diff --git a/ayanova/devdocs/todo.txt b/ayanova/devdocs/todo.txt index f32a6b64..47d496cd 100644 --- a/ayanova/devdocs/todo.txt +++ b/ayanova/devdocs/todo.txt 
@@ -71,66 +71,8 @@ CURRENT TODOs CURRENT ITEM: -# DANGER DANGER - can make two users with the same login. that's not cricket! - - also User model, login and password are not set to required - - also auth route with dubious expectation about salt being only necessary differentiator and collection returned from login which should be one only now after this change - - - -todo: integration tests bombing due to side effect of dltoken creation changing concurrency token for User account - in high speed multiple login scenario, between fetch at start of auth and save of dl token concurrency token has changed by another login - which if same account login again breaks - FIX: fix below and implment new dl token plan will fix this - -todo: dl token and multiple logins - - what if user fetches dl token *after* login from route and server returns existing valid dl token from first jwt key login? - - but same issue really, because eventually the token expires and so what happens then, they've just logged in, fresh jwt but dltoken has 1 minute left on it - - possible steps: - user login - fetch session data after login - - route sees no dltoken or expired, generates new one and returns it - - User login again - fetch session data after login - - route sees valid dltoken still and just returns it -b4 removal of dltoken: -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTg4OTgwMDA3IiwiZXhwIjoiMTU4OTU4NDgwNyIsImlzcyI6ImF5YW5vdmEuY29tIiwiaWQiOiIxIiwibmFtZSI6IkF5YU5vdmEgQWRtaW5pc3RyYXRvciIsInVzZXJ0eXBlIjoxLCJheWFub3ZhL3JvbGVzIjoiMTMxMDcxIiwiZGx0IjoiYk1rMjluUVJranBIRkYwdjlYZHBNRlpUL0IyS3ZaVG1PTGhYZEp2dDVEYyJ9.GVKxfOcjk8bLtO3SFRio6epyLYwIYHEyCLCh4DC-bF8" -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTg4OTgwMDg0IiwiZXhwIjoiMTU4OTU4NDg4NCIsImlzcyI6ImF5YW5vdmEuY29tIiwiaWQiOiIxIiwibmFtZSI6IkF5YU5vdmEgQWRtaW5pc3RyYXRvciIsInVzZXJ0eXBlIjoxLCJheWFub3ZhL3JvbGVzIjoiMTMxMDcxIiwiZGx0IjoiWS9NTHBsS1pXamxEdHhPS0RuVzhsZTVXUkwxTEhtdVRVSHVycHBJeFEifQ.JAaTDJeDDajk7ljzfarWxG2luO3y4A67zIFqQw2CHAQ 
-after: -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTg4OTgzNDY5IiwiZXhwIjoiMTU4OTU4ODI2OSIsImlzcyI6ImF5YW5vdmEuY29tIiwiaWQiOiIxIn0.IWXZSGSJBGXS6AFQYF6ueA9xDFbcqpv3TVgA5fWQxMk -Final: -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxNTg5NTg4NzAzIiwiaXNzIjoiYXlhbm92YS5jb20iLCJpZCI6IjEifQ.A9sq8RahA96L31sbOy5OTNLRVdXg-BHBKlVlyGRkQIE - -todo: JWT tokens, revoking expiring etc, look at this: https://github.com/ptboyer/restful-api-design-tips#authentication -todo: PLANNING session tracking to prevent logging in from multiple devices with same account - - right now if I login as same user on another browser the download token becomes invalid on the first computer - - so wiki images don't load etc - - Perhaps we track the download token or something during certain requests to server so it can return a 403 and redirect to login if they are on another session - - or maybe the download route should return the not authenticated response to force login again - - maybe part of JWT session key of some kind that must be current to work to prevent multiple logins - - JWT TOKEN for image download?? - - JWT TOKEN too large? sb as tiny as possible, currently too much info in it? - ACTION: - - I've decided to *NOT* allow simultaneous same login sessions - - If user logs in then prior jwt is invalidated somehow (in db tracking) - - So user's won't share passwords, gives more control and security and supports future 2fa scenario - - This will absolutely FUCK UP the integration tests so I guess I need a workaround for that - - Actually, are they really logging in fresh again? 
I think it logs in once and then shares the token...must check - -todo: User dl token and other data in JWT not required should be fetched seperately - Currently in token WAY too much stuff: - { "iat", iat.ToUnixTimeSeconds().ToString() }, - { "exp", exp.ToUnixTimeSeconds().ToString() },//in payload exp must be in unix epoch time per standard - { "iss", "ayanova.com" }, - { "id", u.Id.ToString() }, - { "name", u.Name}, - { "usertype", u.UserType}, - { "ayanova/roles", ((int)u.Roles).ToString()}, - { "dlt", DownloadToken } - - - -Fix existing integration tests +todo: test for coded fix for can make two users with the same login. that's not cricket! + Add tests as I go while adding all the structure of the workorder and all ops TBD: Does a labor and other grandchild objects record really have an attachment, wiki, and custom fields? UI? Will it be a table or a whole form or...?? @@ -155,6 +97,7 @@ Finish off the v8 test export then get the below shit done so can move to stage ============================ +todo: Release AyaNova 7.x (bump version numbers) todo: ***CLEAN UP OR DELETE***
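Review bot: the first hunk deletes the whole block of auth todos (User model login and password not marked required, the auth route's assumption that the salt is the only necessary differentiator, the dl-token concurrency-token race, invalidating the prior JWT on a new login, trimming the JWT payload) and replaces it with a single line, "test for coded fix for can make two users with the same login"; unless every one of those items was resolved in this same commit, keep the unresolved ones as separate todo lines rather than letting the removed text be their only record. Two points are visible in the deleted lines themselves: the "Final" token payload decodes to {"exp":"1589588703","iss":"ayanova.com","id":"1"}, so exp is still emitted as a string (the removed snippet does `exp.ToUnixTimeSeconds().ToString()`), whereas RFC 7519 defines exp as a NumericDate, i.e. a JSON number, and strict validators will reject or ignore a string there; and that payload carries no jti or session identifier, which the "prior jwt is invalidated somehow (in db tracking)" plan needs in order to match a presented token to a tracked session. Finally, the deleted lines contain three complete HS256-signed tokens; they stay in git history, so confirm the key that signed them was a throwaway development key, or rotate it.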
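Review bot: the second hunk adds "todo: Release AyaNova 7.x (bump version numbers)" directly under the "Finish off the v8 test export" heading with no acceptance criteria; state whether 7.x is a maintenance release cut from a separate branch and whether the duplicate-login fix referenced in the first hunk (and its test) must land before that release, otherwise the item is ambiguous next to the v8 work it sits beside.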