Added opaque join-token support across backend and frontend: new migration/model/service/endpoints, guest controllers now resolve tokens, and the demo seeder seeds a token. Tenant event details list/manage tokens with copy/revoke actions, and the guest PWA uses tokens end-to-end (routing, storage, uploads, achievements, etc.). Docs TODO updated to reflect completed steps.
This commit is contained in:
Codex Agent
34
docs/todo/event-join-token-hardening.md
Normal file
34
docs/todo/event-join-token-hardening.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# Event Join Token Hardening TODO
|
||||
|
||||
## Goal
|
||||
Replace slug-based guest access with opaque, revocable join tokens and provide printable QR layouts tied to those tokens.
|
||||
|
||||
## Phase 1 – Data & Backend
|
||||
- [x] Create `event_join_tokens` table (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).
|
||||
- [x] Add Eloquent model + relations (`Event::joinTokens()`), factory, and seed helper.
|
||||
- [x] Implement service for token generation/rotation (secure RNG, audit logging).
|
||||
- [x] Expose tenant API endpoints for listing/creating/revoking tokens.
|
||||
- [x] Introduce middleware/controller updates so guest API resolves `/e/{token}` → event.
|
||||
- [ ] Add rate limiting + logging for invalid token attempts.
|
||||
|
||||
## Phase 2 – Guest PWA
|
||||
- [x] Update router and data loaders to use `:token` paths.
|
||||
- [x] Adjust storage/cache keys to use token identifiers.
|
||||
- [ ] Display friendly error states for expired/invalid tokens.
|
||||
- [ ] Regression-test photo upload, likes, and stats flows via token.
|
||||
|
||||
## Phase 3 – Tenant Admin UX
|
||||
- [x] Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
|
||||
- [x] Hook Filament action + PWA screens to call new token endpoints.
|
||||
- [ ] Generate five print-ready layouts (PDF/SVG) per token with download options.
|
||||
- [ ] Deprecate slug-based QR view; link tenants to new flow.
|
||||
|
||||
## Phase 4 – Migration & Cleanup
|
||||
- [ ] Backfill tokens for existing published events and notify tenants to reprint.
|
||||
- [ ] Remove slug parameters from public endpoints once traffic confirms token usage.
|
||||
- [ ] Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
|
||||
- [ ] Add feature/integration tests covering expiry, rotation, and guest flows.
|
||||
|
||||
## Open Questions
|
||||
- Decide on default token lifetime and rotation cadence.
|
||||
- Confirm whether guest tokens should embed locale or package metadata.
|
||||
Reference in New Issue
Block a user