- Update auth.test.js to match current API error messages
- Registration success message includes email verification notice
- Duplicate credentials use generic message to prevent user enumeration
- Add test commands to Makefile
- make test: run all backend tests
- make test-watch: run tests in watch mode
- make test-coverage: run tests with coverage report
All auth tests now pass (19/19 ✓)
- Add reusable Avatar with fallback, status dot, ring
- Replace <img> uses in Navbar, Profile, PublicProfile
- Use Avatar in MatchChatPage and EventChatPage messages and sidebars
- Fix own-message detection for snake_case payloads
- Add openrelay.metered.ca TURN servers for testing
- Support connections through symmetric NAT (mobile networks)
- Add TCP transport fallback for strict firewalls
- Enables P2P file transfer across different networks
- Create nginx.conf with try_files directive for React Router
- Update Dockerfile.prod to copy nginx configuration
- Fixes 404 errors on direct navigation to /login, /register, etc.
- Add gzip compression and static asset caching
- Change API_URL from hardcoded 'http://localhost:8080/api' to '/api'
- Change SOCKET_URL from hardcoded to window.location.origin
- Fixes production build connecting to wrong port
- Now works correctly in both dev (localhost:8080) and prod (localhost)
- Rename .env.example to .env.development.example
- Update docker-compose.yml to use env_file for dev backend
- Update .gitignore to ignore .env.development and .env.production
- Remove generic .env and .env.example in favor of:
* .env.development (dev) + .env.development.example (template)
* .env.production (prod) + .env.production.example (template)
- Add production Dockerfiles for frontend and backend
* Frontend: multi-stage build with nginx serving static files
* Backend: multi-stage build with Prisma generation
- Create production nginx configuration (nginx/conf.d.prod/)
* Routes to frontend-prod:80 and backend-prod:3000
* Supports WebSocket connections for Socket.IO
- Update docker-compose.yml to use production config
* Add env_file support for backend-prod
* Mount production nginx config directory
- Add .env.production.example template for deployment
Update README.md:
- Add landing page to features
- Update test coverage section (43% backend, 116 tests passing)
- Add WebRTC tests information (7 tests passing)
- Update project structure (HomePage, hooks, utils, tests)
- Add STUN servers to WebRTC features
- Remove STUN/TURN and server upload fallback from Next Up
- Update roadmap to Phase 3 in progress
- Update test flow with landing page
- Update progress to ~80%
Update SESSION_CONTEXT.md:
- Current phase: Phase 3 (MVP Finalization) in progress
- Add landing page and WebRTC tests to What Works Now
- Update What's Missing (remove STUN, add coverage improvement)
- Add HomePage to routes and key files
- Add useWebRTC, webrtcDetection, test files to key files
- Update socket.js description with WebRTC signaling
- Update final status with all completed phases
- Update progress and date
Create new HomePage component with:
- Hero section with CTAs for registration and login
- Features showcase highlighting WebRTC, matching, chat, security
- How it works section with 3-step process
- CTA section and footer with links
- Responsive design with gradient backgrounds
Update routing to show HomePage at / instead of redirecting to /events
Changed WebRTC config from localhost-only to STUN servers:
- Removed rtcConfigLocalhost (no longer needed)
- Using rtcConfig with Google STUN servers
- Enables NAT traversal for users on different networks
- Removed unnecessary iceCandidatePoolSize config
- Link sharing remains as fallback for blocked users
Updated documentation to reflect Phase 2.5 completion:
- Moved WebRTC from 'Next Up' to 'Implemented' features
- Added WebRTC to tech stack
- Updated test flow with real WebRTC details
- Marked Phase 2.5 as COMPLETED in roadmap
- Updated progress to ~78% overall
- Updated SESSION_CONTEXT.md current status and missing features
Implemented complete WebRTC peer-to-peer file transfer system for match chat:
**Core WebRTC Implementation:**
- Created useWebRTC hook with RTCPeerConnection and RTCDataChannel
- P2P file transfer with 16KB chunking for large files (tested up to 700MB)
- Real-time progress monitoring for sender and receiver
- Automatic file download on receiver side
- End-to-end encryption via DTLS (native WebRTC)
