# TODO List

## Security Improvements

### Make Server Secret Configurable

Currently, the server secret used for cookie encryption is not configurable and uses Rocket's default. We should:

- Add a configuration option for the server secret
- Allow it to be set via environment variable or config file
- Generate and persist a random secret on first run if none is provided
- Add documentation about the security implications of the secret

### Improve Session Management

Current session management is basic and needs improvement:

- Replace simple `user_id` cookie with a proper session system
- Add session expiry and renewal logic
- Store sessions in the database with proper cleanup
- Add ability to revoke sessions
- Consider adding "remember me" functionality
- Add session tracking (last used, IP, user agent, etc.)

Reference: [Current basic implementation in user.rs](src/user.rs) with the comment:

```rust
// TODO there should be a more complicated notion of a session
```
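As an added sketch of the "Make Server Secret Configurable" item (example code written for this note, not code from the project or from Rocket), the loader below implements the resolution order the list describes: an explicit value from the environment wins, then a persisted file, and only if neither exists is a fresh 256-bit secret drawn from the OS CSPRNG and written with owner-only permissions so later runs reuse it. Everything about the format is an assumption: hex encoding, a 32-byte length, the variable name `SERVER_SECRET`, and a Unix host with `/dev/urandom`. A short or malformed value is rejected rather than padded, since a silently truncated key would weaken cookie encryption without any visible error.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::path::Path;

/// A 256-bit secret, the size a cookie-encryption key needs (assumption:
/// the project settles on 32 bytes, hex-encoded, for its config format).
pub const SECRET_LEN: usize = 32;

#[derive(Debug)]
pub enum SecretError {
    /// Value contained something other than an even number of hex digits.
    BadHex,
    /// Decoded secret had the wrong length (carries the length found).
    WrongLength(usize),
    Io(io::Error),
}

impl From<io::Error> for SecretError {
    fn from(e: io::Error) -> Self {
        SecretError::Io(e)
    }
}

/// Decode a hex string; rejects odd lengths and non-hex characters instead of
/// silently truncating, so a typo in the config cannot yield a short key.
pub fn decode_hex(s: &str) -> Result<Vec<u8>, SecretError> {
    let s = s.trim();
    if s.len() % 2 != 0 || !s.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(SecretError::BadHex);
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).map_err(|_| SecretError::BadHex))
        .collect()
}

pub fn encode_hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn check_len(bytes: Vec<u8>) -> Result<Vec<u8>, SecretError> {
    if bytes.len() == SECRET_LEN { Ok(bytes) } else { Err(SecretError::WrongLength(bytes.len())) }
}

/// Fresh secret from the OS CSPRNG (assumption: Unix host with /dev/urandom).
fn random_secret() -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; SECRET_LEN];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf)
}

#[cfg(unix)]
fn owner_only(opts: &mut OpenOptions) {
    use std::os::unix::fs::OpenOptionsExt;
    opts.mode(0o600); // the secret file must not be group- or world-readable
}
#[cfg(not(unix))]
fn owner_only(_opts: &mut OpenOptions) {}

/// Resolution order: explicit value (from the environment) wins, then the
/// persisted file, and only if neither exists is a new secret generated and
/// written with owner-only permissions so later runs reuse it.
pub fn resolve_secret(env_value: Option<&str>, path: &Path) -> Result<Vec<u8>, SecretError> {
    if let Some(v) = env_value {
        return check_len(decode_hex(v)?);
    }
    if path.exists() {
        return check_len(decode_hex(&fs::read_to_string(path)?)?);
    }
    let secret = random_secret()?;
    let mut opts = OpenOptions::new();
    opts.write(true).create_new(true); // fail rather than clobber a racing writer
    owner_only(&mut opts);
    let mut f = opts.open(path)?;
    f.write_all(encode_hex(&secret).as_bytes())?;
    f.write_all(b"\n")?;
    Ok(secret)
}

/// Convenience wrapper: read the variable named `env_var` (SERVER_SECRET is a
/// placeholder name, not the project's) and fall back to `path`.
pub fn load_secret(env_var: &str, path: &Path) -> Result<Vec<u8>, SecretError> {
    let env_value = std::env::var(env_var).ok();
    resolve_secret(env_value.as_deref(), path)
}

fn main() {
    let path = std::env::temp_dir().join("server.secret");
    match load_secret("SERVER_SECRET", &path) {
        Ok(s) => println!("loaded {}-byte secret from {}", s.len(), path.display()),
        Err(e) => eprintln!("secret error: {:?}", e),
    }
}
```

`create_new(true)` matters on first run: if two instances start at once, the second open fails instead of overwriting a secret the first one is already using, and the operator sees an error rather than a silent key rotation that invalidates every cookie.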
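For the "Improve Session Management" item, the store below is an added example (written for this note, not the code in `src/user.rs` or any Rocket API) covering the bullets in one place: opaque tokens instead of a bare `user_id` cookie, sliding expiry with renewal on use, a longer window for "remember me", revocation of one session or of every session a user holds, periodic cleanup, and last-used/IP/user-agent tracking. Assumptions: the store is an in-memory `HashMap` standing in for the database table the TODO calls for, the session token is generated by the caller from a CSPRNG, and the current time is passed in explicitly so the expiry logic can be exercised deterministically.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Tracking data kept per session (the "last used, IP, user agent" item).
#[derive(Debug, Clone)]
pub struct SessionMeta {
    pub ip: String,
    pub user_agent: String,
}

#[derive(Debug, Clone)]
pub struct Session {
    pub user_id: u64,
    pub created: Instant,
    pub last_used: Instant,
    pub expires_at: Instant,
    pub remember_me: bool,
    pub meta: SessionMeta,
}

/// In-memory stand-in for the database-backed store the TODO calls for.
/// Keys are opaque session tokens; a real store would keep a hash of the
/// token so a database leak does not hand out live sessions.
pub struct SessionStore {
    sessions: HashMap<String, Session>,
    idle_ttl: Duration,     // sliding expiry for ordinary sessions
    remember_ttl: Duration, // longer sliding expiry for "remember me"
}

impl SessionStore {
    pub fn new(idle_ttl: Duration, remember_ttl: Duration) -> Self {
        Self { sessions: HashMap::new(), idle_ttl, remember_ttl }
    }

    fn ttl_for(&self, remember_me: bool) -> Duration {
        if remember_me { self.remember_ttl } else { self.idle_ttl }
    }

    /// Register a session. `token` must be a fresh high-entropy value from a
    /// CSPRNG; generating it is the caller's job here (assumption), never a
    /// predictable id such as the user_id the current cookie carries.
    pub fn create(&mut self, token: &str, user_id: u64, remember_me: bool, meta: SessionMeta, now: Instant) -> Result<(), &'static str> {
        if self.sessions.contains_key(token) {
            return Err("token already in use");
        }
        let expires_at = now + self.ttl_for(remember_me);
        self.sessions.insert(token.to_string(), Session { user_id, created: now, last_used: now, expires_at, remember_me, meta });
        Ok(())
    }

    /// Validate a presented token at `now`. Expired sessions are dropped and
    /// yield None; live ones are renewed (sliding window) and return the user.
    pub fn touch(&mut self, token: &str, now: Instant) -> Option<u64> {
        if now >= self.sessions.get(token)?.expires_at {
            self.sessions.remove(token);
            return None;
        }
        let (idle, remember) = (self.idle_ttl, self.remember_ttl);
        let s = self.sessions.get_mut(token)?;
        s.last_used = now;
        s.expires_at = now + if s.remember_me { remember } else { idle };
        Some(s.user_id)
    }

    /// Revoke a single session (logout); true if it existed.
    pub fn revoke(&mut self, token: &str) -> bool {
        self.sessions.remove(token).is_some()
    }

    /// Log a user out everywhere, e.g. after a password change.
    pub fn revoke_all_for_user(&mut self, user_id: u64) -> usize {
        let before = self.sessions.len();
        self.sessions.retain(|_, s| s.user_id != user_id);
        before - self.sessions.len()
    }

    /// Periodic cleanup job; returns how many expired sessions were purged.
    pub fn cleanup(&mut self, now: Instant) -> usize {
        let before = self.sessions.len();
        self.sessions.retain(|_, s| now < s.expires_at);
        before - self.sessions.len()
    }

    pub fn get(&self, token: &str) -> Option<&Session> { self.sessions.get(token) }
    pub fn len(&self) -> usize { self.sessions.len() }
    pub fn is_empty(&self) -> bool { self.sessions.is_empty() }
}

fn main() {
    let now = Instant::now();
    let mut store = SessionStore::new(Duration::from_secs(30 * 60), Duration::from_secs(30 * 24 * 3600));
    let meta = SessionMeta { ip: "203.0.113.5".into(), user_agent: "example-client/1.0".into() }; // constructed sample
    store.create("constructed-token", 42, false, meta, now).unwrap();
    println!("user for token: {:?}, live sessions: {}", store.touch("constructed-token", now), store.len());
}
```

Because expiry is checked on every `touch`, a session that outlives its window is refused immediately even if the cleanup job has not run yet; `cleanup` only bounds storage growth. The per-session IP and user agent are what an operator would surface in an "active sessions" page and what makes a targeted `revoke` possible.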