Files
listify/listify-api/ROADMAP.md
Bastian Wagner 537c7cbbee Initial
2026-06-09 09:45:33 +02:00

4.4 KiB

Listify API Roadmap

This roadmap captures the next practical milestones for the Listify API. The project is currently a NestJS service with registration, email verification, login, refresh-token rotation, a JWT guard, event-based mail handling, Helmet, and focused auth tests. Runtime state is still in memory, mail delivery is logged/stubbed, and the README is still the default NestJS starter text.

Guiding Goals

  • Build a reliable API for user accounts and list management.
  • Move from prototype in-memory state to durable, observable production services.
  • Keep security and test coverage ahead of user-facing feature expansion.
  • Document setup, environment variables, and release workflows clearly enough for repeatable development.

Phase 1: Foundation Hardening

  • Replace in-memory user and refresh-token maps with a database-backed persistence layer.
  • Choose and configure the data stack, including migrations, local development setup, and test database strategy.
  • Move configuration into a typed config module with explicit validation for JWT secrets, token lifetimes, base URLs, mail settings, and port.
  • Replace the hard-coded verification URL with environment-aware URL generation.
  • Add validation pipes globally so DTO validation is enforced consistently at API boundaries.
  • Add CORS policy configuration for the intended frontend origins.
  • Update the README with real Listify setup, scripts, environment variables, and testing instructions.

Phase 2: Authentication And Account Management

  • Persist users, email verification tokens, refresh tokens, and token revocation metadata.
  • Add logout and logout-all-devices endpoints.
  • Add password reset request and password reset confirmation flows.
  • Add resend verification email support with rate limiting.
  • Strengthen password policy and add account lockout or throttling for repeated login failures.
  • Add authenticated profile endpoints for viewing and updating basic account details.
  • Add tests for persistence behavior, token expiry paths, logout, reset flows, and guard-protected routes.

Phase 3: Listify Product API

  • Define the core domain model for lists, list items, ownership, ordering, completion state, and timestamps.
  • Add CRUD endpoints for lists and list items.
  • Enforce authorization so users can only access their own lists unless explicit sharing is introduced.
  • Support item reordering, bulk completion, archive/delete flows, and basic filtering.
  • Add pagination and query limits where list or item collections can grow.
  • Add OpenAPI documentation for auth and list endpoints.
  • Expand e2e coverage across the main account and list workflows.

Phase 4: Mail And Event Reliability

  • Replace the stub mail service with a real provider integration behind the existing mail service boundary.
  • Add HTML/text templates for verification and password reset emails.
  • Add provider error handling, retries, and structured logging for mail delivery failures.
  • Persist outbound email intent or event processing state if reliable delivery becomes required.
  • Add tests around event listeners and mail provider adapters.

Phase 5: Platform Readiness

  • Add structured request logging with correlation IDs.
  • Add health and readiness endpoints for deployment checks.
  • Add rate limiting for auth and high-volume endpoints.
  • Add CI for linting, tests, coverage, and build verification.
  • Add Docker or equivalent deployment packaging if the target runtime needs it.
  • Add production environment documentation, secret management guidance, and rollback notes.
  • Add dependency update and security audit routines.

Phase 6: Collaboration And Sharing

  • Introduce list sharing or team/workspace concepts if required by the product direction.
  • Add invitation flows, roles, and permissions for shared lists.
  • Add audit-friendly activity events for important list and account changes.
  • Consider real-time list updates once the core REST API is stable.

Open Decisions

  • Database choice and migration tooling.
  • Mail provider and whether delivery must be durable/retryable.
  • Frontend base URL and allowed production origins.
  • API versioning strategy.
  • Whether shared lists are part of the initial product scope or a later collaboration feature.

Suggested Immediate Next Steps

  1. Select the database and migration approach.
  2. Add a typed configuration module and global validation pipe.
  3. Replace the default NestJS README with project-specific documentation.
  4. Implement persistent auth storage before expanding the list domain.