- ICE candidate exchange via Socket.IO signaling
- Support for host candidates (localhost testing)
**WebRTC Detection & User Experience:**
- Automatic WebRTC capability detection on page load
- Detects if ICE candidates can be generated (fails in Opera, privacy-focused browsers, VPNs)
- User-friendly warning component with fix suggestions
- Graceful degradation: disables WebRTC button when blocked
- Suggests alternative methods (video links via Google Drive/Dropbox)
**Socket.IO Improvements:**
- Fixed multiple socket instance creation issue
- Implemented socket instance reuse pattern
- Disabled React.StrictMode to prevent reconnection loops in development
**Technical Details:**
- RTCPeerConnection with configurable STUN servers (currently using localhost config)
- RTCDataChannel with ordered delivery
- Comprehensive logging for debugging (ICE gathering, connection states, signaling)
- Match room-based signaling relay via Socket.IO
- Authorization checks for all WebRTC signaling events
**Files Changed:**
- frontend/src/hooks/useWebRTC.js - Complete WebRTC implementation
- frontend/src/utils/webrtcDetection.js - WebRTC capability detection
- frontend/src/components/WebRTCWarning.jsx - User warning component
- frontend/src/pages/MatchChatPage.jsx - WebRTC integration
- frontend/src/services/socket.js - Socket instance reuse
- frontend/src/main.jsx - Disabled StrictMode for Socket.IO stability
**Testing:**
- ✅ Verified working in Chrome (ICE candidates generated)
- ✅ Tested with 700MB file transfer
- ✅ Detection working in Opera (shows warning when WebRTC blocked)
- ✅ P2P connection establishment and DataChannel opening
- ✅ File chunking and progress monitoring
**TODO:**
- Add STUN server configuration for production (NAT traversal)
- Consider server-based upload fallback for blocked users
Add complete WebRTC peer-to-peer file transfer functionality:
Backend changes:
- Add WebRTC signaling events to Socket.IO (offer, answer, ICE candidates)
- Implement authorization checks for match participants
- Add signaling relay between matched users
Frontend changes:
- Create useWebRTC hook for RTCPeerConnection management
- Implement RTCDataChannel with 16KB chunking for large files
- Add real-time progress monitoring for sender and receiver
- Implement automatic file download on receiver side
- Add connection state tracking and error handling
- Integrate WebRTC with MatchChatPage (replace mockup)
Configuration:
- Add Vite allowed hosts configuration via VITE_ALLOWED_HOSTS env var
- Support comma-separated host list or 'all' for development
- Add .env.example with configuration examples
- Update docker-compose.yml with default allowed hosts
Documentation:
- Add comprehensive WebRTC testing guide with troubleshooting
- Add quick test checklist for manual testing
- Document WebRTC flow, requirements, and success criteria
Features:
- End-to-end encrypted P2P transfer (DTLS)
- 16KB chunk size optimized for DataChannel
- Buffer management to prevent overflow
- Automatic connection establishment with 30s timeout
- Support for files of any size
- Real-time progress tracking
- Clean connection lifecycle management
- Created users.test.js with 25 tests covering all 4 endpoints:
* GET /api/users/me - get current user profile
* PATCH /api/users/me - update profile (all fields)
* PATCH /api/users/me/password - change password
* GET /api/users/:username - get public profile
* GET /api/users/:username/ratings - get user ratings
- All 25 tests passing (100%)
- controllers/user.js coverage: 90.16% (up from 8.19%)
- routes/users.js coverage: 81.81% (up from 27.27%)
- Tested email change with verification
- Tested password security and validation
- Created events.test.js with 34 tests covering all 10 endpoints:
* GET /api/events - list events with join status
* GET /api/events/:slug - event details
* GET /api/events/:slug/messages - event chat messages
* POST /api/events/checkin/:token - QR code checkin
* GET /api/events/:slug/details - detailed event info
* DELETE /api/events/:slug/leave - leave event
* POST /api/events/:slug/heats - add/update user heats
* GET /api/events/:slug/heats/me - get user's heats
* GET /api/events/:slug/heats/all - get all heats
* DELETE /api/events/:slug/heats/:id - delete heat
- All 34 tests passing (100%)
- events.js coverage: 82.02% (up from 8.98%)
- Branch coverage: 75%
- Function coverage: 88.23%
- Changed expected status from 404 to 403 for non-participant access
