Replace deleteMany({}) with selective cleanup targeting only test data:
- events.test.js: Delete only test users (john_dancer, sarah_swings, mike_blues)
and test events (test-dance-festival-2025) before creating new ones
- matches.test.js: Clean up john_dancer, sarah_swings, mike_moves and
test-dance-festival slug specifically
- users.test.js: Remove only john_dancer and sarah_swings test users
in both beforeAll and afterAll hooks
- auth.test.js: Target specific test usernames/emails (testuser, newuser,
lockouttest, etc.) instead of all users
- auth-phase1.5.test.js: Clean up 12 specific test users by username/email
- socket.test.js: Add beforeAll cleanup for sockettest user to prevent
conflicts from previous test runs
- socket-webrtc.test.js: Clean up webrtc_user1 and webrtc_user2 before
creating them
Fix CORS configuration for tests:
- security.js: Add http://localhost:3000 to allowed origins in development
mode to fix app.test.js CORS test (was failing with 500 error)
Results: Improved from 125/223 passing to 137/223 passing (12 more tests fixed)
All test data cleanup now uses WHERE clauses with specific usernames/emails/slugs
instead of wiping entire tables with deleteMany({})
- Update auth.test.js to match current API error messages
- Registration success message includes email verification notice
- Duplicate credentials use generic message to prevent user enumeration
- Add test commands to Makefile
- make test: run all backend tests
- make test-watch: run tests in watch mode
- make test-coverage: run tests with coverage report
All auth tests now pass (19/19 ✓)
- Rename .env.example to .env.development.example
- Update docker-compose.yml to use env_file for dev backend
- Update .gitignore to ignore .env.development and .env.production
- Remove generic .env and .env.example in favor of:
* .env.development (dev) + .env.development.example (template)
* .env.production (prod) + .env.production.example (template)
- Add production Dockerfiles for frontend and backend
* Frontend: multi-stage build with nginx serving static files
* Backend: multi-stage build with Prisma generation
- Create production nginx configuration (nginx/conf.d.prod/)
* Routes to frontend-prod:80 and backend-prod:3000
* Supports WebSocket connections for Socket.IO
- Update docker-compose.yml to use production config
* Add env_file support for backend-prod
* Mount production nginx config directory
- Add .env.production.example template for deployment
Add complete WebRTC peer-to-peer file transfer functionality:
Backend changes:
- Add WebRTC signaling events to Socket.IO (offer, answer, ICE candidates)
- Implement authorization checks for match participants
- Add signaling relay between matched users
Frontend changes:
- Create useWebRTC hook for RTCPeerConnection management
- Implement RTCDataChannel with 16KB chunking for large files
- Add real-time progress monitoring for sender and receiver
- Implement automatic file download on receiver side
- Add connection state tracking and error handling
- Integrate WebRTC with MatchChatPage (replace mockup)
Configuration:
- Add Vite allowed hosts configuration via VITE_ALLOWED_HOSTS env var
- Support comma-separated host list or 'all' for development
- Add .env.example with configuration examples
- Update docker-compose.yml with default allowed hosts
Documentation:
- Add comprehensive WebRTC testing guide with troubleshooting
- Add quick test checklist for manual testing
- Document WebRTC flow, requirements, and success criteria
Features:
- End-to-end encrypted P2P transfer (DTLS)
- 16KB chunk size optimized for DataChannel
- Buffer management to prevent overflow
- Automatic connection establishment with 30s timeout
- Support for files of any size
- Real-time progress tracking
- Clean connection lifecycle management
- Created users.test.js with 25 tests covering all 4 endpoints:
* GET /api/users/me - get current user profile
* PATCH /api/users/me - update profile (all fields)
* PATCH /api/users/me/password - change password
* GET /api/users/:username - get public profile
* GET /api/users/:username/ratings - get user ratings
- All 25 tests passing (100%)
- controllers/user.js coverage: 90.16% (up from 8.19%)
- routes/users.js coverage: 81.81% (up from 27.27%)
- Tested email change with verification
- Tested password security and validation
- Created events.test.js with 34 tests covering all 10 endpoints:
* GET /api/events - list events with join status
* GET /api/events/:slug - event details
* GET /api/events/:slug/messages - event chat messages
* POST /api/events/checkin/:token - QR code checkin
* GET /api/events/:slug/details - detailed event info
* DELETE /api/events/:slug/leave - leave event
* POST /api/events/:slug/heats - add/update user heats
* GET /api/events/:slug/heats/me - get user's heats
* GET /api/events/:slug/heats/all - get all heats
* DELETE /api/events/:slug/heats/:id - delete heat
- All 34 tests passing (100%)
- events.js coverage: 82.02% (up from 8.98%)
- Branch coverage: 75%
- Function coverage: 88.23%
- Changed expected status from 404 to 403 for non-participant access
- Fixed rating response structure (data directly, not data.rating)
- Added testUser3 to setup to avoid duplicate match constraints
- Updated tests to use different user combinations to avoid conflicts
All 24 tests now passing (100%)
Coverage: matches.js improved to 76.58% statement coverage
- Created matches.test.js with 24 tests covering:
* Match creation and validation
* Match listing and filtering
* Match acceptance workflow
* Match deletion
* Rating creation and validation
* User ratings display
- Fixed Jest ES module issues:
* Added mock for jsdom to bypass parse5 compatibility
* Added mock for dompurify for test environment
* Updated package.json with moduleNameMapper
Test results: 19/24 passing (79%)
Remaining: 5 tests need investigation
Complete the match lifecycle with partner rating functionality.
