Ryan Kegel
ebaef16daf
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 3m23s
- Introduced a dual-token system for user authentication: a short-lived access token and a long-lived rotating refresh token. - Created a new RefreshToken model to manage refresh tokens securely. - Updated auth_api.py to handle login, refresh, and logout processes with the new token system. - Enhanced security measures including token rotation and theft detection. - Updated frontend to handle token refresh on 401 errors and adjusted SSE authentication. - Removed CORS middleware as it's unnecessary behind the nginx proxy. - Added tests to ensure functionality and security of the new token system.
Reward - Chore & Reward Management System
A family-friendly application for managing chores, tasks, and rewards for children.
🏗️ Architecture
- Backend: Flask (Python) with TinyDB for data persistence
- Frontend: Vue 3 (TypeScript) with real-time SSE updates
- Deployment: Docker with nginx reverse proxy
🚀 Getting Started
Backend
cd backend
python -m venv .venv
.venv\Scripts\activate # Windows
source .venv/bin/activate # Linux/Mac
pip install -r requirements.txt
python -m flask run --host=0.0.0.0 --port=5000
Frontend
cd frontend/vue-app
npm install
npm run dev
🔧 Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
ACCOUNT_DELETION_THRESHOLD_HOURS |
Hours to wait before deleting marked accounts | 720 (30 days) |
DB_ENV |
Database environment (prod or test) |
prod |
DATA_ENV |
Data directory environment (prod or test) |
prod |
Account Deletion Scheduler
The application includes an automated account deletion scheduler that removes user accounts marked for deletion after a configurable threshold period.
Key Features:
- Runs every hour checking for accounts due for deletion
- Configurable threshold between 24 hours (minimum) and 720 hours (maximum)
- Automatic retry on failure (max 3 attempts)
- Restart-safe: recovers from interruptions during deletion
Deletion Process: When an account is marked for deletion, the scheduler will automatically:
- Remove all pending rewards for the user's children
- Remove all children belonging to the user
- Remove all user-created tasks
- Remove all user-created rewards
- Remove uploaded images from database
- Delete user's image directory from filesystem
- Remove the user account
Configuration: Set the deletion threshold via environment variable:
export ACCOUNT_DELETION_THRESHOLD_HOURS=168 # 7 days
Monitoring:
- Logs are written to
logs/account_deletion.logwith rotation (10MB max, 5 backups) - Check logs for deletion summaries and any errors
🔌 API Endpoints
Admin Endpoints
All admin endpoints require JWT authentication and admin role.
Note: Admin users must be created manually or via the provided script (backend/scripts/create_admin.py). The admin role cannot be assigned through the signup API for security reasons.
Creating an Admin User:
cd backend
python scripts/create_admin.py
Account Deletion Management
GET /api/admin/deletion-queue- View users pending deletionGET /api/admin/deletion-threshold- Get current deletion thresholdPUT /api/admin/deletion-threshold- Update deletion threshold (24-720 hours)POST /api/admin/deletion-queue/trigger- Manually trigger deletion scheduler
User Endpoints
POST /api/user/mark-for-deletion- Mark current user's account for deletionGET /api/me- Get current user infoPOST /api/login- User loginPOST /api/logout- User logout
🧪 Testing
Backend Tests
cd backend
pytest tests/
Frontend Tests
cd frontend/vue-app
npm run test
📝 Features
- ✅ User authentication with JWT tokens
- ✅ Child profile management
- ✅ Task assignment and tracking
- ✅ Reward system
- ✅ Real-time updates via SSE
- ✅ Image upload and management
- ✅ Account deletion with grace period
- ✅ Automated cleanup scheduler
🔒 Security
- JWT tokens stored in HttpOnly, Secure, SameSite=Strict cookies
- Role-Based Access Control (RBAC): Admin endpoints protected by admin role validation
- Admin users can only be created via direct database manipulation or provided script
- Regular users cannot escalate privileges to admin
- Account deletion requires email confirmation
- Marked accounts blocked from login immediately
📁 Project Structure
.
├── backend/
│ ├── api/ # REST API endpoints
│ ├── config/ # Configuration files
│ ├── db/ # TinyDB setup
│ ├── events/ # SSE event system
│ ├── models/ # Data models
│ ├── tests/ # Backend tests
│ └── utils/ # Utilities (scheduler, etc)
├── frontend/
│ └── vue-app/
│ └── src/
│ ├── common/ # Shared utilities
│ ├── components/ # Vue components
│ └── layout/ # Layout components
└── .github/
└── specs/ # Feature specifications
🛠️ Development
For detailed development patterns and conventions, see .github/copilot-instructions.md.
📚 References
- Reset flow (token validation, JWT invalidation, cross-tab logout sync):
docs/reset-password-reference.md
📄 License
Private project - All rights reserved.