# Specs & Plans System specifications from ~/system/specs/drop-\*.md # System Specifications # drop-accessibility-spec # Drop Accessibility Audit Specification (WCAG 2.1 AA) **Version:** 1.0 **Date:** 2026-02-17 **Project:** Drop — Fintech Payment App **Compliance Standard:** WCAG 2.1 Level AA + Norwegian Universal Design Law **Author:** Architect Agent **Status:** Draft --- ## Executive Summary This specification defines the accessibility audit requirements for Drop, a fintech payment application serving all residents of Norway and Scandinavia. The audit ensures compliance with: 1. **WCAG 2.1 Level AA** — International accessibility standard 2. **Norwegian Law:** Likestillings- og diskrimineringsloven § 18 (Equality and Anti-Discrimination Act) 3. **IKT-forskriften** — Regulation for Universal Design of ICT Solutions 4. **Digitaliseringsdirektoratet (Digdir) Guidelines** — Norwegian government digital accessibility requirements **Legal Context:** Norway requires universal design of digital services for both public and private sectors. Non-compliance can result in fines from Digitaliseringsdirektoratet. WCAG 2.1 AA is the legal minimum standard in Norway. **Tech Stack:** Drop uses Next.js 16 + React 19 + Radix UI (which has built-in accessibility features) + Tailwind v4. The application is mobile-first, with most users on phones. --- ## 1. Norwegian Legal Requirements ### 1.1 Applicable Laws | Law/Regulation | Section | Requirement | |----------------|---------|-------------| | Likestillings- og diskrimineringsloven | § 18 | Prohibition of discrimination based on disability; duty to provide universal design | | Forskrift om universell utforming av IKT | All sections | Universal design of ICT solutions for public and private sectors (education, banking, commerce) | | Finanstilsynet Guidelines | N/A | Financial services must be accessible to all customers | | GDPR (DSGVO) | Article 25 | Privacy by design — accessible consent forms and data access requests | ### 1.2 Regulatory Bodies - **Digitaliseringsdirektoratet (Digdir):** Supervises universal design of ICT - **Likestillings- og diskrimineringsombudet (LDO):** Investigates discrimination complaints - **Finanstilsynet:** Financial services regulator (monitors customer protection) ### 1.3 Compliance Deadlines - **2025 Goal:** Norway universally designed by 2025 (national action plan) - **Drop Target:** Full WCAG 2.1 AA compliance before public launch (Q2 2026) - **Annual Monitoring:** Digdir annually monitors compliance — results reported to ESA/EU ### 1.4 Enforcement - **Fines:** Digitaliseringsdirektoratet can issue fines for non-compliance - **Discrimination Claims:** Users can file complaints with LDO - **Reputational Risk:** Public disclosure of accessibility failures impacts trust in fintech sector --- ## 2. WCAG 2.1 AA Success Criteria Checklist WCAG 2.1 AA includes **all 50 success criteria from WCAG 2.0 Level A/AA** plus **17 new criteria from WCAG 2.1**. Below is the complete checklist mapped to Drop features. ### 2.1 Principle 1: Perceivable Information and user interface components must be presentable to users in ways they can perceive. #### Guideline 1.1: Text Alternatives | ID | Criterion | Level | Drop Application | |----|-----------|-------|------------------| | 1.1.1 | Non-text Content | A | All images, icons, QR codes, logos have alt text or ARIA labels | **Drop Implementation:** - Drop logo: ` Drop logo - green rounded square with dollar icon

Tjeneste	Gebyr	Hastighet	Lojalitet
Drop	0.5%	Minutter	Bonuspoeng
Western Union	5-10%	1-3 dager	—
Wise	0.7-1.2%	1-2 dager	—
Tradisjonell bank	50-200 kr + FX	3-5 dager	—

` - Country flags in recipient list: `🇷🇸` - QR scanner UI: `

``` #### B. Stats Card ```tsx

Venner invitert

Har sendt penger

600 kr

Totalt tjent

``` #### C. Credits Balance ```tsx

150 kr

Tilgjengelig kreditt

50 kr utløper om 12 dager

``` #### D. Referral History ```tsx

Dine invitasjoner

{referrals.map(ref => (

{ref.refereeName}

{ref.signupDate}

{ref.status === 'pending' && '⏳ Venter på overføring'} {ref.status === 'completed' && '✅ +50 kr'}

))}

``` ### 6.6 Share Templates #### WhatsApp Message ``` Hei! 👋 Jeg bruker Drop for å sende penger hjem. De tar bare 0.5% gebyr (Western Union tar 10%!). Vi får begge 50 kr hvis du registrerer deg og sender din første overføring: https://getdrop.no?ref=MK3P7Z Helt gratis å prøve. Tar 2 minutter å sette opp med BankID. Mvh, [FirstName] ``` #### Email Template ``` Subject: Spar 90% på gebyrer når du sender penger Hei! Jeg bruker Drop for internasjonale pengeoverføringer. De tar bare 0.5% gebyr — ikke 5-10% som Western Union og banker. Vi får begge 50 kr hvis du registrerer deg via min lenke og sender din første overføring: 👉 https://getdrop.no?ref=MK3P7Z Drop er regulert i Norge og bruker BankID for sikkerhet. Pengene er fremme på minutter, ikke dager. Helt gratis å prøve. Ingen binding. Mvh, [FirstName] ``` #### SMS Template ``` Hei! Prøv Drop for pengeoverføringer (0.5% gebyr). Vi får begge 50 kr: getdrop.no?ref=MK3P7Z ``` --- ## 7. Campaign Tracking & Attribution ### 7.1 UTM Parameter Strategy **Standard UTM Structure:** ``` https://getdrop.no?utm_source={source}&utm_medium={medium}&utm_campaign={campaign}&utm_content={content}&utm_term={term} ``` **Campaign Matrix:** | Campaign Type | Source | Medium | Example | |--------------|--------|--------|---------| | Facebook Ads | facebook | cpc | utm_source=facebook&utm_medium=cpc&utm_campaign=launch_2026 | | Instagram Ads | instagram | cpc | utm_source=instagram&utm_medium=cpc&utm_campaign=qr_promo | | Google Ads | google | cpc | utm_source=google&utm_medium=cpc&utm_campaign=send_penger | | LinkedIn Organic | linkedin | social | utm_source=linkedin&utm_medium=social&utm_campaign=alem_post | | Email Newsletter | email | newsletter | utm_source=email&utm_medium=newsletter&utm_campaign=waitlist_launch | | Partner Link (SB1) | sparebank1 | partner | utm_source=sparebank1&utm_medium=partner&utm_campaign=coop | | Press Article | shifter | pr | utm_source=shifter&utm_medium=pr&utm_campaign=launch_coverage | | Referral Program | referral | organic | (handled separately via ?ref= param) | **Naming Conventions:** - `utm_source`: Platform name (lowercase, no spaces) - `utm_medium`: Traffic type (cpc, social, email, partner, pr, organic, display) - `utm_campaign`: Campaign identifier (snake_case, descriptive) - `utm_content`: Ad variation (ad_1, ad_2, hero_cta, footer_link) - `utm_term`: Keyword (Google Ads only) ### 7.2 UTM Tracking Implementation #### A. Client-Side Capture (Landing Page) **Add to `index.html` (before waitlist form):** ```javascript // Capture all UTM params + referral code const urlParams = new URLSearchParams(window.location.search); const utm = { source: urlParams.get('utm_source') || 'direct', medium: urlParams.get('utm_medium') || 'none', campaign: urlParams.get('utm_campaign') || '', content: urlParams.get('utm_content') || '', term: urlParams.get('utm_term') || '', referral: urlParams.get('ref') || '' }; // Store in localStorage (persist across pages) localStorage.setItem('drop_attribution', JSON.stringify(utm)); // Track landing (fire-and-forget) fetch('/api/analytics/track', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ event: 'page_view', page: window.location.pathname, utm: utm, timestamp: new Date().toISOString() }) }); ``` #### B. Waitlist Signup Attribution **Modify `/api/waitlist` to capture UTM:** ```typescript const utm = request.body.utm; // Sent from frontend await run( `INSERT INTO waitlist (id, email, utm_source, utm_medium, utm_campaign, utm_content, utm_term, referral_code, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'))`, [ randomId('wait'), email, utm.source, utm.medium, utm.campaign, utm.content, utm.term, utm.referral ] ); ``` **Database Schema Update:** ```sql ALTER TABLE waitlist ADD COLUMN utm_source TEXT; ALTER TABLE waitlist ADD COLUMN utm_medium TEXT; ALTER TABLE waitlist ADD COLUMN utm_campaign TEXT; ALTER TABLE waitlist ADD COLUMN utm_content TEXT; ALTER TABLE waitlist ADD COLUMN utm_term TEXT; ALTER TABLE waitlist ADD COLUMN referral_code TEXT; ``` #### C. User Registration Attribution **Modify `/api/auth/register` to capture UTM:** ```typescript const utm = request.body.utm; // Retrieved from localStorage → sent in signup payload await run( `UPDATE users SET utm_source = ?, utm_medium = ?, utm_campaign = ?, utm_content = ?, utm_term = ?, referral_code = ? WHERE id = ?`, [utm.source, utm.medium, utm.campaign, utm.content, utm.term, utm.referral, userId] ); ``` **Database Schema Update:** ```sql ALTER TABLE users ADD COLUMN utm_source TEXT; ALTER TABLE users ADD COLUMN utm_medium TEXT; ALTER TABLE users ADD COLUMN utm_campaign TEXT; ALTER TABLE users ADD COLUMN utm_content TEXT; ALTER TABLE users ADD COLUMN utm_term TEXT; ``` ### 7.3 Attribution Reporting **Query: Waitlist Signups by Source** ```sql SELECT utm_source, utm_medium, utm_campaign, COUNT(*) as signups, COUNT(*) * 100.0 / (SELECT COUNT(*) FROM waitlist) as percentage FROM waitlist WHERE created_at > date('now', '-30 days') GROUP BY utm_source, utm_medium, utm_campaign ORDER BY signups DESC; ``` **Query: User Registrations by Source** ```sql SELECT utm_source, utm_medium, COUNT(*) as registrations, SUM(CASE WHEN kyc_status = 'approved' THEN 1 ELSE 0 END) as verified_users, ROUND(100.0 * SUM(CASE WHEN kyc_status = 'approved' THEN 1 ELSE 0 END) / COUNT(*), 2) as verification_rate FROM users WHERE created_at > date('now', '-30 days') GROUP BY utm_source, utm_medium ORDER BY registrations DESC; ``` **Query: Campaign ROI (Revenue per Source)** ```sql SELECT u.utm_source, u.utm_campaign, COUNT(DISTINCT u.id) as users, COUNT(DISTINCT t.id) as transactions, SUM(t.amount * 0.005) as revenue_generated, -- 0.5% fee revenue_generated / COUNT(DISTINCT u.id) as revenue_per_user FROM users u LEFT JOIN transactions t ON t.user_id = u.id WHERE u.created_at > date('now', '-30 days') GROUP BY u.utm_source, u.utm_campaign ORDER BY revenue_generated DESC; ``` ### 7.4 Conversion Pixels #### Facebook Pixel **Add to `` of landing page:** ```html ``` **Track Waitlist Signup:** ```javascript // In waitlist form submit handler if (response.ok) { fbq('track', 'Lead'); // Facebook standard event } ``` **Track Registration:** ```javascript // In /api/auth/register success callback fbq('track', 'CompleteRegistration'); // Facebook standard event ``` #### Google Ads Conversion Tracking **Add to ``:** ```html ``` **Track Conversion:** ```javascript // In waitlist form submit handler if (response.ok) { gtag('event', 'conversion', { 'send_to': 'AW-XXXXX/CONVERSION_LABEL', 'value': 1.0, 'currency': 'NOK' }); } ``` --- ## 8. Email Marketing Integration ### 8.1 Campaign Types **Note:** Email service layer already specified in `drop-email-system-spec.md`. This section defines marketing-specific campaigns. #### A. Waitlist Nurture Series (Pre-Launch) **Trigger:** User signs up for waitlist **Email 1 (Immediate):** Confirmation - Subject: "Du er på listen! 