sameboat-platform
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/ASAP.md‎
Lines changed: 101 additions & 0 deletions b/‎docs/ASAP.md‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎docs/Weekly Plan Docs/Domain_&_Hosting_Checklist.md‎
Lines changed: 82 additions & 49 deletions b/‎docs/Weekly Plan Docs/Domain_&_Hosting_Checklist.md‎
Lines changed: 82 additions & 49 deletions
@@ -1,7 +1,7 @@
 ![Backend CI](https://github.com/ArchILLtect/sameboat-backend/actions/workflows/backend-ci.yml/badge.svg)
 # SameBoat Backend (Spring Boot + Java 21)
 
-> Quick Links: [Instructions (setup & migrations)](./docs/instructions.md) | [API Reference](./docs/api.md)
+> Quick Links: [Instructions (setup & migrations)](./docs/instructions.md) | [API Reference](./docs/api.md) | [Week 3 Plan](./docs/Weekly%20Plan%20Docs/week_3_plan_same_boat_honors_project_fall_2025.md) | Journals: [Index](./docs/journals/README.md) · [Week 1](./docs/journals/Week1-Journal.md) · [Week 2](./docs/journals/Week2-Journal.md)
 
 ## Run locally
 1. Copy `.env.example` → `.env` and fill appropriate JDBC DS values (or rely on defaults in `application.yml`).
 
