948c694ed6
Backend Changes:
- Added public API endpoint /api/public/log-404 (no auth required)
- Created backend/src/routes/public.js for public endpoints
- Added ACTIONS.SYSTEM_404 and CATEGORIES.system to activity log service
- Registered public routes in app.js
Frontend Changes:
- Created NotFoundPage.jsx with standalone layout (no auth required)
- Added publicAPI.log404() to log 404 access attempts
- Logs both authenticated and anonymous users
- Changed profile route from /@:username to /u/:username
- Made profile route public (removed ProtectedRoute wrapper)
- Updated all profile links from /@${username} to /u/${username} in:
- ChatMessage.jsx
- DashboardMatchCard.jsx
- MatchRequestCards.jsx
- MatchCard.jsx
- UserListItem.jsx
- MatchChatPage.jsx
- PublicProfilePage.jsx
Fixes:
- React Router doesn't support @ in path segments
- 404 page now accessible to non-authenticated users without redirect
- Profile route no longer catches all unmatched routes
spotlight.cam 🎥
P2P video exchange app for the dance community - matchmaking, chat, and WebRTC file transfer directly between users.
🎯 What is this?
Web application (PWA) enabling dance event participants to:
- Find recording partners via smart auto-matching
- Exchange competition videos peer-to-peer using WebRTC
- Rate collaborations and track partnership history
- Chat in real-time (event rooms + private 1:1 messages)
Key Feature: Direct browser-to-browser video file transfer using WebRTC DataChannel - no files stored on server, end-to-end encrypted (DTLS), tested up to 700MB+.
✅ Core Features
Authentication & Security
- JWT authentication with bcrypt password hashing
- Email verification via AWS SES (link + PIN code)
- Password reset workflow
- WSDC integration (auto-fill profile data from worldsdc.com)
- Event slugs (alphanumeric IDs preventing enumeration attacks)
- Security: CORS, CSRF, Helmet.js, rate limiting, account lockout
Events & Chat
- Event list from worldsdc.com
- Real-time event chat (Socket.IO) with active users sidebar
- Real-time active users list (instant updates when users join/leave)
- Infinite scroll message history
- Clickable usernames (/@{username}) with country flags
- Competitor numbers (bib numbers) display
- Message validation: 2000 character limit with visual counter
- Spam protection: rate limiting (10 msg/min), duplicate detection, profanity filter
- Polish + English profanity filtering
Auto-matching & Fairness System
- Smart recording assignment for competition heats
- 3-tier account system (BASIC/SUPPORTER/COMFORT) with fairness algorithm
- Karma tracking (recordingsDone vs recordingsReceived)
- Dual buffer system (prep time before + rest time after dancing)
- Collision detection (schedule conflicts, max recordings limit)
- Matching runs audit with origin_run_id tracking
- Incremental matching (preserves accepted/completed suggestions)
- Automated scheduler (cron-based)
Matchmaking & Private Chat
- Manual match requests with real-time notifications
- Private 1:1 chat for matched users
- Match slugs (CUID) preventing ID enumeration
WebRTC P2P File Transfer
- Browser-to-browser video file exchange (RTCDataChannel)
- 16KB chunking with progress monitoring
- STUN servers for NAT traversal
- E2E encryption (DTLS/SRTP)
- WebRTC capability detection
- User-friendly fallback when WebRTC blocked
- Tested up to 700MB+ file transfers
Ratings & Stats
- Partner ratings (1-5 stars, comments)
- "Would collaborate again" indicator
- Public rating display on user profiles
- Atomic stats updates (race condition prevention)
- Source filtering (auto vs manual matches)
- Auto-completion when both partners rated
User Profiles
- Public profiles (/@{username}) visible to logged-in users
- Social media links (YouTube, Instagram, Facebook, TikTok)
- Location (country + city with 195 countries)
- Profile statistics (matches, average rating, reviews)
Admin & Monitoring
- Activity Log System with real-time streaming dashboard
- Comprehensive audit trail (auth, events, matches, chat, admin actions)
- Filter logs by date range, action type, category, username, success/failure
- Real-time Socket.IO streaming (like
tail -f) - Admin-only access with requireAdmin middleware
- Statistics dashboard (total logs, failures, 24h activity)
PWA & Infrastructure
- Progressive Web App (offline support, iOS compatible)
- Docker Compose orchestration (nginx, frontend, backend, PostgreSQL)
- PostgreSQL 15 with Prisma ORM (12 tables)
- Admin CLI with REPL for operations
🛠️ Tech Stack
Frontend: React 18 + Vite + Tailwind CSS v3.4.0 + Socket.IO Client + WebRTC Backend: Node.js 20 + Express 4.18 + Socket.IO 4.8 + JWT + bcrypt Database: PostgreSQL 15 + Prisma ORM 5.22 Infrastructure: Docker Compose + Nginx + Alpine Linux Testing: Jest + Supertest (342 tests, 72.5% coverage, 100% passing ✅)
🚀 Quick Start
Prerequisites
- Docker and Docker Compose
1. Start the application
# Clone repository
git clone <repo-url>
cd spotlightcam
# Copy environment file
cp backend/.env.example backend/.env
# Start development mode
docker compose --profile dev up
# Open browser
http://localhost:8080
2. Test the application
Use seeded accounts:
- john@example.com / Dance123!
