-
Implement custom server session backend, see gin-contrib/sessions
-
Find/implement OAuth2 solution for Spotify authentication
-
Add tests with go testing tools
-
Conditional requests (Caching)
- Improve CSP support
- Add HTTPOnly or SecureOnly support to cookies
- Add CSRF token support?
- Parity with index (unauthenticated)
- Spotify OAuth2 integration
- Parity with auth routes
- Parity with index (authenticated)
- Get user data
- Get user's own playlists
- Render user data
- Render user playlists
- Log Out
- Parity with playlist endpoint
- Parity with search endpoint
Note: The Android client app authenticates with Spotify directly.
- Change playlist endpoint to PATCH instead of current GET, also don't redirect
- Update the Party's current playlist asynchronously
- Add search
- For tracks
- For artists
- For albums
- Expose "See more results in Spotify" href
- Get access tokens for searching via Client Credentials Flow if session is unauthorized with Spotify
-
Add Guests model
- JSON blob (Array of):
- Name
- Alias (Future use?)
- Only modifiable by a checked in Guest (guest ID/index stored in session)
- Check-In Status (checked_in: boolean)
- A guest is simply invited by default
- A checked in guest is in attendance
- JSON blob (Array of):
-
Add Playlist (TrackList) model
- Fields:
- JSON blob (Array of):
- Spotify Track ID
- Name
- Artist
- Began playing timestamp
- Duration (in seconds)
- Contributor name
- Contributor ID (index in Guest array)
- Timestamps
- JSON blob (Array of):
- Show duration on frontend
- Fields:
-
Add a Party Model
- Fields:
- Location JSON blob:
- Host name
- Location/address string
- Scheduled time?
- Facebook inegration?
- Room code (NULL when party has ended)
- Random four letter combination
- Ended flag
- Current Track (Now Playing)
- NULL or JSON blob:
- Spotify Track ID
- Name
- Artist
- Contributor name
- Contributor ID (index in Guest array)
- NULL or JSON blob:
- Queue foreign key (To TrackList)
- History foreign key (To TrackList)
- Guests foreign key
- Location JSON blob:
- Fields:
Party Access Tokens authenticate API access for party guests. (Party hosts authenticate separately with Spotify.)
- Add access token delivery
- Sign generated tokens using a strong signature (token secret, cryptographic hash)
- Store tokens in Redis
- No persistence necessary for guest tokens, parties are ephemeral
- Deliver token inside a secure cookie
- Deliver a Party Access Token to pseudo-authenticated guests
- Those who have joined a party with valid party ID and over SSL with CORS Origin validation
- Store originating Origin and validate subsequent requests given the request's Party Access Token
- Recurring job to clean expired tokens
- Party access tokens expire after 30 minutes of disuse
- Automatically refresh token expiration time via ping/pong
-
Server-Sent Events data integration for party state updates sent to clients
- Push TrackList and Party model updates to guests
- Gin comes ready built for SSE
- go-broadcast
-
Scalable Server-Sent Events data integration via Redis PubSub
- Current implementation keeps connection info in memory
- This will not scale to multiple Heroku dynos
-
WebSockets streaming data integration?- Do I need full duplex send/receive sockets? Probably not in most cases
- Future?
-
Playback history (History) endpoint (As TrackList)
- History endpoint
- Pagination
- 20 tracks, by default, per page
limitandoffsetquery params
- With SSE support (Sent via party,
/events/party, stream ashistoryevent)- Updates when current track changes
- Most recent track first
- Clients may use a track's
began_playingtimestamp to show timeago info
-
Playback future (Queue) endpoint (As TrackList)
- Queue endpoint
- Pagination
- 10 tracks, by default, per page
limitandoffsetquery params
- With SSE support (Sent via party,
/events/party, stream asqueueevent)- Updates when current track changes
- Updates when guests contribute tracks
- Server keeps track of whole Queue
- Hosts may view whole queue
- Guests may only see first page of queue (First page w/ default page size; ignore page query params)
-
Add Party endpoints
- Create (Start?)
- End (Stop/Quit?)
- Get current party
- Join a party
- Via authorized room code
- Check-In via OAuth provider
- With SSE support (Update clients with Guest-list)
- Connect to Facebook event (Future?)
-
Add search suggestions (autocomplete)?
- Maybe better with a WebSocket?
-
Mobile app authentication
- Open
/auth/loginin a web view - Redirect back to new
/auth/finishedendpoint- Render:
Logged in as $name$ : <a href=/auth/logout>Logout</a> - Mobile app handles redirection back here
- Render:
- Spotify access token delivery
- Only deliver access token, server manages refresh
- Spotify token refresh endpoint
/auth/refresh- Responds with refreshed token
- Open
-
Playback
- Pick a playlist for a party
- Pull all of the playlist's tracks
- Shuffle the playlist
- Play the party's playlist
- Pause the party's playlist
- Skip the current track
- Search to add to queue
- State change notifications (WebSockets?)
- Pick a playlist for a party
- Add Join Party endpoint
- With Party foreign key
- Should there be a party list? No
- User facing "room" code for guests to enter (Like Jackbox. 456,976 combinations with 4 letters, but I'm using any alpha-numeric combination of four characters, 13,845,841 possible combinations)
- Facebook integration (Future)
- Contribution
- Add (suggest) a song
- Limit maximum number of suggestions per timeframe (hour?)
- Suggest that a song should be skipped
- Require a minimum number of votes (5? fraction of party attendants?)
- Join a party given its room code
- unauthenticated ⇒ pseudo-authenticated (Via room code authorization)
- Check-In to a Party (authenticated)
- OAuth2 third-party authentication schemes
- GitHub
- Others?
- OAuth2 third-party authentication schemes
- Music Quiz modeled after Spotify iQuiz
- Users can submit songs, albums, and artists for inclusion to the communal quiz game beforehand.
- Display a call to action on the TV UI and to guests that they may participate.
- Prevent users from selecting songs from singles or hide the album art (Singles are too easy to guess given their album art).
- Section V: Users & Data
-
Obtain explicit consent for users' email address?
- "5. You shall not email Spotify users unless you obtain their explicit consent or obtain their email address and permission through means other than Spotify."
-
Delete all Spotify Content upon logout/inactivity
- "7. Spotify user data can be cached only for operating your SDA. If a Spotify user logs out of your SDA or becomes inactive, you will delete any Spotify Content related to that user stored on your servers. To be clear, you are not permitted to store Spotify Content related to a Spotify user or otherwise request user data if a Spotify user is not using your SDA."
-
Add 'Delete Account' functionality.
- "8. You must provide all users with a working mechanism to disconnect their Spotify Account from your application at any time and provide clear instructions on how to do so. Further, when a user disconnects their Spotify account, you agree to delete and no longer request or process any of that Spotify user’s data."
-
Write an EULA/Terms of Use and a Privacy Policy for Party
- "10. You must have an end user agreement and privacy policy. Any access, use, processing, and disclosure of Spotify user data shall comply with (i) these Developer Terms; (ii) your end user license agreement; (iii) your privacy policy; and (iv) applicable laws and regulations."
- See subsection 12 about requirements for EULA/Terms of Use
- See subsection 13 about requirements for Privacy Policy
-
TODO: Get resources for Go/TypeScript WebSockets
TODO: Get resources for Go OAuth providers (Facebook, Google, Twitter, GitHub, etc.) and super pretty frontend login buttons