Commit Graph

29 Commits

Author SHA1 Message Date
Ryan Chen 1f0effb902 Add privacy policy and terms of service pages
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 15:17:16 -04:00
Ryan Chen d005080aca Add attendee cap with required login for capped events
Hosts can optionally cap total attendance (RSVPs + plus-ones) when
creating an event. Capped events require guests to log in via the
existing email code flow; RSVPs are tied to accounts and deduped per
user. The event page shows spots left and replaces the form with a
full notice when the cap is reached; the server rejects over-cap
RSVPs and edits with 409 as a race backstop.

Also threads a safeNext-validated ?next= param through the login and
name-setup flow so guests land back on the event after signing in.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:36:57 -04:00
Ryan Chen 2aa3abf035 Rebuild legacy users table to add email and drop phone NOT NULL
The migration ALTER TABLE users ADD COLUMN email TEXT UNIQUE always
failed ("Cannot add a UNIQUE column" — SQLite doesn't support it), so
phone-era DBs never got an email column and verify 500'd with "no such
column: email". Even with the column added, phone NOT NULL would reject
email-only users. SQLite can't ALTER either change, so detect the legacy
shape (missing email column) and rebuild the table, preserving user ids
and sessions (FKs off so DROP TABLE doesn't cascade).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:13:37 -04:00
Ryan Chen 426df48901 Require login to create events when auth is enabled
Gate the home page and POST /events behind auth. Also add sqlite3 CLI
to the Docker image for DB inspection, and gitignore test.db files.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:07:26 -04:00
Ryan Chen 4915af0665 Fix login on legacy DBs: drop NOT NULL phone/email from verification_codes
Old prod DBs had verification_codes.phone (or email) as NOT NULL with no
default, so inserting a code via identifier-only failed silently — users
received an emailed code that was never stored, and verify always said
"Invalid or expired code." Drop the legacy columns in a migration and
stop swallowing the CreateVerificationCode error.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:07:18 -04:00
Ryan Chen 780a214c7d Refactor login to email-only, remove phone/SMS auth
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-09 17:40:37 -04:00
Ryan Chen 0719269bce Add SMS consent logging for Twilio compliance
Log phone, IP, and user agent to sms_consents table before sending
verification SMS. Add disclosure text to login form.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-29 09:46:43 -04:00
Ryan Chen 3afef25b4c Add admin location editing
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 23:05:17 -04:00
Ryan Chen 44c20d54ff Fix going count to only sum RSVPs, not claims + RSVPs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 23:18:51 -04:00
Ryan Chen e7022124be Delete auto-RSVP on unclaim and count going from RSVPs only
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 23:15:48 -04:00
Ryan Chen 6e3fc9721a Add edit RSVP modal, plus-one tracking, and unified signup form
Merge RSVP + slot claim into a single form. Add plus_one field to RSVPs.
Add clickable RSVP names that open a modal to edit name/note/plus_one.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 23:11:11 -04:00
Ryan Chen fe5cdd92a1 Dedupe RSVPs and add tests for auto-RSVP on claim
Add migration to clean up duplicate RSVPs (keep earliest per event+name).
Add GetRsvpByName and DeleteDuplicateRsvps queries. Tests cover auto-RSVP
creation, duplicate prevention, and case-insensitive matching.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 22:55:21 -04:00
Ryan Chen 087becdf58 Auto-RSVP when claiming a slot
Claiming a slot now also adds the person to the going list if they
aren't already there (case-insensitive name match).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 22:53:17 -04:00
Ryan Chen 78ac8f3677 Add /healthz endpoint
Returns 200 ok if the DB is reachable, 503 if not.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 22:51:00 -04:00
Ryan Chen 3a6a4b6e9c Fix schema init crash on existing DBs with old verification_codes table
Move auth-related indexes into migrations so they run after column
additions. Previously CREATE INDEX on verification_codes(identifier)
would fail because the old table still had the email column.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 09:26:26 -04:00
Ryan Chen 997bc8c1c6 Allow token-only admin access for events with no owner
Skip the user ownership check when event.user_id is NULL so
existing events created before auth still work with their
admin links.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 09:07:26 -04:00
Ryan Chen d68a6629ac Gate admin routes behind auth and add copy guest link button
When auth is enabled, admin pages require the logged-in user to be
the event owner — unauthorized visitors get redirected to the guest
view, and admin actions return 403. Also adds a copy-to-clipboard
button in the admin bar and a Makefile for common commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 09:06:16 -04:00
Ryan Chen a0c4b28d1e Support both email and phone login
Auto-detect whether the user entered an email or phone number.
Email sends via Resend, phone sends via Twilio SMS. Users table
has nullable phone and email columns; verification_codes uses a
generic identifier field.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 08:53:29 -04:00
Ryan Chen 471cc3ad8c Switch to phone auth via Twilio SMS and add feature flag system
Replace email-based auth (Resend) with phone-based auth (Twilio SMS).
Add BBQ_FEATURES env var for toggling features at deploy time — when
auth is disabled, no login routes are registered and the app works
as before.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 08:45:15 -04:00
Ryan Chen b3203a7506 Include slot claimers in the Going list
The Going section now shows both RSVPs and people who claimed slots,
deduplicated by name (case-insensitive). Claim-only people don't get a
remove button—they unclaim from the slot card instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-17 08:12:09 -04:00
Ryan Chen 7b0efb3c45 Add markdown event descriptions for hosts to provide context
Hosts can now add a free-form description (with markdown rendering via
goldmark) when creating or editing events. Descriptions render safely
with no raw HTML passthrough. Includes ALTER TABLE migration for
existing databases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-17 08:02:24 -04:00
Ryan Chen 4fc79d4491 Rename PORT to HOST_PORT in compose to avoid conflict with Go server
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-16 15:58:44 -04:00
Ryan Chen 26d1622f83 Support custom PORT in compose.yaml via .env
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-16 15:55:30 -04:00
Ryan Chen 53baf3a9c4 Add .env file support to compose.yaml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-16 15:53:01 -04:00
Ryan Chen 6a70135a5d Add dynamic OG image generation for rich iMessage/social previews
Generates a branded 1200x630 PNG per event with title, date/time/location
using Go's image package and a custom bitmap font. Supports BBQ_BASE_URL
env var for absolute URLs required by link preview crawlers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-16 15:50:24 -04:00
Ryan Chen ef3aa3e9c3 Harden inputs: sanitize lengths, request size limits, caps on slots/rsvps
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-15 10:28:06 -04:00
Ryan Chen d51e7fe867 Add RSVP support and Open Graph meta tags
People can now RSVP without claiming a slot. OG tags show
event title, date/time/location, and headcount in link previews.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-15 10:18:36 -04:00
Ryan Chen 2b08f81c8d Add README with build and deploy instructions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-14 22:57:24 -04:00
Ryan Chen 8b32d98267 Initial commit: potluck signup app
Go + chi + SQLite + HTMX with SSE live updates.
Soft Brutalism design, emoji picker, Docker deploy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-14 22:55:54 -04:00