- sarah@example.com / Swing456!
- mike@example.com / Blues789!
Flow:
- Login → Select event → Join chat
- Request match with another user → Accept
- Send video via WebRTC (P2P transfer)
- Rate partner after exchange
Commands
# Stop services
docker compose --profile dev down
# Rebuild after changes
docker compose --profile dev up --build
# Run tests
docker compose exec backend npm test
# Run specific test suite
docker compose exec backend npm test -- matching-algorithm.test.js
# Coverage report
docker compose exec backend npm run test:coverage
# Admin CLI
docker compose exec backend npm run cli -- users:list --limit 20
📊 Test Coverage
Backend: 342/342 tests passing - 100% ✅ (72.5% overall coverage)
Test Suites
- Matching Algorithm: 19/19 integration tests
- Fundamentals, collision detection, limits, fairness, edge cases
- Ratings & Stats Flow: 9/9 E2E tests
- Atomic updates, race prevention, idempotency
- Matching Runs Audit: 6/6 tests
- origin_run_id tracking, sequential runs, filtering
- Incremental Matching: 5/5 tests
- Recording Stats Integration: 6/6 tests
- WebRTC Signaling: 12/12 tests
- Socket.IO: 12/12 tests
- API Routes: Full CRUD coverage (auth, events, matches, dashboard)
Code Coverage Highlights
- matching.js: 94.71% statements, 91.5% branches
- routes/matches.js: 76.11% statements
- routes/events.js: 78.2% statements
Comprehensive test documentation: See docs/TESTING_MATCHING_RATINGS.md for detailed breakdown of all 45 matching/ratings tests.
📁 Project Structure
spotlightcam/
├── docker-compose.yml # Container orchestration (dev + prod profiles)
├── nginx/ # Nginx reverse proxy config
├── frontend/ # React PWA
│ ├── src/
│ │ ├── components/ # React components
│ │ ├── pages/ # Application pages
│ │ │ └── admin/ # Admin pages (ActivityLogsPage)
│ │ ├── hooks/ # Custom hooks (useWebRTC)
│ │ ├── contexts/ # AuthContext
│ │ ├── services/ # API client, Socket.IO client
│ │ └── constants/ # Status constants
│ ├── Dockerfile # Development container
│ └── Dockerfile.prod # Production build
├── backend/ # Node.js + Express API
│ ├── src/
│ │ ├── controllers/ # Auth, users, events, WSDC
│ │ ├── routes/ # API routes (events, matches, admin)
│ │ ├── services/ # Matching algorithm, activity logging
│ │ ├── middleware/ # Auth, admin access, message validation (spam protection)
│ │ ├── socket/ # Socket.IO handlers (chat, WebRTC signaling, admin logs)
│ │ └── __tests__/ # Jest tests (342 tests)
│ ├── prisma/
│ │ ├── schema.prisma # Database schema (12 tables)
│ │ └── migrations/ # Database migrations
│ ├── Dockerfile # Development container
│ └── Dockerfile.prod # Production build
└── docs/ # Documentation
├── SESSION_CONTEXT.md # Quick session context (for resuming work)
├── TODO.md # Active tasks & roadmap
├── ARCHITECTURE.md # Technical implementation details
├── DEPLOYMENT.md # Production deployment guide
├── MONITORING.md # Operations & monitoring
├── TESTING_MATCHING_RATINGS.md # Comprehensive test documentation
├── WEBRTC_TESTING_GUIDE.md # WebRTC testing guide
└── archive/ # Archived documentation
🗄️ Database Schema
12 tables with relations (Prisma ORM):
Core Tables:
users- Authentication, profile, social links, location, account tiers, isAdmin flagevents- Dance events with unique slugsevent_participants- User-event relationship, competitor numbersmatches- User pairings with CUID slugsratings- 1-5 stars, comments, statsApplied flagchat_rooms/messages- Real-time chat persistence
Matching System:
divisions/competition_types/event_user_heats- Competition heatsrecording_suggestions- Auto-matching results with collision detection, originRunIdmatching_runs- Audit trail (manual/scheduler, status, stats)
Admin & Monitoring:
activity_logs- Comprehensive audit trail with 18 action types, indexed for performance
Other:
event_checkin_tokens- QR code check-in
See docs/ARCHITECTURE.md for detailed schema documentation.
