- Created migration 930_add_missing_foreign_keys.sql
- Added FK constraints for legacy fields: tracks.user_id, rooms.owner_id, messages.user_id, messages.parent_id
- Added FK constraint for audit_logs.user_id
- All constraints use ON DELETE SET NULL for legacy fields and audit_logs
- Verified primary foreign keys already have proper constraints in existing migrations
- Models already have proper GORM foreignKey tags
Phase: PHASE-1
Priority: P0
Progress: 12/267 (4.5%)
- Removed requireFeature guards from collaborator functions
- Updated addCollaborator to use unwrapped response format
- Implemented getCollaborators to call GET endpoint
- Enabled PLAYLIST_COLLABORATION feature flag
- All collaborator CRUD operations now functional
Phase: PHASE-1
Priority: P0
Progress: 10/267 (3.7%)
- Fixed queue_job_id: number -> string in hlsService.ts
- Fixed track_id: number -> string in trackService.ts
- Fixed id: number -> string in usePlaylistNotifications.ts
- Fixed Role.id, Permission.id, UserRole.id, UserRole.role_id, AssignRoleRequest.role_id: number -> string in role.ts
- Fixed playlist_id: number -> string in PlaylistAnalytics.tsx
- All IDs now consistently use string (UUID) type matching backend DTOs
- Backend already uses uuid.UUID for all entity IDs
Phase: PHASE-1
Priority: P0
Progress: 7/267 (2.6%)
- Added routes in router.go: POST, GET, PUT, DELETE /playlists/:id/collaborators
- Applied RequireOwnershipOrAdmin middleware to POST, PUT, DELETE routes
- GET route accessible to collaborators (service layer checks permissions)
- Fixed UpdateCollaboratorPermission handler to use RespondWithAppError
- All handlers already existed in playlist_handler.go
- All endpoints properly authenticated and ownership checks enforced
Phase: PHASE-1
Priority: P0
Progress: 5/267 (1.9%)
- Created TwoFactorHandler with SetupTwoFactor, VerifyTwoFactor, DisableTwoFactor, GetTwoFactorStatus
- Added routes: POST /auth/2fa/setup, POST /auth/2fa/verify, POST /auth/2fa/disable, GET /auth/2fa/status
- Updated LoginResponse DTO to include requires_2fa flag
- Updated Login handler to check 2FA status and return requires_2fa flag when enabled
- Reused existing TwoFactorService (already had QR generation and TOTP verification)
- Added VerifyTOTPCode helper method to TwoFactorService
- All endpoints properly authenticated with RequireAuth middleware
Phase: PHASE-1
Priority: P0
Progress: 4/267 (1.5%)
- Verified RequireOwnershipOrAdmin middleware is correctly applied to PUT/DELETE /tracks/:id
- Verified trackOwnerResolver correctly loads track from DB and returns user_id
- Added comprehensive integration tests for ownership verification
- Test: user cannot update another user's track (403 Forbidden)
- Test: user cannot delete another user's track (403 Forbidden)
- Test: admin can update any track (200 OK)
- Test: admin can delete any track (200 OK)
- Test: user can update own track (200 OK)
- Test: user can delete own track (200 OK)
- All tests pass
Phase: PHASE-1
Priority: P0
Progress: 2/267 (0.7%)
- Verified RequireOwnershipOrAdmin middleware is correctly applied to PUT /users/:id
- Added integration tests for ownership verification
- Test: user cannot update another user's profile (403 Forbidden)
- Test: admin can update any profile (200 OK)
- Test: user can update own profile (200 OK)
- All tests pass
Phase: PHASE-1
Priority: P0
Progress: 1/267 (0.4%)
- Unified token storage to use TokenStorage service
- Removed deprecated token-manager.ts
- Removed fallback storage logic in API client
- Updated tests and feature components to use TokenStorage
Resolves: INT-000002
Severity: P0
- Updated docker-compose.production.yml to set APP_ENV=production
- Added CORS_ALLOWED_ORIGINS configuration to backend-api service
- Created integration tracking documents
Resolves: INT-000001
Severity: P0
