TODO for Crafty Syntax 3.8.0

High Priority

Authentication System

Database vs Config File

The database (auth_providers table) is sufficient for storing:

• OAuth client credentials
• Provider configurations
• Active/Inactive status

Security Considerations

• Encrypt sensitive data (client_secret) in the database
• Add rate limiting for OAuth attempts
• Log all OAuth-related activities
• Add CSRF protection to admin forms
• Implement proper session handling for OAuth flows

OAuth/Passwordless Login

• Admin Setup Wizard
- [ ] Create admin interface for managing OAuth providers - [ ] Add form to add/edit OAuth providers (Google, GitHub, etc.) - [ ] Include step-by-step instructions with screenshots for each provider - [ ] Add validation for OAuth credentials - [ ] Test OAuth flow with multiple providers - [ ] Add ability to enable/disable authentication methods - [ ] Create backup authentication method if OAuth fails

Email Login (Magic Link/Passwordless)

• Implement Email-based Authentication
- [ ] Add email template system for magic links - [ ] Create token generation and validation system - [ ] Add rate limiting for email requests - [ ] Implement "Remember Me" functionality - [ ] Add login attempt logging - [ ] Make it configurable (enable/disable in admin) - [ ] Add IP-based rate limiting - [ ] Add email verification for first-time users - [ ] Support for custom SMTP settings

Security Considerations

• Encrypt sensitive data (client_secret, tokens) in the database
• Add rate limiting for all authentication attempts
• Log all authentication-related activities
• Add CSRF protection to all forms
• Implement proper session handling
• Add device fingerprinting for suspicious logins
• Implement account lockout after failed attempts
• Add password strength requirements
• Support for 2FA (Two-Factor Authentication)

Ontology Platform Integration

• Database Schema Updates
- [ ] Add SOT (Single Source of Truth) tables - [ ] Add Content tables - [ ] Add Network tables - [ ] Add Collection tables - [ ] Ensure backward compatibility with existing data

Public-Facing Ontology Pages

• Implement header/footer and navigation for:
- [ ] questions.php - [ ] content.php - [ ] events.php - [ ] channels.php - [ ] users.php - [ ] collections.php - [ ] Ensure consistent styling and responsive design - [ ] Add proper meta tags and SEO optimization

Pending Features

Database Layer

• Complete PDO wrapper implementation
- [ ] Test with MySQL - [ ] Test with PostgreSQL - [ ] Update all database queries to use prepared statements - [ ] Add transaction support where needed

Configuration

• Finalize new configuration structure
• Update setup wizard to support new PDO options
• Add database migration tool for existing installations

Security

• Implement CSRF protection
• Update password hashing to use modern algorithms
• Review and secure all Ontology Platform endpoints
• Implement proper access controls for public-facing pages

Documentation

• Update installation guide
• Add migration guide from 3.7.x to 3.8.0
• Document new configuration options

In Progress

PDO Integration

• Create PDO database wrapper
• Update database factory to support PDO
• Update configuration to support PDO options

UTC Time Handling

• Replace date() with gmdate()
• Replace mktime() with gmmktime()
• Implement timezone support for user accounts
- [ ] Add timezone column to livehelp_users table - [ ] Update user profile/registration to include timezone selection - [ ] Create utility function for timezone conversion (UTC to user's timezone)
• Update time displays throughout the application
- [ ] Chat timestamps - [ ] Report generation - [ ] Admin interface - [ ] Any other date/time displays
• Update API responses to include timezone information
• Document timezone handling for developers
• Test timezone functionality
- [ ] Different timezones - [ ] DST transitions - [ ] Cross-timezone chat

Testing

• Unit tests for new PDO wrapper
• Integration tests for database operations
• Browser compatibility testing

Known Issues

• None yet

Important Notes

• Crafty Syntax remains fully human-operated - no AI agents are embedded in CSLH
• All Ontology Platform integration is structural and data-model only
• Maintain backward compatibility where possible
• Database migrations should be idempotent
• Follow PSR-12 coding standards
• Document all new API endpoints and database schema changes