fotospiel-app/docs/archive/process/todo/event-join-token-hardening.md
2025-11-20 10:44:29 +01:00

# Event Join Token Hardening TODO
## Goal
Replace slug-based guest access with opaque, revocable join tokens and provide printable QR layouts tied to those tokens.
## Status (as of 12.10.2025)
- **Phase 1 Data & Backend:** fully completed.
- **Phase 2 Guest PWA:** tasks for error states and regression tests still open.
- **Phase 3 Tenant Admin UX:** layout downloads and retirement of the old slug QR flow still open.
- **Phase 4 Migration & Cleanup:** all tasks open.
## Phase 1 Data & Backend
- [x] Create `event_join_tokens` table (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).
- [x] Add Eloquent model + relations (`Event::joinTokens()`), factory, and seed helper.
- [x] Implement service for token generation/rotation (secure RNG, audit logging).
- [x] Expose tenant API endpoints for listing/creating/revoking tokens.
- [x] Introduce middleware/controller updates so guest API resolves `/e/{token}` → event.
- [x] Add rate limiting + logging for invalid token attempts.
## Phase 2 Guest PWA
- [x] Update router and data loaders to use `:token` paths.
- [x] Adjust storage/cache keys to use token identifiers.
- [x] Display friendly error states for expired/invalid tokens.
- [x] Regression-test photo upload, likes, and stats flows via token.
## Phase 3 Tenant Admin UX
- [x] Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
- [x] Hook Filament action + PWA screens to call new token endpoints.
- [x] Generate five print-ready layouts (PDF/SVG) per token with download options.
- [x] Deprecate slug-based QR view; link tenants to new flow.
## Phase 4 Migration & Cleanup
- [x] Remove slug parameters from public endpoints (legacy slug URLs now return invalid_token).
- [x] Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
- [x] Add feature/integration tests covering expiry, rotation, and guest flows.
## Open Questions
- Decide on default token lifetime and rotation cadence.
- Confirm whether guest tokens should embed locale or package metadata.