sachet-server/TODO.txt

[ ]: not started
[-]: in progress
[x]: done
[!]: wontfix
[?]: maybe

[x] authentication
	[x] /users/login POST
	[x] /users/logout POST
	[x] /users/extend POST

[x] permissions
	[x] change the db schema
		[x] use a library for serializing classes
		[x] permissions are:
			- create file
			- modify any file
			- delete any file
			- lock/unlock any file
				no modification, no deletion
			- list all files
			- admin
				doesn't imply other privileges directly,
				but means you can set them to yourself
	[x] /users/<user> GET
		this endpoint will now contain permission data too
	[x] /users/<user> PATCH
	[x] /users/<user> PUT
		we'll use these to set permissions

	[x] make the "generic model api"
		endpoints like /users/<id> and /admin/settings
		that directly get/set models will inherit from this class
		any authentication/permission logic belongs to the children class

		[x] make schemas members of their parent models

	[x] settings endpoint
		[x] initialize settings to defaults

		[x] tests
		[x] /admin/settings GET
		[x] /admin/settings PATCH
		[x] /admin/settings PUT
			settings will set the default non-authenticated user's permissions

[x] linter

[x] file management backend
	we want to abstract away the filesystem
	[x] write todos for this entry
		read, write, list
		but how are we going to implement metadata and stuff?
		are we going to use UUIDs?
		hashing?

	[x] create the module sachet.storage
		[x] class Storage
			generic storage
			- get handle to file
			- list files
		[x] class File
			- delete file
			- r/w file
			- read metadata
			- write metadata
			- rename file

		our "real" classes will inherit from the Storage interface
		and they will replace all the methods (and the File class)

		[x] class FileSystem
			just hook up python's os filesystem to FileSystem

			[x] rewrite tests
			[x] class File
				- create file and its associated metadata file
				- delete file
				- r/w file
				- read metadata
				- write metadata
				- rename file

[x] file sharing
	[x] Share model
		[x] docstring

	[x] auth_required: require certain permissions

	metadata
		[x] /files POST
			client will post metadata as json
			returns a 201 and set Location header to the created entry
			depends on create file permission
		[x] /files/<file> PUT
			metadata update
		[x] /files/<file> PATCH
			metadata update
		[x] /files/<file> GET
			metadata get
		[x] /files/<file> DELETE
			deletes file

	files
		[x] /files/<file>/content POST
			uploads file
		[x] /files/<file>/content PUT
			modifies file
		[x] /files/<file>/content GET
			downloads file, depends on read permission

	[x] debugging

	[x] testing

	[x] metadata
		[x] implement a filename for Share
		[x] test filename

	[x] test modification

	[x] implement listing files
		[x] split POST off ModelClass
			one class will be for editing models themselves
			other class, ModelListClass
				POST creates a new Model
				GET lists all models (paginated)
		[x] implement ModelListClass GET (pagination!)

	[x] implement anonymous permissions
		[x] test adversarial conditions

	[x] fix that one bug where sending a non-int page number causes 500
		[x] write a test case to prevent it

	[x] fix modification
		supposedly users should only be able to modify their own pastes

	locking
		[x] add locked attribute to Share
		[x] implement authorization to modify/delete
		[x] implement changing lock/unlock state
			setting a bool flag in /files/<file> PUT/PATCH/POST
			has the be authorized, though

[!] access docstrings without starting up the webserver
	https://stackoverflow.com/questions/18214612/how-to-access-app-config-in-a-blueprint
	instead of importing app, import this

[x] database migrations
[x] database cleanup
	move all the cleanup to a flask cmd
	"delete where date < expiry"

[x] write in README about db cleanup and migrations

[x] implement chunked upload
	[x] Upload model
		does not have a REST API endpoint
		[x] upload_id (primary key a.k.a. dzuuid)
		[x] backref to Share
		[x] list of Chunks
		[x] datetime
	[x] Chunk model
		does not have a REST API endpoint
		[x] id (autoincrement)
		[x] index
		[x] backref to Upload
		[x] datetime

	we will store chunks as individual files: share uuid + suffix
	suffix is
	- upload uuid (prevents race condition for two concurrent uploads)
	- chunk index
	
	[x] write tests for chunked upload
	[?] write more rigorous tests
		poke at the chunks themselves
		what happens when you send chunks in a race condition,
		at the wrong time, with the wrong permissions, etc?