- Fixed rating response structure (data directly, not data.rating)
- Added testUser3 to setup to avoid duplicate match constraints
- Updated tests to use different user combinations to avoid conflicts
All 24 tests now passing (100%)
Coverage: matches.js improved to 76.58% statement coverage
- Created matches.test.js with 24 tests covering:
* Match creation and validation
* Match listing and filtering
* Match acceptance workflow
* Match deletion
* Rating creation and validation
* User ratings display
- Fixed Jest ES module issues:
* Added mock for jsdom to bypass parse5 compatibility
* Added mock for dompurify for test environment
* Updated package.json with moduleNameMapper
Test results: 19/24 passing (79%)
Remaining: 5 tests need investigation
- Mark Phase 2 (Matches & Ratings API) as completed in all docs
- Add new Ratings & Reviews section to README
- Update roadmap and progress tracking (72% complete)
- Document all Phase 2 features and endpoints in COMPLETED.md
- Reorganize TODO.md for Phase 2.5 (WebRTC) as next priority
- Add comprehensive ratings section to PublicProfilePage showing average rating, individual reviews with comments, and collaboration preferences
- Make partner avatars and names clickable in MatchesPage and MatchChatPage to navigate to their public profiles
- Add hover effects on profile links for better UX
- Fetch and display ratings using ratingsAPI endpoint
Complete the match lifecycle with partner rating functionality.
Backend changes:
- Add POST /api/matches/:slug/ratings endpoint to create ratings
* Validate score range (1-5)
* Prevent duplicate ratings (unique constraint per match+rater+rated)
* Auto-complete match when both users have rated
* Return detailed rating data with user and event info
- Add GET /api/users/:username/ratings endpoint to fetch user ratings
* Calculate and return average rating
* Include rater details and event context for each rating
* Limit to last 50 ratings
- Add hasRated field to GET /api/matches/:slug response
* Check if current user has already rated the match
* Enable frontend to prevent duplicate rating attempts
Frontend changes:
- Update RatePartnerPage to use real API instead of mocks
* Load match data and partner info
* Submit ratings with score, comment, and wouldCollaborateAgain
* Check hasRated flag and redirect if already rated
* Validate match status before allowing rating
* Show loading state and proper error handling
- Update MatchChatPage to show rating status
* Replace "Rate Partner" button with "✓ Rated" badge when user has rated
* Improve button text from "End & rate" to "Rate Partner"
- Add ratings API functions
* matchesAPI.createRating(slug, ratingData)
* ratingsAPI.getUserRatings(username)
User flow:
1. After match is accepted, users can rate each other
2. Click "Rate Partner" in chat to navigate to rating page
3. Submit 1-5 star rating with optional comment
4. Rating saved and user redirected to matches list
5. Chat shows "✓ Rated" badge instead of rating button
6. Match marked as 'completed' when both users have rated
7. Users cannot rate the same match twice
Security improvements:
- Add random CUID slugs to Match model to prevent ID enumeration attacks
- Update all match URLs from /matches/:id to /matches/:slug
- Keep numeric IDs for internal Socket.IO operations only
Backend changes:
- Add slug field to matches table with unique index
- Update all match endpoints to use slug-based lookups (GET, PUT, DELETE)
- Add GET /api/matches/:slug/messages endpoint to fetch message history
- Include matchSlug in all Socket.IO notifications
Frontend changes:
- Update all match routes to use slug parameter
- Update MatchesPage to use slug for accept/reject/navigate operations
- Update MatchChatPage to fetch match data by slug and load message history
- Update RatePartnerPage to use slug parameter
- Add matchesAPI.getMatchMessages() function
Bug fixes:
- Fix MatchChatPage not loading message history from database on mount
- Messages now persist and display correctly when users reconnect
Backend changes:
- Add matches API routes (POST, GET, PUT, DELETE)
- Create/accept/reject match requests
- Auto-create private chat rooms on match acceptance
- Socket.IO notifications for match events (received, accepted, cancelled)
- Users join personal rooms (user_{id}) for notifications
Frontend changes:
- Add MatchesPage component with inbox UI
