jellomator/TODO.md

TODO

Concrete follow-up work for Jellomator, prioritized by implementation risk and user impact.

P0 - Security and Reliability

  • Add session expiry and rotation.
    • Add expires_at and last_seen_at to sessions.
    • Reject expired tokens in current_user.
    • Rotate session token on login and periodically on use.
  • Harden auth endpoints.
    • Add login rate limiting by IP + username pair.
    • Add brute-force lockout window with clear error message.
    • Add optional CSRF protection for cookie-authenticated write routes.
  • Fix cookie/security defaults for deployment.
    • Set the cookie secure flag from the environment (true in production).
    • Make cookie max-age configurable.
    • Keep httponly and samesite=lax.
  • Add input and payload validation.
    • Validate URL scheme for links (http/https only).
    • Enforce max lengths for name, category, description, and icon_url.
    • Validate uploaded icon type and max file size before reading blob.
  • Add health/readiness endpoints.
    • /healthz returns 200 when process is up.
    • /readyz checks DB query + optional write test and returns 503 on failure.
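
The session items above (expires_at and last_seen_at columns, rejecting expired tokens in current_user, rotating on login and periodically on use) sketched as an added example; this is not Jellomator's code, it assumes Python with an SQLite-backed sessions table, and the 12-hour lifetime and 30-minute rotation interval are placeholder values:

```python
# Added example, not Jellomator's own code. Sessions carry an absolute expiry and a
# last_seen_at timestamp; current_user rejects expired tokens and rotates the token
# once it has been in use for ROTATE_AFTER. The schema and intervals are assumptions.
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(hours=12)      # assumed absolute lifetime (not sliding)
ROTATE_AFTER = timedelta(minutes=30)   # assumed rotation interval while in use

SCHEMA = """
CREATE TABLE sessions (
    token        TEXT PRIMARY KEY,
    user_id      INTEGER NOT NULL,
    expires_at   TEXT NOT NULL,   -- ISO-8601, UTC
    last_seen_at TEXT NOT NULL,
    rotated_at   TEXT NOT NULL
)
"""


def utcnow():
    return datetime.now(timezone.utc)


class SessionStore:
    def __init__(self, conn):
        self.conn = conn
        conn.execute(SCHEMA)

    def login(self, user_id, old_token=None, now=None):
        """Rotate on login: discard any token the client presented and issue a new one."""
        now = now or utcnow()
        if old_token:
            self.conn.execute("DELETE FROM sessions WHERE token = ?", (old_token,))
        token = secrets.token_urlsafe(32)
        self.conn.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?, ?)",
            (token, user_id, (now + SESSION_TTL).isoformat(), now.isoformat(), now.isoformat()),
        )
        return token

    def current_user(self, token, now=None):
        """Return (user_id, token_to_set) or None for unknown/expired tokens.
        token_to_set differs from the input when the session was rotated on this call;
        the caller re-sets the cookie in that case. Expiry is absolute, so rotation
        never extends the session's lifetime."""
        now = now or utcnow()
        row = self.conn.execute(
            "SELECT user_id, expires_at, rotated_at FROM sessions WHERE token = ?", (token,)
        ).fetchone()
        if row is None:
            return None
        user_id, expires_at, rotated_at = row
        if datetime.fromisoformat(expires_at) <= now:
            self.conn.execute("DELETE FROM sessions WHERE token = ?", (token,))
            return None
        stamp = now.isoformat()
        if now - datetime.fromisoformat(rotated_at) >= ROTATE_AFTER:
            new_token = secrets.token_urlsafe(32)
            self.conn.execute(
                "UPDATE sessions SET token = ?, last_seen_at = ?, rotated_at = ? WHERE token = ?",
                (new_token, stamp, stamp, token),
            )
            return user_id, new_token
        self.conn.execute("UPDATE sessions SET last_seen_at = ? WHERE token = ?", (stamp, token))
        return user_id, token


def walkthrough():
    """Exercise expiry and rotation against a fixed clock; returns the observations."""
    store = SessionStore(sqlite3.connect(":memory:"))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = store.login(user_id=1, now=t0)
    early = store.current_user(tok, now=t0 + timedelta(minutes=5))           # no rotation yet
    uid, rotated = store.current_user(tok, now=t0 + timedelta(minutes=31))   # rotated on use
    old_after_rotation = store.current_user(tok, now=t0 + timedelta(minutes=32))
    expired = store.current_user(rotated, now=t0 + timedelta(hours=13))
    return {
        "early_same_token": early == (1, tok),
        "rotated_user": uid,
        "rotated_new_token": rotated != tok,
        "old_token_rejected": old_after_rotation is None,
        "expired_rejected": expired is None,
    }


if __name__ == "__main__":
    print(walkthrough())
```

Keeping the expiry absolute rather than sliding bounds how long a stolen cookie stays valid regardless of activity; last_seen_at is still recorded so idle sessions can be reported or pruned separately.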
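
The login hardening items (rate limiting keyed by IP + username pair, a brute-force lockout window with a clear error message) as an added example, not Jellomator's code; it assumes Python, keeps state in memory, normalises usernames to lower case, and the threshold of 5 failures per 10 minutes with a 15-minute lockout is a placeholder:

```python
# Added example, not Jellomator's own code. Failed logins are counted per (ip, username)
# inside a rolling window; reaching the threshold locks that pair for LOCKOUT. The numbers
# and the in-memory store are assumptions (a multi-process deployment would need a shared store).
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                        # assumed threshold
FAILURE_WINDOW = timedelta(minutes=10)  # assumed counting window
LOCKOUT = timedelta(minutes=15)         # assumed lockout length


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # (ip, username) -> timestamps of recent failures
        self._locked_until = {}               # (ip, username) -> datetime

    @staticmethod
    def _key(ip, username):
        return ip, username.strip().lower()   # case-insensitive usernames: assumption

    def check(self, ip, username, now):
        """Call before verifying the password. Returns None if the attempt may proceed,
        otherwise the message to show the user. The message does not reveal whether the
        account exists."""
        key = self._key(ip, username)
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                secs = int((until - now).total_seconds())
                return f"Too many failed logins. Try again in {secs} seconds."
            del self._locked_until[key]       # window passed: start fresh
            self._failures[key].clear()
        return None

    def record_failure(self, ip, username, now):
        """Register a bad password; returns True when this failure triggered a lockout."""
        key = self._key(ip, username)
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, ip, username):
        """A correct login clears the counters for the pair."""
        key = self._key(ip, username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def walkthrough():
    """Five failures from one address lock that pair; another address is unaffected,
    and the lock lifts once the window has passed. Addresses are documentation ranges."""
    lim = LoginLimiter()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ip, user = "198.51.100.7", "admin"
    locked_after = None
    for i in range(MAX_FAILURES):
        if lim.record_failure(ip, user, t0 + timedelta(seconds=i)):
            locked_after = i + 1
    return {
        "locked_after": locked_after,
        "blocked_msg": lim.check(ip, user, t0 + timedelta(minutes=1)),
        "other_ip_allowed": lim.check("203.0.113.9", user, t0 + timedelta(minutes=1)) is None,
        "unlocked_later": lim.check(ip, user, t0 + timedelta(minutes=20)) is None,
    }


if __name__ == "__main__":
    print(walkthrough())
```

Because the key is the pair, a single address cannot lock a legitimate user out from everywhere, but attempts spread across many addresses are not slowed by this counter alone; a second, looser per-username cap is the usual complement. Lockout decisions should also go to the structured log planned under P1.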

P1 - Data Model and Backend Quality

  • Replace string timestamps with DB-native datetime.
    • Migrate created_at/updated_at columns from varchar to datetime.
    • Use UTC consistently for writes and reads.
  • Add display ordering support.
    • Add sort_order column and stable ordering fallback by name.
    • Update read query to order by enabled desc, sort_order, name.
  • Remove duplicate connection pattern in create flow.
    • Use one DB transaction/connection per request path where possible.
  • Add backup and restore flow in admin API/UI.
    • Download full export.
    • Upload validated import with explicit confirmation.
    • Add dry-run validation mode before apply.
  • Add structured logging.
    • Log auth attempts, CRUD actions, and restore events with request IDs.
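
An added example covering two items on this list: the P0 payload validation (http/https-only URLs, max lengths for name/category/description/icon_url, icon type and size checked before the whole upload is buffered) and the P1 dry-run validation mode for the restore flow, which reuses the same per-record checks. It is not Jellomator's code; the limits, the export document shape (an object with a links array) and the sample records are assumptions:

```python
# Added example, not Jellomator's own code. validate_link / validate_icon_upload implement the
# P0 validation items; validate_import is the P1 dry-run that runs them over a whole export
# without writing anything. Limits and the export layout are assumptions.
import io
from urllib.parse import urlsplit

MAX_LEN = {"name": 80, "category": 40, "description": 500, "icon_url": 2048}  # assumed limits
MAX_ICON_BYTES = 512 * 1024                                                   # assumed cap
ICON_MAGIC = {  # file signatures, checked instead of trusting the declared content type
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_icon_type(head):
    """MIME type implied by the leading bytes, or None when no known signature matches."""
    for magic, mime in ICON_MAGIC.items():
        if head.startswith(magic):
            return mime
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_url(value, field):
    """Accept only absolute http/https URLs with a host (rejects javascript:, data:, file:, //host)."""
    if not isinstance(value, str):
        return [f"{field}: must be a string"]
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        return [f"{field}: scheme must be http or https"]
    if not parts.netloc:
        return [f"{field}: missing host"]
    return []


def validate_link(payload):
    """Error strings for one link record; an empty list means the record is acceptable."""
    errors = []
    if not payload.get("name"):
        errors.append("name: required")
    for field, limit in MAX_LEN.items():
        value = payload.get(field, "")
        if not isinstance(value, str):
            errors.append(f"{field}: must be a string")
        elif len(value) > limit:
            errors.append(f"{field}: longer than {limit} characters")
    errors += validate_url(payload.get("url"), "url")
    if payload.get("icon_url"):
        errors += validate_url(payload["icon_url"], "icon_url")
    return errors


def validate_icon_upload(stream, declared_type):
    """Read at most MAX_ICON_BYTES + 1 bytes, so an oversized upload is refused without
    buffering it in full. Returns (blob, errors); blob is None when rejected."""
    data = stream.read(MAX_ICON_BYTES + 1)
    if len(data) > MAX_ICON_BYTES:
        return None, [f"icon: larger than {MAX_ICON_BYTES} bytes"]
    actual = sniff_icon_type(data[:16])
    if actual is None:
        return None, ["icon: unrecognised image format"]
    if declared_type != actual:
        return None, [f"icon: declared {declared_type} but content is {actual}"]
    return data, []


def validate_import(doc, existing_names=()):
    """Dry run for restore: validate every record and name uniqueness (case-insensitive,
    including names already in the database) without writing. Returns (ok, {index: errors});
    the apply step would run only when ok is True."""
    if not isinstance(doc, dict) or not isinstance(doc.get("links"), list):
        return False, {-1: ["document must be an object with a 'links' array"]}
    seen = {n.lower() for n in existing_names}
    problems = {}
    for i, rec in enumerate(doc["links"]):
        errs = validate_link(rec) if isinstance(rec, dict) else ["record must be an object"]
        name = rec.get("name", "") if isinstance(rec, dict) else ""
        if name and name.lower() in seen:
            errs.append(f"name: duplicate '{name}'")
        seen.add(name.lower())
        if errs:
            problems[i] = errs
    return not problems, problems


# Constructed sample export (not real Jellomator data): one valid record, one with a bad
# scheme and an over-long description, one whose name collides case-insensitively.
SAMPLE_EXPORT = {"links": [
    {"name": "Jellyfin", "url": "https://media.example.internal", "category": "Media"},
    {"name": "Bad", "url": "javascript:void(0)", "description": "x" * 600},
    {"name": "jellyfin", "url": "http://dup.example.internal"},
]}


def icon_checks():
    """Run the icon validator over constructed uploads: a PNG declared correctly, the same PNG
    declared as JPEG, and a JPEG header padded past the size cap."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    good = validate_icon_upload(io.BytesIO(png), "image/png")
    lied = validate_icon_upload(io.BytesIO(png), "image/jpeg")
    huge = validate_icon_upload(io.BytesIO(b"\xff\xd8\xff" + b"\x00" * MAX_ICON_BYTES), "image/jpeg")
    return good, lied, huge


if __name__ == "__main__":
    print(validate_import(SAMPLE_EXPORT))
    print([errs for _, errs in icon_checks()])
```

Running the same validate_link in the create/update handlers and in the dry run keeps the two paths from drifting; the UI's "explicit confirmation" step then only needs to show the per-record error map and gate the apply call on ok.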

P2 - UX and Product Improvements

  • Replace browser alert() with inline form errors/toasts.
    • Show server errors near submit controls.
    • Add success toasts for create/update/delete.
  • Remove forced reload in auth forms.
    • Replace location.reload() with state refresh only.
    • Keep SPA navigation predictable on setup/login/logout.
  • Add drag-and-drop ordering in admin.
    • Persist sort_order updates.
    • Provide keyboard-accessible move controls as fallback.
  • Add duplicate/cloning for links.
    • Pre-fill form from an existing link.
    • Save as new record with unique name validation.
  • Add public read-only mode toggle.
    • Hide admin entry points and editing affordances for non-admin view.

P3 - Nice-to-Have

  • Add multi-category support with normalization.
  • Add audit history timeline in admin.
  • Add JSON import/export for services with icons.
  • Add keyboard shortcuts for search/quick launch.
  • Add Open Graph metadata and richer SEO tags.
  • Add CI verification that builds container image for pull requests.