🎉" - Content: Confirm signup, set expectations (launch date), share referral link - CTA: "Inviter venner — hopp køen" **Email 2 (Day 7):** Educational - Subject: "Derfor tar banker så høye gebyrer" - Content: Explain remittance market, Western Union fees, Drop's pass-through model - CTA: "Les mer om Drop" **Email 3 (Day 14):** Social Proof - Subject: "2,000+ nordmenn venter allerede" - Content: Waitlist count, testimonials (when available), SpareBank 1 partnership mention - CTA: "Del med venner" **Email 4 (Day 21):** Product Demo - Subject: "Se hvordan Drop fungerer (90 sekunder)" - Content: Embed demo video, screenshot walkthrough - CTA: "Se videoen" **Email 5 (Pre-Launch -7 days):** Launch Countdown - Subject: "Drop lanseres om 7 dager!" - Content: Countdown timer, "first 1000 get 5 free transfers" reminder - CTA: "Sett påminnelse" **Email 6 (Launch Day):** App Available - Subject: "Drop er her! Last ned nå." - Content: App Store/Play Store links, onboarding guide - CTA: "Last ned gratis" #### B. Onboarding Series (Post-Registration) **Email 1 (After Registration):** Welcome - Subject: "Velkommen til Drop!" - Content: What to expect, link BankID reminder, first transfer incentive - CTA: "Fullfør profilen din" **Email 2 (Day 3, if no BankID):** Nudge - Subject: "Koble BankID — ta 2 minutter" - Content: Why BankID is required, security explanation - CTA: "Koble BankID" **Email 3 (Day 7, if no first transfer):** First Transfer Incentive - Subject: "Send din første overføring — få 50 kr" - Content: Referral credit reminder, fee comparison - CTA: "Send penger nå" #### C. Re-engagement Series (Dormant Users) **Trigger:** User hasn't sent a transfer in 30 days **Email 1 (Day 30):** Gentle Reminder - Subject: "Vi savner deg!" - Content: "It's been a while..." + new features announcement - CTA: "Send penger igjen" **Email 2 (Day 60):** Win-back Offer - Subject: "25 kr gratis på din neste overføring" - Content: Exclusive promo code (one-time use) - CTA: "Bruk koden" **Email 3 (Day 90):** Feedback Request - Subject: "Hvorfor sluttet du å bruke Drop?" - Content: Survey link (3 questions max) - CTA: "Del tilbakemelding" ### 8.2 Marketing Consent Management **Consent Collection (During Registration):** ```html Jeg ønsker å motta tips, tilbud og nyheter fra Drop (valgfritt) ``` **Database Schema (already in onboarding spec):** ```sql -- consents table already defined INSERT INTO consents (id, user_id, consent_type, granted, granted_at, ip_address) VALUES (?, ?, 'marketing', ?, datetime('now'), ?); ``` **Email Unsubscribe Link (Footer):** ```html

Vil du ikke lenger motta e-poster fra Drop? Avslutt abonnement

``` **Unsubscribe Endpoint:** ```typescript // GET /unsubscribe?token={jwt} const { userId } = verifyUnsubscribeToken(token); await run( `UPDATE consents SET granted = 0, withdrawn_at = datetime('now') WHERE user_id = ? AND consent_type = 'marketing'`, [userId] ); // Show confirmation page: "Du er fjernet fra listen." ``` ### 8.3 Email Automation Triggers **Trigger Table:** | Event | Delay | Campaign | Condition | |-------|-------|----------|-----------| | Waitlist signup | 0s | Waitlist Email 1 | — | | Waitlist signup | 7d | Waitlist Email 2 | If not registered | | Waitlist signup | 14d | Waitlist Email 3 | If not registered | | User registered | 0s | Onboarding Email 1 | — | | User registered | 3d | Onboarding Email 2 | If no BankID | | User registered | 7d | Onboarding Email 3 | If no transfer | | First transfer | 0s | First Transfer Receipt | — | | Last transfer | 30d | Re-engagement Email 1 | If no transfer in 30d | | Last transfer | 60d | Re-engagement Email 2 | If no transfer in 60d | **Implementation:** - Use cron job or scheduled task (runs every hour) - Query database for users matching trigger conditions - Call `sendEmail()` from email service layer - Mark email as sent in `email_log` table --- ## 9. Analytics & Reporting ### 9.1 Analytics Platform Selection **Options:** | Platform | Pros | Cons | Cost | |----------|------|------|------| | **Plausible** (RECOMMENDED) | GDPR-compliant, no cookies, simple, Norwegian data center | Fewer features than GA4 | €9/mo (10k pageviews) | | Google Analytics 4 | Free, comprehensive, industry standard | Cookie consent required, complex | Free | | Mixpanel | Event tracking, funnel analysis, cohorts | Expensive at scale | $20/mo (1k users) | | PostHog | Self-hosted option, session replay | Complex setup | $0 (self-hosted) | **Recommendation:** Start with **Plausible** for landing page (no cookie consent banner needed), add Mixpanel for in-app analytics post-launch. ### 9.2 Plausible Setup (Landing Page) **Add to ``:** ```html ``` **Track Custom Events:** ```javascript // Waitlist signup plausible('Waitlist Signup', { props: { source: utm.source } }); // Referral link click plausible('Referral Link Click', { props: { code: refCode } }); // CTA button click plausible('CTA Click', { props: { location: 'hero' } }); ``` **Plausible Goals (Configure in Dashboard):** - Waitlist Signup (pageview: /api/waitlist success) - App Store Click (custom event) - Play Store Click (custom event) - Referral Link Click (custom event) - Video Play (custom event) ### 9.3 In-App Analytics (Mixpanel) **Events to Track:** #### Acquisition - `user_registered` (properties: utm_source, utm_medium, referral_code) - `bankid_verified` (properties: time_to_verify_seconds) - `kyc_approved` (properties: time_to_approve_seconds) #### Activation - `first_transfer_completed` (properties: amount, currency, destination_country) - `qr_payment_completed` (properties: amount, merchant_name) - `bank_account_linked` (properties: bank_name) #### Engagement - `app_opened` (properties: session_count) - `screen_viewed` (properties: screen_name) - `transfer_initiated` (properties: amount, currency) - `transfer_cancelled` (properties: step, reason) #### Retention - `transfer_completed` (properties: amount, transfer_count, days_since_last_transfer) - `push_notification_received` (properties: type) - `push_notification_clicked` (properties: type) #### Referral - `referral_link_shared` (properties: channel: whatsapp|sms|email) - `referral_link_clicked` (properties: referrer_id) - `referral_reward_earned` (properties: amount, referee_id) #### Revenue - `fee_charged` (properties: amount_nok, transaction_type) - `credit_applied` (properties: amount, source) **Mixpanel People Properties:** ```typescript mixpanel.people.set({ "$email": user.email, "$name": `${user.firstName} ${user.lastName}`, "signup_date": user.createdAt, "utm_source": user.utmSource, "referral_code": user.referralCode, "total_transfers": user.transferCount, "total_revenue": user.totalFeesPaid, "kyc_status": user.kycStatus, "bankid_verified": user.bankidVerified }); ``` ### 9.4 Key Metrics Dashboard **Acquisition Metrics:** - Landing page visitors (unique) - Waitlist signups - Waitlist → Registration conversion rate - Registration → BankID verification rate - BankID → KYC approval rate - Overall conversion (Visitor → Verified User) **Activation Metrics:** - Time to first transfer (median) - First transfer completion rate (within 7 days of registration) - Average first transfer amount - QR payment adoption rate (% of users who scan at least 1 QR) **Engagement Metrics:** - DAU (Daily Active Users) - WAU (Weekly Active Users) - MAU (Monthly Active Users) - Transfers per user per month - Average transaction value **Retention Metrics:** - Day 1, 7, 30, 90 retention - Cohort analysis (users by signup month) - Churn rate (users with no transfer in 90 days) **Referral Metrics:** - Referral rate (% of users who share link) - Referral conversion rate (signups per shared link) - Viral coefficient (new users per existing user) - Referral ROI (LTV of referred users vs. non-referred) **Revenue Metrics:** - Total fee revenue (kr) - Revenue per user (kr) - Revenue per transfer (kr) - Credit redemption rate (% of credits used) **Campaign Performance:** - Cost per waitlist signup (CPA) - Cost per registration (CPA) - Cost per verified user (CPA) - ROAS (Return on Ad Spend) by channel --- ## 10. A/B Testing Framework ### 10.1 Testing Strategy **Goal:** Optimize conversion at every funnel step **Test Prioritization (ICE Framework):** | Test | Impact | Confidence | Ease | ICE Score | |------|--------|------------|------|-----------| | Hero CTA copy ("Bli med" vs "Registrer deg") | 8 | 9 | 10 | 27 | | Waitlist incentive ("5 free transfers" vs "50 kr credit") | 9 | 7 | 10 | 26 | | Feature order (Remittance first vs QR first) | 6 | 8 | 9 | 23 | | Phone mockup vs real screenshot | 7 | 6 | 8 | 21 | | Social proof placement (hero vs below features) | 5 | 7 | 9 | 21 | **Test Velocity:** 1 test every 2 weeks (minimum 2 weeks per test for statistical significance) ### 10.2 A/B Testing Tools **Options:** | Tool | Pros | Cons | Cost | |------|------|------|------| | **Vercel Edge Middleware** (RECOMMENDED) | Fast, server-side, free | Manual implementation | Free | | Google Optimize (Deprecated) | — | Sunset 2023 | — | | Optimizely | Visual editor, advanced targeting | Expensive | $50k+/year | | VWO | Visual editor, heatmaps | Complex setup | $199/mo | | PostHog | Open source, feature flags | Self-hosted complexity | Free (self-hosted) | **Recommendation:** Use **Vercel Edge Middleware** for simple A/B tests (free, fast, server-side). Upgrade to PostHog if feature flags needed. ### 10.3 Implementation (Vercel Edge Middleware) **File:** `middleware.ts` ```typescript import { NextRequest, NextResponse } from 'next/server'; export function middleware(request: NextRequest) { const { pathname } = request.nextUrl; // Only run A/B test on homepage if (pathname !== '/') return NextResponse.next(); // Check if user already has variant assigned let variant = request.cookies.get('ab_hero_cta')?.value; if (!variant) { // Assign variant (50/50 split) variant = Math.random() < 0.5 ? 'A' : 'B'; const response = NextResponse.next(); response.cookies.set('ab_hero_cta', variant, { maxAge: 30 * 24 * 60 * 60, // 30 days httpOnly: true, sameSite: 'lax' }); return response; } return NextResponse.next(); } ``` **Frontend (index.html):** ```javascript // Read variant from cookie const variant = document.cookie .split('; ') .find(row => row.startsWith('ab_hero_cta=')) ?.split('=')[1] || 'A'; // Update CTA based on variant const ctaButton = document.querySelector('.btn-gradient'); if (variant === 'B') { ctaButton.textContent = 'Registrer deg gratis'; // Variant B } else { ctaButton.textContent = 'Bli med på ventelisten'; // Variant A (control) } // Track variant in analytics plausible('pageview', { props: { ab_hero_cta: variant } }); ``` **Track Conversion:** ```javascript // In waitlist form submit handler plausible('Waitlist Signup', { props: { ab_hero_cta: variant, utm_source: utm.source } }); ``` **Analysis:** ```sql -- Conversion rate by variant SELECT ab_variant, COUNT(*) as views, SUM(CASE WHEN converted = 1 THEN 1 ELSE 0 END) as conversions, ROUND(100.0 * SUM(CASE WHEN converted = 1 THEN 1 ELSE 0 END) / COUNT(*), 2) as conversion_rate FROM analytics_events WHERE event_type = 'pageview' AND created_at > date('now', '-14 days') GROUP BY ab_variant; ``` **Statistical Significance Calculator:** - Use https://abtestguide.com/calc/ or similar - Minimum sample size: 385 per variant (95% confidence, 5% margin of error) - Run test until both variants reach minimum sample size --- ## 11. Content Marketing (Blog) ### 11.1 Blog Infrastructure **Goal:** SEO traffic + thought leadership **Platform Options:** | Option | Pros | Cons | |--------|------|------| | **Next.js MDX** (RECOMMENDED) | Same codebase, fast, full control | Manual implementation | | Substack | Easy setup, newsletter integration | External platform, limited branding | | Medium | Built-in audience | No domain control, paywall | | WordPress | SEO plugins, familiar | Separate hosting, slower | **Recommendation:** Next.js MDX (markdown files → static pages) ### 11.2 Blog Structure **Directory:** ``` /landing/blog/ ├── index.html # Blog homepage (list of posts) ├── slik-sender-du-penger-til-tyrkia.html ├── drop-vs-western-union.html ├── hvorfor-banker-tar-hoye-gebyrer.html └── qr-betaling-forklart.html ``` **Blog Post Template:** ```html [Post Title] — Drop Blog

[Post Title]

Publisert 15. mars 2026 · 5 min lesing

[Post content in HTML]

Prøv Drop gratis

Send penger til 30+ land med bare 0.5% gebyr.

