feat(p0): complete account security privacy and sync hardening
Some checks failed
CI / test (push) Failing after 2m10s

2026-03-08 21:19:12 +03:00
parent 6b724e260f
commit 5909503012
4 changed files with 178 additions and 11 deletions


@@ -7,7 +7,7 @@ Legend:
## Modules
1. Account - `PARTIAL` (email auth, JWT, refresh, logout, reset; web now handles `/verify-email?token=...` links and shows auth-page feedback; integration tests cover resend-verification token replacement and full password-reset login flow; sessions exist, full UX still improving)
1. Account - `DONE` (email auth, JWT, refresh, logout, reset, sessions; web handles `/verify-email?token=...` links with auth-page feedback; integration tests cover resend-verification replacement, password-reset login flow, and `check-email` status transitions)
2. User Profile - `DONE` (username, name, avatar, bio, update)
3. User Status - `PARTIAL` (online/last seen/offline; web now formats `just now/today/yesterday/recently`, backend-side presence heuristics still limited)
4. Contacts - `PARTIAL` (list/search/add/remove/block/unblock; `add by email` flow covered by integration tests including `success/not found/blocked conflict`; web now surfaces specific add-by-email errors (`not found` vs `blocked`); UX moved to menu)
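Review bot: Promoting Account to `DONE` silently drops the old caveat `sessions exist, full UX still improving` without saying what closed it, and the CI run for this push is failing (`CI / test (push) Failing after 2m10s`), so the status change is not yet backed by a green test run. Suggest keeping `PARTIAL` until CI passes, or adding to the parenthetical which session UX item was finished and which test covers it.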
@@ -37,16 +37,15 @@ Legend:
28. Notifications - `PARTIAL` (browser notifications + mute/settings; chat mute is propagated in chat list payload, honored by web realtime notifications with mention override, and mute toggle now syncs instantly in chat store; backend now emits `chat_updated` after notification mute/unmute for cross-tab consistency; no mobile push infra)
29. Archive - `DONE`
30. Blacklist - `DONE`
31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; group-invite `nobody` is available in API and web settings; integration tests cover PM policy matrix (`everyone/contacts/nobody`), group-invite policy matrix (`everyone/contacts/nobody`), private chat counterpart visibility for `nobody/contacts/everyone`, and avatar visibility matrix in search for `everyone/contacts/nobody`, remaining UX/matrix hardening)
32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; integration tests cover single-session revoke and revoke-all invalidation/force-disconnect; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added and covered for normalization/lifecycle (`remaining_codes` decrement + one-time usage); web auth panel supports recovery-code login; settings now warns when recovery codes are empty and provides copy/download actions for freshly generated codes)
31. Privacy - `DONE` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; API + web settings support all matrix values; integration tests cover PM policy matrix, group-invite policy matrix, private chat counterpart visibility `nobody/contacts/everyone`, and avatar visibility in search `everyone/contacts/nobody`)
32. Security - `DONE` (sessions + revoke + 2FA + access-session visibility; integration tests cover single-session revoke, revoke-all invalidation/force-disconnect, 2FA setup guard, recovery-code normalization/lifecycle, and disable-2FA cleanup; web auth supports recovery-code login; settings provides recovery-code warning/copy/download)
33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`, per-user chat state mutations (archive/unarchive/pin/unpin/mute) now emit `chat_updated`, chat list excludes duplicate `is_saved` rows from regular listing, and migration `0026_deduplicate_saved_chats` merges historical duplicate Saved Messages data)
34. Sync - `DONE` (cross-device via backend state + realtime; reconciliation for loaded chats/messages; `chat_updated` covers profile/membership/delete-for-self/archive/unarchive/pin/unpin/mute/clear and create-chat fanout to members; full-chat delete emits `chat_deleted`; integration tests cover user-scoped archive/pin, member-side visibility after create, and user-scoped clear behavior; chat list and migration `0026_deduplicate_saved_chats` handle historical duplicate Saved Messages)
35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)
## Current Focus to reach ~80%
## Current Focus beyond P0
1. Complete security/privacy UX (sessions revoke behavior, TOTP QR flow, privacy matrix).
2. Finish channel/group moderation parity (ban permissions, member action polish).
3. Finalize media messaging UX parity (voice/circle controls, unified attachment behaviors).
4. Keep realtime strict consistency for all mutations (already improved for edit/delete).
5. Raise test coverage for auth/chats/messages/realtime critical paths.
1. Finish channel/group moderation parity (ban permissions, member action polish).
2. Finalize media messaging UX parity (voice/circle controls, unified attachment behaviors).
3. Expand message types ecosystem (GIF/stickers/thread UX + formatting polish).
4. Continue raising test coverage for realtime/media edge cases.
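Review bot: The removed focus item `Complete security/privacy UX (sessions revoke behavior, TOTP QR flow, privacy matrix)` is not carried anywhere: the new Security line lists the 2FA setup guard, recovery codes and disable-2FA cleanup but never mentions the TOTP QR flow, and the new focus list also drops `Raise test coverage for auth/chats/messages/realtime critical paths` while the per-module auth coverage is what justifies the `DONE` statuses. Suggest either adding TOTP QR flow to the Security parenthetical (if it shipped in the other three changed files, which this hunk does not show) or keeping it as an open focus item; the same applies to the Sync line, where `create-chat fanout to members` and `user-scoped clear behavior` are new behaviors rather than status wording and should point at the backend/test changes that back them.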