
v3.0.0 Release Wishlist

Open niftylettuce opened this issue 5 years ago • 20 comments

2.0.0 Release Wishlist

Features

  • [x] mandarin should automatically wrap placeholder tokens with <span class="notranslate">%s</span>
  • [x] Remove auto-bind from any dependencies
  • [x] Drop strength in favor of https://github.com/dropbox/zxcvbn (ref: https://github.com/forwardemail/forwardemail.net/issues/13)
  • [x] Replace mongoose-json-select with better approach (current is not clean enough)
  • [ ] last ip isn't stored when user registers
  • [x] HTTP/2 issue https://bugs.chromium.org/p/chromium/issues/detail?id=1045328 and then upgrade @ladjs/api and @ladjs/web to use http2 again
  • [x] Fix core bug with koa-redirect-loop (https://github.com/niftylettuce/koa-redirect-loop/issues/1)
  • [x] Mongoose plugin that iterates over schema types using pre('validate') and post('save') hook to store an _original using rfdc(this) and does a deep diff comparison with human-friendly readable strings (e.g. versus manually comparing changes upon document updates - this would allow us to easily send emails to admins/users of changes to certain things) https://mongoosejs.com/docs/schematypes.html
  • [x] Mongoose v5.6 is currently locked and needs to be upgraded to Mongoose v5.7, however Mongoose v5.7 has the new unified topology setup, which will require a rewrite to @ladjs/mongoose in order to handle reconnectTries and reconnection interval. I am not certain how to rewrite this now and would love support from the community.
  • [x] Switch livereload to browser-sync and document it
  • [x] Implement factor-bundle to reduce client-side bundle build sizes (see https://github.com/browserify/browserify#multiple-bundles, https://github.com/browserify/factor-bundle/issues/35#issuecomment-55052225)
  • [ ] Nested + prefixed loggers for everything (e.g. @ladjs/bull, @ladjs/mongoose, etc. are prefixed with $appName:mongoose)
  • [ ] Add Docker compose (PR #358, #357)
  • [ ] Improve remark parsing for Markdown (https://github.com/niftylettuce/mandarin/issues/1)
  • [ ] Add cache-pug-templates to cache Pug files (#343)
  • [x] Port express-redirect-loop to Koa once (#363)
  • [ ] Add mongoose-paranoid-plugin once https://github.com/euqen/mongoose-paranoid-plugin/issues/6 is resolved (#347)
  • [ ] Add host validation (#346)
  • [x] Fix installation warnings for custom-fonts-in-emails, font-awesome-assets, gulp-cloudfront, postcss-preset-env
  • [ ] Switch off SweetAlert2 to use native Bootstrap modals and toast notifications
  • [x] OTP tests need added

Thoughts

Swagger

Automatic code introspection and Swagger YAML file generation (parses routes, allows inline annotations for overriding/enhancing YAML file, parses mocks/tests for parameters and request body params, parses response for object and its properties, parses available status codes based off complete code coverage, uses widdershins -> shins and swagger-ui for "try it out" code blocks, postman integration, open api v3 spec testing)

niftylettuce avatar Sep 05 '19 09:09 niftylettuce
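The change-tracking plugin sketched in the features list (pre('validate') snapshot, post('save') deep diff with human-readable strings) is shown below as an added example; it is not lad's or Mongoose's code. The Mongoose hooks are replaced by plain functions so it runs offline, deepClone() stands in for rfdc, the sample document fields are constructed, and the default redacted paths (`password`, `otpSecret`) are an assumption about which fields should never appear in a notification email.

```javascript
// Added example (not lad's or mongoose's own code): the change-tracking plugin
// described in the issue, with the Mongoose hooks replaced by plain functions.
// snapshotOriginal() is what a pre('validate') hook would do (the issue uses
// rfdc; deepClone below stands in for it) and describeChanges() is what a
// post('save') hook would run before emailing admins or users about the change.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) && !(v instanceof Date);
}

// Minimal deep clone for plain data (objects, arrays, Dates, primitives).
function deepClone(value) {
  if (value instanceof Date) return new Date(value.getTime());
  if (Array.isArray(value)) return value.map(deepClone);
  if (isPlainObject(value)) {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = deepClone(v);
    return out;
  }
  return value;
}

// pre('validate'): store a snapshot of the document under _original.
function snapshotOriginal(doc) {
  const { _original, ...rest } = doc; // never snapshot a previous snapshot
  doc._original = deepClone(rest);
  return doc;
}

// Recursive comparison; returns [{ path, from, to }] in document key order.
function deepDiff(from, to, path = '', out = []) {
  if (from instanceof Date || to instanceof Date) {
    const a = from instanceof Date ? from.getTime() : from;
    const b = to instanceof Date ? to.getTime() : to;
    if (a !== b) out.push({ path, from, to });
  } else if (Array.isArray(from) && Array.isArray(to)) {
    const n = Math.max(from.length, to.length);
    for (let i = 0; i < n; i++) deepDiff(from[i], to[i], `${path}[${i}]`, out);
  } else if (isPlainObject(from) && isPlainObject(to)) {
    const keys = new Set([...Object.keys(from), ...Object.keys(to)]);
    for (const k of keys) deepDiff(from[k], to[k], path ? `${path}.${k}` : k, out);
  } else if (from !== to) {
    out.push({ path, from, to });
  }
  return out;
}

function show(v) {
  return v instanceof Date ? v.toISOString() : JSON.stringify(v);
}

// Paths listed in `redact` (password hashes, OTP secrets, ...) are reported as
// changed, but their values never make it into the message.
function isRedacted(path, redact) {
  return redact.some((r) => path === r || path.startsWith(`${r}.`) || path.startsWith(`${r}[`));
}

function formatChange({ path, from, to }, redact) {
  if (isRedacted(path, redact)) return `${path}: changed (value redacted)`;
  if (from === undefined) return `${path}: added ${show(to)}`;
  if (to === undefined) return `${path}: removed ${show(from)}`;
  return `${path}: ${show(from)} -> ${show(to)}`;
}

// post('save'): human-readable list of what changed since the snapshot.
// The default redact list is an assumption, not lad's configuration.
function describeChanges(doc, { redact = ['password', 'otpSecret'] } = {}) {
  const { _original, ...current } = doc;
  if (!_original) throw new Error('call snapshotOriginal() first');
  return deepDiff(_original, current).map((c) => formatChange(c, redact));
}

// Constructed sample document; field names are assumptions, not lad's schema.
function demo() {
  const user = snapshotOriginal({
    email: 'a@example.com',
    password: 'hash-1',
    profile: { name: 'Ann', tags: ['x'] },
    createdAt: new Date(0),
  });
  user.email = 'b@example.com';
  user.password = 'hash-2';
  user.profile.tags.push('y');
  return describeChanges(user);
}
```

demo() yields one line per changed leaf (`email`, `password`, `profile.tags[1]`), with the password reported only as "changed (value redacted)". In a real plugin the snapshot would be taken on the Mongoose document itself and describeChanges() called from the post('save') hook; the diff and redaction logic is the part that carries over unchanged.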

Moved from #368:

  • [x] Drop momentjs
  • [x] moment and usage of i18n.api.t and i18n.translate in models, views, and email templates need to use localization of user
  • [ ] Sitemap crawler
  • [x] Babel polyfill vs polyfill.io
  • [x] Two factor authentication
  • [ ] Admin filtering by group, search by name/email
  • [ ] User avatar upload (via lipo.io) (@niftylettuce will handle)
  • [ ] Manifest PNG icon (@niftylettuce will handle)
  • [ ] Figure out how to add lint-staged's xo --fix && git add to the template/package.json file (right now it errors out; see https://github.com/sudo-suhas/lint-staged-multi-pkg, possibly we can use lerna or something)
  • [ ] Record demo video and put it on README
  • [x] Lad LTS 1.0.0 "Chap"
  • [x] Lad email verification to verify account (otherwise someone can register in advance of someone else signing up for an account, then third party signs in with Google/GitHub)
  • [x] Deprecations:
    0|web      | ⚠  warning   The option `reconnectTries` is incompatible with the unified topology, please read more by visiting http://bit.ly/2D8WfT6 {
    0|web      |   app: {
    0|web      |     name: 'lad',
    0|web      |     version: '0.0.2',
    0|web      |     node: 'v12.10.0',
    0|web      |     hash: 'ecec4017fb14fd299e161b30b5e93c7c73f52041',
    0|web      |     environment: 'production',
    0|web      |     hostname: 'lad-demo-1',
    0|web      |     pid: 699
    0|web      |   }
    0|web      | }
    0|web      | ⚠  warning   The option `reconnectInterval` is incompatible with the unified topology, please read more by visiting http://bit.ly/2D8WfT6 {
    
  • [x] proxy server should remove "www" prefix from host on redirect
  • [x] server setup script needs --webroot-path #352 (?)
  • [ ] Browser setAppInfo and parse-logs to parse this if it was passed
  • [x] Emails when security changes made (web/api account update or key rotation)
  • [x] Document all env vars that can be customized (e.g. rg "process.env" node_modules)

niftylettuce avatar Dec 11 '19 07:12 niftylettuce

  • [ ] https://github.com/cabinjs/cabin/issues/133

niftylettuce avatar Dec 11 '19 07:12 niftylettuce

cc @shaunwarman I added above "OTP tests need added" checkbox

niftylettuce avatar Jan 07 '20 09:01 niftylettuce

  • [ ] ~https://github.com/OptimalBits/bull/issues/1659~ (no longer using Bull)

niftylettuce avatar May 05 '20 03:05 niftylettuce

  • [ ] Programmatically include a polyfill.js file with required plugins (vs. using all plugins) via https://github.com/babel/babel-polyfills/pull/13#event-3362558265 and https://github.com/babel/babel/issues/11583

niftylettuce avatar May 26 '20 03:05 niftylettuce

niftylettuce avatar May 26 '20 09:05 niftylettuce

  • [x] Referrer Header Policy https://scotthelme.co.uk/a-new-security-header-referrer-policy/

  • [x] ~Feature Header Policy https://scotthelme.co.uk/a-new-security-header-feature-policy/~ too experimental per https://github.com/w3c/webappsec-feature-policy/issues/189 and https://github.com/helmetjs/feature-policy/issues/6

niftylettuce avatar May 26 '20 20:05 niftylettuce

  • [x] Report-To header (we already have reportUri option being used in helmet)

niftylettuce avatar May 26 '20 20:05 niftylettuce
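The two headers in the comments above (Referrer-Policy, and Report-To built from the reportUri already used for helmet) are shown below as an added example in the form of a Koa-style middleware; this is not lad's or helmet's code. The option names, the `default` group name and the fake context used to exercise it are assumptions.

```javascript
// Added example (not lad's or helmet's code): Koa-style middleware that emits
// Referrer-Policy and a Report-To group pointing at the configured reportUri.

// Policy tokens defined by the Referrer Policy specification.
const REFERRER_POLICIES = new Set([
  'no-referrer',
  'no-referrer-when-downgrade',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
]);

// Report-To is a JSON object per reporting group; browsers look the group up
// by name (e.g. from a CSP report-to directive). Endpoints must be https.
function buildReportTo({ reportUri, group = 'default', maxAge = 10886400 }) {
  if (!/^https:\/\//.test(reportUri)) throw new Error('reportUri must be an https URL');
  return JSON.stringify({ group, max_age: maxAge, endpoints: [{ url: reportUri }] });
}

// Option names below are assumptions, not helmet's option names.
function securityHeaders({
  referrerPolicy = 'strict-origin-when-cross-origin',
  reportUri,
  reportGroup = 'default',
  maxAge,
} = {}) {
  if (!REFERRER_POLICIES.has(referrerPolicy)) {
    throw new Error(`unknown Referrer-Policy value: ${referrerPolicy}`);
  }
  // Header values are computed once at startup, not per request.
  const reportTo = reportUri ? buildReportTo({ reportUri, group: reportGroup, maxAge }) : null;
  return function setSecurityHeaders(ctx, next) {
    ctx.set('Referrer-Policy', referrerPolicy);
    if (reportTo) ctx.set('Report-To', reportTo);
    return next(); // Koa awaits the returned promise
  };
}

// Fake Koa context so the middleware can be exercised without a server.
function fakeContext() {
  return {
    headers: {},
    set(name, value) { this.headers[name] = value; },
  };
}
```

Validating the policy token at construction time turns a typo in configuration into a startup error instead of a silently ignored header. Mounting is the usual `app.use(securityHeaders({ reportUri: ... }))`.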

  • [ ] Implement https://github.com/koajs/qs once new major version released

niftylettuce avatar May 27 '20 05:05 niftylettuce

  • [ ] Managed translation override concept (also investigate why Markdown not working in mandarin.markdown())

niftylettuce avatar May 29 '20 01:05 niftylettuce

  • [ ] Note that users must install gifsicle deps https://github.com/imagemin/gifsicle-bin/issues/79

niftylettuce avatar Jun 01 '20 01:06 niftylettuce

  • [ ] axe should only use parse-app-info in non-development and non-testing environment (configurable)

niftylettuce avatar Jun 21 '20 08:06 niftylettuce

  • [x] prefix koa cash keys with koa-cash: or something

niftylettuce avatar Jun 21 '20 09:06 niftylettuce

  • [x] X-Cached-Result: true (or false value) in koa-cash as an option addHeader: true enabled by default, and version bump it

niftylettuce avatar Jun 21 '20 09:06 niftylettuce

  • [x] improve caching by content-encoding gzip on fonts+svg (not sure why they aren't)

(attached screenshot: Screen Shot 2020-06-21 at 5 07 40 AM)

niftylettuce avatar Jun 21 '20 10:06 niftylettuce

  • [x] add cache policy option to koa-cash

(attached screenshot: Screen Shot 2020-06-21 at 5 05 48 AM)

niftylettuce avatar Jun 21 '20 10:06 niftylettuce

All of the above issues are now for v3.0.0 release or later.

niftylettuce avatar Jul 23 '20 02:07 niftylettuce

  • [ ] Add ability to "Cancel" a pending email address change
  • [ ] Investigate if reset password functionality circumvents 2FA
  • [ ] Move /change-email to /my-account/change-email

niftylettuce avatar Aug 28 '20 21:08 niftylettuce

  • [ ] Changing password should prompt for re-entry of password and OTP to continue
  • [ ] Changing email should prompt for re-entry of password and OTP to continue

niftylettuce avatar Aug 28 '20 22:08 niftylettuce

  • [ ] Configurable rate limit middleware that's specific to endpoints that send emails or insert data into database (e.g. contact form, signup, verify email, forgot password, reset password, change email, etc)

niftylettuce avatar Aug 28 '20 23:08 niftylettuce
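An endpoint-specific rate limiter of the kind the item above asks for, as an added example in the form of Koa-style middleware; this is not lad's code. Limits are declared per route and method and counted per client IP in a sliding window. The in-memory store, the route names in the sample configuration and the fake context are assumptions.

```javascript
// Added example (not lad's code): configurable rate limiting for endpoints that
// send mail or write to the database (contact form, signup, password reset, ...).

function createEndpointRateLimiter(limits, { now = Date.now } = {}) {
  const hits = new Map(); // "ip method path" -> timestamps (ms) of recent hits

  return function rateLimit(ctx, next) {
    const rule = limits[ctx.path];
    if (!rule || !rule.methods.includes(ctx.method)) return next();

    const key = `${ctx.ip} ${ctx.method} ${ctx.path}`;
    const t = now();
    // Drop hits that fell out of the window, then check what remains.
    const recent = (hits.get(key) || []).filter((ts) => t - ts < rule.windowMs);
    if (recent.length >= rule.max) {
      hits.set(key, recent);
      const retryAfterSec = Math.ceil((recent[0] + rule.windowMs - t) / 1000);
      ctx.status = 429;
      ctx.set('Retry-After', String(retryAfterSec));
      ctx.body = { error: 'Too many requests, try again later' };
      return; // next() is not called: no email sent, nothing inserted
    }
    recent.push(t);
    hits.set(key, recent);
    return next(); // Koa awaits whatever the downstream handler returns
  };
}

// Sample configuration (constructed): tighter budgets for endpoints that send
// mail or write to the database than for ordinary page views.
const SAMPLE_LIMITS = {
  '/forgot-password': { max: 3, windowMs: 60 * 60 * 1000, methods: ['POST'] },
  '/register': { max: 5, windowMs: 60 * 60 * 1000, methods: ['POST'] },
  '/contact': { max: 5, windowMs: 15 * 60 * 1000, methods: ['POST'] },
};

// Fake Koa context plus a driver so the middleware can be exercised offline.
function makeCtx(ip, method, path) {
  return {
    ip,
    method,
    path,
    status: 404,
    body: undefined,
    headers: {},
    set(name, value) { this.headers[name] = value; },
  };
}

function handle(limiter, ctx) {
  limiter(ctx, () => { ctx.status = 200; ctx.body = 'handled'; });
  return ctx.status;
}
```

Mount it before the routes with `app.use(createEndpointRateLimiter(SAMPLE_LIMITS))`. Two deployment caveats: behind a proxy, `ctx.ip` only reflects the real client once `app.proxy = true` is set, and the Map here is per process, so a shared store is needed when several workers serve the same endpoints.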