Registrer deg

``` ### 11.3 Content Calendar (First 90 Days) **Goal:** 2 posts per week (8 posts/month) **Week 1-2 (SEO Foundation):** 1. "Slik sender du penger til Tyrkia fra Norge" (target: "send penger til tyrkia") 2. "Drop vs Western Union: Detaljert sammenligning" (target: "western union alternativ") **Week 3-4 (Educational):** 3. "Hvorfor tar banker så høye gebyrer på pengeoverføringer?" (thought leadership) 4. "QR-betaling forklart: Slik fungerer det" (target: "qr betaling") **Week 5-6 (Comparison):** 5. "Drop vs Wise: Hva er forskjellen?" (target: "wise alternativ") 6. "De beste måtene å sende penger til utlandet i 2026" (target: "billigste pengeoverføring") **Week 7-8 (Use Cases):** 7. "Slik sender du penger hjem til familie i utlandet" (emotional, storytelling) 8. "QR-betaling for småbedrifter: Guiden" (merchant-focused) **Content Distribution:** - Publish on blog - Share on LinkedIn (Alem's profile) - Send to waitlist (weekly digest) - Submit to relevant subreddits (r/norway, r/norge — carefully, no spam) --- ## 12. Social Media Strategy ### 12.1 Platform Prioritization | Platform | Priority | Audience | Content Type | Frequency | |----------|----------|----------|--------------|-----------| | **LinkedIn** | HIGH | Business audience, partnerships, press | Company updates, thought leadership | 3x/week | | **Instagram** | MEDIUM | Consumers, visual storytelling | Features, user stories, behind-the-scenes | 5x/week | | **Facebook** | MEDIUM | Broader consumer base, ads | Features, blog posts, ads | 3x/week | | **Twitter/X** | LOW | Tech audience, customer support | Quick updates, support responses | As needed | | **TikTok** | LOW (Future) | Young audience | Short-form video | 0x/week (post-launch) | ### 12.2 Account Setup **Handles (Claim ASAP):** - Instagram: @dropnorge - Facebook: facebook.com/dropnorge - LinkedIn: linkedin.com/company/drop-norge - Twitter: @dropnorge (or @drop_norge if taken) **Bio Template (Instagram):** ``` Drop — Enklere betalinger. Lavere gebyrer. 💸 0.5% gebyr på internasjonale overføringer 📱 QR-betaling i butikk 🇳🇴 Regulert i Norge ⬇️ Registrer deg for tidlig tilgang ``` **Link in Bio:** - getdrop.no?utm_source=instagram&utm_medium=social&utm_campaign=bio_link ### 12.3 Content Pillars **Pillar 1: Product Education (40%)** - How Drop works (carousel posts) - Fee comparison infographics - Feature announcements - Tutorial videos **Pillar 2: Customer Stories (30%)** - User testimonials (when available) - "How I saved X kr with Drop" posts - Behind-the-scenes (team, product development) **Pillar 3: Industry Insights (20%)** - Fintech news commentary - Regulatory updates (Finanstilsynet) - Market trends (remittance, payments) **Pillar 4: Culture & Values (10%)** - Team introductions - Company values - Community engagement ### 12.4 Content Calendar (First Month) **Week 1:** - Mon: Introduce Drop (carousel: What is Drop?) - Wed: Fee comparison infographic (Drop vs banks) - Fri: Behind-the-scenes (team building the app) **Week 2:** - Mon: Feature spotlight (QR payment) - Wed: Blog post share (Why banks charge high fees) - Fri: Waitlist milestone ("1,000 people signed up!") **Week 3:** - Mon: FAQ carousel (Is Drop a bank? No.) - Wed: Partnership announcement (SpareBank 1, if approved) - Fri: User story (when available, or placeholder) **Week 4:** - Mon: Tutorial video (How to send money with Drop) - Wed: Industry news commentary (PSD2 update) - Fri: Countdown to launch (if applicable) ### 12.5 Paid Social Ads (Post-Launch) **Budget:** 10,000 NOK/month (testing phase) **Campaign 1: Waitlist Signups (Pre-Launch)** - Platform: Facebook + Instagram - Objective: Lead generation - Audience: Norway, age 25-45, interests: fintech, travel, expat groups - Creative: Carousel (3 slides): Problem → Solution → CTA - CTA: "Registrer deg gratis" - Landing page: getdrop.no?utm_source=facebook&utm_medium=cpc&utm_campaign=waitlist_signups **Campaign 2: App Installs (Post-Launch)** - Platform: Google App Campaigns - Objective: App installs - Audience: Norway, keywords: "send penger", "pengeoverføring", "western union alternativ" - Ad copy: "Send penger med 0.5% gebyr. Last ned Drop gratis." - Bid strategy: Target CPA (50 NOK per install) **Campaign 3: Retargeting (Post-Launch)** - Platform: Facebook + Instagram - Objective: Conversions (first transfer) - Audience: Custom audience (registered users who haven't transferred) - Creative: "You're one step away. Complete your first transfer and get 50 kr." - Landing page: Deep link to app (drop://send) --- ## 13. Legal & Compliance ### 13.1 Markedsføringsloven Compliance **Key Requirements:** **1. Identification of Marketing:** All marketing communications must be clearly identifiable as such. Commercial emails must include "Annonse" or "Reklame" in subject line. **Example:** ``` Subject: [Annonse] Spar opptil 90% på pengeoverføringer ``` **2. Opt-In for Electronic Marketing:** Electronic marketing (email, SMS) to natural persons requires **prior consent** (opt-in). Exception: existing customer relationship + same product category. **Implementation:** - Checkbox on registration: "Jeg ønsker å motta tilbud fra Drop" (unchecked by default) - Record consent in `consents` table with timestamp and IP - Unsubscribe link in every email **3. Misleading Marketing Prohibition:** Cannot make false or misleading claims. All claims must be substantiable. **Examples of Compliant Claims:** - ✅ "0.5% gebyr" (true, documented in pricing) - ✅ "Regulert i Norge" (true when PSD2 license obtained) - ❌ "Billigst i Norge" (unsubstantiated, use "Fra 0.5% gebyr" instead) **4. Comparative