@@ -0,0 +1,101 @@
+# ASAP Task List
+
+Purpose: High-priority items to unblock momentum immediately at the start of Week 3. Keep this file short-lived (archive after completion into journal or close as a PR).
+
+---
+## 1. Finish Week 2 Frontend Tasks
+**Goal:** Minimal end‑to‑end auth UX (login -> /me -> logout -> redirect on 401) plus basic profile display.
+
+| Subtask | Status | Priority | Notes / Next Action |
+|---------|--------|----------|----------------------|
+| Implement login form (email + password) | ☐ | P0 | POST /auth/login; show BAD_CREDENTIALS message |
+| Persist session via cookie automatically | ☐ | P0 | Browser handles; ensure fetch uses `credentials: 'include'` |
+| Global fetch wrapper w/ 401 handling | ☐ | P0 | Redirect to /login on UNAUTHENTICATED or SESSION_EXPIRED |
+| /me fetch on app mount (AuthProvider) | ☐ | P0 | Set user context; null if 401 |
+| Display user email/avatar placeholder | ☐ | P1 | Simple component (ProfileBadge) |
+| Logout button (POST /auth/logout) | ☐ | P1 | Clear UI state after 204 |
+| Patch profile (optional this sprint) | ☐ | P2 | Only if time; update displayName & bio |
+| Add MSW mocks for auth endpoints | ☐ | P1 | Mirror backend codes: BAD_CREDENTIALS, UNAUTHENTICATED, SESSION_EXPIRED |
+| Vitest tests: login success & 401 redirect | ☐ | P1 | Cover redirect logic + context update |
+| Coverage report (baseline) | ☐ | P2 | Document %; gate can come later |
+
+**Definition of Done (Frontend slice):** User can login, see their email, refresh retains session, expired session triggers redirect, logout returns to login screen.
+
+---
+## 2. Fix / Enhance Backend CI
+**Goal:** Strengthen pipeline fidelity & transparency. Current CI green but missing schema + stronger coverage signal.
+
+| Subtask | Status | Priority | Notes / Next Action |
+|---------|--------|----------|----------------------|
+| Add Testcontainers Postgres to main `verify` job | ☐ | P0 | Re-run migrations against real PG; adapt memory/timeouts |
+| Keep fast H2 job (matrix) for quick feedback | ☐ | P2 | Parallel speed vs fidelity balance |
+| Integrate migration immutability script (already) – enforce fail-fast | ☑ | Done | Present; ensure docs reference remains |
+| Promote migration profile to default (or separate job) | ☐ | P1 | Possibly `verify -Pwith-migration-test` in second job |
+| Publish JaCoCo report artifact | ☐ | P1 | Upload HTML for PR inspection |
+| Add coverage XML + PR comment (optional) | ☐ | P2 | Use action (e.g. codecov or custom) |
+| Raise coverage gate to 75% after new unit tests | ☐ | P1 | Only after added tests pass locally |
+| Add caching for Maven & Testcontainers layers | ☐ | P2 | Optimize build time |
+| Add CI badge for coverage (shields.io manual) | ☐ | P3 | After stable coverage baseline |
+| Lint / format check (Spotless or Checkstyle) | ☐ | P3 | Future quality gate |
+
+**Definition of Done (CI enhancement):** Main pipeline runs Postgres-backed migration & integration test job + coverage artifact; gate reflects intended minimum.
+
+---
+## 3. Add JavaDocs for New / Updated Classes
+**Goal:** Provide concise, high-value documentation for maintainability & onboarding.
+
+| Class / File | Status | Priority | Required Doc Elements |
+|--------------|--------|----------|-----------------------|
+| `AuthController` | ☐ | P0 | Purpose, endpoints summary, error codes mapping |
+| `SecurityConfig` | ☐ | P0 | Filter chain ordering, public vs protected endpoints |
+| `SessionAuthenticationFilter` | ☐ | P0 | Cookie extraction, expiry handling, context population |
+| `SameboatProperties` | ☐ | P0 | Property groups (auth, cookie, session, cors) |
+| `UserService` (new methods) | ☐ | P1 | Registration, normalization, hashing rationale |
+| `SessionService` (if present) | ☐ | P1 | Touch semantics, expiry strategy |
+| `UserController` (updated responses) | ☐ | P1 | Auth codes & validation errors |
+| DTOs: `RegisterRequest`, `LoginRequest`, `LoginResponse`, `UpdateUserRequest` | ☐ | P2 | Field intent, validation rules |
+| `ExpiredSessionIntegrationTest` | ☐ | P2 | Test purpose & scenario coverage |
+| `RegistrationIntegrationTest` | ☐ | P2 | Cases covered (duplicate, wrong password) |
+| `BadCookieIntegrationTest` | ☐ | P3 | Distinguish UNAUTHENTICATED vs BAD_CREDENTIALS |
+| `CorsConfig` | ☐ | P2 | Origins list binding & credentials rationale |
+| `UserEntity` (passwordHash note) | ☐ | P1 | Persistence constraints, lifecycle callbacks |
+
+### JavaDoc Style Guidelines
+- Start with a one-line summary sentence.
+- Include rationale if behavior differs from standard Spring conventions.
+- Reference error codes (`UNAUTHENTICATED`, `BAD_CREDENTIALS`, etc.) where relevant.
+- Avoid repeating self-evident field names; focus on intent & constraints.
+
+### Suggested Workflow
+1. Add JavaDocs to highest priority classes (controllers, security, filter, properties).
+2. Run `mvn -DskipTests javadoc:javadoc` to validate formatting.
+3. Follow with service / entity / DTOs.
+4. Mark table status as completed (☑) and remove table once all P0/P1 done.
+
+---
+## 4. Quick Win Order of Execution
+1. Add password complexity + unit test (backend) to unblock frontend expectation of error message structure.
+2. Implement frontend login flow & 401 redirect before rate limiting (ensures base path works).
+3. Integrate Testcontainers migration test into CI for realism.
+4. Add rate limiting + `RATE_LIMITED` error code & test.
+5. Add pruning scheduler & test (in-memory clock or manual expiry manipulation).
+6. JavaDocs pass P0 classes.
+7. Raise coverage gate after new unit tests.
+
+---
+## 5. Blocking Issues / Questions (Fill In)
+| Issue | Impact | Owner | Resolution Target |
+|-------|--------|-------|-------------------|
+| (example) Need decision: use Bucket4j vs simple Atomic counters | Could delay rate limit feature | TBD | Day 2 |
+| | | | |
+
+---
+## 6. Exit Criteria for Closing This File
+- All P0 + P1 tasks in sections 1–3 completed and referenced in Week 3 journal.
+- CI reflects new coverage gate and Postgres integration.
+- JavaDocs generated without warnings for P0 classes.
+- File archived (rename to `ASAP-closed-<date>.md`) or removed.
+
+---
+*Created: 2025-09-27*
+
@@ -10,6 +10,25 @@
 - Backend API: api.sameboat.<tld> → Render
 - DB: Neon (unchanged)
 
