restore events with request IDs.
## P2 - UX and Product Improvements
- [x] Replace browser `alert()` with inline form errors/toasts.
- [x] Show server errors near submit controls.
- [x] Add success toasts for create/update/delete.
- [x] Remove forced reload in auth forms.
- [x] Replace `location.reload()` with state refresh only.
- [x] Keep SPA navigation predictable on setup/login/logout.
- [x] Add drag-and-drop ordering in admin.
- [x] Persist `sort_order` updates.
- [x] Provide keyboard-accessible move controls as fallback.
- [x] Add duplicate/cloning for links.
- [x] Pre-fill form from an existing link.
- [x] Save as new record with unique name validation.
- [x] Add public read-only mode toggle.
- [x] Hide admin entry points and editing affordances for non-admin view.
## P3 - Nice-to-Have
- Add multi-category support with normalization.
- Add audit history timeline in admin.
- Add JSON import/export for services with icons.
- Add keyboard shortcuts for search/quick launch.
- Add Open Graph metadata and richer SEO tags.
- [x] Add CI verification that builds container image for pull requests.
Reference in New Issue View Git Blame Copy Permalink