Marketing:** Can compare with competitors (Western Union, Wise) if factually accurate and verifiable. **Example:** ``` Drop: 0.5% gebyr Western Union: 5-10% gebyr* *Basert på gjennomsnittlig gebyr for 5,000 NOK overføring til Tyrkia, per Western Union's offentlige prisliste (februar 2026). ``` **5. Environmental Claims:** Cannot make environmental claims ("grønn", "klimavennlig") without documentation. **Drop's Claims:** None planned. ### 13.2 GDPR Marketing Compliance **Cookie Consent:** Marketing cookies (Facebook Pixel, Google Ads) require **explicit consent** before loading. **Implementation (Cookie Consent Banner):** ```html ``` **Privacy Policy Update:** Add section on marketing data usage: ```markdown ## Markedsføring Vi bruker din e-postadresse for å sende deg markedsføringskommunikasjon kun hvis du har gitt samtykke. Du kan når som helst trekke tilbake ditt samtykke ved å klikke på "Avslutt abonnement" nederst i enhver e-post. Vi bruker informasjonskapsler fra Facebook og Google for å måle effektiviteten av våre annonser. Du kan blokkere disse informasjonskapslene ved å avvise dem i vår informasjonskapselbanner. ``` --- ## 14. Cost Analysis ### 14.1 Tool Costs (Monthly) | Tool | Purpose | Cost (NOK) | Notes | |------|---------|------------|-------| | **Domain (getdrop.no)** | Domain registration | 100 kr/year | Already paid via one.com | | **Vercel Hosting** | Landing page hosting | 0 kr | Free tier (sufficient for landing page) | | **Plausible Analytics** | Landing page analytics | 90 kr | €9/mo, GDPR-compliant | | **Resend** | Email service | 0 kr (MVP) | Free tier: 3,000 emails/mo (sufficient for waitlist) | | **Mixpanel** | In-app analytics | 200 kr | $20/mo for 1k users | | **Social Media Ads** | Facebook + Instagram + Google | 10,000 kr | Testing budget (can scale up/down) | | **Design Tools (Canva Pro)** | Social media graphics | 150 kr | For non-Figma assets | | **Mailchimp** (Optional) | Email campaigns | 400 kr | If Resend not enough (10k contacts) | **Total Monthly Cost (MVP):** ~440 kr **Total with Ads:** ~10,440 kr ### 14.2 Referral Program Budget **Assumptions:** - 1,000 users in first 3 months - 50% referred by existing users (500 referrals) - 80% complete first transfer (400 conversions) - 50 kr reward per conversion (both referrer + referee) **Calculation:** ``` 400 conversions × 50 kr (referrer) = 20,000 kr 400 conversions × 50 kr (referee) = 20,000 kr Total referral rewards: 40,000 kr ``` **ROI:** - Cost per acquisition: 40,000 kr / 400 users = 100 kr/user - LTV estimate (conservative): 500 kr/user (10 transfers × 50 kr avg fee) - ROI: 500 kr / 100 kr = 5x **Budget Allocation:** - Referral rewards: 40,000 kr (Q1) - Paid ads: 30,000 kr (Q1) - Tools: 1,320 kr (Q1) - **Total Q1 Marketing Budget: 71,320 kr** --- ## 15. Implementation Plan ### 15.1 Phase 1: Landing Page Optimization (Week 1-2) **Owner:** John + Frontend builder agent **Tasks:** 1. Add conversion tracking (Plausible) - [ ] Sign up for Plausible account - [ ] Add tracking script to index.html - [ ] Configure goals (waitlist signup, CTA clicks) - [ ] Test tracking (verify events in Plausible dashboard) 2. Optimize hero section - [ ] Replace "Last ned gratis" with "Bli med på ventelisten" - [ ] Add "De første 1000 får 5 gratis overføringer" subtext - [ ] Replace phone mockup with real screenshot from Figma Make 3. Add FAQ section - [ ] Create FAQ accordion component - [ ] Add 5 common questions (Er Drop en bank?, Hvor mye koster det?, etc.) - [ ] Add FAQ structured data (JSON-LD) 4. Add comparison table - [ ] Create Drop vs Western Union vs Wise vs Bank table - [ ] Add styling (match landing page design) 5. Mobile optimization - [ ] Add sticky CTA bar on mobile - [ ] Test on iPhone/Android (Safari, Chrome) 6. Page speed optimization - [ ] Preload hero fonts - [ ] Lazy load images below fold - [ ] Minify CSS - [ ] Test with Lighthouse (target: 95+ score) **Acceptance:** - [ ] Plausible tracking works (waitlist signups logged) - [ ] Hero CTA updated with incentive - [ ] FAQ section renders correctly - [ ] Comparison table displays on desktop + mobile - [ ] Mobile sticky bar appears below 768px width - [ ] Lighthouse score >= 95 --- ### 15.2 Phase 2: SEO Foundation (Week 3-4) **Owner:** John + Content agent (Ollama) **Tasks:** 1. Add structured data - [ ] Add Organization schema to homepage - [ ] Add FAQ schema to FAQ section - [ ] Validate with Google Rich Results Test 2. Create sitemap.xml - [ ] Generate sitemap with all pages - [ ] Submit to Google Search Console - [ ] Submit to Bing Webmaster Tools 3. Create robots.txt - [ ] Allow all except /api/ - [ ] Add sitemap reference 4. Create blog infrastructure - [ ] Create /blog/index.html (blog homepage) - [ ] Create blog post template - [ ] Write first 2 blog posts (Tyrkia guide, Drop vs WU) 5. Subpage creation - [ ] Create /send-penger.html (dedicated remittance page) - [ ] Create /qr-betaling.html (QR explainer) - [ ] Create /priser.html (pricing comparison) **Acceptance:** - [ ] Structured data validates in Google Rich Results Test - [ ] Sitemap submitted to Google + Bing - [ ] robots.txt accessible at /robots.txt - [ ] Blog homepage lists 2 posts - [ ] 3 subpages created and indexed --- ### 15.3 Phase 3: UTM & Attribution (Week 5-6) **Owner:** John + Backend builder agent **Tasks:** 1. Implement UTM tracking - [ ] Add client-side UTM capture to index.html - [ ] Store UTM in localStorage - [ ] Modify /api/waitlist to save UTM params - [ ] Add utm_* columns to waitlist table 2. Update registration flow - [ ] Modify /api/auth/register to capture UTM from localStorage - [ ] Add utm_* columns