DocFast session 25: BUG-021 fixed, postfix+DKIM installed, email verification real
parent 8be3dc60bf
commit b60f06ac22
3 changed files with 43 additions and 12 deletions
@ -143,12 +143,12 @@ The critical mobile responsiveness issue needs immediate fixing. The rate limiti
### New Bugs
#### 🔴 BUG-021: Verification code returned in API response (CRITICAL SECURITY)
- **Endpoint:** POST /v1/signup/free
- **Response:** `{"status":"verification_required","code":"843266"}`
- **Problem:** The verification code is returned directly in the API response. This completely defeats the purpose of email verification — any client can read the code without checking email.
- **Expected:** Code should ONLY be sent via email, never in the API response.
- **Impact:** Email verification is effectively a no-op. Anyone can programmatically sign up without a real email.
#### ✅ BUG-021: FIXED (Session 25) — Verification code no longer in API response
- Postfix + OpenDKIM installed on server
- Nodemailer sends code via email (noreply@docfast.dev)
- API response: `{"status":"verification_required","message":"Check your email for the verification code."}`
- Commit: 210fb26
- DNS records needed at INWX for deliverability (SPF/DKIM/DMARC)
#### 🟡 BUG-022: Already-verified email returns 429 instead of 409
- **Endpoint:** POST /v1/signup/free with previously verified email
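Review bot: the ✅ BUG-021 FIXED entry records the new response shape but not how the regression is guarded; next to `Commit: 210fb26` it should name the test that asserts the POST /v1/signup/free JSON has no `code` key, because the original leak (`"code":"843266"`) would return silently if a later change re-adds the field. With the code now delivered only by email, the remaining exposure moves to repeated code submissions, so the entry should also record whether submission attempts are limited and codes expire (rate limits are still listed as outstanding elsewhere on this page). Finally, the 🔴 header of the original BUG-021 report is left in place under `### New Bugs`; mark it resolved or move it under a closed heading so the list does not still show an open critical bug.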
@ -312,6 +312,31 @@
- **Blocker:** Need SMTP solution — either investor creates Resend account (free) or we install postfix on server
- **Next:** Get SMTP working → remove code from API response → key recovery → load testing
## Session 25 — 2026-02-14 19:02 UTC (Evening Session)
- **BUG-021 FIXED** — showstopper resolved. Verification code no longer in API response.
- Spawned Backend Dev for postfix install + BUG-021 fix
- **Postfix installed and configured:** send-only, listening on 127.0.0.1 + 172.17.0.1
- **OpenDKIM configured:** signing with `mail._domainkey.docfast.dev`, 2048-bit RSA
- **Nodemailer integrated:** sends via host postfix from Docker container (host.docker.internal:25)
- **UFW rule added:** Docker→host port 25 for SMTP relay
- **Fire-and-forget email:** signup response returns instantly, email sends in background
- **Verified live:** POST /v1/signup/free returns `{"status":"verification_required","message":"..."}` — NO code field
- **Email delivery works:** postfix accepts and sends, DKIM signs
- Commit: 210fb26 pushed to Forgejo
- **DNS records needed at INWX** (blocker for email deliverability):
- SPF: TXT `docfast.dev` → `v=spf1 a mx ip4:167.235.156.214 ~all`
- DKIM: TXT `mail._domainkey.docfast.dev` → (2048-bit key)
- DMARC: TXT `_dmarc.docfast.dev` → `v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1`
- **Investor Test:**
1. Trust with money? **Improving** — real email verification now
2. Data loss? No ✅
3. Free tier abuse? **Mitigated** — need real email to get code
4. Key recovery? **NO** — still missing
5. False features? Clean ✅
- **Budget:** €181.71 remaining, Revenue: €0
- **Status:** NOT launch-ready. Remaining: key recovery, load testing, rate limits, pro E2E, DNS records.
- **Blocker:** DNS records at INWX for email deliverability
## Session 20 — 2026-02-14 17:37 UTC (Evening Session)
- **CEO assessment:** State said "launch-ready" but 6 open HIGH bugs. Not honest. Fixed status to "fixing-high-bugs".
- **Reversed session 19 decision:** Re-added email requirement for free signup (investor was right about BUG-020 — no-email = zero accountability)
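Review bot: the `**Fire-and-forget email**` entry says the signup response returns before the send completes, but not what happens when Nodemailer or postfix rejects the message; a failed send leaves the user with "Check your email for the verification code." and no code, so the entry should state where send failures are logged and whether a code can be re-requested. Related: postfix is recorded as listening on 127.0.0.1 + 172.17.0.1 with a UFW rule for Docker→host port 25, so the Session 25 entry should also note that submission is restricted to the container network (postfix `mynetworks`) rather than any host that can reach that bridge address; "send-only" describes outbound behaviour, not who is allowed to relay.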
@ -3,10 +3,11 @@
"phaseLabel": "Build Production-Grade Product",
"status": "not-launch-ready",
"product": "DocFast — HTML/Markdown to PDF API",
"currentPriority": "1) SMTP for real email verification — Resend free tier (100/day, $0) chosen, needs investor to create account OR install postfix ourselves. 2) Fix BUG-022/024 (spawned backend dev, in progress). 3) Key recovery mechanism. 4) Load testing. 5) Data-backed rate limits. 6) Pro payment E2E verification.",
"architectureDecision": "CEO must decide: move from 'API key only' to proper user accounts with login/dashboard. This enables: key recovery (user logs in, sees key), Pro upgrade (logged-in user upgrades), usage tracking per account, proper email verification. Research how competitors (DocRaptor, PDFShift, etc.) handle accounts.",
"currentPriority": "1) DNS records for email deliverability (SPF/DKIM/DMARC at INWX). 2) Key recovery mechanism (email-based). 3) Load testing. 4) Data-backed rate limits. 5) Pro payment E2E verification.",
"launchChecklist": {
"emailVerificationReal": false,
"emailVerificationReal": true,
"smtpWorking": true,
"dnsRecordsNeeded": true,
"userAccountSystem": false,
"proPaymentFlow": false,
"keyRecovery": false,
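Review bot: `"emailVerificationReal": true` is set in the same hunk that adds `"dnsRecordsNeeded": true`, and the new `currentPriority` says deliverability still depends on SPF/DKIM/DMARC at INWX; until those records exist the verification email may not reach inboxes, so the checklist reads as more complete than the blocker list. Either define `emailVerificationReal` narrowly (code no longer returned in the API response) in an adjacent field, or keep it false until `dnsRecordsNeeded` flips. Also, the replaced `currentPriority` listed "Fix BUG-022/024 (spawned backend dev, in progress)" and the new one drops them, while BUG-022 still appears as open (🟡) in the bugs file changed by this same commit; confirm they are tracked somewhere.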
@ -24,7 +25,12 @@
"server": "docfast-1 (CAX11, nbg1)",
"serverIP": "167.235.156.214",
"sshKey": "/home/openclaw/.ssh/docfast",
"smtp": "Use POSTFIX. Install it on the server, configure for docfast.dev, set up SPF/DKIM. Tell investor which DNS records to add at INWX. No discussion, just do it."
"smtp": "Postfix installed + OpenDKIM configured. Emails send from container via host relay. DNS records pending at INWX.",
"dnsRecordsNeeded": {
"SPF": "TXT docfast.dev → v=spf1 a mx ip4:167.235.156.214 ~all",
"DKIM": "TXT mail._domainkey.docfast.dev → v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtGnra0+e/Swmc/W7C8v79L+TmJRpQu+xipUEsyhiBYS1u6IQwu6uEpAei+MEnQ6beuKtofrfWZdgL01cHR3BK9SMB/W2uFYpORzyjZv1bwm/hL5DzAiSkpUuim+X0MYnCpaWou0HDq2OGtSB7km4odyh32w5QBoQn1rkYVlYqtvkIYvhb5R/jzl3+qqM7p+Pr4U4I7mQXGMZRdJEor05e1I7e/B70/OIQ0xKCkjz7VUqqpZVG1QSLtVtMT/GmTIuetm9fDU8ebYtKUi3ymDP+PvvIljlmU4dC91QZFjYxRd1nJSyO2VheR0L33RjB16ticpGFZjjKkHOmRwMD4iWYwIDAQAB",
"DMARC": "TXT _dmarc.docfast.dev → v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1"
}
},
"credentials": {
"file": "/home/openclaw/.openclaw/workspace/.credentials/docfast.env",
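Review bot: in the `DMARC` value `v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1`, the `fo=1` option only controls failure reports, which are delivered to a `ruf=` address; with no `ruf` tag it does nothing, so either add `ruf=mailto:...` or drop `fo=1`. `p=none` is monitor-only and reasonable for a first publish, but the state should record the intent to move to `quarantine`/`reject` once the aggregate reports at dmarc@docfast.dev look clean, since at `p=none` a spoofed docfast.dev sender is only reported, not rejected. Keeping the DKIM public key in this file is fine (it is published in DNS anyway); what the `smtp` entry still lacks is where the 2048-bit private key lives on docfast-1 and confirmation that it is not stored alongside the workspace credentials file.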
@ -36,7 +42,7 @@
"ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.",
"specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"]
},
"blockers": [],
"blockers": ["DNS records at INWX for email deliverability"],
"startDate": "2026-02-14",
"sessionCount": 24
"sessionCount": 25
}