4.4 KiB
4.4 KiB
Listify API Roadmap
This roadmap captures the next practical milestones for the Listify API. The project is currently a NestJS service with registration, email verification, login, refresh-token rotation, a JWT guard, event-based mail handling, Helmet, and focused auth tests. Runtime state is still in memory, mail delivery is logged/stubbed, and the README is still the default NestJS starter text.
Guiding Goals
- Build a reliable API for user accounts and list management.
- Move from prototype in-memory state to durable, observable production services.
- Keep security and test coverage ahead of user-facing feature expansion.
- Document setup, environment variables, and release workflows clearly enough for repeatable development.
Phase 1: Foundation Hardening
- Replace in-memory user and refresh-token maps with a database-backed persistence layer.
- Choose and configure the data stack, including migrations, local development setup, and test database strategy.
- Move configuration into a typed config module with explicit validation for JWT secrets, token lifetimes, base URLs, mail settings, and port.
- Replace the hard-coded verification URL with environment-aware URL generation.
- Add validation pipes globally so DTO validation is enforced consistently at API boundaries.
- Add CORS policy configuration for the intended frontend origins.
- Update the README with real Listify setup, scripts, environment variables, and testing instructions.
Phase 2: Authentication And Account Management
- Persist users, email verification tokens, refresh tokens, and token revocation metadata.
- Add logout and logout-all-devices endpoints.
- Add password reset request and password reset confirmation flows.
- Add resend verification email support with rate limiting.
- Strengthen password policy and add account lockout or throttling for repeated login failures.
- Add authenticated profile endpoints for viewing and updating basic account details.
- Add tests for persistence behavior, token expiry paths, logout, reset flows, and guard-protected routes.
Phase 3: Listify Product API
- Define the core domain model for lists, list items, ownership, ordering, completion state, and timestamps.
- Add CRUD endpoints for lists and list items.
- Enforce authorization so users can only access their own lists unless explicit sharing is introduced.
- Support item reordering, bulk completion, archive/delete flows, and basic filtering.
- Add pagination and query limits where list or item collections can grow.
- Add OpenAPI documentation for auth and list endpoints.
- Expand e2e coverage across the main account and list workflows.
Phase 4: Mail And Event Reliability
- Replace the stub mail service with a real provider integration behind the existing mail service boundary.
- Add HTML/text templates for verification and password reset emails.
- Add provider error handling, retries, and structured logging for mail delivery failures.
- Persist outbound email intent or event processing state if reliable delivery becomes required.
- Add tests around event listeners and mail provider adapters.
Phase 5: Platform Readiness
- Add structured request logging with correlation IDs.
- Add health and readiness endpoints for deployment checks.
- Add rate limiting for auth and high-volume endpoints.
- Add CI for linting, tests, coverage, and build verification.
- Add Docker or equivalent deployment packaging if the target runtime needs it.
- Add production environment documentation, secret management guidance, and rollback notes.
- Add dependency update and security audit routines.
Phase 6: Collaboration And Sharing
- Introduce list sharing or team/workspace concepts if required by the product direction.
- Add invitation flows, roles, and permissions for shared lists.
- Add audit-friendly activity events for important list and account changes.
- Consider real-time list updates once the core REST API is stable.
Open Decisions
- Database choice and migration tooling.
- Mail provider and whether delivery must be durable/retryable.
- Frontend base URL and allowed production origins.
- API versioning strategy.
- Whether shared lists are part of the initial product scope or a later collaboration feature.
Suggested Immediate Next Steps
- Select the database and migration approach.
- Add a typed configuration module and global validation pipe.
- Replace the default NestJS README with project-specific documentation.
- Implement persistent auth storage before expanding the list domain.