fotospiel-app/docs/todo/security-hardening-epic.md
Codex Agent a949c8d3af
- Wired the checkout wizard for Google “comfort login”: added Socialite controller + dependency, new Google env hooks in config/services.php/.env.example, and updated wizard steps/controllers to store session payloads, attach packages, and surface localized success/error states.
- Retooled payment handling for both Stripe and PayPal, adding richer status management in CheckoutController/PayPalController, fallback flows in the wizard’s PaymentStep.tsx, and fresh feature tests for intent creation, webhooks, and the wizard CTA.
- Introduced a consent-aware Matomo analytics stack: new consent context, cookie-banner UI, useAnalytics/useCtaExperiment hooks, and MatomoTracker component, then instrumented marketing pages (Home, Packages, Checkout) with localized copy and experiment tracking.
- Polished package presentation across marketing UIs by centralizing formatting in PresentsPackages, surfacing localized description tables/placeholders, tuning badges/layouts, and syncing guest/marketing translations.
- Expanded docs & reference material (docs/prp/*, TODOs, public gallery overview) and added a Playwright smoke test for the hero CTA while reconciling outstanding checklist items.
2025-10-19 11:41:03 +02:00

Security Hardening Epic (Q4 2025)

Goal

Raise the baseline security posture across guest APIs, checkout, media storage, and identity flows so the platform can scale multi-tenant traffic with auditable, revocable access.

Workstreams

  1. Identity & OAuth (Backend Platform)

    • Dual-key rollout for JWT signing with rotation runbook and monitoring.
    • Refresh-token revocation tooling (per device/IP) and anomaly alerts.
    • Device fingerprint/subnet allowances documented and configurable.
  2. Guest Join Tokens (Guest Platform)

    • Store hashed tokens with irreversible lookups; migrate legacy data.
    • Add per-token usage analytics, alerting on spikes or expiry churn.
    • Extend gallery/photo rate limits (token + IP) and surface breach telemetry in storage dashboards.
  3. Public API Resilience (Core API)

    • Serve signed asset URLs instead of raw storage paths; expire appropriately.
    • Document incident response runbooks and playbooks for abuse mitigation.
    • Add synthetic monitors for /api/v1/gallery/* and upload endpoints.
  4. Media Pipeline & Storage (Media Services)

    • Integrate antivirus/EXIF scrubbers and streaming upload paths to avoid buffering.
    • Verify checksum integrity on hot → archive transfers with alert thresholds.
    • Surface storage target health (capacity, latency) in Super Admin dashboards.
  5. Payments & Webhooks (Billing)

    • Link Stripe/PayPal webhooks to checkout sessions with idempotency locks.
    • Add signature freshness validation + retry policies for provider outages.
    • Pipe failed capture events into credit ledger audits and operator alerts.
  6. Frontend & CSP (Marketing Frontend)

    • Replace unsafe-inline allowances with nonce/hash policies for Stripe + Matomo.
    • Gate analytics script injection behind consent with localised disclosures.
    • Broaden cookie banner layout to surface GDPR/legal copy clearly.

Deliverables

  • Updated docs (docs/prp/09-security-compliance.md, runbooks) with ownership & SLAs.
  • Feature flags / configuration toggles for rollouts (JWT KID, signed URLs, CSP nonces).
  • Monitoring dashboards + alerting coverage per workstream.
  • Integration and Playwright coverage validating the hardened flows.