- Create biometric API client with WebAuthn methods
- Add BiometricSettings component for credential management
- Support Face ID, Touch ID, Windows Hello enrollment
- Display list of enrolled credentials with metadata
- Add/remove/rename biometric credentials
- Check browser and platform authenticator support
- Integrate into settings page with animations
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Create webauthn_credentials table migration (V011)
- Add WebAuthnCredential entity for storing biometric credentials
- Implement BiometricAuthService with SimpleWebAuthn v13 API
- Add 8 biometric auth endpoints (register/verify/credentials/manage)
- Add loginWithExternalAuth method to AuthService for biometric login
- Support Face ID, Touch ID, Windows Hello, and Android biometrics
- Store challenges in-memory (can be moved to Redis in production)
- Include credential management (list, delete, rename)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements user interface for viewing and managing active sessions:
Session Management Features:
- SessionsManagement component with full session management UI
- List all active sessions with device information
- Platform-specific icons (Computer, Phone, Tablet)
- Current session indicator with green chip
- Session details: device fingerprint, platform, last used, created date
- Revoke individual sessions with confirmation dialog
- Revoke all sessions except current with bulk action
- Real-time session count display
User Experience:
- Visual device type indicators
- Human-readable time formatting (e.g., "2 hours ago")
- Current session clearly marked and protected from removal
- Warning dialogs before revoking sessions
- Success/error feedback with alerts
- Loading states for all operations
- Empty state handling
API Integration:
- Sessions API client in lib/api/sessions.ts
- Get all sessions
- Get session count
- Revoke specific session
- Revoke all sessions except current
- Proper error handling and user feedback
Settings Page Integration:
- Added Sessions Management section
- Placed after Security/MFA settings
- Animated transitions with staggered delays
- Maintains consistent settings page layout
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements MFA verification dialog for login flow:
MFA Verification Features:
- MFAVerificationDialog component for code entry
- TOTP code input (6-digit authenticator app code)
- Email code input with auto-send on dialog open
- Backup code support mentioned in help text
- Resend email code functionality
- Auto-focus on code input field
- Large, centered code input for easy entry
- Real-time validation (6-digit code required)
Login Flow Integration:
- Detect MFA requirement from login API error
- Show MFA dialog when MFA is enabled for user
- Handle MFA verification success with token storage
- Allow cancellation to retry login
- Seamless transition after successful verification
User Experience:
- Email codes sent automatically
- Visual feedback for code sending/verification
- Error alerts for invalid codes
- Loading states for all async operations
- Clean, focused dialog design
- Tip about backup codes
Implementation Details:
- Integrated with existing login page
- Error handling for MFA-required responses
- Token storage after MFA verification
- Navigation after successful MFA
- Support for both TOTP and Email MFA methods
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements device trust management with ability to view, trust, and remove devices:
Device Trust Features:
- DeviceTrustService for managing DeviceRegistry entries
- List all user devices with trust status
- List trusted devices only
- Trust/untrust specific devices
- Remove devices completely
- Remove all devices except current one
- Get device counts (total, trusted, untrusted)
- Device information includes fingerprint, platform, last seen, trust status
API Endpoints:
- GET /api/v1/auth/devices - List all user devices
- GET /api/v1/auth/devices/trusted - List trusted devices only
- GET /api/v1/auth/devices/count - Get device counts
- POST /api/v1/auth/devices/:deviceId/trust - Mark device as trusted
- DELETE /api/v1/auth/devices/:deviceId/trust - Revoke device trust
- DELETE /api/v1/auth/devices/:deviceId - Remove device completely
- DELETE /api/v1/auth/devices - Remove all devices except current
Implementation Details:
- Prevents removing current device (security)
- Warns when revoking trust from current device
- Cascade deletes refresh tokens when device is removed
- Marks current device for UI indication
- Orders devices by last seen (most recent first)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements user session management with ability to view and revoke active sessions:
Session Management Features:
- SessionService for managing refresh tokens as sessions
- List all active sessions with device information
- Revoke specific session by ID
- Revoke all sessions except current one
- Get active session count
- Session information includes device fingerprint, platform, last used, IP
API Endpoints:
- GET /api/v1/auth/sessions - List all user sessions
- DELETE /api/v1/auth/sessions/:sessionId - Revoke specific session
- DELETE /api/v1/auth/sessions - Revoke all sessions except current
- GET /api/v1/auth/sessions/count - Get active session count
Implementation Details:
- Joins RefreshToken with DeviceRegistry for device info
- Prevents revoking current session (use logout instead)
- Marks sessions as current for UI indication
- Orders sessions by creation date (newest first)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements TOTP (Google Authenticator) and Email-based MFA:
Backend Features:
- MFA database fields (mfa_enabled, mfa_method, totp_secret, backup_codes)
- V010 migration for MFA support
- MFAService with TOTP and Email MFA support
- QR code generation for Google Authenticator setup
- 10 backup codes per user (hashed storage)
- Email verification codes (6-digit, 5min expiry)
- MFA verification with backup code support
API Endpoints:
- GET /api/v1/auth/mfa/status
- POST /api/v1/auth/mfa/totp/setup
- POST /api/v1/auth/mfa/totp/enable
- POST /api/v1/auth/mfa/email/setup
- POST /api/v1/auth/mfa/email/send-code
- POST /api/v1/auth/mfa/verify
- DELETE /api/v1/auth/mfa
- POST /api/v1/auth/mfa/backup-codes/regenerate
Dependencies: otplib, qrcode
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implemented comprehensive rate limiting for API security:
- Created custom Next.js-native rate limiter using in-memory store
- Added 5 rate limit configurations:
- authLimiter: 5 requests/15min for login/register/password-reset
- aiLimiter: 10 requests/hour for AI assistant queries
- trackingLimiter: 30 requests/min for activity tracking
- readLimiter: 100 requests/min for read-only endpoints
- sensitiveLimiter: 3 requests/hour for sensitive operations
- Applied rate limiting to endpoints:
- /api/auth/login, /api/auth/register, /api/auth/password-reset
- /api/ai/chat
- /api/tracking/feeding (GET and POST)
- Rate limit responses include standard headers:
- RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset
- Retry-After header with seconds until reset
- Tested with 7 sequential requests - first 5 passed, last 2 blocked with 429
Note: Current implementation uses in-memory store. For production with
multiple instances, migrate to Redis-backed storage for distributed
rate limiting.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed network detection to only mark as offline on actual network errors,
not on HTTP errors like 404. This fixes the issue where the app shows
'You are offline' even when connected, which happens when accessing through
a reverse proxy where the /api/health endpoint might not be properly routed.
