Add full system audit reports and Telegram Mini App debug handoff
- Three-stream audit (security / logic / performance) with 35+ findings derived from actual source code, each with file:line and remediation
- Audit Index cross-references criticals across streams into prioritized fix tiers: immediately / before soft launch / before public launch
- Telegram Mini App debug handoff documenting what was implemented and all remaining work items with exact file lists and test commands
- Updated architecture, data model, auth API, and registration flow docs to reflect Telegram auth, TON wallet, and email verification additions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -328,9 +328,11 @@ Routes are nested under `/api/auth/` via `passkeyRoutes`. Service: `passkeyServi
| HTTP | App code | Meaning |
| --- | --- | --- |
| 400 | `Validation Error` | `express-validator` rejected the body |
| 401 | — | Bad credentials / missing token |
| 403 | — | Email not verified or insufficient role |
| 401 | — | Bad credentials / missing token / invalid Telegram signature |
| 403 | — | Email not verified, insufficient role, or blocked Telegram account |
| 409 | `USER_EXISTS` | Email already in use |
| 409 | `TELEGRAM_REPLAY` | Reused Telegram Mini App `initData` (replay protection) |
| 423 | — | Account temporarily locked after failed logins |
| 429 | — | Rate-limited (auth tier: 10 req / 15 min / IP) |
See [[Error Codes]] for the global error shape.
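Review bot: The rendered hunk shows both the old 401/403 rows ("Bad credentials / missing token", "Email not verified or insufficient role") and the new ones that add "invalid Telegram signature" and "blocked Telegram account"; confirm the old rows are the removed side of the diff, otherwise the table ends up with duplicate 401 and 403 entries. Also, the new 401 and 403 rows lump the Telegram failures in with password-login failures under "—" in the App code column, while the replay case gets its own `TELEGRAM_REPLAY` code; clients and the audit reports this commit adds will want to distinguish "invalid Telegram signature" and "blocked Telegram account" from ordinary bad-credential or unverified-email responses, so consider giving them distinct app codes (and listing them in [[Error Codes]]) in the same way `TELEGRAM_REPLAY` is listed. For the `TELEGRAM_REPLAY` row itself, the table says what the response is but not the boundaries of the protection: state how long a seen `initData` value is remembered and the `auth_date` freshness window it is combined with, since a replay check without a documented window is hard for reviewers to verify. Finally, the 429 row's auth tier (10 req / 15 min / IP) should be confirmed as applying to the Telegram `initData` endpoint too, since signature verification is an obvious brute-force target if it sits outside that tier.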