Backend changes:
- Add POST /api/matches/:slug/ratings endpoint to create ratings
* Validate score range (1-5)
* Prevent duplicate ratings (unique constraint per match+rater+rated)
* Auto-complete match when both users have rated
* Return detailed rating data with user and event info
- Add GET /api/users/:username/ratings endpoint to fetch user ratings
* Calculate and return average rating
* Include rater details and event context for each rating
* Limit to last 50 ratings
- Add hasRated field to GET /api/matches/:slug response
* Check if current user has already rated the match
* Enable frontend to prevent duplicate rating attempts
Frontend changes:
- Update RatePartnerPage to use real API instead of mocks
* Load match data and partner info
* Submit ratings with score, comment, and wouldCollaborateAgain
* Check hasRated flag and redirect if already rated
* Validate match status before allowing rating
* Show loading state and proper error handling
- Update MatchChatPage to show rating status
* Replace "Rate Partner" button with "✓ Rated" badge when user has rated
* Improve button text from "End & rate" to "Rate Partner"
- Add ratings API functions
* matchesAPI.createRating(slug, ratingData)
* ratingsAPI.getUserRatings(username)
User flow:
1. After match is accepted, users can rate each other
2. Click "Rate Partner" in chat to navigate to rating page
3. Submit 1-5 star rating with optional comment
4. Rating saved and user redirected to matches list
5. Chat shows "✓ Rated" badge instead of rating button
6. Match marked as 'completed' when both users have rated
7. Users cannot rate the same match twice
Security improvements:
- Add random CUID slugs to Match model to prevent ID enumeration attacks
- Update all match URLs from /matches/:id to /matches/:slug
- Keep numeric IDs for internal Socket.IO operations only
Backend changes:
- Add slug field to matches table with unique index
- Update all match endpoints to use slug-based lookups (GET, PUT, DELETE)
- Add GET /api/matches/:slug/messages endpoint to fetch message history
- Include matchSlug in all Socket.IO notifications
Frontend changes:
- Update all match routes to use slug parameter
- Update MatchesPage to use slug for accept/reject/navigate operations
- Update MatchChatPage to fetch match data by slug and load message history
- Update RatePartnerPage to use slug parameter
- Add matchesAPI.getMatchMessages() function
Bug fixes:
- Fix MatchChatPage not loading message history from database on mount
- Messages now persist and display correctly when users reconnect
Backend changes:
- Add matches API routes (POST, GET, PUT, DELETE)
- Create/accept/reject match requests
- Auto-create private chat rooms on match acceptance
- Socket.IO notifications for match events (received, accepted, cancelled)
- Users join personal rooms (user_{id}) for notifications
Frontend changes:
- Add MatchesPage component with inbox UI
- Matches navigation link with notification badge
- Real-time match request count updates
- Accept/reject match functionality
- Filter matches by status (all/pending/accepted)
- Integrate match requests in EventChatPage (UserPlus button)
Features:
- Send match requests to event participants
- Accept incoming match requests
- Real-time notifications via Socket.IO
- Automatic private chat room creation
- Match status tracking (pending/accepted/completed)
- Authorization checks (only participants can match)
- Duplicate match prevention
Security improvements:
- Add @default(cuid()) to Event.slug for auto-generated random slugs
- Prevent ID enumeration attacks (no more predictable slugs like "warsaw-dance-festival-2025")
- Event slugs now generated as secure cuid strings (e.g., "cmhz3lcgb00018vbn34v4phoi")
Test accounts:
- Add 3 test users to seed (john_dancer, sarah_swings, mike_blues)
- All users checked in to Warsaw Dance Festival 2025
- Pre-configured heats for testing matchmaking system
- Full profiles with WSDC IDs, social media, and locations
Seed improvements:
- Add bcryptjs for password hashing
- Add Prisma seed configuration to package.json
- Use worldsdcId for event upsert (instead of slug)
- Auto-generate event slugs via Prisma default
Documentation:
- Add test account credentials to SESSION_CONTEXT.md
- Document event slug security model
- Include sample heats for each test user
- Export getIO function from socket module
- Broadcast heats_updated event when user updates their heats
- Event includes userId, username, and updated heats array
