# 🚀 MVP Next Steps – Post SES Setup

This document outlines the concrete next steps to build the MVP now that Amazon SES email delivery is fully configured and verified.

---

## ✅ Phase 0 — Email Infrastructure (COMPLETED)

**Status: DONE**

- SES domain verified (`juntekim.com`)
- DKIM, SPF, DMARC configured
- Custom MAIL FROM domain enabled
- Test email delivered to Gmail inbox
- SES production access requested
- SMTP credentials generated and stored securely

No further SES work is required for MVP.

---

## 🔐 Phase 1 — Magic Link Authentication (Core MVP)

### 1️⃣ Define Authentication Model

**Decisions**

- Email-only authentication (no passwords)
- Magic links are:
  - Single-use
  - Time-limited (e.g. 15 minutes)
  - Hashed before storage
- No persistent email storage beyond what the token table and the session require

**Outcome**

- Clear security model before implementation

---

### 2️⃣ Create Magic Link Token Table

**Required fields**

- `id`
- `email`
- `token_hash`
- `expires_at`
- `used_at`
- `created_at`

**Rules**

- Never store raw tokens (store only a hash; the raw token exists only in the emailed URL)
- Reject expired tokens
- Reject reused tokens
- Mark the token as used at validation time, before the session is created, with a conditional update on `used_at IS NULL` so that two concurrent clicks cannot both succeed

**Outcome**

- Database migration + model ready

---

### 3️⃣ Build Email Sending Adapter (SES SMTP)

**Requirements**

- Uses Amazon SES SMTP credentials
- Sends from `no-reply@juntekim.com`
- Generates secure magic link URLs (token from a CSPRNG, never written to logs)
- Plain-text email (HTML later)

**Example responsibility**

- `sendMagicLink(email, url)`

**Outcome**

- Single reusable email-sending utility

---

## 🔑 Phase 2 — NextAuth Integration

### 4️⃣ Configure NextAuth (Email Provider)

**Actions**

- Enable NextAuth Email provider
- Configure SES SMTP transport
- Disable default token storage
- Use custom DB token table

**Outcome**

- NextAuth initialized and functional

---

### 5️⃣ Implement `/auth/callback` Logic

**Flow**

1. User clicks magic link
2. Token is hashed and validated
3. Token expiry checked
4. Token marked as used
5. Session created
6. Redirect to app

**Outcome**

- End-to-end login flow works

---

### 6️⃣ Minimal Authentication UI

**Pages**

- Email input form
- “Check your email” confirmation screen
- Error states:
  - Invalid token
  - Expired token
  - Already-used token

**Outcome**

- Usable authentication UX

---

## 🛡 Phase 3 — MVP Hardening (Still Lightweight)

### 7️⃣ Rate Limiting

Add limits for:

- Magic link requests per email
- Magic link requests per IP

Purpose:

- Prevent abuse
- Protect SES reputation

Key the per-email limit on the normalized (trimmed, lower-cased) address, and take the client IP only from a header set by a proxy you control; otherwise both limits are trivially bypassed.

---

### 8️⃣ Basic Logging

Log only:

- Email requested
- Email send success/failure
- Login success/failure

Do **not** store email content, and never log the raw token or the full magic link URL.

---

### 9️⃣ Production Sanity Checks

Before real users:

- Test login on mobile + desktop
- Test Gmail + Outlook
- Test expired link behavior
- Test reused link rejection
- Confirm that mail link scanners opening the URL before the user does not consume the single-use token

---

## 🚦 MVP Definition of Done

The MVP is considered complete when:

- User enters email
- User receives magic link
- User clicks link
- User is authenticated
- Session persists

No additional features are required to ship.

---

## 🧠 Guiding Principles

- Infrastructure first (done)
- Security before UX polish
- Ship working flows early
- Avoid overbuilding before user feedback

---

## 🧩 Post-MVP (Optional, Later)

Do NOT block MVP on:

- HTML email templates
- Branded emails
- Email analytics
- Admin dashboards
- Multi-provider auth
- Password fallback

Ship first, iterate later.
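---

### Added example: token lifecycle (steps 1, 2, 3 and 5)

The following TypeScript is an added worked example, not code from this project. It implements the token model above end to end: a CSPRNG token whose SHA-256 hash is the only thing stored, the token table as an in-memory stand-in (assumption: the real MVP uses a SQL table with the same columns), the plain-text message for `sendMagicLink(email, url)` (assumption: the transport exposes a nodemailer-style `sendMail({ from, to, subject, text })`), and the `/auth/callback` checks in the order listed in step 5. The base URL `https://juntekim.com`, the subject line and the 15-minute lifetime are assumptions taken from or consistent with the plan.

```typescript
import { createHash, randomBytes, randomUUID } from "node:crypto";

// Lifetime of a magic link, per the plan (15 minutes).
export const TOKEN_TTL_MS = 15 * 60 * 1000;

// One row of the magic link token table from step 2.
export interface MagicLinkToken {
  id: string;
  email: string;
  token_hash: string;
  expires_at: Date;
  used_at: Date | null;
  created_at: Date;
}

// In-memory stand-in for the real table (assumption: the MVP uses a SQL table with these columns).
export class TokenStore {
  private rows = new Map<string, MagicLinkToken>();

  insert(row: MagicLinkToken): void {
    this.rows.set(row.token_hash, row);
  }

  findByHash(tokenHash: string): MagicLinkToken | undefined {
    return this.rows.get(tokenHash);
  }

  // Compare-and-set: succeeds only if the row is still unused. The SQL equivalent is
  //   UPDATE magic_link_tokens SET used_at = $now WHERE token_hash = $hash AND used_at IS NULL
  // followed by checking that exactly one row was updated.
  consume(tokenHash: string, now: Date): boolean {
    const row = this.rows.get(tokenHash);
    if (!row || row.used_at !== null) return false;
    row.used_at = now;
    return true;
  }
}

// Only the SHA-256 of the token is stored; the raw token lives only in the emailed URL.
export function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

export function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Step 3: create the token row and the URL the email will carry.
export function issueMagicLink(
  store: TokenStore,
  email: string,
  baseUrl: string,
  now: Date,
): { url: string; row: MagicLinkToken } {
  const rawToken = randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
  const row: MagicLinkToken = {
    id: randomUUID(),
    email: normalizeEmail(email),
    token_hash: hashToken(rawToken),
    expires_at: new Date(now.getTime() + TOKEN_TTL_MS),
    used_at: null,
    created_at: now,
  };
  store.insert(row);
  const url = new URL("/auth/callback", baseUrl);
  url.searchParams.set("token", rawToken);
  return { url: url.toString(), row };
}

// Plain-text message handed to the SES SMTP adapter (assumption: nodemailer-style sendMail fields).
export function buildMagicLinkEmail(email: string, url: string) {
  return {
    from: "no-reply@juntekim.com",
    to: normalizeEmail(email),
    subject: "Your sign-in link", // assumed subject line
    text: `Click to sign in (valid for 15 minutes, single use):\n\n${url}\n\nIf you did not request this, ignore this email.`,
  };
}

export type VerifyResult =
  | { ok: true; email: string }
  | { ok: false; reason: "invalid" | "expired" | "used" };

// Step 5: /auth/callback. Hash, look up, check used/expired, then consume atomically.
export function verifyMagicLink(store: TokenStore, rawToken: string, now: Date): VerifyResult {
  const row = store.findByHash(hashToken(rawToken));
  if (!row) return { ok: false, reason: "invalid" };
  if (row.used_at !== null) return { ok: false, reason: "used" };
  if (row.expires_at.getTime() <= now.getTime()) return { ok: false, reason: "expired" };
  // Lost a race with a concurrent click: treat as already used; never create a second session.
  if (!store.consume(row.token_hash, now)) return { ok: false, reason: "used" };
  return { ok: true, email: row.email };
}
```

The three failure reasons map directly onto the error states in step 6. The session is created by the caller only when `verifyMagicLink` returns `ok: true`, which by then is the only code path that has flipped `used_at`.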
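---

### Added example: per-email and per-IP rate limiting (step 7)

This TypeScript is an added example, not project code, showing the two limits from step 7 in front of the "send magic link" handler. The counters are a sliding window kept in memory; the concrete limits (10 per IP per hour, 3 per address per 15 minutes) and the use of an in-process map are assumptions, and a deployment with more than one app instance would back the same logic with a shared store.

```typescript
// Sliding-window limiter keyed by an arbitrary string (email or client IP).
export interface RateLimitRule {
  limit: number;    // maximum requests per window
  windowMs: number; // window length in milliseconds
}

export class SlidingWindowLimiter {
  private readonly rule: RateLimitRule;
  private readonly hits = new Map<string, number[]>(); // key -> timestamps of allowed requests

  constructor(rule: RateLimitRule) {
    this.rule = rule;
  }

  // Returns true and records the hit if `key` is under its limit at `now` (ms since epoch).
  // Denied requests are not recorded, so a flood cannot extend its own lockout.
  allow(key: string, now: number): boolean {
    const cutoff = now - this.rule.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.rule.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

export type RequestDecision = "ok" | "ip_limited" | "email_limited";

// Guard for the magic link request endpoint. Default limits are assumed values, not from the plan.
export class MagicLinkRequestGuard {
  private readonly perIp: SlidingWindowLimiter;
  private readonly perEmail: SlidingWindowLimiter;

  constructor(
    ipRule: RateLimitRule = { limit: 10, windowMs: 60 * 60 * 1000 },
    emailRule: RateLimitRule = { limit: 3, windowMs: 15 * 60 * 1000 },
  ) {
    this.perIp = new SlidingWindowLimiter(ipRule);
    this.perEmail = new SlidingWindowLimiter(emailRule);
  }

  // `clientIp` must come from the connection or from a header set by a trusted proxy.
  check(email: string, clientIp: string, now: number): RequestDecision {
    // Normalize so "Alice@Example.com" and " alice@example.com" share one bucket.
    const emailKey = email.trim().toLowerCase();
    if (!this.perIp.allow(clientIp, now)) return "ip_limited";
    if (!this.perEmail.allow(emailKey, now)) return "email_limited";
    return "ok";
  }
}
```

Whatever the decision, the handler should show the same "Check your email" screen: a limited request silently sends nothing, which protects SES reputation without telling a caller which addresses are being targeted.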