to users table - [ ] Test registration with UTM params 3. Create attribution reports - [ ] SQL query: Waitlist signups by source - [ ] SQL query: User registrations by source - [ ] SQL query: Revenue by source (post-launch) 4. Add conversion pixels - [ ] Add Facebook Pixel to landing page - [ ] Add Google Ads conversion tracking - [ ] Test pixel firing (Facebook Events Manager) **Acceptance:** - [ ] UTM params saved to waitlist table - [ ] UTM params saved to users table - [ ] Attribution reports run successfully - [ ] Facebook Pixel tracks PageView + Lead - [ ] Google Ads tracks conversions --- ### 15.4 Phase 4: Referral System (Week 7-10) **Owner:** John + Backend builder agent **Tasks:** 1. Database schema - [ ] Create referral_codes table - [ ] Create referral_tracking table - [ ] Create referral_credits table - [ ] Create indexes 2. Backend endpoints - [ ] POST /api/referrals/generate-code - [ ] POST /api/referrals/track-click - [ ] Modify /api/auth/register (signup attribution) - [ ] Modify /api/transactions/remittance (reward issuance) 3. Referral dashboard UI - [ ] Create /profile/referrals page - [ ] Referral link card - [ ] Stats card (invites, conversions, earnings) - [ ] Credits balance - [ ] Referral history 4. Share functionality - [ ] WhatsApp share button - [ ] SMS share button - [ ] Email share button - [ ] Copy link button 5. Fraud prevention - [ ] Implement self-referral check (device fingerprint) - [ ] Implement minimum transfer amount (500 kr) - [ ] Implement monthly credit cap (500 kr) - [ ] Implement velocity check (10/day) **Acceptance:** - [ ] Referral code auto-generated on first login - [ ] Referral link click tracked - [ ] Signup attributed to referrer - [ ] First transfer triggers reward issuance - [ ] Referral dashboard displays stats - [ ] Share buttons open WhatsApp/SMS/Email - [ ] Fraud checks block abuse --- ### 15.5 Phase 5: App Store Listings (Week 11-12) **Owner:** John + Designer agent (Ollama) + QA **Tasks:** 1. iOS App Store listing - [ ] Write app name, subtitle, description - [ ] Select keywords - [ ] Generate 6 screenshots from Figma Make export - [ ] Create app preview video (30 sec) - [ ] Submit for review (when app ready) 2. Google Play Store listing - [ ] Write title, short description, full description - [ ] Create feature graphic (1024x500) - [ ] Generate 4 screenshots (Android ratio) - [ ] Submit for review (when app ready) 3. ASO optimization - [ ] Research keywords in App Store Connect - [ ] A/B test icon variants (internal testing) - [ ] Localize for NO + EN **Acceptance:** - [ ] iOS listing drafted (not submitted until app ready) - [ ] Android listing drafted - [ ] Screenshots match Figma design - [ ] App preview video rendered and reviewed - [ ] Keyword research documented --- ### 15.6 Phase 6: Email Campaigns (Week 13-14) **Owner:** John + Backend builder agent **Tasks:** 1. Waitlist nurture series - [ ] Create 6 email templates (confirmation → launch) - [ ] Set up automation triggers (day 0, 7, 14, 21, pre-launch -7, launch) - [ ] Test emails (send to test@getdrop.no) 2. Onboarding series - [ ] Create 3 email templates (welcome → first transfer nudge) - [ ] Set up automation triggers (day 0, 3, 7) - [ ] Test emails 3. Re-engagement series - [ ] Create 3 email templates (gentle → win-back → survey) - [ ] Set up automation triggers (day 30, 60, 90) - [ ] Test emails 4. Marketing consent - [ ] Add checkbox to registration form - [ ] Record consent in consents table - [ ] Add unsubscribe link to all emails - [ ] Create unsubscribe endpoint **Acceptance:** - [ ] All email templates render correctly in Gmail/Outlook - [ ] Automation triggers fire correctly (test with dummy users) - [ ] Marketing consent checkbox works - [ ] Unsubscribe link works --- ### 15.7 Phase 7: Analytics & Reporting (Week 15-16) **Owner:** John + Data analyst agent (Ollama) **Tasks:** 1. Mixpanel setup - [ ] Create Mixpanel account - [ ] Add Mixpanel SDK to app - [ ] Implement 15 core events (user_registered, first_transfer_completed, etc.) - [ ] Set People properties (email, name, utm_source, etc.) 2. Dashboards - [ ] Create Acquisition Dashboard (visitors → verified users) - [ ] Create Activation Dashboard (first transfer rate) - [ ] Create Retention Dashboard (D1, D7, D30 retention) - [ ] Create Referral Dashboard (viral coefficient) - [ ] Create Revenue Dashboard (fee revenue, revenue per user) 3. Reports - [ ] Weekly funnel report (automated, sent to Alem) - [ ] Monthly cohort analysis - [ ] Campaign performance report (ROI by channel) **Acceptance:** - [ ] Mixpanel events tracked in app - [ ] 5 dashboards created in Mixpanel - [ ] Weekly report automation set up --- ### 15.8 Phase 8: Social Media Launch (Week 17-18) **Owner:** John + Marketer agent (Ollama) **Tasks:** 1. Account setup - [ ] Create @dropnorge Instagram - [ ] Create facebook.com/dropnorge - [ ] Create linkedin.com/company/drop-norge - [ ] Design profile pictures + cover photos 2. Content calendar - [ ] Create 30-day content calendar (spreadsheet) - [ ] Design 12 Instagram posts (Canva) - [ ] Write captions + hashtags 3. First month execution - [ ] Schedule posts (Buffer or Hootsuite) - [ ] Engage with comments - [ ] Cross-post to LinkedIn 4. Paid ads (when budget available) - [ ] Set up Facebook Ads Manager - [ ] Create waitlist signup campaign - [ ] Set budget: 5,000 kr/month (testing) - [ ] Monitor daily, optimize weekly **Acceptance:** - [ ] All 3 social accounts live - [ ] 30-day content calendar completed - [ ] First 12 posts designed - [ ] Posts scheduled for first week --- ## 16. Success Metrics (3 Months Post-Launch) ### 