- Non-blocking broadcast (won't fail request if socket fails)
- Add 3 new database tables: divisions, competition_types, event_user_heats
- Add seed data for 6 divisions (NEW, NOV, INT, ADV, ALL, CHA) and 2 competition types (J&J, STR)
- Add API endpoints for divisions and competition types
- Add heats management endpoints in events route (POST/GET/DELETE)
- Implement unique constraint: cannot have same role in same division+competition type
- Add participant verification before allowing heats management
- Support heat numbers 1-9 with optional Leader/Follower role
Users could gain unauthorized access to event chats by refreshing the page after leaving an event. The socket handler was automatically creating participation records when users joined rooms, completely bypassing the QR code check-in requirement. This fix verifies that users have legitimately checked in before allowing socket room access.
Backend:
- Use _count.participants for accurate real-time participant count
- Remove reliance on stale participantsCount column
Frontend:
- Show check-in requirement message for non-joined events
- Display "Open chat" button only for joined events
- Add dev-only "View details" button for QR code access during testing
- Improve visual feedback with amber-colored check-in notice
This ensures the participant count reflects actual checked-in users
and prevents unauthorized access to QR codes in production while
maintaining developer convenience in development mode.
Backend:
- Add event_checkin_tokens table with unique tokens per event
- Implement GET /api/events/:slug/details endpoint (on-demand token generation)
- Implement POST /api/events/checkin/:token endpoint (date validation only in production)
- Implement DELETE /api/events/:slug/leave endpoint
- Add comprehensive test suite for check-in endpoints
Frontend:
- Add EventDetailsPage with QR code display, participant list, and stats
- Add EventCheckinPage with success/error screens
- Add "Leave Event" button with confirmation modal to EventChatPage
- Install qrcode.react library for QR code generation
- Update routing and API client with new endpoints
Features:
- QR codes valid from (startDate-1d) to (endDate+1d)
- Development mode bypasses date validation for testing
- Automatic participant count tracking
- Duplicate check-in prevention
- Token reuse for same event (generated once, cached)
- Add backend entrypoint with automated Prisma migrations and client regeneration
- Add frontend entrypoint with dependency management
- Update Dockerfiles to use entrypoint scripts
- Ensures database schema stays in sync with Prisma Client after migrations
Replace sequential event IDs in URLs with unique alphanumeric slugs to prevent enumeration attacks. Event URLs now use format /events/{slug}/chat instead of /events/{id}/chat.
Backend changes:
- Add slug field (VARCHAR 50, unique) to Event model
- Create migration with auto-generated 12-char MD5-based slugs for existing events
- Update GET /api/events/:slug endpoint (changed from :id)
- Update GET /api/events/:slug/messages endpoint (changed from :eventId)
- Modify Socket.IO join_event_room to accept slug parameter
- Update send_event_message to use stored event context instead of passing eventId
Frontend changes:
- Update eventsAPI.getBySlug() method (changed from getById)
- Update eventsAPI.getMessages() to use slug parameter
- Change route from /events/:eventId/chat to /events/:slug/chat
- Update EventsPage to navigate using event.slug
- Update EventChatPage to fetch event data via slug and use slug in socket events
Security impact: Prevents attackers from discovering all events by iterating sequential IDs.
Backend:
- Add EventParticipant model to track user-event participation
- Create database migration for event_participants table
- Record participation when user joins event chat via Socket.IO
- Update GET /api/events to include isJoined flag for current user
- Sort events: joined events first, then by start date
- Add authenticate middleware to GET /api/events
Frontend:
- Replace mock events with real API data from backend
- Add loading and error states to EventsPage
- Display "Joined" badge on events user has joined
- Highlight joined events with colored border
- Show "Open chat" vs "Join chat" button text
- Auto-refresh events list when navigating back
When users join an event chat, this is now recorded in the database.
Joined events appear at the top of the list with visual indicators.
