🚀 MVP Next Steps – Post SES Setup
This document outlines the concrete next steps to build the MVP now that Amazon SES email delivery is fully configured and verified.
✅ Phase 0 — Email Infrastructure (COMPLETED)
Status: DONE
- SES domain verified (juntekim.com)
- DKIM, SPF, DMARC configured
- Custom MAIL FROM domain enabled
- Test email delivered to Gmail inbox
- SES production access requested
- SMTP credentials generated and stored securely
No further SES work is required for MVP.
🔐 Phase 1 — Magic Link Authentication (Core MVP)
1️⃣ Define Authentication Model
Decisions
- Email-only authentication (no passwords)
- Magic links are:
  - Single-use
  - Time-limited (e.g. 15 minutes)
  - Hashed before storage
- No persistent email storage
Outcome
- Clear security model before implementation
2️⃣ Create Magic Link Token Table
Required fields
- id
- email
- token_hash
- expires_at
- used_at
- created_at
Rules
- Never store raw tokens
- Reject expired tokens
- Reject reused tokens
- Mark token as used immediately after login
Outcome
- Database migration + model ready
3️⃣ Build Email Sending Adapter (SES SMTP)
Requirements
- Uses Amazon SES SMTP credentials
- Sends from no-reply@juntekim.com
- Generates secure magic link URLs
- Plain-text email (HTML later)
Example responsibility
sendMagicLink(email, url)
Outcome
- Single reusable email-sending utility
🔑 Phase 2 — NextAuth Integration
4️⃣ Configure NextAuth (Email Provider)
Actions
- Enable NextAuth Email provider
- Configure SES SMTP transport
- Disable default token storage
- Use custom DB token table
Outcome
- NextAuth initialized and functional
5️⃣ Implement /auth/callback Logic
Flow
- User clicks magic link
- Token is hashed and validated
- Token expiry checked
- Token marked as used
- Session created
- Redirect to app
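The token rules from step 2 and the callback flow from step 5, as an added example (not code from this repository): the raw token only ever appears in the URL, the table stores its SHA-256 hash, and the callback rejects unknown, expired and already-used tokens before marking the row used. The in-memory Map stands in for the real database table and the callback URL base is an assumption.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Mirrors the planned magic_link token table (assumption: a Map replaces the DB).
interface TokenRow {
  id: string;
  email: string;
  token_hash: string;
  expires_at: number; // epoch milliseconds
  used_at: number | null;
  created_at: number;
}

const TOKEN_TTL_MS = 15 * 60 * 1000; // the plan's 15-minute lifetime
const CALLBACK_BASE = "https://juntekim.com/auth/callback"; // assumed URL
const rows = new Map<string, TokenRow>(); // keyed by token_hash

const hashToken = (raw: string): string =>
  createHash("sha256").update(raw).digest("hex");

// Issue a link: persist only the hash, return the URL carrying the raw token.
function issueMagicLink(email: string, now: number = Date.now()): string {
  const raw = randomBytes(32).toString("hex");
  const token_hash = hashToken(raw);
  rows.set(token_hash, {
    id: randomBytes(16).toString("hex"),
    email,
    token_hash,
    expires_at: now + TOKEN_TTL_MS,
    used_at: null,
    created_at: now,
  });
  return `${CALLBACK_BASE}?token=${raw}`;
}

type VerifyStatus = "ok" | "invalid" | "expired" | "used";

// Callback logic: hash, look up, check expiry and reuse, then mark used
// before the caller creates a session for the returned email.
function consumeMagicLink(
  raw: string,
  now: number = Date.now(),
): { status: VerifyStatus; email?: string } {
  const row = rows.get(hashToken(raw));
  if (!row) return { status: "invalid" };
  if (now > row.expires_at) return { status: "expired" };
  if (row.used_at !== null) return { status: "used" };
  row.used_at = now;
  return { status: "ok", email: row.email };
}
```

The three failure statuses map directly onto the error states the UI in step 6 has to render.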
Outcome
- End-to-end login flow works
6️⃣ Minimal Authentication UI
Pages
- Email input form
- “Check your email” confirmation screen
- Error states:
  - Invalid token
  - Expired token
  - Already-used token
Outcome
- Usable authentication UX
🛡 Phase 3 — MVP Hardening (Still Lightweight)
7️⃣ Rate Limiting
Add limits for:
- Magic link requests per email
- Magic link requests per IP
Purpose:
- Prevent abuse
- Protect SES reputation
8️⃣ Basic Logging
Log only:
- Email requested
- Email send success/failure
- Login success/failure
Do not store email content.
9️⃣ Production Sanity Checks
Before real users:
- Test login on mobile + desktop
- Test Gmail + Outlook
- Test expired link behavior
- Test reused link rejection
🚦 MVP Definition of Done
The MVP is considered complete when:
- User enters email
- User receives magic link
- User clicks link
- User is authenticated
- Session persists
No additional features are required to ship.
🧠 Guiding Principles
- Infrastructure first (done)
- Security before UX polish
- Ship working flows early
- Avoid overbuilding before user feedback
🧩 Post-MVP (Optional, Later)
Do NOT block MVP on:
- HTML email templates
- Branded emails
- Email analytics
- Admin dashboards
- Multi-provider auth
- Password fallback
Ship first, iterate later.