+### CURRENT IMPLEMENTATION SNAPSHOT (Week 2 end)
+| Area | Status | Notes |
+|------|--------|-------|
+| Domain purchased | Pending | No domain configured in repo yet |
+| DNS zone created (Cloudflare) | Pending | All references still placeholder `<tld>` |
+| Backend prod profile | Ready | `application-prod.yml` with secure cookie & CORS |
+| CORS origins config | Ready | Uses `sameboat.cors.allowed-origins` list (dev + placeholders) |
+| Session cookie name | Implemented | Primary `SBSESSION`, alias `sb_session` accepted at runtime |
+| Cookie domain logic | Ready | Configurable via `sameboat.cookie.domain` (prod profile sets `.sameboat.<tld>`) |
+| Secure flag (prod) | Ready | `sameboat.cookie.secure=true` in prod profile |
+| TTL (prod) | Ready | 14 days (`sameboat.session.ttl-days=14`) |
+| Registration & login | Implemented | Sets `SBSESSION` HttpOnly cookie |
+| Logout clearing cookie | Implemented | Max-Age=0 consistent with domain/secure settings |
+| Observability logs | Implemented | INFO login/logout, WARN expired/invalid session |
+| Frontend deploy integration | Pending | No Netlify domain wiring yet |
+| API host deployment | Pending | Render setup not documented in repo scripts |
+| OpenAPI exposure | Pending | No `/v3/api-docs` yet |
+| HSTS | Deferred | Add after domain + HTTPS stable |
+
 ### Prereqs
 - Pick <tld> and buy sameboat.<tld> on Cloudflare Registrar.
 - Frontend repo ready (Vite). Backend repo builds a runnable JAR (./mvnw package) or Docker image.
@@ -60,51 +79,34 @@ Create public/_redirects (or in project root) with:
   _(Render provides `$PORT`;` -Dserver.port=$PORT` ensures Spring listens correctly.)_
 
 #### Env vars (Render → Environment):
-- `SPRING_PROFILES_ACTIVE=prod`
-- `SPRING_DATASOURCE_URL=jdbc:postgresql://<neon-host>:5432/<db>?sslmode=require`
-- `SPRING_DATASOURCE_USERNAME=<user>`
-- `SPRING_DATASOURCE_PASSWORD=<pass>`
-- `SESSION_TTL_DAYS=14`
-- `COOKIE_DOMAIN=.sameboat.<tld>`
+```
+SPRING_PROFILES_ACTIVE=prod
+SPRING_DATASOURCE_URL=jdbc:postgresql://<neon-host>:5432/<db>?sslmode=require
+SPRING_DATASOURCE_USERNAME=<user>
+SPRING_DATASOURCE_PASSWORD=<pass>
+SAMEBOAT_COOKIE_DOMAIN=.sameboat.<tld>
+SAMEBOAT_COOKIE_SECURE=true
+SAMEBOAT_SESSION_TTL_DAYS=14
+SAMEBOAT_CORS_ALLOWED_ORIGINS=https://app.sameboat.<tld>,https://*.netlify.app
+```
+_(Spring relaxed binding maps environment uppercase underscore vars to sameboat.*)_
 
 #### Custom domain (Render)
-- Add api.sameboat.<tld> → complete DNS (already CNAME’d) → enable HTTPS.
+- Add api.sameboat.<tld> → complete DNS CNAME → enable HTTPS.
 
 ### 4) Backend CORS & Cookie (prod)
 
-Allow your real frontend + deploy previews; set cookie for parent domain:
-```text
-// CORS bean (prod)
-@Bean
-CorsConfigurationSource corsConfigurationSource() {
-var cfg = new CorsConfiguration();
-cfg.setAllowedOrigins(List.of(
-"https://app.sameboat.<tld>",
-"https://*.netlify.app" // Netlify Deploy Previews
-));
-cfg.setAllowedMethods(List.of("GET","POST","PUT","PATCH","DELETE","OPTIONS"));
-cfg.setAllowedHeaders(List.of("*"));
-cfg.setAllowCredentials(true);
-var src = new UrlBasedCorsConfigurationSource();
-src.registerCorsConfiguration("/**", cfg);
-return src;
-}
-```
-When issuing the session cookie on login:
+Current implementation (type-safe properties) already covers this; snippet illustrative only:
 ```java
-ResponseCookie cookie = ResponseCookie.from("sb_session", sessionId)
-.httpOnly(true)
-.secure(true)                 // prod
-.sameSite("Lax")
-.domain(".sameboat.<tld>")    // share across app/api subdomains
-.path("/")
-.maxAge(Duration.ofDays(14))
-.build();
-response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
+// In production, properties drive these values:
+props.getCors().getAllowedOrigins(); // includes app.sameboat.<tld>, *.netlify.app
+props.getCookie().isSecure();        // true
+props.getCookie().getDomain();       // .sameboat.<tld>
+props.getSession().getTtlDays();     // 14
 ```
+Login cookie issuance uses `SBSESSION`; alias `sb_session` still accepted inbound.
 