🧰 Admin CLI
Quick operations via REPL or command mode:
# Start REPL
docker compose exec backend npm run cli
# List users
docker compose exec backend npm run cli -- users:list --limit 20
# Create user
docker compose exec backend npm run cli -- users:create --email admin@example.com --username admin --password 'Secret123!'
# Verify email
docker compose exec backend npm run cli -- users:verify --email admin@example.com
# List events
docker compose exec backend npm run cli -- events:list --limit 10
# Import WSDC events
docker compose exec backend npm run cli -- events:import:wsdc --dry-run --since 2024-01-01 --until 2024-12-31
# Event details
docker compose exec backend npm run cli -- events:details --slug warsaw-dance-2025
# Check-in user to event
docker compose exec backend npm run cli -- events:checkin --username john_doe --slug warsaw-dance-2025
# List matches
docker compose exec backend npm run cli -- matches:list --limit 20 --status accepted
REPL mode: Top-level await works for Prisma queries, e.g., await prisma.user.findMany({ take: 5 })
🔐 Security Features
Implemented:
- bcrypt password hashing (10 salt rounds)
- JWT authentication (httpOnly cookies in production)
- Email verification required
- Input validation (express-validator)
- SQL injection prevention (Prisma parameterized queries)
- XSS protection (input sanitization)
- Rate limiting (login: 5/15min, registration: 3/hour, email: 3/hour)
- CORS configuration
- CSRF protection
- Helmet.js security headers
- Account lockout after failed attempts
- Content Security Policy
- Unique slugs preventing ID enumeration
📖 Documentation
For quick start:
docs/SESSION_CONTEXT.md- Quick context for resuming sessions (recommended for AI assistants)
Main documentation:
docs/TODO.md- Active tasks, security audit, roadmapdocs/ARCHITECTURE.md- Technical details, WebRTC flow, API endpointsdocs/TESTING_MATCHING_RATINGS.md- Comprehensive test documentation (45 tests)docs/DEPLOYMENT.md- Production deployment guidedocs/MONITORING.md- Operations and monitoring
Testing guides:
docs/WEBRTC_TESTING_GUIDE.md- WebRTC P2P testing
Archived:
docs/archive/COMPLETED.md- Full history of completed featuresdocs/archive/PHASE_1.5.md- Phase 1.5 documentationdocs/archive/SECURITY_AUDIT.md- Security audit & fixes
🎯 Roadmap
✅ Completed Phases
Phase 0: Frontend mockup with routing Phase 1: Backend foundation (Node.js, Express, PostgreSQL, Socket.IO) Phase 1.5: Email verification (AWS SES), WSDC integration, profiles Phase 2: Matches & ratings API, message history Phase 2.5: WebRTC P2P file transfer with fallback UX Phase 3: MVP finalization (landing page, dashboard, security hardening, PWA, auto-matching) Phase 3.5: Activity Log System (admin monitoring, real-time streaming dashboard, 18 action types)
⏳ Future Extensions (Phase 4)
- User badges & trust system
- Push notifications
- Video compression
- Multi-file transfer
- Block users
🤝 Contributing
Development Guidelines:
- Code language: All code, strings, comments in ENGLISH
- Communication: POLISH with team
- Git commits: Standard format WITHOUT AI mentions
- Port: 8080 (not 80 in dev)
- Tailwind: v3.4.0 (NOT v4 - breaking changes)
Git workflow:
git status
git add .
git commit -m "feat: description"
📄 License
TBD
Status: MVP Complete ✅ | 342/342 tests passing (100%) | Production Ready Last Updated: 2025-12-03