TODO - spotlight.cam
Active tasks and roadmap
Current Status
Phase: MVP Complete - Ready for Production Deployment
Tests: 285/286 passing - 99.7% (73% coverage)
Status: Awaiting infrastructure setup
High Priority Tasks
🔴 CRITICAL: Recording Stats Update Mechanism
- Issue: The fields `recordingsDone` and `recordingsReceived` exist in the database, but nothing updates them
- Requirements:
  - Analyze how to update these fields consistently with the tier system and ratings
  - Determine the update trigger: after match completion? after rating? automatically on suggestion acceptance?
  - Ensure consistency with the existing rating system
  - Consider edge cases: declined suggestions, cancelled matches, incomplete ratings
  - Design API endpoints or automated triggers for stat updates
- Impact: Tier system fairness algorithm depends on accurate karma tracking
- Dependencies: Matches API, Ratings API, Recording Suggestions
Recently Completed (2025-11-29)
- 3-Tier Account System (BASIC/SUPPORTER/COMFORT) with fairness algorithm
- Dual Buffer System (prep before + rest after dancing)
- Clickable Usernames with @ prefix in profiles
- Country Flags in Event Chat
- Mobile-first Design Improvements (page titles on mobile)
- Recording Matching System Improvements (collision detection, schedule config)
- Test Bot for Automated Testing
Full history: See docs/archive/COMPLETED.md
Security Audit Findings
Critical Issues (Must Fix Before Production)
| Issue | Severity | File | Action |
|---|---|---|---|
| AWS Credentials in Git | 10/10 | .env.production | Rotate keys first, then remove from history (rewriting history does not revoke an already-exposed key) |
| Weak JWT Secret | 9/10 | .env.production | Generate a 64+ byte random secret |
| Default DB Password | 8/10 | docker-compose.yml | Remove the default fallback so a missing password fails the deploy |
High Priority Issues
| Issue | Severity | Action |
|---|---|---|
| Missing HTTPS/TLS | 8/10 | Configure SSL certificate |
| Missing nginx security headers | 6/10 | Add X-Frame-Options, CSP, etc. |
| Dependency vulnerabilities | HIGH | Run `npm audit` and upgrade or patch flagged packages (`npm audit fix` alone only applies semver-compatible updates) |
| Excessive body size (500M) | 4/10 | Reduce to 10M |
Positive Security Findings
- Strong authentication (JWT, bcrypt, email verification)
- Input validation (express-validator)
- Security headers (Helmet.js)
- Rate limiting implemented
- CORS configured
- SQL injection prevention (Prisma)
- Account lockout implemented
- WebRTC P2P (media streams are exchanged directly between peers rather than uploaded to the server; only signaling passes through it)
Pre-Deployment Checklist
- Rotate AWS credentials, remove from Git history
- Generate strong JWT_SECRET (64+ bytes)
- Set strong PostgreSQL password
- Configure HTTPS/TLS
- Add nginx security headers
- Run npm audit and resolve the flagged packages
- Reduce nginx body size limit
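The checklist above can be enforced by a script rather than by hand. The following is an added example, not part of the spotlight.cam repository: it generates a 64-byte secret, scans `.env.production` for an AWS access key ID, checks `docker-compose.yml` for a default password fallback, and parses `client_max_body_size` from `nginx.conf` against a 10m ceiling. The file names, the sample inputs it constructs, and the 10m ceiling are assumptions; the git history check is defined as a function but only runs inside a repository.

```shell
# predeploy-check.sh: checks for the audit findings listed in this TODO.
# Added example, not project code; file names and sample inputs are assumptions.

# Generate a 64-byte secret from the kernel CSPRNG, printed as 128 hex characters.
gen_secret() {
  head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# 0 if the secret is at least 64 bytes. Hex and base64 secrets are ASCII,
# so the character count equals the byte count.
secret_is_strong() {
  [ "${#1}" -ge 64 ]
}

# 0 if the file contains something shaped like an AWS access key ID
# (AKIA/ASIA followed by 16 uppercase alphanumerics is the documented format).
file_has_aws_key_id() {
  grep -Eq '(AKIA|ASIA)[A-Z0-9]{16}' "$1"
}

# 0 if a compose file supplies a default for a password variable, e.g.
#   POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
# A missing variable should fail the deploy, not silently use the fallback.
compose_has_default_password() {
  grep -Eq 'PASSWORD[^#]*\$\{[A-Za-z_][A-Za-z0-9_]*:?-[^}]*\}' "$1"
}

# Print client_max_body_size from an nginx config in bytes.
# nginx defaults to 1m when the directive is absent.
nginx_body_size_bytes() {
  awk '
    $1 == "client_max_body_size" {
      v = $2; sub(/;.*/, "", v)
      n = v + 0; u = substr(v, length(v), 1); m = 1
      if (u ~ /[kK]/) m = 1024
      else if (u ~ /[mM]/) m = 1048576
      else if (u ~ /[gG]/) m = 1073741824
      printf "%d\n", n * m; found = 1; exit
    }
    END { if (!found) print 1048576 }
  ' "$1"
}

# 0 if the body size limit is at most the given byte ceiling (default 10m).
nginx_body_size_ok() {
  [ "$(nginx_body_size_bytes "$1")" -le "${2:-10485760}" ]
}

# 0 if the path was ever committed. Rotation is required even after the file
# is deleted, because the old contents remain reachable in history.
path_in_git_history() {
  git log --all --pretty=format: --name-only -- "$1" | grep -q .
}

# --- Constructed sample inputs so the script runs offline (not real config) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/.env.production" <<'EOF'
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
JWT_SECRET=changeme
EOF
cat > "$SAMPLE_DIR/docker-compose.yml" <<'EOF'
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
EOF
cat > "$SAMPLE_DIR/nginx.conf" <<'EOF'
server {
    client_max_body_size 500M;
}
EOF

# Run every check against a directory; returns 1 if any finding is present.
run_checks() {
  dir=$1; rc=0
  file_has_aws_key_id "$dir/.env.production" && { echo "FAIL: AWS key ID in .env.production"; rc=1; }
  secret=$(sed -n 's/^JWT_SECRET=//p' "$dir/.env.production")
  secret_is_strong "$secret" || { echo "FAIL: JWT_SECRET shorter than 64 bytes"; rc=1; }
  compose_has_default_password "$dir/docker-compose.yml" && { echo "FAIL: default DB password fallback"; rc=1; }
  nginx_body_size_ok "$dir/nginx.conf" || { echo "FAIL: client_max_body_size above 10m"; rc=1; }
  return $rc
}

run_checks "$SAMPLE_DIR" || echo "sample config has findings; fix before deploying"
echo "Suggested JWT_SECRET: $(gen_secret)"
```

Point `run_checks` at the real deployment directory once the sample block is removed; the sample intentionally trips all four checks. The history check is deliberately separate from the content scan: deleting `.env.production` from the working tree clears the scan but not the exposure.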
Future Improvements (Optional)
UX Enhancements
- Activity Feed (timeline of user activities)
- Smart sort order (unread first, pending ratings)
- User statistics (total matches, average rating)
- Sidebar filters (by nationality, division)
Security Hardening
- Increase bcrypt rounds (10 → 12)
- Implement refresh token pattern
- Add Socket.IO rate limiting
- Sanitize chat messages
Infrastructure
- CI/CD pipeline (GitHub Actions)
- E2E tests (Playwright)
- Security logging
Progress Summary
| Phase | Status | Time |
|---|---|---|
| Phase 0: Frontend Mockup | ✅ Done | ~8h |
| Phase 1: Backend Foundation | ✅ Done | ~14h |
| Phase 1.5: Email & WSDC & Profiles | ✅ Done | ~12h |
| Phase 1.6: Competition Heats | ✅ Done | ~8h |
| Phase 2: Matches & Ratings | ✅ Done | ~10h |
| Phase 2.5: WebRTC P2P | ✅ Done | ~10h |
| Phase 3: MVP Finalization | ✅ Done | ~20h |
| Total MVP | ✅ Complete | ~82h |
Quick Commands
```sh
# Development
docker compose up --build

# Tests
docker compose exec backend npm test

# Access: http://localhost:8080
```
Last Updated: 2025-11-29
Full Details: See docs/archive/COMPLETED.md for implementation details