
Usability & Smoothness Tickets

Authentication & Account Creation

📋 JIRA-PROD-001: Fix iPhone Password Auto-Generation Issue

Status: DRAFT - Not Created
Description: iPhone forces an auto-generated password without allowing manual changes. Users get stuck with unwanted auto-generated passwords and cannot proceed with their preferred credentials.

Tasks:

  • Investigate iOS password field behavior and auto-fill restrictions
  • Implement password field that allows manual input on iOS
  • Add "Use custom password" option during account creation
  • Test on multiple iPhone models and iOS versions

📋 JIRA-PROD-002: Fix Password Field Interaction Issues

Status: DRAFT - Not Created
Description: Users cannot highlight, copy, or alter password field content, making it impossible to correct or manage passwords during registration.

Tasks:

  • Enable text selection in password fields
  • Add copy password button/functionality
  • Implement password visibility toggle
  • Test password field interactions across devices

📋 JIRA-PROD-003: Resolve Password Manager Conflicts

Status: DRAFT - Not Created
Description: 1Password and iPhone auto-fill conflict, resulting in wrong credentials being saved and preventing successful login attempts.

Tasks:

  • Implement proper autocomplete attributes for password fields
  • Add password manager detection logic
  • Create fallback for password manager conflicts
  • Test with major password managers (1Password, LastPass, Bitwarden, iOS Keychain)

📋 JIRA-PROD-004: Fix Password Reset Flow

Status: DRAFT - Not Created
Description: Password reset links return "server IP address could not be found" errors, completely blocking users from recovering their accounts. This has failed four times for our doctor/influencer.

Tasks:

  • Debug password reset email generation and link formation
  • Fix DNS/routing issues with reset links
  • Implement retry mechanism for reset emails
  • Add password reset status tracking
  • Give them the option to reset password in the browser (not just in app)
  • Test reset flow end-to-end across email providers

❌ JIRA-PROD-005: Implement Custom Authentication System

Status: DECISION - Not Pursuing (Too much work, continuing with Firebase)
Description: Build our own login mechanism so that we remove the dependency on Firebase. This gives us full control over the authentication flow and user experience, and lets us make it a genuinely solid authentication system.

Security Issue Discovered: On August 21, 2025, the system was attacked by bots that created 168 fake accounts by exploiting an unauthenticated public API endpoint. The attackers were able to inject fake Firebase-format account IDs directly through the /users endpoint without any authentication checks. These fake accounts exist in PostgreSQL with Firebase-style IDs but have no corresponding Firebase authentication records.

Root Cause: The user creation endpoint (POST /users) is marked as @Public() and lacks any authentication mechanism, allowing anyone to create accounts by posting directly to the API. The validation schema accepts an optional accountId parameter, which attackers exploited to inject fake Firebase IDs.

Tasks:

  • Design new authentication architecture
  • Implement JWT-based authentication system
  • Create user session management
  • Migrate existing users from Firebase
  • Implement secure password storage with proper hashing
  • Add rate limiting and security measures
  • Create authentication monitoring and alerting
  • CRITICAL: Implement shared secret authentication for user creation endpoint to prevent bot attacks

📋 JIRA-PROD-005A: Implement Shared Secret Authentication for User Creation

Status: DRAFT - Not Created
Description: Add a shared secret mechanism between mobile apps and backend to prevent unauthorized account creation while maintaining a seamless user experience. This provides immediate protection against bot attacks without requiring complex authentication flows during user registration.

Solution Architecture:

  • Add shared secret validation to the user creation endpoint
  • Mobile apps (iOS/Android) include secret in API requests
  • Web interface can also use the same shared secret mechanism
  • Secret is embedded in client applications (accepted trade-off for simplicity)

Implementation Details:

// Backend: Add header validation to POST /users endpoint
@Headers('X-Client-Auth') clientAuth: string

// Environment variable for all environments (dev/staging/prod)
CLIENT_SHARED_SECRET=eli_client_2025_secure_registration_token

// Mobile apps add header to all user creation requests
request.setValue("eli_client_2025_secure_registration_token", forHTTPHeaderField: "X-Client-Auth")

Security Considerations:

  • Shared secret is visible in client applications if decompiled
  • Provides protection against casual bot attacks and script kiddies
  • Can be rotated with new app releases if compromised
  • Combined with rate limiting, provides an effective protection layer

Mobile App Instrumentation Requirements:

  • iOS app must include X-Client-Auth: eli_client_2025_secure_registration_token header in all user registration API calls
  • Android app must include X-Client-Auth: eli_client_2025_secure_registration_token header in all user registration API calls
  • Web frontend must include X-Client-Auth: eli_client_2025_secure_registration_token header in user registration requests
  • All client applications should handle 401 Unauthorized responses gracefully when shared secret is invalid

Tasks:

  • Add X-Client-Auth header validation to users.controller.ts
  • Add CLIENT_SHARED_SECRET environment variable to all environments
  • Update mobile apps to include shared secret header
  • Update web frontend to include shared secret header
  • Add rate limiting to user creation endpoint (10 accounts/hour per IP)
  • Test shared secret validation across all platforms
  • Document shared secret rotation procedure
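An added illustration of the backend side of this ticket (example code written here, not the project's users.controller.ts): the X-Client-Auth header is compared against the shared secret in constant time, and a per-IP sliding window enforces the 10 accounts/hour limit from the tasks. The secret value, IPs and the 401/429 decision shape are constructed for the example; in the real service the secret comes from the CLIENT_SHARED_SECRET environment variable.

```typescript
// Constructed demo secret; the real value comes from the CLIENT_SHARED_SECRET env var.
export const DEMO_SECRET = "constructed-demo-shared-secret";

// Constant-time comparison: inspect every code unit even after a mismatch so
// response timing does not reveal how many leading characters were correct.
export function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Sliding-window limiter: at most `limit` account creations per `windowMs` per IP
// (the ticket asks for 10 per hour).
export class IpRateLimiter {
  private hits = new Map<string, number[]>();
  constructor(private limit = 10, private windowMs = 60 * 60 * 1000) {}

  allow(ip: string, now: number = Date.now()): boolean {
    const recent = (this.hits.get(ip) ?? []).filter((t) => now - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits.set(ip, recent);
    return allowed;
  }
}

export type UserCreateDecision = { status: 201 | 401 | 429; reason: string };

// Decision the POST /users handler makes before it creates anything.
// Node lower-cases incoming header names, so the lookup key is "x-client-auth".
export function decideUserCreate(
  headers: Record<string, string | undefined>,
  ip: string,
  limiter: IpRateLimiter,
  secret: string = DEMO_SECRET,
  now: number = Date.now(),
): UserCreateDecision {
  const presented = headers["x-client-auth"];
  if (typeof presented !== "string" || !constantTimeEqual(presented, secret)) {
    return { status: 401, reason: "missing or invalid X-Client-Auth header" };
  }
  if (!limiter.allow(ip, now)) {
    return { status: 429, reason: "account creation limit reached for this IP" };
  }
  return { status: 201, reason: "ok" };
}
```

The limiter only counts requests that passed the header check, so it measures created accounts per IP rather than raw request volume.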

📋 JIRA-PROD-006: Implement Social Login (Google and Apple)

Status: DRAFT - Not Created
Description: Add social login (Google and Apple) - this will definitely improve the login experience by eliminating password friction entirely for most users.

Tasks:

  • Implement Google OAuth integration
  • Implement Apple Sign In
  • Create account linking for existing users
  • Handle social login edge cases (email already exists, etc.)
  • Design seamless onboarding flow for social login users
  • Add social login buttons to all auth screens
  • Test across all platforms (iOS, Android, Web)

❌ JIRA-PROD-007: Add SMS Verification Option

Status: DECISION - Not Pursuing (Less priority with Google/Apple auth)
Description: Give users the option to verify by SMS. SMS is usually quicker to validate an account than email verification.

Tasks:

  • Integrate SMS provider (Twilio/AWS SNS)
  • Implement phone number collection during signup
  • Create SMS verification code generation and validation
  • Add SMS as alternative to email verification
  • Implement SMS for password reset option
  • Handle international phone numbers
  • Add rate limiting for SMS to prevent abuse
  • Create fallback to email if SMS fails

📋 JIRA-PROD-008: Smooth Out Email Verification Flow

Status: DRAFT - Not Created
Description: Smooth out the login so that when somebody taps the verification link in their email, it opens the app to complete verification (rather than leaving them in the email client). Make verification seamless.

Tasks:

  • Implement deep linking for email verification
  • Auto-verify when user clicks link and app opens
  • Remove need to copy/paste verification codes
  • Add in-app verification status updates
  • Create smooth transition from verification to main app
  • Handle expired verification links gracefully
  • Add resend verification option in app

Results Display & Visualization

✅ JIRA-PROD-009: Fix Result Screen Freeze

Status: CREATED - Mobile App Project
Description: App shows "complete" but doesn't display results, requiring users to force quit and restart the app multiple times. Marina had to hand-hold the doctor through laborious restarts.

Tasks:

  • Debug result loading state management
  • Implement timeout and retry for result fetching
  • Add loading indicators with progress
  • Create automatic refresh mechanism

✅ JIRA-PROD-010: Fix Wake-up Time Default and Detection

Status: CREATED - Mobile App Project
Description: Graph shows wrong wake-up time (11:30 instead of 6:30) without prompting the user, distorting the cortisol reference range and making result interpretation confusing even for an MD.

Tasks:

  • Add wake-up time prompt during test flow
  • Implement smart wake-up time detection from user data
  • Fix default wake-up time logic
  • Add wake-up time validation and confirmation

✅ JIRA-PROD-011: Fix Data Point Visualization Bug

Status: CREATED - Mobile App Project
Description: Result point appears in the wrong place on the curve, making normal results look low/abnormal when they're actually normal.

Tasks:

  • Debug graph coordinate calculation
  • Fix data point placement algorithm
  • Add visual validation for point placement
  • Test across different screen sizes and orientations

✅ JIRA-PROD-012: Fix Reference Range Display After Wake-up Time Update

Status: CREATED - Mobile App Project
Description: The reference range becomes completely distorted after updating wake-up time. As the MD said: "That's definitely not the normal reference range" - eroding trust in scientific accuracy.

Tasks:

  • Debug reference range recalculation logic
  • Implement proper curve refresh on wake-up time change
  • Add validation for reference range values
  • Test range display with various wake-up times