soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
a949c8d3af5011b86e9ff07d3f7715cffe8e6013
fotospiel-app/docs/todo/event-join-token-hardening.md
Codex Agent a949c8d3af - Wired the checkout wizard for Google “comfort login”: added Socialite controller + dependency, new Google env 
hooks in config/services.php/.env.example, and updated wizard steps/controllers to store session payloads,
attach packages, and surface localized success/error states.
- Retooled payment handling for both Stripe and PayPal, adding richer status management in CheckoutController/
PayPalController, fallback flows in the wizard’s PaymentStep.tsx, and fresh feature tests for intent
creation, webhooks, and the wizard CTA.
- Introduced a consent-aware Matomo analytics stack: new consent context, cookie-banner UI, useAnalytics/
useCtaExperiment hooks, and MatomoTracker component, then instrumented marketing pages (Home, Packages,
Checkout) with localized copy and experiment tracking.
- Polished package presentation across marketing UIs by centralizing formatting in PresentsPackages, surfacing
localized description tables/placeholders, tuning badges/layouts, and syncing guest/marketing translations.
- Expanded docs & reference material (docs/prp/*, TODOs, public gallery overview) and added a Playwright smoke
test for the hero CTA while reconciling outstanding checklist items.
2025-10-19 11:41:03 +02:00

40 lines
2.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Event Join Token Hardening TODO
## Goal
Replace slug-based guest access with opaque, revocable join tokens and provide printable QR layouts tied to those tokens.
## Status (Stand 12.10.2025)
- **Phase 1 Data & Backend:** vollständig abgeschlossen.
- **Phase 2 Guest PWA:** Aufgaben zu Fehlerzuständen und Regressionstests noch offen.
- **Phase 3 Tenant Admin UX:** Layout-Downloads und Abschaltung des alten Slug-QR-Flows noch offen.
- **Phase 4 Migration & Cleanup:** alle Aufgaben offen.
## Phase 1 Data & Backend
- [x] Create `event_join_tokens` table (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).
- [x] Add Eloquent model + relations (`Event::joinTokens()`), factory, and seed helper.
- [x] Implement service for token generation/rotation (secure RNG, audit logging).
- [x] Expose tenant API endpoints for listing/creating/revoking tokens.
- [x] Introduce middleware/controller updates so guest API resolves `/e/{token}` → event.
- [x] Add rate limiting + logging for invalid token attempts.
## Phase 2 Guest PWA
- [x] Update router and data loaders to use `:token` paths.
- [x] Adjust storage/cache keys to use token identifiers.
- [x] Display friendly error states for expired/invalid tokens.
- [x] Regression-test photo upload, likes, and stats flows via token.
## Phase 3 Tenant Admin UX
- [x] Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
- [x] Hook Filament action + PWA screens to call new token endpoints.
- [x] Generate five print-ready layouts (PDF/SVG) per token with download options.
- [x] Deprecate slug-based QR view; link tenants to new flow.
## Phase 4 Migration & Cleanup
- [x] Remove slug parameters from public endpoints (legacy slug URLs now return invalid_token).
- [x] Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
- [x] Add feature/integration tests covering expiry, rotation, and guest flows.
## Open Questions
- Decide on default token lifetime and rotation cadence.
- Confirm whether guest tokens should embed locale or package metadata.
Reference in New Issue View Git Blame Copy Permalink