- Add GET /api/users/:username endpoint for public profiles
- Create PublicProfilePage component with user stats and info
- Add getUserByUsername function to API service
- Add /:username route to App.jsx
- Display user info: name, location, stats, WSDC ID, social links
- Only show public data (no email or sensitive information)
- Accessible only to authenticated users
Users can now view public profiles of other users by visiting
/<username>. The profile displays stats, location, WSDC ID, and
social media links.
- Add country and city fields to User model
- Create database migration for location fields
- Add validation for country and city (max 100 characters)
- Create countries.js with complete list of 195 countries
- Add country dropdown select and city text input to profile page
- Include country and city in GET /api/users/me response
- Update profile form to support location data
Users can now select their country from a dropdown list of all
countries and enter their city name.
- Add YouTube, Instagram, Facebook, and TikTok URL fields to User model
- Create database migration for social media link columns
- Add custom validators to ensure URLs contain correct domains
- Update profile page with social media input fields
- Include social media URLs in GET /api/users/me response
- Add icons for each social platform in the UI
Users can now add links to their social media profiles. Each field
validates that the URL contains the appropriate domain (e.g.,
instagram.com for Instagram, youtube.com/youtu.be for YouTube).
- Add useEffect to pre-fill profile form with current user data
- Add WSDC ID field to profile edit form with numeric validation
- Update backend to accept wsdcId in profile updates with null handling
- Add wsdcId validation to updateProfileValidation middleware
- Include firstName, lastName, wsdcId in GET /api/users/me response
Fixes issue where profile inputs were empty on page load and allows
users to update their WSDC ID.
Backend changes:
- Add PATCH /api/users/me endpoint for profile updates (firstName, lastName, email)
- Add PATCH /api/users/me/password endpoint for password change
- Email change triggers re-verification flow (emailVerified=false, new verification token/code)
- Send verification email automatically on email change
- Return new JWT token when email changes (to update emailVerified status)
- Add validation for profile update and password change
- Create user controller with updateProfile and changePassword functions
Frontend changes:
- Add ProfilePage with tabbed interface (Profile & Password tabs)
- Profile tab: Edit firstName, lastName, email
- Password tab: Change password (requires current password)
- Add Profile link to navigation bar
- Add authAPI.updateProfile() and authAPI.changePassword() functions
- Update AuthContext user data when profile is updated
- Display success/error messages for profile and password updates
Security:
- Username cannot be changed (permanent identifier)
- Email uniqueness validation
- Password change requires current password
- Email change forces re-verification to prevent hijacking
User flow:
1. User edits profile and changes email
2. Backend sets emailVerified=false and generates new verification tokens
3. Verification email sent to new address
4. User must verify new email to access all features
5. Banner appears until email is verified
Backend changes:
- Socket.IO: Send last 20 messages on join_event_room
- REST API: Add GET /api/events/:eventId/messages endpoint with pagination
- Support for 'before' cursor-based pagination for loading older messages
Frontend changes:
- Load initial 20 messages when joining event chat
- Implement infinite scroll to load older messages on scroll to top
- Add loading indicator for older messages
- Preserve scroll position when loading older messages
- Add eventsAPI.getMessages() function for pagination
User experience:
- New users see last 20 messages immediately
- Scrolling up automatically loads older messages in batches of 20
- Smooth scrolling experience with position restoration
Note: Messages are encrypted in transit via HTTPS/WSS but stored
as plain text in database (no E2E encryption).
The verification banner was reappearing after login/refresh because
the /api/users/me endpoint was not returning the emailVerified field.
This ensures the frontend always has access to the current email
verification status when loading user data.
Changes:
- Updated AWS_REGION to eu-central-1 in env examples
- Fixed email verification to return new JWT token with updated emailVerified status
- Added updateUser function to AuthContext for token refresh
- Updated frontend to save new token after email verification
- Fixed variable naming conflict (token vs jwtToken) in verification endpoints
- Changed WSDC ID placeholder from 26997 to 12345
This ensures the verification banner disappears immediately after
email verification without requiring re-login.
Simplified Docker Compose configuration by using native profiles
instead of override files, following best practices.
Changes:
- Consolidated docker-compose.yml with --profile dev/prod support
- Removed docker-compose.dev.yml and docker-compose.prod.yml
- Updated all documentation for new usage pattern
- Created comprehensive README.md and DEPLOYMENT.md
- Simplified commands: 'docker compose --profile dev up'
Environment-specific configurations:
- Development: relaxed security, hot reload, exposed ports
- Production: strict security, optimized builds, restricted access
This approach is cleaner, more maintainable, and follows Docker
Compose best practices.
