v3.0.0 Release Wishlist

[niftylettuce]

2.0.0 Release Wishlist

Features

• mandarin should automatically wrap placeholder tokens with <span class="notranslate">%s</span>
• Remove auto-bind from any dependencies
• Drop strength in favor of https://github.com/dropbox/zxcvbn (ref: Password not strong enough forwardemail/forwardemail.net#13)
• Replace mongoose-json-select with better approach (current is not clean enough)
• last ip isn't stored when user registers
• HTTP/2 issue https://bugs.chromium.org/p/chromium/issues/detail?id=1045328 and then upgrade @ladjs/api and @ladjs/web to use http2 again
• Fix core bug with koa-redirect-loop (Core bug koa-redirect-loop#1)
• Mongoose plugin that iterates over schema types using pre('validate') and post('save') hook to store an _original using rfdc(this) and does a deep diff comparison with human-friendly readable strings (e.g. versus manually comparing changes upon document updates - this would allow us to easily send emails to admins/users of changes to certain things) https://mongoosejs.com/docs/schematypes.html
• Mongoose v5.6 is currently locked and needs upgraded to Mongoose v5.7, however Mongoose v5.7 has the new unified topology setup, which will require a rewrite to @ladjs/mongoose in order to handle reconnectTries and reconnection interval. I am not certain how to rewrite this now and would love support from the community.
• Switch livereload to browser-sync and document it
• Implement factor-bundle to reduce client-side bundle build sizes (see https://github.com/browserify/browserify#multiple-bundles, Example of how to use it as a browserify plugin browserify/factor-bundle#35 (comment))
• Nested + prefixed loggers for everything (e.g. @ladjs/bull, @ladjs/mongoose, etc. are prefixed with $appName:mongoose)
• Add Docker compose (PR Add docker compose to lad template #358, Add docker compose to setup development environment #357)
• Improve remark parsing for Markdown (Improve remark parsing for Markdown mandarin#1)
• Add cache-pug-templates to cache Pug files (Add cache-pug-templates #343)
• Port express-redirect-loop to Koa once (port express-redirect-loop to koa and integrate into @ladjs/web after fixing it #363)
• Add mongoose-paranoid-plugin once Count method does not support paranoid option - please update code and patch? euqen/mongoose-paranoid-plugin#6 is resolved (add mongoose-paranoid-plugin #347)
• Add host validation (Add host validation #346)
• Fix installation warnings for custom-fonts-in-emails, font-awesome-assets, gulp-cloudfront, postcss-preset-env
• Switch off SweetAlert2 to use native Bootstrap modals and toast notifications
• OTP tests need added

Thoughts

Swagger

Automatic code introspection and Swagger YAML file generation (parses routes, allows inline annotations for overriding/enhancing YAML file, parses mocks/tests for parameters and request body params, parses response for object and its properties, parses available status codes based off complete code coverage, uses widdershins -> shins and swagger-ui for "try it out" code blocks, postman integration, open api v3 spec testing)

[niftylettuce]

Moved from #368:

• Drop momentjs
• moment and usage of i18n.api.t and i18n.translate in models, views, and email templates need to use localization of user
• Sitemap crawler
• Babel polyfill vs polyfill.io
• Two factor authentication
• Admin filtering by group, search by name/email
• User avatar upload (via lipo.io) (@niftylettuce will handle)
• Manifest PNG icon (@niftylettuce will handle)
• Figure out how to add lint-staged's xo --fix && git add to the template/package.json file (right now it errors out, see https://github.com/sudo-suhas/lint-staged-multi-pkg possibly we can use lerna or something)
• Record demo video and put it on README
• Lad LTS 1.0.0 "Chap"
• Lad email verification to verify account (otherwise someone can register in advance of someone else signing up for an account, then third party signs in with Google/GitHub)
• Deprecations:

  0|web      | ⚠  warning   The option `reconnectTries` is incompatible with the unified topology, please read more by visiting http://bit.ly/2D8WfT6 {
  0|web      |   app: {
  0|web      |     name: 'lad',
  0|web      |     version: '0.0.2',
  0|web      |     node: 'v12.10.0',
  0|web      |     hash: 'ecec4017fb14fd299e161b30b5e93c7c73f52041',
  0|web      |     environment: 'production',
  0|web      |     hostname: 'lad-demo-1',
  0|web      |     pid: 699
  0|web      |   }
  0|web      | }
  0|web      | ⚠  warning   The option `reconnectInterval` is incompatible with the unified topology, please read more by visiting http://bit.ly/2D8WfT6 {

• proxy server should remove "www" prefix from host on redirect
• server setup script needs --webroot-path server setup script needs --webroot-path #352 (?)
• Browser setAppInfo and parse-logs to parse this if it was passed
• Emails when security changes made (web/api account update or key rotation)
• Document all env vars that can be customized (e.g. rg "process.env" node_modules)

[niftylettuce]

• HTTP2 does not support raw Response headers via res._header so an alternative will need to be discovered cabinjs/cabin#133

[niftylettuce]

cc @shaunwarman I added above "OTP tests need added" checkbox

[niftylettuce]

- [ ] OptimalBits/bull#1659 (no longer using Bull)

[niftylettuce]

• Programmatically include a polyfill.js file with required plugins (vs. using all plugins) via Add a shouldInjectPolyfill option to polyfill providers babel/babel-polyfills#13 (comment) and Programmatic list of polyfills? babel/babel#11583

[niftylettuce]

• Upgrade to pug v3.x+ once Breaking v3.x change pugjs/pug#3260 is resolved

[niftylettuce]

• Referrer Header Policy https://scotthelme.co.uk/a-new-security-header-referrer-policy/

• Feature Header Policy https://scotthelme.co.uk/a-new-security-header-feature-policy/ too experimental per Proposal: define default for all w3c/webappsec-permissions-policy#189 and Add a "disable everything" feature helmetjs/feature-policy#6

[niftylettuce]

• Report-To header (we already have reportUri option being used in helmet)

[niftylettuce]

• Implement https://github.com/koajs/qs once new major version released

[niftylettuce]

• Managed translation override concept (also investigate why Markdown not working in mandarin.markdown())

[niftylettuce]

• Note that users must install gifsicle deps Error: autoreconf -ivf  imagemin/gifsicle-bin#79

[niftylettuce]

• axe should only use parse-app-info in non-development and non-testing environment (configurable)

[niftylettuce]

• prefix koa cash keys with koa-cash: or something

[niftylettuce]

• X-Cached-Result: true (or false value) in koa-cash as an option addHeader: true enabled by default, and version bump it

[niftylettuce]

• improve caching by content-encoding gzip on fonts+svg (not sure why they aren't)

[niftylettuce]

• add cache policy option to koa-cash

[niftylettuce]

All of the above issues are now for v3.0.0 release or later.

[niftylettuce]

• Add ability to "Cancel" a pending email address change
• Investigate if reset password functionality circumvents 2FA
• Move /change-email to /my-account/change-email

[niftylettuce]

• Changing password should prompt for re-entry of password and OTP to continue
• Changing email should prompt for re-entry of password and OTP to continue

[niftylettuce]

• Configurable rate limit middleware that's specific to endpoints that send emails or insert data into database (e.g. contact form, signup, verify email, forgot password, reset password, change email, etc)