	[x] investigate why share_id is set to none
	[x] clear out chunk files after they're used
	[x] clear out files after they are deleted

[x] implement chunked download
	[x] implement File.size
		[x] write tests
	[x] write test for Range
	[x] implement HTTP 416
		[x] write appropriate tests

[x] write periodic cleanup for crusty stale uploads and chunks
	so right now the issue is that the chunk on_delete event isn't triggering
	and we're leaving random files on the disk

[x] add /users API
	[x] fix url for users (returned when posting)
		[x] create test case
	[x] add /users DELETE
		[x] added test case
		[x] add a note for this in the docs
	[x] password change endpoint
		[x] tests
		[x] docs

[x] investigate "FOREIGN KEY constraint failed"

[x] investigate what happens when you change ownership of a share to a
	non-existent user
	add a note maybe to the docs
	[x] add note about ownership transfers
	[x] add note that setting owner to null allows anon users to own it

[x] make sure that reserved names like `login`, `renew` are actually necessary
	right now we're only implementing them on the CLI interface
	maybe it doesn't matter because we're using POST only for these
	and users don't have POST
	[x] if they're not necessary we'll tear out the safeguards
	[x] also add a warning to related endpoints to be careful

[x] fix bug where users can modify other users' shares' metadata

[x] proper documentation
	[x] use a linter on docstrings
	[x] Authentication
	[x] Paginated APIs
	[x] Permissions
	[x] User API
		[x] url_for docs
	[x] Admin API
		[x] anon perms
	[x] Files API
		[x] metadata API
		[x] list API
			[x] url_for docs
		[x] content API
			[x] chunked upload protocol
			[x] POST
			[x] PUT
			[x] GET
		[x] lock API
			(reference this in permissions)
			(reference this in the files schema)
	[x] cli
	[x] getting started (dev)

[x] implement /whoami endpoint
	[x] tests
	[x] docs

[ ] expose filesize in share info

[ ] investigate cleanup being in the user subcmd
[ ] investigate cleanup cmd triggering foreign key failure

[ ] if you create a new user without a required field it gives 500
[ ] if you create a new user with the same name as an existing one it gives 500
[x] if you try to read a share with an invalid uuid it gives 500

[ ] investigate if you can interfere with an upload by setting the same id

[ ] prod deployment config WSGI
	[ ] write info about this in docs
TODO.txt: uploaded 2023-05-31 20:33:09 -04:00			`[ ]: not started`
			`[-]: in progress`
			`[x]: done`
			`[!]: wontfix`
			`[?]: maybe`

			`[x] authentication`
			`[x] /users/login POST`
			`[x] /users/logout POST`
			`[x] /users/extend POST`

			`[x] permissions`
			`[x] change the db schema`
			`[x] use a library for serializing classes`
			`[x] permissions are:`
			`- create file`
			`- modify any file`
			`- delete any file`
			`- lock/unlock any file`
			`no modification, no deletion`
			`- list all files`
			`- admin`
			`doesn't imply other privileges directly,`
			`but means you can set them to yourself`
			`[x] /users/<user> GET`
			`this endpoint will now contain permission data too`
			`[x] /users/<user> PATCH`
			`[x] /users/<user> PUT`
			`we'll use these to set permissions`

			`[x] make the "generic model api"`
			`endpoints like /users/<id> and /admin/settings`
			`that directly get/set models will inherit from this class`
			`any authentication/permission logic belongs to the children class`

			`[x] make schemas members of their parent models`

			`[x] settings endpoint`
			`[x] initialize settings to defaults`

			`[x] tests`
			`[x] /admin/settings GET`
			`[x] /admin/settings PATCH`
			`[x] /admin/settings PUT`
			`settings will set the default non-authenticated user's permissions`

			`[x] linter`

			`[x] file management backend`
			`we want to abstract away the filesystem`
			`[x] write todos for this entry`
			`read, write, list`
			`but how are we going to implement metadata and stuff?`
			`are we going to use UUIDs?`
			`hashing?`

			`[x] create the module sachet.storage`
			`[x] class Storage`
			`generic storage`
			`- get handle to file`
			`- list files`
			`[x] class File`
			`- delete file`
			`- r/w file`
			`- read metadata`
			`- write metadata`
			`- rename file`

			`our "real" classes will inherit from the Storage interface`
			`and they will replace all the methods (and the File class)`

			`[x] class FileSystem`
			`just hook up python's os filesystem to FileSystem`

			`[x] rewrite tests`
			`[x] class File`
			`- create file and its associated metadata file`
			`- delete file`
			`- r/w file`
			`- read metadata`
			`- write metadata`
			`- rename file`

			`[x] file sharing`
			`[x] Share model`
			`[x] docstring`

			`[x] auth_required: require certain permissions`

			`metadata`
			`[x] /files POST`
			`client will post metadata as json`
			`returns a 201 and set Location header to the created entry`
			`depends on create file permission`
			`[x] /files/<file> PUT`
			`metadata update`
			`[x] /files/<file> PATCH`
			`metadata update`
			`[x] /files/<file> GET`
			`metadata get`
			`[x] /files/<file> DELETE`
			`deletes file`

			`files`
			`[x] /files/<file>/content POST`
			`uploads file`
			`[x] /files/<file>/content PUT`
			`modifies file`
			`[x] /files/<file>/content GET`
			`downloads file, depends on read permission`

			`[x] debugging`

			`[x] testing`

			`[x] metadata`
			`[x] implement a filename for Share`
			`[x] test filename`

			`[x] test modification`

			`[x] implement listing files`
			`[x] split POST off ModelClass`
			`one class will be for editing models themselves`
			`other class, ModelListClass`
			`POST creates a new Model`
			`GET lists all models (paginated)`
			`[x] implement ModelListClass GET (pagination!)`