Enhanced WSDC registration flow with auto-lookup and account validation:
Backend changes:
- Add accountExists flag to WSDC lookup endpoint
- Check database for existing users with WSDC ID
- Fix Prisma binary target for Alpine Linux Docker containers
Frontend changes:
- Auto-lookup WSDC data after entering 4+ digits (500ms debounce)
- Show live preview dropdown with dancer information
- Display warning if account with WSDC ID already exists
- Block registration and suggest login for existing accounts
- Improve UX with real-time validation feedback
- Add CheckCircle, XCircle, AlertCircle icons for visual feedback
This prevents duplicate WSDC ID registrations and provides immediate
feedback to users, improving the registration experience.
Tested with:
- ID 26111 (Vince Yap) - new account allowed
- ID 26997 (Radoslaw) - existing account blocked
Backend features:
- AWS SES email service with HTML templates
- Email verification with dual method (link + 6-digit PIN code)
- Password reset workflow with secure tokens
- WSDC API proxy for dancer lookup and auto-fill registration
- Extended User model with verification and WSDC fields
- Email verification middleware for protected routes
Frontend features:
- Two-step registration with WSDC ID lookup
- Password strength indicator component
- Email verification page with code input
- Password reset flow (request + reset pages)
- Verification banner for unverified users
- Updated authentication context and API service
Testing:
- 65 unit tests with 100% coverage of new features
- Tests for auth utils, email service, WSDC controller, and middleware
- Integration tests for full authentication flows
- Comprehensive mocking of AWS SES and external APIs
Database:
- Migration: add WSDC fields (firstName, lastName, wsdcId)
- Migration: add email verification fields (token, code, expiry)
- Migration: add password reset fields (token, expiry)
Documentation:
- Complete Phase 1.5 documentation
- Test suite documentation and best practices
- Updated session context with new features
Implemented WebSocket-based real-time messaging for both event rooms and private match chats using Socket.IO with comprehensive test coverage.
Backend changes:
- Installed socket.io@4.8.1 for WebSocket server
- Created Socket.IO server with JWT authentication middleware
- Implemented event room management (join/leave/messages)
- Added active users tracking with real-time updates
- Implemented private match room messaging
- Integrated Socket.IO with Express HTTP server
- Messages are persisted to PostgreSQL via Prisma
- Added 12 comprehensive unit tests (89.13% coverage)
Frontend changes:
- Installed socket.io-client for WebSocket connections
- Created socket service layer for connection management
- Updated EventChatPage with real-time messaging
- Updated MatchChatPage with real-time private chat
- Added connection status indicators (● Connected/Disconnected)
- Disabled message input when not connected
Infrastructure:
- Updated nginx config to proxy WebSocket connections at /socket.io
- Added Upgrade and Connection headers for WebSocket support
- Set long timeouts (7d) for persistent WebSocket connections
Key features:
- JWT-authenticated socket connections
- Room-based architecture for events and matches
- Real-time message broadcasting
- Active users list with automatic updates
- Automatic cleanup on disconnect
- Message persistence in database
Test coverage:
- 12 tests passing (authentication, event rooms, match rooms, disconnect, errors)
- Socket.IO module: 89.13% statements, 81.81% branches, 91.66% functions
- Overall coverage: 81.19%
Phase 1, Step 4 completed. Ready for Phase 2 (Core Features).
Phase 1 - Step 2: PostgreSQL Setup
**Infrastructure:**
- Add PostgreSQL 15 Alpine container to docker-compose.yml
- Configure persistent volume for database data
- Update backend Dockerfile with OpenSSL for Prisma compatibility
**Database Schema (Prisma):**
- 6 tables: users, events, chat_rooms, messages, matches, ratings
- Foreign key relationships and cascading deletes
- Performance indexes on frequently queried columns
- Unique constraints for data integrity
**Prisma Setup:**
- Prisma Client for database queries
- Migration system with initial migration
- Seed script with 4 test events and chat rooms
- Database connection utility with singleton pattern
**API Implementation:**
- GET /api/events - List all events (with filtering and sorting)
- GET /api/events/:id - Get single event with relations
- Database connection test on server startup
- Graceful database disconnect on shutdown
**Seed Data:**
- Warsaw Dance Festival 2025
- Swing Camp Barcelona 2025
- Blues Week Herräng 2025
- Krakow Swing Connection 2025
**Testing:**
- Database connection verified ✅
- API endpoints returning data from PostgreSQL ✅
- Migrations applied successfully ✅
All systems operational 🚀
