fotospiel-app/docs/todo/event-join-token-hardening.md
Codex Agent a949c8d3af

- Wired the checkout wizard for Google “comfort login”: added Socialite controller + dependency, new Google env hooks in config/services.php/.env.example, and updated wizard steps/controllers to store session payloads, attach packages, and surface localized success/error states.
- Retooled payment handling for both Stripe and PayPal, adding richer status management in CheckoutController/PayPalController, fallback flows in the wizard’s PaymentStep.tsx, and fresh feature tests for intent creation, webhooks, and the wizard CTA.
- Introduced a consent-aware Matomo analytics stack: new consent context, cookie-banner UI, useAnalytics/useCtaExperiment hooks, and MatomoTracker component, then instrumented marketing pages (Home, Packages, Checkout) with localized copy and experiment tracking.
- Polished package presentation across marketing UIs by centralizing formatting in PresentsPackages, surfacing localized description tables/placeholders, tuning badges/layouts, and syncing guest/marketing translations.
- Expanded docs & reference material (docs/prp/*, TODOs, public gallery overview) and added a Playwright smoke test for the hero CTA while reconciling outstanding checklist items.
2025-10-19 11:41:03 +02:00

Event Join Token Hardening TODO

Goal

Replace slug-based guest access with opaque, revocable join tokens and provide printable QR layouts tied to those tokens.

Status (as of 12.10.2025)

  • Phase 1 Data & Backend: fully completed.
  • Phase 2 Guest PWA: tasks for error states and regression tests still open.
  • Phase 3 Tenant Admin UX: layout downloads and shutdown of the old slug-QR flow still open.
  • Phase 4 Migration & Cleanup: all tasks open.

Phase 1 Data & Backend

  • Create event_join_tokens table (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).
  • Add Eloquent model + relations (Event::joinTokens()), factory, and seed helper.
  • Implement service for token generation/rotation (secure RNG, audit logging).
  • Expose tenant API endpoints for listing/creating/revoking tokens.
  • Introduce middleware/controller updates so the guest API resolves /e/{token} → event.
  • Add rate limiting + logging for invalid token attempts.

Phase 2 Guest PWA

  • Update router and data loaders to use :token paths.
  • Adjust storage/cache keys to use token identifiers.
  • Display friendly error states for expired/invalid tokens.
  • Regression-test photo upload, likes, and stats flows via token.
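
The Phase 1 token service and the Phase 2 error states, as an added language-agnostic Python sketch (example code, not the project's Laravel implementation): it assumes only a SHA-256 digest of each opaque token is persisted, and the error codes other than invalid_token (revoked, expired, usage_limit_reached) are assumed names. Rotation is revoke followed by issue; rate limiting of invalid attempts and the persistence layer are left out.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class JoinToken:
    """One row of the planned event_join_tokens table; assumption: only a SHA-256 digest of the token is stored."""
    token_hash: str
    event_id: int
    usage_limit: Optional[int]  # None means unlimited
    expires_at: Optional[datetime]
    created_by: str
    usage_count: int = 0
    revoked_at: Optional[datetime] = None

class JoinTokenStore:
    def __init__(self) -> None:
        self._rows: dict[str, JoinToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, event_id: int, created_by: str, now: datetime,
              ttl: Optional[timedelta] = None, usage_limit: Optional[int] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; opaque, encodes nothing
        self._rows[self._digest(token)] = JoinToken(
            self._digest(token), event_id, usage_limit, now + ttl if ttl else None, created_by)
        return token  # handed to the tenant once (QR layout); only its digest is kept

    def revoke(self, token: str, now: datetime) -> None:
        row = self._rows.get(self._digest(token))
        if row is not None and row.revoked_at is None:
            row.revoked_at = now

    def resolve(self, token: str, now: datetime) -> tuple[Optional[int], Optional[str]]:
        """Guest API lookup for /e/{token}: (event_id, None) on success, else (None, error_code)."""
        row = self._rows.get(self._digest(token))
        if row is None:
            return None, "invalid_token"  # unknown tokens and legacy slug URLs look the same
        if row.revoked_at is not None:
            return None, "revoked"
        if row.expires_at is not None and now >= row.expires_at:
            return None, "expired"
        if row.usage_limit is not None and row.usage_count >= row.usage_limit:
            return None, "usage_limit_reached"
        row.usage_count += 1
        return row.event_id, None
```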

Phase 3 Tenant Admin UX

  • Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
  • Hook Filament action + PWA screens to call new token endpoints.
  • Generate five print-ready layouts (PDF/SVG) per token with download options.
  • Deprecate slug-based QR view; link tenants to new flow.

Phase 4 Migration & Cleanup

  • Remove slug parameters from public endpoints (legacy slug URLs now return invalid_token).
  • Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
  • Add feature/integration tests covering expiry, rotation, and guest flows.

Open Questions

  • Decide on default token lifetime and rotation cadence.
  • Confirm whether guest tokens should embed locale or package metadata.