			`[x] implement anonymous permissions`
			`[x] test adversarial conditions`

			`[x] fix that one bug where sending a non-int page number causes 500`
			`[x] write a test case to prevent it`

			`[x] fix modification`
			`supposedly users should only be able to modify their own pastes`

			`locking`
			`[x] add locked attribute to Share`
			`[x] implement authorization to modify/delete`
			`[x] implement changing lock/unlock state`
			`setting a bool flag in /files/<file> PUT/PATCH/POST`
			`has the be authorized, though`

			`[!] access docstrings without starting up the webserver`
			`https://stackoverflow.com/questions/18214612/how-to-access-app-config-in-a-blueprint`
			`instead of importing app, import this`

			`[x] database migrations`
			`[x] database cleanup`
			`move all the cleanup to a flask cmd`
			`"delete where date < expiry"`

			`[x] write in README about db cleanup and migrations`

			`[x] implement chunked upload`
			`[x] Upload model`
			`does not have a REST API endpoint`
			`[x] upload_id (primary key a.k.a. dzuuid)`
			`[x] backref to Share`
			`[x] list of Chunks`
			`[x] datetime`
			`[x] Chunk model`
			`does not have a REST API endpoint`
			`[x] id (autoincrement)`
			`[x] index`
			`[x] backref to Upload`
			`[x] datetime`

			`we will store chunks as individual files: share uuid + suffix`
			`suffix is`
			`- upload uuid (prevents race condition for two concurrent uploads)`
			`- chunk index`

			`[x] write tests for chunked upload`
			`[?] write more rigorous tests`
			`poke at the chunks themselves`
			`what happens when you send chunks in a race condition,`
			`at the wrong time, with the wrong permissions, etc?`

			`[x] investigate why share_id is set to none`
			`[x] clear out chunk files after they're used`
			`[x] clear out files after they are deleted`

			`[x] implement chunked download`
			`[x] implement File.size`
			`[x] write tests`
			`[x] write test for Range`
			`[x] implement HTTP 416`
			`[x] write appropriate tests`

			`[x] write periodic cleanup for crusty stale uploads and chunks`
			`so right now the issue is that the chunk on_delete event isn't triggering`
			`and we're leaving random files on the disk`

			`[x] add /users API`
			`[x] fix url for users (returned when posting)`
			`[x] create test case`
			`[x] add /users DELETE`
			`[x] added test case`
			`[x] add a note for this in the docs`
			`[x] password change endpoint`
			`[x] tests`
			`[x] docs`

			`[x] investigate "FOREIGN KEY constraint failed"`

			`[x] investigate what happens when you change ownership of a share to a`
			`non-existent user`
			`add a note maybe to the docs`
			`[x] add note about ownership transfers`
			`[x] add note that setting owner to null allows anon users to own it`

			[x] make sure that reserved names like `login`, `renew` are actually necessary
			`right now we're only implementing them on the CLI interface`
			`maybe it doesn't matter because we're using POST only for these`
			`and users don't have POST`
			`[x] if they're not necessary we'll tear out the safeguards`
			`[x] also add a warning to related endpoints to be careful`

			`[x] fix bug where users can modify other users' shares' metadata`

			`[x] proper documentation`
			`[x] use a linter on docstrings`
			`[x] Authentication`
			`[x] Paginated APIs`
			`[x] Permissions`
			`[x] User API`
			`[x] url_for docs`
			`[x] Admin API`
			`[x] anon perms`
			`[x] Files API`
			`[x] metadata API`
			`[x] list API`
			`[x] url_for docs`
			`[x] content API`
			`[x] chunked upload protocol`
			`[x] POST`
			`[x] PUT`
			`[x] GET`
			`[x] lock API`
			`(reference this in permissions)`
			`(reference this in the files schema)`
			`[x] cli`
			`[x] getting started (dev)`

/whoami: implemented tests and docs added too 2023-06-15 12:46:26 -04:00			`[x] implement /whoami endpoint`
			`[x] tests`
			`[x] docs`

/files: better malformed UUID handling 2023-07-18 13:26:48 -04:00			`[ ] expose filesize in share info`

TODO.txt: uploaded 2023-05-31 20:33:09 -04:00			`[ ] investigate cleanup being in the user subcmd`
			`[ ] investigate cleanup cmd triggering foreign key failure`

TODO.txt: added tasks 2023-07-12 21:03:26 -04:00			`[ ] if you create a new user without a required field it gives 500`
			`[ ] if you create a new user with the same name as an existing one it gives 500`
/files: better malformed UUID handling 2023-07-18 13:26:48 -04:00			`[x] if you try to read a share with an invalid uuid it gives 500`
TODO.txt: added tasks 2023-07-12 21:03:26 -04:00
			`[ ] investigate if you can interfere with an upload by setting the same id`

TODO.txt: uploaded 2023-05-31 20:33:09 -04:00			`[ ] prod deployment config WSGI`
			`[ ] write info about this in docs`