81 lines
4.4 KiB
Markdown
81 lines
4.4 KiB
Markdown
# Listify API Roadmap
|
|
|
|
This roadmap captures the next practical milestones for the Listify API. The project is currently a NestJS service with registration, email verification, login, refresh-token rotation, a JWT guard, event-based mail handling, Helmet, and focused auth tests. Runtime state is still in memory, mail delivery is logged/stubbed, and the README is still the default NestJS starter text.
|
|
|
|
## Guiding Goals
|
|
|
|
- Build a reliable API for user accounts and list management.
|
|
- Move from prototype in-memory state to durable, observable production services.
|
|
- Keep security and test coverage ahead of user-facing feature expansion.
|
|
- Document setup, environment variables, and release workflows clearly enough for repeatable development.
|
|
|
|
## Phase 1: Foundation Hardening
|
|
|
|
- Replace in-memory user and refresh-token maps with a database-backed persistence layer.
|
|
- Choose and configure the data stack, including migrations, local development setup, and test database strategy.
|
|
- Move configuration into a typed config module with explicit validation for JWT secrets, token lifetimes, base URLs, mail settings, and port.
|
|
- Replace the hard-coded verification URL with environment-aware URL generation.
|
|
- Add validation pipes globally so DTO validation is enforced consistently at API boundaries.
|
|
- Add CORS policy configuration for the intended frontend origins.
|
|
- Update the README with real Listify setup, scripts, environment variables, and testing instructions.
|
|
|
|
## Phase 2: Authentication And Account Management
|
|
|
|
- Persist users, email verification tokens, refresh tokens, and token revocation metadata.
|
|
- Add logout and logout-all-devices endpoints.
|
|
- Add password reset request and password reset confirmation flows.
|
|
- Add resend verification email support with rate limiting.
|
|
- Strengthen password policy and add account lockout or throttling for repeated login failures.
|
|
- Add authenticated profile endpoints for viewing and updating basic account details.
|
|
- Add tests for persistence behavior, token expiry paths, logout, reset flows, and guard-protected routes.
|
|
|
|
## Phase 3: Listify Product API
|
|
|
|
- Define the core domain model for lists, list items, ownership, ordering, completion state, and timestamps.
|
|
- Add CRUD endpoints for lists and list items.
|
|
- Enforce authorization so users can only access their own lists unless explicit sharing is introduced.
|
|
- Support item reordering, bulk completion, archive/delete flows, and basic filtering.
|
|
- Add pagination and query limits where list or item collections can grow.
|
|
- Add OpenAPI documentation for auth and list endpoints.
|
|
- Expand e2e coverage across the main account and list workflows.
|
|
|
|
## Phase 4: Mail And Event Reliability
|
|
|
|
- Replace the stub mail service with a real provider integration behind the existing mail service boundary.
|
|
- Add HTML/text templates for verification and password reset emails.
|
|
- Add provider error handling, retries, and structured logging for mail delivery failures.
|
|
- Persist outbound email intent or event processing state if reliable delivery becomes required.
|
|
- Add tests around event listeners and mail provider adapters.
|
|
|
|
## Phase 5: Platform Readiness
|
|
|
|
- Add structured request logging with correlation IDs.
|
|
- Add health and readiness endpoints for deployment checks.
|
|
- Add rate limiting for auth and high-volume endpoints.
|
|
- Add CI for linting, tests, coverage, and build verification.
|
|
- Add Docker or equivalent deployment packaging if the target runtime needs it.
|
|
- Add production environment documentation, secret management guidance, and rollback notes.
|
|
- Add dependency update and security audit routines.
|
|
|
|
## Phase 6: Collaboration And Sharing
|
|
|
|
- Introduce list sharing or team/workspace concepts if required by the product direction.
|
|
- Add invitation flows, roles, and permissions for shared lists.
|
|
- Add audit-friendly activity events for important list and account changes.
|
|
- Consider real-time list updates once the core REST API is stable.
|
|
|
|
## Open Decisions
|
|
|
|
- Database choice and migration tooling.
|
|
- Mail provider and whether delivery must be durable/retryable.
|
|
- Frontend base URL and allowed production origins.
|
|
- API versioning strategy.
|
|
- Whether shared lists are part of the initial product scope or a later collaboration feature.
|
|
|
|
## Suggested Immediate Next Steps
|
|
|
|
1. Select the database and migration approach.
|
|
2. Add a typed configuration module and global validation pipe.
|
|
3. Replace the default NestJS README with project-specific documentation.
|
|
4. Implement persistent auth storage before expanding the list domain.
|