Skip to content

20-07-2025

Pre-release
Pre-release
Compare
Choose a tag to compare
@fulleni fulleni released this 20 Jul 18:57
· 129 commits to main since this release
20-07-2025
94305fd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

🚀 Authentication Overhaul & Production-Ready Enhancements

This release delivers a comprehensive overhaul of the API's authentication system and backend infrastructure. The primary focus has been on creating a seamless and secure experience for guest users converting to permanent accounts.

Simultaneously, we've executed a major push to harden the entire platform for production by migrating critical authentication data to a persistent store, externalizing sensitive configurations, and implementing performance-boosting database indexes.

✨ Seamless & Secure Guest User Conversion

The entire lifecycle for guest users has been re-architected to be more intelligent, secure, and streamlined.

  • Intelligent Sign-In Flow: The authentication process now smartly handles guest users. If a guest signs in with a new email, their account is seamlessly converted to a permanent one. If they use an email that already exists, they are logged into the existing permanent account, and their old guest data is securely cleaned up.
  • Simplified API: The dedicated /link-email endpoints have been removed. All guest conversion logic is now consolidated directly into the main sign-in flow, creating a simpler and more robust API surface.
  • Automated Token Invalidation & Cleanup: When a guest converts or signs into an existing account, their old guest token is automatically invalidated and their temporary guest account is deleted, preventing orphaned data and improving security.
  • Reliable User Data Provisioning: A centralized helper now ensures that all necessary user documents (like settings and preferences) are idempotently created for any new user, whether they register directly or are converted from a guest account.

🛡️ Production-Ready Security & Persistence

We've moved beyond in-memory solutions and hardcoded secrets to a more robust and secure architecture.

  • Persistent Authentication Data: Token blacklists and active verification codes are no longer stored in-memory. They are now persisted in dedicated MongoDB collections, ensuring they survive server restarts.
  • Automated Data Cleanup with TTL Indexes: We've implemented MongoDB's Time-To-Live (TTL) indexes on the new authentication collections. This automates the cleanup of expired tokens and verification codes directly within the database, ensuring excellent data hygiene with no manual intervention.
  • Externalized JWT Configuration: All sensitive JWT secrets, issuer URLs, and token expiry settings are now loaded from environment variables instead of being hardcoded, following security best practices.
  • Structured Logging: All print() statements have been replaced with a structured Logger, providing vastly improved observability for monitoring and debugging.

🚀 Performance & Backend Modernization

  • Automated Text Search Indexing: The database seeding process now automatically creates text search indexes on headlines, topics, and sources. This significantly improves the performance and efficiency of search operations.
  • Migration to MongoDB ObjectIDs: The application now uses MongoDB's native ObjectId for all unique identifier generation, replacing the generic uuid package. This aligns our ID strategy with our database technology.
  • Standardized Timestamps: The API now automatically and consistently sets createdAt and updatedAt fields for all new and updated data, ensuring data integrity.
Assets 2
Loading