v3.0.0 Release Wishlist about lad HOT 20 OPEN

Moved from #368:

• Drop momentjs
• moment and usage of i18n.api.t and i18n.translate in models, views, and email templates need to use localization of user
• Sitemap crawler
• Babel polyfill vs polyfill.io
• Two factor authentication
• Admin filtering by group, search by name/email
• User avatar upload (via lipo.io) (@niftylettuce will handle)
• Manifest PNG icon (@niftylettuce will handle)
• Figure out how to add lint-staged's xo --fix && git add to the template/package.json file (right now it errors out, see https://github.com/sudo-suhas/lint-staged-multi-pkg possibly we can use lerna or something)
• Record demo video and put it on README
• Lad LTS 1.0.0 "Chap"
• Lad email verification to verify account (otherwise someone can register in advance of someone else signing up for an account, then third party signs in with Google/GitHub)
• Deprecations:

  0|web      | ⚠  warning   The option `reconnectTries` is incompatible with the unified topology, please read more by visiting http://bit.ly/2D8WfT6 {
  0|web      |   app: {
  0|web      |     name: 'lad',
  0|web      |     version: '0.0.2',
  0|web      |     node: 'v12.10.0',
  0|web      |     hash: 'ecec4017fb14fd299e161b30b5e93c7c73f52041',
  0|web      |     environment: 'production',
  0|web      |     hostname: 'lad-demo-1',
  0|web      |     pid: 699
  0|web      |   }
  0|web      | }
  0|web      | ⚠  warning   The option `reconnectInterval` is incompatible with the unified topology, please read more by visiting http://bit.ly/2D8WfT6 {

• proxy server should remove "www" prefix from host on redirect
• server setup script needs --webroot-path #352 (?)
• Browser setAppInfo and parse-logs to parse this if it was passed
• Emails when security changes made (web/api account update or key rotation)
• Document all env vars that can be customized (e.g. rg "process.env" node_modules)

from lad.

• cabinjs/cabin#133

from lad.

cc @shaunwarman I added above "OTP tests need added" checkbox

from lad.

- [ ] OptimalBits/bull#1659 (no longer using Bull)

from lad.

• Programmatically include a polyfill.js file with required plugins (vs. using all plugins) via babel/babel-polyfills#13 (comment) and babel/babel#11583

from lad.

• Upgrade to pug v3.x+ once pugjs/pug#3260 is resolved

from lad.

• Referrer Header Policy https://scotthelme.co.uk/a-new-security-header-referrer-policy/

• Feature Header Policy https://scotthelme.co.uk/a-new-security-header-feature-policy/ too experimental per w3c/webappsec-permissions-policy#189 and helmetjs/feature-policy#6

from lad.

• Report-To header (we already have reportUri option being used in helmet)

from lad.

• Implement https://github.com/koajs/qs once new major version released

from lad.

• Managed translation override concept (also investigate why Markdown not working in mandarin.markdown())

from lad.

• Note that users must install gifsicle deps imagemin/gifsicle-bin#79

from lad.

• axe should only use parse-app-info in non-development and non-testing environment (configurable)

from lad.

• prefix koa cash keys with koa-cash: or something

from lad.

• X-Cached-Result: true (or false value) in koa-cash as an option addHeader: true enabled by default, and version bump it

from lad.

• improve caching by content-encoding gzip on fonts+svg (not sure why they aren't)

from lad.

• add cache policy option to koa-cash

from lad.

All of the above issues are now for v3.0.0 release or later.

from lad.

• Add ability to "Cancel" a pending email address change
• Investigate if reset password functionality circumvents 2FA
• Move /change-email to /my-account/change-email

from lad.

• Changing password should prompt for re-entry of password and OTP to continue
• Changing email should prompt for re-entry of password and OTP to continue

from lad.

• Configurable rate limit middleware that's specific to endpoints that send emails or insert data into database (e.g. contact form, signup, verify email, forgot password, reset password, change email, etc)

from lad.