Now the app will show as online as long as it can reach the server
(any HTTP response), and only show offline on true connection failures.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Created /api/health endpoint that returns 200 OK to allow Redux
network detection middleware to properly check connectivity status.
Without this endpoint, the app was showing as offline even when
connected to the internet.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added Redux Provider to app layout and simplified Redux store to work
properly with Next.js SSR.
**Changes:**
- Added ReduxProvider wrapper to root layout (app/layout.tsx)
- Fixed ReduxProvider TypeScript type (React.ReactNode)
- Simplified store configuration by removing @redux-offline package
- Removed packages incompatible with SSR:
- @redux-offline/redux-offline
- redux-persist
- localforage
- Re-added NetworkStatusIndicator to main page (now works with Redux)
- Kept custom offline middleware and sync middleware for offline-first functionality
**Why:**
The @redux-offline package and localforage try to access browser APIs (IndexedDB,
localStorage) during SSR, causing "No available storage method found" errors.
Our custom offline middleware provides the same functionality without SSR issues.
**Result:**
Redux store now works correctly with:
- Network status detection
- Offline action queuing
- Custom sync middleware
- Activities and children slices with optimistic updates
Next step: Can add redux-persist back with proper SSR guards if needed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The NetworkStatusIndicator component requires Redux Provider to be set up,
which is not yet integrated in the app. Removed it from the main page to
prevent "could not find react-redux context value" errors.
NetworkStatusIndicator will be added back once Redux Provider is properly
configured in the app root.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implemented React error boundaries to catch and handle errors gracefully:
**Core Error Handling Components:**
- Created ErrorBoundary class component with error catching and logging
- Created specialized fallback UIs (MinimalErrorFallback, DataErrorFallback,
ComponentErrorFallback, FormErrorFallback, ChartErrorFallback, ImageErrorFallback)
- Added withErrorBoundary HOC for easy component wrapping
- Created errorLogger service with Sentry integration placeholder
**Error Logging Service (errorLogger.ts):**
- Centralized error logging with severity levels (FATAL, ERROR, WARNING, INFO, DEBUG)
- Context enrichment (URL, userAgent, timestamp, environment)
- Local storage of last 10 errors in sessionStorage for debugging
- User context management (setUser, clearUser)
- Breadcrumb support for debugging trails
**App Integration:**
- Wrapped root layout with top-level ErrorBoundary for catastrophic errors
- Added NetworkStatusIndicator to main page for offline sync visibility
- Wrapped daily summary section with isolated DataErrorFallback
- Added error boundary to AI assistant page with ComponentErrorFallback
- Wrapped feeding tracking form with FormErrorFallback using withErrorBoundary HOC
- Protected analytics charts with isolated ChartErrorFallback boundaries
**Error Recovery Features:**
- Isolated error boundaries prevent cascade failures
- Retry buttons on all fallback UIs
- Error count tracking with user warnings
- Development-mode error details display
- Automatic error logging to service (when Sentry integrated)
Next: Integration with Sentry for production error tracking
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Backend changes:
- Add password reset token database migration (V011)
- Create email service with Mailgun integration (EU/US regions)
- Implement password reset flow with secure token generation
- Add email verification endpoints and logic
- Create beautiful HTML email templates for reset and verification
- Add password reset DTOs with validation
- Update User entity with email verification fields
Frontend changes:
- Create forgot password page with email submission
- Create reset password page with token validation
- Add email verification banner component
- Integrate verification banner into main dashboard
- Add password requirements and validation UI
Features:
- Mailgun API ready for EU and US regions
- Secure token expiration (1h for reset, 24h for verification)
- Rate limiting on resend (2min interval)
- Protection against email enumeration
- IP address and user agent tracking
- Token reuse prevention
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed AI chat response display (response.data.data.message)
- Fixed onboarding to save children to database with validation
- Fixed AI conversation ID length (VARCHAR 30, nanoid 12)
- Added gender selection to onboarding
- All database migrations V001-V010 completed
- Backend: NestJS with Azure OpenAI integration
- Frontend: Next.js with Material-UI
- Docker: PostgreSQL, Redis, MongoDB, MinIO
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
