From 410e1f0c3f6d31f7e4c24e42c3bff12773759960 Mon Sep 17 00:00:00 2001 From: Frank Tovar Date: Mon, 2 Feb 2026 14:40:38 +0100 Subject: [PATCH] updated MD files --- AGENTS.md | 22 ++-------------------- TASKS.md | 10 ---------- 2 files changed, 2 insertions(+), 30 deletions(-) delete mode 100644 TASKS.md diff --git a/AGENTS.md b/AGENTS.md index ddde461..3802d8b 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -11,7 +11,7 @@ Tech constraints: - ASP.NET Core Minimal API - Static HTML/CSS/JS (no Razor Pages, no Blazor, no HTMX) - SQLite via EF Core -- Cookie-based anonymous identity (no accounts) +- Username+Password identity (account stored in database) - Single active “session” (one room) unless extended later - Runs on IIS (Windows Server) @@ -30,10 +30,6 @@ Also see the other related files: API.md, IIS.md, SPEC.md - Results phase: only aggregated totals are shown. - **Minimal moving parts**: prefer `Program.cs` + a few small files over frameworks. -### “Ridiculously fast” bias -- Prefer “ship a working MVP” over architecture purity. -- Avoid introducing new dependencies unless they remove complexity. - --- ## Repo Layout Target @@ -53,21 +49,6 @@ Do not introduce MVC controllers, Razor Pages, Blazor, or SPA frameworks. --- -## Implementation Checklist (Codex should follow this order) - -1. App boots and serves static files -2. Cookie-based anonymous identity -3. Phase gating (server-side) -4. Suggest phase (blind input) -5. Reveal phase (read-only) -6. Vote phase (blind scoring) -7. Results phase (aggregated leaderboard) -8. Admin controls (phase switch, reset) -9. Factory reset (clear all data including players) for fresh testing/deploy -10. Suggest delete (players can delete their own suggestions during Suggest phase) - ---- - ## Security Notes - Cookie must be HttpOnly and SameSite=Strict 
@@ -81,5 +62,6 @@ Do not introduce MVC controllers, Razor Pages, Blazor, or SPA frameworks. - Implement API first, UI second - Keep changes small and testable - Prefer clarity over abstraction +- Avoid introducing new dependencies unless they remove complexity. - After every iteration, do a git commit with a brief summary of the changes as a commit message. - Keep endpoint logic in `Endpoints/` and shared helpers/DTOs in their folders to avoid Program.cs bloat. diff --git a/TASKS.md b/TASKS.md deleted file mode 100644 index 25e3ca5..0000000 --- a/TASKS.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# CoopGameChooser Task List - -## Auth overhaul — username/password instead of random cookie -- [x] Data model: add username + password hash/salt to `Player`, enforce unique username, update `AppDbContext` config and create an EF migration; ensure factory reset seeds stay valid. -- [x] Cookie pipeline: refactor `UsePlayerIdentity` into a reader that only trusts existing `player` cookies; add helper to issue/clear the cookie after login/register while keeping HttpOnly/SameSite/Secure semantics. -- [x] Auth endpoints: add `/api/auth/register`, `/api/auth/login`, `/api/auth/logout`; registration creates the player, sets the `player` cookie, and stores display name; login validates password and reissues cookie; logout clears cookie. -- [x] Endpoint auth guard: replace `GetOrCreatePlayer` with a `GetAuthenticatedPlayer` helper that returns 401 when unauthenticated; update all suggest/vote/state endpoints to depend on an authenticated player without creating one implicitly. -- [x] Frontend UX: add login/register screen shown when `/api/me` returns 401; on success hide auth pane, preload name, then refresh phase data; include a logout control to clear local state. -- [x] Docs: update `API.md` (and `SPEC.md`) to document new auth flows, required auth for existing endpoints, and cookie token behavior. -- [x] Ops/migration notes: generate/apply migration, legacy players auto-assigned `legacy-xxxxxxxx` usernames with blank hashes; expect fresh registration or factory reset; IIS/base-path unaffected.
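Review bot: In the AGENTS.md "Tech constraints" hunk (@@ -11,7 +11,7 @@), the new line `Username+Password identity (account stored in database)` does not say in what form the password is stored. The only statement that it is a hash plus salt is in TASKS.md, which this same patch deletes. Suggest wording such as `Username+Password identity (account in database, password stored only as a salted hash)` so the constraint survives in AGENTS.md.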
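Review bot: In the AGENTS.md hunk that removes "Implementation Checklist" (@@ -53,21 +49,6 @@), the trailing context shows "## Security Notes" still opening with `- Cookie must be HttpOnly and SameSite=Strict`, and the patch adds nothing to that section although identity is now username and password. The deleted TASKS.md speaks of "HttpOnly/SameSite/Secure semantics" and of a 401 for unauthenticated requests; if the part of Security Notes not shown in this diff does not already cover them, add bullets for the Secure flag, password hashing and the 401 guard. The removal also drops the ordered items "Phase gating (server-side)" and "Admin controls (phase switch, reset)", so confirm they remain stated elsewhere in AGENTS.md or the related docs.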
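Review bot: In the last AGENTS.md hunk (@@ -81,5 +62,6 @@), the relocated rule `Avoid introducing new dependencies unless they remove complexity.` now sits in a document that requires password-based identity, and read literally it can steer an implementer toward hand-written password hashing. Suggest qualifying it, for example by appending "vetted security primitives such as password hashing are not covered by this rule", so it is not taken as a reason to write custom crypto.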
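Review bot: In the TASKS.md deletion (@@ -1,10 +0,0 @@), the "Ops/migration notes" item is the only place in this patch recording that legacy players get `legacy-xxxxxxxx` usernames with blank hashes, and it is removed without being carried over. Before deleting the file, move that note into AGENTS.md Security Notes or into the API.md/SPEC.md docs the task list refers to, and state explicitly that login must reject any account whose stored hash is blank. The subject "updated MD files" also does not mention that a file is deleted.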