- Matches navigation link with notification badge
- Real-time match request count updates
- Accept/reject match functionality
- Filter matches by status (all/pending/accepted)
- Integrate match requests in EventChatPage (UserPlus button)
Features:
- Send match requests to event participants
- Accept incoming match requests
- Real-time notifications via Socket.IO
- Automatic private chat room creation
- Match status tracking (pending/accepted/completed)
- Authorization checks (only participants can match)
- Duplicate match prevention
- Show current user's heats in header next to connection status
- Display format: 'Your heats: J&J NOV 1 L, STR INT 2 L'
- Always visible - no need to click Edit Heats to see them
- Styled as badges matching sidebar heat badges
- Add existingHeats prop to HeatsBanner component
- Load and format existing heats into form fields
- Pass myHeats to HeatsBanner in edit modal
- Users can now edit their heats instead of starting from scratch
- Fix participant data structure mapping (use p.userId instead of p.user.id)
- Backend returns flat participant objects, not nested user objects
- Remove debug console.log statements
- Participants list now correctly displays all checked-in users
- Display all event participants (not just online users)
- Add online/offline status indicator (green/gray dot)
- Sort users: online first, then offline
- Show participant count and online count separately
- Load participants via /api/events/:slug/details endpoint
- Users can see who's checked in and has declared heats even when offline
This allows users to see the full picture of event participation,
not just who's currently connected to the chat.
Security improvements:
- Add @default(cuid()) to Event.slug for auto-generated random slugs
- Prevent ID enumeration attacks (no more predictable slugs like "warsaw-dance-festival-2025")
- Event slugs now generated as secure cuid strings (e.g., "cmhz3lcgb00018vbn34v4phoi")
Test accounts:
- Add 3 test users to seed (john_dancer, sarah_swings, mike_blues)
- All users checked in to Warsaw Dance Festival 2025
- Pre-configured heats for testing matchmaking system
- Full profiles with WSDC IDs, social media, and locations
Seed improvements:
- Add bcryptjs for password hashing
- Add Prisma seed configuration to package.json
- Use worldsdcId for event upsert (instead of slug)
- Auto-generate event slugs via Prisma default
Documentation:
- Add test account credentials to SESSION_CONTEXT.md
- Document event slug security model
- Include sample heats for each test user
- Add state management for heats (myHeats, userHeats Map, showHeatsBanner, hideMyHeats, showHeatsModal)
- Load user's heats and all users' heats on component mount
- Display HeatsBanner when user has no heats declared
- Add "Edit Heats" button in header for users with declared heats
- Add modal for editing heats via HeatsBanner component
- Display heat badges under usernames in sidebar (format: J&J NOV 1 L)
- Show max 3 badges per user, with "+N" indicator for more
- Add filter checkbox to hide users from same heats
- Implement filter logic (hide if ANY heat matches: division + competition_type + heat_number)
- Disable UserPlus (match) button for users without declared heats
- Add Socket.IO heats_updated listener for real-time updates
- Update todo list to mark EventChatPage integration as completed
- Export getIO function from socket module
- Broadcast heats_updated event when user updates their heats
- Event includes userId, username, and updated heats array
- Non-blocking broadcast (won't fail request if socket fails)
- Add 3 new database tables: divisions, competition_types, event_user_heats
- Add seed data for 6 divisions (NEW, NOV, INT, ADV, ALL, CHA) and 2 competition types (J&J, STR)
- Add API endpoints for divisions and competition types
- Add heats management endpoints in events route (POST/GET/DELETE)
- Implement unique constraint: cannot have same role in same division+competition type
- Add participant verification before allowing heats management
- Support heat numbers 1-9 with optional Leader/Follower role
Users could gain unauthorized access to event chats by refreshing the page after leaving an event. The socket handler was automatically creating participation records when users joined rooms, completely bypassing the QR code check-in requirement. This fix verifies that users have legitimately checked in before allowing socket room access.
