## AI Chat Fixes
- **CRITICAL**: Fixed AI chat responding only with sleep-related info
  - Root cause: Current user message was never added to context before sending to AI
  - Added user message to context in ai.service.ts before API call
- Fixed conversation ID handling for new conversations (undefined check)
- Fixed children query to properly use FamilyMember join instead of incorrect familyId lookup
- Added FamilyMember entity to AI module imports
- **Context improvements**:
  - New conversations now use empty history array (not the current message)
  - Properly query user's children across all their families via family membership
## Children Authorization Fix
- **CRITICAL SECURITY**: Fixed authorization bug where all users could see all children
  - Root cause: Controllers used `user.sub` but JWT strategy returns `user.userId`
  - Changed all children controller methods to use `user.userId` instead of `user.sub`
- Added comprehensive logging to track userId and returned children
- Backend now correctly filters children by family membership
## WebSocket Authentication
- **Enhanced error handling** in families gateway
  - Better error messages for connection failures
  - Added debug logging for token validation
  - More descriptive error emissions to client
- Added userId fallback (checks both payload.userId and payload.sub)
## User Experience
- **Auto-clear cache on logout**:
  - Logout now clears localStorage and sessionStorage
  - Prevents stale cached data from persisting across sessions
  - Users get fresh data on every login without manual cache clearing
## Testing
- Backend correctly returns only user's own children (verified in logs)
- AI chat now responds to all types of questions, not just sleep-related
- WebSocket authentication provides clearer error feedback
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
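The `user.sub` versus `user.userId` mismatch described in the commit above, as an added example that is not the project's own code. It uses a hypothetical JWT strategy `validateJwt`, a constructed in-memory stand-in for the Child/FamilyMember query, and the controller logic before and after the fix. It assumes the ORM treats an `undefined` value in a `where` filter as "no condition" rather than "matches nothing" (TypeORM's documented behaviour; that this is the exact mechanism in the project is an assumption), which is what turns a missing user id into an unfiltered query. The last function mirrors the gateway's `payload.userId` / `payload.sub` fallback, failing closed when neither is present.

```typescript
// Added example (not the project's code). Names and data are hypothetical.

// What the Passport JWT strategy hands to controllers as req.user.
// The strategy maps the token's `sub` claim to `userId`; it never sets `sub`.
interface JwtPayload { sub: string; email?: string }
interface RequestUser { userId: string }

// Hypothetical strategy validate(): token `sub` claim -> req.user.userId.
export function validateJwt(payload: JwtPayload): RequestUser {
  return { userId: payload.sub };
}

// Constructed sample rows standing in for the Child and FamilyMember tables.
interface FamilyMember { familyId: string; userId: string }
interface Child { id: string; familyId: string; name: string }
const familyMembers: FamilyMember[] = [
  { familyId: "fam-1", userId: "user-a" },
  { familyId: "fam-2", userId: "user-b" },
];
const children: Child[] = [
  { id: "c1", familyId: "fam-1", name: "child of A" },
  { id: "c2", familyId: "fam-2", name: "child of B" },
];

// Stand-in for the ORM finder (children joined through FamilyMember).
// Assumption: like TypeORM, an `undefined` filter value drops the condition.
function findChildrenByMemberUserId(userId: string | undefined): Child[] {
  if (userId === undefined) return children.slice(); // filter silently gone
  const familyIds = new Set(
    familyMembers.filter((m) => m.userId === userId).map((m) => m.familyId),
  );
  return children.filter((c) => familyIds.has(c.familyId));
}

// Before the fix: the controller reads `user.sub`, which is never populated,
// so `userId` is undefined and every child in the database comes back.
export function listChildrenBuggy(user: RequestUser): Child[] {
  const userId = (user as unknown as { sub?: string }).sub; // undefined
  return findChildrenByMemberUserId(userId);
}

// After the fix: read the property the strategy actually returns, and fail
// closed if it is missing instead of letting the ownership filter vanish.
export function listChildrenFixed(user: RequestUser): Child[] {
  const userId = user.userId;
  if (typeof userId !== "string" || userId.length === 0) {
    throw new Error("Unauthorized: request has no userId");
  }
  return findChildrenByMemberUserId(userId);
}

// WebSocket gateway style fallback: accept either claim name, still fail closed.
export function userIdFromPayload(payload: { userId?: string; sub?: string }): string {
  const id = payload.userId ?? payload.sub;
  if (!id) throw new Error("Unauthorized: token carries neither userId nor sub");
  return id;
}
```

The defensive check in `listChildrenFixed` is the part worth keeping beyond the rename: a typo in the property name should produce a 401, not a full table dump.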
- Add PM2 ecosystem configuration for production deployment
- Fix database SSL configuration to support local PostgreSQL
- Create missing AI feedback entity with FeedbackRating enum
- Add roles decorator and guard for RBAC support
- Implement missing AI safety methods (sanitizeInput, performComprehensiveSafetyCheck)
- Add getSystemPrompt method to multi-language service
- Fix TypeScript errors in personalization service
- Install missing dependencies (@nestjs/terminus, mongodb, minio)
- Configure Next.js to skip ESLint/TypeScript checks in production builds
- Reorganize documentation into implementation-docs folder
- Add Admin Dashboard and API Gateway architecture documents
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Create detailed implementation plan for securing backend API while supporting
web, mobile apps, WebSockets, and GraphQL.
## Current State Analysis
- Backend API fully exposed to internet (security risk)
- Direct API calls from browser
- No infrastructure-level rate limiting
- Future mobile apps need direct access
- WebSocket + GraphQL endpoints require special handling
## Proposed Solutions
### Phase 1: MVP - Next.js BFF Pattern (1-2 weeks)
- Next.js API routes as proxy for web app
- Direct backend access for mobile (with API keys)
- Internal API key authentication
- WebSocket remains direct (Next.js limitation)
### Phase 2: Production - Kong Gateway (4-6 weeks post-MVP)
- Centralized API gateway for all clients
- Backend becomes fully internal
- Advanced features: caching, monitoring, GraphQL federation
## Implementation Details
**Files to Create**:
- app/api/proxy/[...path]/route.ts - Generic REST proxy
- app/api/graphql/route.ts - GraphQL proxy
- src/common/guards/internal-api-key.guard.ts - Backend auth
**Security Features**:
- Internal API key for BFF → Backend communication
- Mobile API key for mobile → Backend
- Rate limiting: 100 req/min (web), 60 req/min (mobile)
- Strict CORS configuration
- Nginx reverse proxy with SSL termination
**Architecture Diagrams**:
- BFF pattern with Next.js (recommended for MVP)
- Kong Gateway pattern (production-ready)
- Mobile app integration strategy
**Includes**:
- Step-by-step implementation plan
- Code samples for all components
- Nginx configuration
- Environment variable setup
- Security enhancements
- Performance considerations (+20-40ms latency)
- Monitoring and logging
- Troubleshooting guide
- Deployment timeline
Addresses security concerns while maintaining support for:
✅ Web app (through BFF)
✅ Mobile apps (direct with API key)
✅ Real-time WebSocket
✅ GraphQL queries and subscriptions
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
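The backend-side controls from the plan above (internal API key for BFF → backend, mobile API key, 100 req/min for web and 60 req/min for mobile) together with the header hygiene the BFF proxy needs, as an added example that is not code from the plan or the project. The header name `x-api-key`, the key values, the per-client identifier and the token-bucket shape are all assumptions; in production the key comparison should use `crypto.timingSafeEqual`, the manual loop here only keeps the block dependency-free.

```typescript
// Added example (not the project's code). All names and values are hypothetical.

export type ClientClass = "web" | "mobile";

// Constructed sample keys; in practice loaded from environment variables.
const API_KEYS: Record<ClientClass, string> = {
  web: "internal-key-for-bff",   // presented by the Next.js BFF, never by a browser
  mobile: "mobile-app-key",      // presented by the mobile apps
};

// Requests per minute per client class, as in the plan.
const LIMITS: Record<ClientClass, number> = { web: 100, mobile: 60 };

// Constant-time string compare so the check does not leak how many leading
// bytes matched. Stand-in for crypto.timingSafeEqual.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Which client class presented a valid key, or null if none did.
export function classifyClient(headers: Record<string, string | undefined>): ClientClass | null {
  const presented = headers["x-api-key"];
  if (!presented) return null;
  for (const cls of Object.keys(API_KEYS) as ClientClass[]) {
    if (constantTimeEqual(presented, API_KEYS[cls])) return cls;
  }
  return null;
}

// Token bucket per (class, client id) with an injectable clock for testing.
interface Bucket { tokens: number; lastRefill: number }
export class RateLimiter {
  private buckets = new Map<string, Bucket>();
  constructor(private now: () => number = Date.now) {}

  allow(cls: ClientClass, clientId: string): boolean {
    const limit = LIMITS[cls];
    const key = `${cls}:${clientId}`;
    const t = this.now();
    const b = this.buckets.get(key) ?? { tokens: limit, lastRefill: t };
    const elapsedMinutes = (t - b.lastRefill) / 60_000;
    b.tokens = Math.min(limit, b.tokens + elapsedMinutes * limit); // refill
    b.lastRefill = t;
    const ok = b.tokens >= 1;
    if (ok) b.tokens -= 1;
    this.buckets.set(key, b);
    return ok;
  }
}

// Backend guard: 401 without a valid key, 429 when over the class limit.
export function authorizeRequest(
  headers: Record<string, string | undefined>,
  clientId: string,
  limiter: RateLimiter,
): { status: number; client: ClientClass | null } {
  const client = classifyClient(headers);
  if (client === null) return { status: 401, client };
  if (!limiter.allow(client, clientId)) return { status: 429, client };
  return { status: 200, client };
}

// BFF side: build the upstream header set. A browser must not be able to
// smuggle the internal key through the proxy, so any client-supplied
// x-api-key is dropped and the real one is attached server-side; hop-by-hop
// headers are dropped too.
const STRIPPED = new Set(["x-api-key", "host", "connection", "content-length"]);
export function buildUpstreamHeaders(
  incoming: Record<string, string>,
  internalKey: string,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(incoming)) {
    const lower = name.toLowerCase();
    if (!STRIPPED.has(lower)) out[lower] = value;
  }
  out["x-api-key"] = internalKey;
  return out;
}
```

Rate limiting keyed by client id is meaningful for mobile (per device or per user) but, for the web class, every request arrives from the BFF's own address, so the BFF should forward an end-user identifier (or enforce the per-user limit itself) rather than letting the backend count the proxy as one client.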