 ---
-
 ### 5) Frontend dev settings (unchanged)
 
 - [ ] `frontend-sameboat/.env.local`:
@@ -114,12 +116,11 @@ VITE_API_BASE=/api
 - [ ] `vite.config.ts` dev proxy:
 ```ts
 server: {
-proxy: { '/api': { target: 'http://localhost:8080', changeOrigin: true } }
+  proxy: { '/api': { target: 'http://localhost:8080', changeOrigin: true } }
 }
 ```
 
 ---
-
 ### 6) Verification checklist
 
 #### DNS/TLS
@@ -128,28 +129,60 @@ proxy: { '/api': { target: 'http://localhost:8080', changeOrigin: true } }
 - [ ] Apex https://sameboat.<tld> redirects to https://app.sameboat.<tld>.
 
 #### CORS & Cookies
-- [ ] From `app.sameboat.<tld>`, login sets sb_session; Secure; SameSite=Lax; Domain=.sameboat.<tld>.
-- [ ] XHR to `https://api.sameboat.<tld>/api/me` includes cookie and returns 200.
+- [ ] From `app.sameboat.<tld>`, login sets `SBSESSION` (Secure, HttpOnly, SameSite=Lax, Domain=.sameboat.<tld>).  
+- [ ] XHR to `https://api.sameboat.<tld>/api/me` includes cookie → 200.
+- [ ] Expired session returns 401 JSON `{ "error": "SESSION_EXPIRED" }`.
+- [ ] Garbage cookie returns 401 JSON `{ "error": "UNAUTHENTICATED" }`.
 
 #### Netlify Previews
-- [ ] A Deploy Preview domain (e.g., `https://deploy-preview-123--<site>.netlify.app`) can call the API (CORS allow list includes `*.netlify.app`).
+- [ ] A Deploy Preview (e.g., `https://deploy-preview-123--<site>.netlify.app`) can call API (CORS allow list includes `*.netlify.app`).
 
 #### Backend logs
-- [ ] INFO on login/logout; WARN on invalid/expired session (as implemented).
+- [ ] INFO lines on login/logout; WARN on invalid/expired session visible in Render logs.
 
 ---
-
 ### 7) Nice-to-haves (later)
-- [ ] Enable HSTS in Cloudflare (after you confirm HTTPS everywhere).
+- [ ] Enable HSTS in Cloudflare (after HTTPS confirmed) & set min TLS 1.2.
 - [ ] Add OpenAPI (`springdoc-openapi`) to serve `/v3/api-docs`; generate TS types in FE.
-- [ ] Add ruleset requiring Backend CI checks to pass (already done).
-- [ ] Move repos to GitHub org; centralize secrets and rules.
+- [ ] WAF / rate limiting rule (basic bot mitigation) in Cloudflare.
+- [ ] Structured JSON logging (trace correlation) for auth events.
+- [ ] Observability: add `/actuator/metrics` + remote scraping.
 
 ---
-
 ### 8) Rollback plan (just in case)
-- [ ] Keep the old URLs live until new ones are verified.
-- [ ] If something breaks, point `app.` back to the Netlify default subdomain and `api`. back to Render’s `.onrender.com` origin (DNS CNAME changes are instant; allow up to a few minutes for global propagation).
+- [ ] Keep the old URLs (default Netlify & Render) live until new ones are verified.
+- [ ] If issues arise, revert DNS CNAMEs to provider defaults; TTL low (300s) to speed rollback.
+
+---
+### 9) Post‑Week 2 Action Items
+| Priority | Action | Rationale |
+|----------|--------|-----------|
+| High | Acquire domain & provision Cloudflare zone | Unblocks all prod validation |
+| High | Deploy backend to Render with prod profile | Validate secure cookie + CORS in real env |
+| High | Deploy frontend to Netlify with API base pointing to Render | End‑to‑end session test |
+| Medium | Add migration test to main CI (Testcontainers) | Prevent drift & enforce schema early |
+| Medium | Add rate limiting / basic abuse guard | Mitigate brute force on login |
+| Medium | OpenAPI generation + publish docs | Improve FE contract stability |
+| Low | Session pruning job | Control table growth |
+| Low | Add HSTS + security headers | Harden prod edge |
+
+### 10) Quick Validation Script (once deployed)
+```bash
+# Health
+curl -i https://api.sameboat.<tld>/actuator/health
+
+# Register user
+curl -i -X POST https://api.sameboat.<tld>/auth/register \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"smoke@sameboat.<tld>","password":"Abcdef1!"}'
+
+# Extract cookie then call /me
+COOKIE=$(curl -i -s https://api.sameboat.<tld>/auth/login \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"smoke@sameboat.<tld>","password":"Abcdef1!"}' | grep -Fi Set-Cookie | sed 's/;.*//')
+
+curl -i https://api.sameboat.<tld>/me -H "Cookie: $COOKIE"
+```
 
 ---
 _For broader architecture overview see `docs/Architecture.md`._