Closes four gaps the Swagger audit flagged as blocking a full MVP demo,
plus a general documentation pass.
P0 — Forgot/Reset password (auth)
- POST /auth/forgot-password (anti-enumeration: always 200)
- POST /auth/reset-password
- Reuses the Redis-OTP pattern from email/phone change; new key prefix
auth:password_reset_otp with 15-min TTL.
- Emits PasswordResetRequestedEvent; new listener in notifications
dispatches the existing password.reset email template (otp +
expiryMinutes variables already in template.service.ts).
- UserEntity gains changePassword(HashedPassword) domain method; reset
also revokes all refresh tokens for the user.
P0 — Favorites module
- New SavedListing Prisma model (unique(userId, listingId)) with User
and Listing back-relations; schema pushed via db push since the
remote DB was out of sync with migration history.
- New apps/api/src/modules/favorites/ module following the reviews
module's shape (DDD/CQRS: domain repo + Prisma impl + 2 commands
+ 2 queries + controller).
- POST /favorites/:listingId, DELETE /favorites/:listingId,
GET /favorites (paginated), GET /favorites/:listingId/check. All
guarded by JwtAuthGuard.
- FavoritesModule wired into AppModule.
P1 — Resend OTP (auth)
- POST /auth/resend-otp for EMAIL_CHANGE | PHONE_CHANGE. Reads the
pending OTP payload out of Redis and re-emits the original event
without minting a new code, so TTL semantics stay intact. Password
reset resend is done by re-POSTing /auth/forgot-password and is
deliberately not in this enum.
P1 — Agent self-upgrade (agents)
- POST /agents/me/upgrade lets a BUYER/SELLER convert to AGENT. Creates
an Agent row (isVerified=false) and flips User.role in one
$transaction. Rejects if already AGENT/ADMIN or if an Agent row
already exists.
P2 — Swagger enrichment
- @ApiConsumes('multipart/form-data') + body schema on listings media
upload.
- GET /subscriptions/quota/:metric now enumerates the real metric
values from METRIC_TO_PLAN_FIELD.
- POST /avm/batch and /analytics/valuation/batch document the max=50
batch size from their DTO's @ArrayMaxSize.
- GET /admin/dashboard gains a realistic response example schema.
- Admin-gated endpoints in projects/transfer/industrial gain concrete
400/401/403/404 responses.
Swagger endpoint count: 170 → 178. Typecheck clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add NotificationChannelPort domain port for SMS/transactional channels.
- Refactor StringeeSmsService to implement the port; routes OTP template
keys through the tighter otp bucket and transactional keys through the
wider bucket.
- Add SmsRateLimiterService using a Redis sorted-set sliding window with
per-minute + per-hour limits per phone; fails open on Redis errors.
- Rate-limit violations throw DomainException(TOO_MANY_REQUESTS, 429)
with retryAfterSeconds in the details payload.
- Cover adapter + rate limiter with unit tests (22 specs); all 148
notifications tests still green.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add emitResidentialEvent helper on NotificationsGateway that fans
residential:price-drop, residential:new-listing-in-project, and
residential:inquiry-reply to the user's /notifications room.
- Wire three CQRS @EventsHandler listeners on ListingPriceChangedEvent
(only when newPrice < oldPrice, match saved searches),
ListingApprovedEvent (match saved searches with filters.projectId
against property.projectDevelopmentId), and InquiryReadEvent
(notify inquiry author).
- Redis pub/sub fan-out already handled by RedisIoAdapter from
TEC-2766, so these broadcasts work across API instances.
- Unit tests for all three listeners and the new gateway helper.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add RedisIoAdapter (shared/infra) for multi-instance Socket.IO fan-out
with graceful fallback to the in-memory IoAdapter when Redis is
unreachable.
- Pin Socket.IO heartbeat (pingInterval/pingTimeout/connectTimeout)
via env-tunable gateway options for reconnect stability.
- Expose Prometheus metrics on /notifications: goodgo_ws_connected_clients
(Gauge) and goodgo_ws_messages_total (Counter) with namespace/event/
direction labels. Wired through MetricsService and tracked across
connect/disconnect + emits.
- Unit tests: RedisIoAdapter connect/fallback/close, new MetricsService
WS helpers, and gateway metric increments/decrements on auth paths.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
TEC-2722 — PATCH /api/v1/auth/profile now accepts phoneNumber alongside
fullName, avatarUrl, and email. Phone changes are deferred until the user
confirms the SMS OTP via POST /api/v1/auth/profile/verify-phone, mirroring
the existing email-change OTP flow.
- Add PhoneChangeRequestedEvent + user.phone_change_otp SMS template
- Add VerifyPhoneChangeHandler with Redis-backed 10-minute OTP
- Re-check phone uniqueness at verify time to catch races
- Extend unit tests for UpdateProfileHandler + add VerifyPhoneChangeHandler spec
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Email changes via PATCH /api/v1/auth/profile now require OTP verification
instead of updating immediately. A 6-digit code is sent to the new email
address and must be confirmed via POST /api/v1/auth/profile/verify-email
within 10 minutes. Also fixes pre-existing web valuation test failures
(formatPrice output format, removed comparables section, missing
QueryClientProvider wrapper).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add 5 new event listeners (listing.approved, listing.rejected, payment.confirmed,
subscription.expiring, inquiry.received), 3 new Handlebars templates, readAt field
for in-app read/unread tracking, unread/mark-as-read API endpoints, and unit tests.
All 57 notification tests pass, lint clean, typecheck clean.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Apply QuotaGuard + @RequireQuota to listing creation and analytics endpoints
- Add QuotaExceeded domain event emitted when quota is exceeded
- Create ListingCreatedUsageHandler to auto-meter usage on listing creation
- Create QuotaExceededListener to send email notifications on quota exceeded
- Add maxAnalyticsQueries and maxMediaUploads fields to Plan model
- Add quota.exceeded email notification template
- Define quota limits per plan tier in seed data
- Add 15 unit tests covering guard, event handler, listener, and event
Co-Authored-By: Paperclip <noreply@paperclip.ing>
