Event Join Token Hardening TODO
Goal
Replace slug-based guest access with opaque, revocable join tokens and provide printable QR layouts tied to those tokens.
Status (as of 12 Oct 2025)
- Phase 1 – Data & Backend: fully complete.
- Phase 2 – Guest PWA: error-state handling and regression tests still open.
- Phase 3 – Tenant Admin UX: layout downloads and shutdown of the old slug-QR flow still open.
- Phase 4 – Migration & Cleanup: all tasks open.
Phase 1 – Data & Backend
- Create `event_join_tokens` table (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).
- Add Eloquent model + relations (`Event::joinTokens()`), factory, and seed helper.
- Implement service for token generation/rotation (secure RNG, audit logging).
- Expose tenant API endpoints for listing/creating/revoking tokens.
- Introduce middleware/controller updates so the guest API resolves `/e/{token}` → event.
- Add rate limiting + logging for invalid token attempts.
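The Phase 1 items above fit together as one small service, sketched here as an added, framework-independent Python example (not the project's own Laravel/Eloquent code). It stands in for the planned `event_join_tokens` table with an in-memory store, generates tokens from the OS CSPRNG, stores only a SHA-256 hash of each token, enforces expiry, usage limit and revocation on the guest-side `/e/{token}` lookup, rotates by revoke-and-reissue, writes an audit trail, and throttles a client after repeated rejected attempts. `JoinTokenService`, `JoinTokenRow`, `demo`, the client identifier, the window/limit values and every reason string except `invalid_token` are assumptions made for this illustration; the constructed start date and sample IPs are test fixtures, not project data.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Hypothetical in-memory stand-in for the planned event_join_tokens table
# (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).

@dataclass
class JoinTokenRow:
    id: int
    token_hash: str             # SHA-256 of the token; the plaintext is never stored
    event_id: int
    created_by: str
    expires_at: datetime
    usage_limit: Optional[int]  # None = unlimited
    usage_count: int = 0
    revoked_at: Optional[datetime] = None

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class JoinTokenService:
    def __init__(self, now: Callable[[], datetime], max_failures: int = 5,
                 window: timedelta = timedelta(minutes=15)):
        self._now = now                                   # injectable clock, so expiry is testable
        self._rows: dict[int, JoinTokenRow] = {}
        self._by_hash: dict[str, int] = {}                # plays the role of the DB index on the hash
        self._next_id = 1
        self._failures: dict[str, list[datetime]] = {}    # client -> times of rejected attempts
        self._max_failures, self._window = max_failures, window
        self.audit: list[tuple[str, dict]] = []           # stand-in for the audit log

    def create(self, event_id, created_by, expires_at, usage_limit=None):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, nothing derived from the slug
        row = JoinTokenRow(self._next_id, token_hash(token), event_id, created_by, expires_at, usage_limit)
        self._rows[row.id], self._by_hash[row.token_hash] = row, row.id
        self._next_id += 1
        self.audit.append(("token.created", {"id": row.id, "event_id": event_id, "by": created_by}))
        return row.id, token  # the plaintext leaves the service exactly once, for the QR layout

    def revoke(self, token_id, by):
        row = self._rows[token_id]
        if row.revoked_at is None:
            row.revoked_at = self._now()
            self.audit.append(("token.revoked", {"id": token_id, "by": by}))

    def rotate(self, token_id, by):
        """Rotation = revoke the old token and issue a fresh one under the same policy."""
        old = self._rows[token_id]
        self.revoke(token_id, by)
        new_id, token = self.create(old.event_id, by, old.expires_at, old.usage_limit)
        self.audit.append(("token.rotated", {"old": token_id, "new": new_id, "by": by}))
        return new_id, token

    def list_for_event(self, event_id):
        return [r for r in self._rows.values() if r.event_id == event_id]

    def resolve(self, token, client):
        """Back the guest route /e/{token}: returns (event_id, "ok") or (None, reason)."""
        if self._throttled(client):
            return None, "rate_limited"
        row_id = self._by_hash.get(token_hash(token))
        row = self._rows.get(row_id) if row_id is not None else None
        if row is None:
            reason = "invalid_token"
        elif row.revoked_at is not None:
            reason = "revoked"
        elif self._now() >= row.expires_at:
            reason = "expired"
        elif row.usage_limit is not None and row.usage_count >= row.usage_limit:
            reason = "usage_exhausted"
        else:
            row.usage_count += 1
            return row.event_id, "ok"
        self._failures.setdefault(client, []).append(self._now())
        self.audit.append(("token.rejected", {"client": client, "reason": reason}))  # log reason, never the token
        return None, reason

    def _throttled(self, client):
        cutoff = self._now() - self._window
        self._failures[client] = [t for t in self._failures.get(client, []) if t > cutoff]
        return len(self._failures[client]) >= self._max_failures

def demo() -> dict:
    """Create, use up, rotate, expire and throttle a token; returns the observed outcomes."""
    clock = [datetime(2025, 10, 12, tzinfo=timezone.utc)]   # constructed start time; a list so it is mutable
    svc = JoinTokenService(now=lambda: clock[0])
    tid, tok = svc.create(7, "admin@tenant", clock[0] + timedelta(days=2), usage_limit=2)
    out = {"token_len": len(tok)}
    out["first"], out["second"], out["third"] = (svc.resolve(tok, "10.0.0.1") for _ in range(3))
    out["garbage"] = svc.resolve("not-a-token", "10.0.0.2")
    _, tok2 = svc.rotate(tid, "admin@tenant")
    out["old_after_rotate"] = svc.resolve(tok, "10.0.0.3")
    out["new_after_rotate"] = svc.resolve(tok2, "10.0.0.3")
    clock[0] += timedelta(days=3)
    out["expired"] = svc.resolve(tok2, "10.0.0.4")
    for _ in range(5):                                        # five bad guesses from one client
        svc.resolve("guess", "10.0.0.5")
    out["throttled"] = svc.resolve(tok2, "10.0.0.5")
    out["plaintext_stored"] = any(r.token_hash in (tok, tok2) for r in svc.list_for_event(7))
    out["rotations_logged"] = sum(1 for e, _ in svc.audit if e == "token.rotated")
    return out
```

Two choices worth carrying into the real implementation: the `token` column should hold a hash rather than the plaintext, so a leaked table dump does not hand out working join links (the QR layout is the only place the plaintext ever appears), and the rejection log should record the client and the reason but never the submitted value, since guessed values are often near-misses of real tokens. The `invalid_token` reason is the same response Phase 4 plans for legacy slug URLs, so the guest PWA error state for it can be shared.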
Phase 2 – Guest PWA
- Update router and data loaders to use `:token` paths.
- Adjust storage/cache keys to use token identifiers.
- Display friendly error states for expired/invalid tokens.
- Regression-test photo upload, likes, and stats flows via token.
Phase 3 – Tenant Admin UX
- Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
- Hook Filament action + PWA screens to call new token endpoints.
- Generate five print-ready layouts (PDF/SVG) per token with download options.
- Deprecate slug-based QR view; link tenants to new flow.
Phase 4 – Migration & Cleanup
- Remove slug parameters from public endpoints (legacy slug URLs now return invalid_token).
- Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
- Add feature/integration tests covering expiry, rotation, and guest flows.
Open Questions
- Decide on default token lifetime and rotation cadence.
- Confirm whether guest tokens should embed locale or package metadata.