16.1 Acquisition | Metric | Target | Measurement | |--------|--------|-------------| | Waitlist signups | 5,000 | Waitlist table count | | Waitlist → Registration | 40% | (Registrations / Waitlist signups) × 100 | | Registration → BankID | 80% | (BankID verified / Registrations) × 100 | | BankID → KYC Approved | 90% | (KYC approved / BankID verified) × 100 | | **Overall Conversion** | **30%** | **(Verified users / Waitlist signups) × 100** | ### 16.2 Activation | Metric | Target | Measurement | |--------|--------|-------------| | First transfer (within 7 days) | 60% | (Users with 1+ transfer / Verified users) × 100 | | QR payment adoption | 20% | (Users with 1+ QR payment / Verified users) × 100 | | Average first transfer | 3,000 kr | AVG(first transfer amount) | ### 16.3 Engagement | Metric | Target | Measurement | |--------|--------|-------------| | DAU/MAU ratio | 25% | (Daily active users / Monthly active users) × 100 | | Transfers per user per month | 2.5 | Total transfers / Active users | | QR payments per user per month | 5 | Total QR payments / Active QR users | ### 16.4 Retention | Metric | Target | Measurement | |--------|--------|-------------| | Day 1 retention | 60% | % of users who return day after signup | | Day 7 retention | 40% | % of users who return within 7 days | | Day 30 retention | 25% | % of users who return within 30 days | ### 16.5 Referral | Metric | Target | Measurement | |--------|--------|-------------| | Referral rate | 30% | (Users who shared link / Total users) × 100 | | Referral conversion | 50% | (Signups from referrals / Referral link clicks) × 100 | | **Viral coefficient** | **0.65** | **(Referral rate × Referral conversion) = 30% × 50% = 15%** (Note: Revolut's 65% from referrals means 0.65 new users per existing user) | ### 16.6 Revenue | Metric | Target | Measurement | |--------|--------|-------------| | Total fee revenue | 100,000 kr | SUM(transaction fee) | | Revenue per user | 100 kr | Total revenue / Active users | | Revenue per transfer | 40 kr | Total revenue / Total transfers | ### 16.7 Marketing | Metric | Target | Measurement | |--------|--------|-------------| | Organic traffic (SEO) | 2,000 visitors/mo | Plausible analytics | | Social media followers | 1,500 | Instagram + Facebook + LinkedIn | | Blog subscribers | 500 | Email list opt-ins from blog | | Cost per acquisition (CPA) | 150 kr | Total ad spend / New users | --- ## 17. Risk Mitigation ### 17.1 Key Risks **Risk 1: Low Referral Adoption** - **Likelihood:** Medium - **Impact:** High (referral is primary acquisition channel) - **Mitigation:** - Increase incentive from 50 kr to 75 kr (test) - Add gamification (leaderboard: "Top 10 referrers get 500 kr bonus") - Make sharing easier (one-tap WhatsApp share) - Add social proof ("2,340 people referred their friends") **Risk 2: High Customer Acquisition Cost (CAC)** - **Likelihood:** Medium - **Impact:** High (unprofitable if CAC > LTV) - **Mitigation:** - Start with organic channels (SEO, content, social) before paid ads - Set strict CPA targets (max 150 kr per user) - Pause ads if CPA exceeds target 2 weeks in a row - Focus on viral growth (referral program) **Risk 3: Poor App Store Visibility** - **Likelihood:** Medium - **Impact:** High (low organic installs) - **Mitigation:** - ASO optimization (keyword research, compelling screenshots) - Incentivize reviews (push notification after 3rd transfer: "Enjoying Drop? Leave a review") - App Store ads (Apple Search Ads) with strict CPA - Cross-promote on landing page **Risk 4: Email Deliverability Issues** - **Likelihood:** Low - **Impact:** Medium (users miss onboarding emails) - **Mitigation:** - Use reputable ESP (Resend) with good sender reputation - Authenticate domain (SPF, DKIM, DMARC) - Monitor bounce rate (<5% acceptable) - Avoid spam triggers (no ALL CAPS, excessive exclamation marks) **Risk 5: Referral Fraud** - **Likelihood:** Medium - **Impact:** High (budget drain) - **Mitigation:** - Implement all fraud checks (self-referral, velocity, cap) - Monitor referral patterns weekly - Flag accounts with >10 referrals in 24h for manual review - BankID verification required before rewards --- ## 18. Acceptance Criteria ### 18.1 Landing Page - [ ] Hero CTA updated with incentive ("De første 1000...") - [ ] FAQ section added (5 questions min) - [ ] Comparison table added (Drop vs WU vs Wise vs Bank) - [ ] Mobile sticky CTA bar added - [ ] Plausible tracking installed and tested - [ ] Lighthouse score >= 95 ### 18.2 SEO - [ ] Sitemap.xml created and submitted to Google/Bing - [ ] robots.txt created - [ ] Structured data (Organization + FAQ) added and validated - [ ] 3 subpages created (/send-penger, /qr-betaling, /priser) - [ ] 2 blog posts published - [ ] All pages have unique title + meta description ### 18.3 UTM & Attribution - [ ] UTM params captured from URL - [ ] UTM params stored in waitlist + users tables - [ ] Attribution reports created (SQL queries) - [ ] Facebook Pixel installed and tracking - [ ] Google Ads conversion tracking installed ### 18.4 Referral System - [ ] Database schema created (3 tables + indexes) - [ ] Referral code auto-generated on first login - [ ] Referral link click tracked - [ ] Signup attribution works - [ ] First transfer triggers reward issuance - [ ] Referral dashboard UI complete - [ ] Share buttons functional (WhatsApp, SMS, Email) - [ ] Fraud prevention rules implemented ### 18.5 App Store Listings - [ ] iOS listing drafted (name, subtitle, description, keywords, screenshots, video) - [ ] Android listing drafted (title, short desc, full desc, graphics, screenshots) - [ ] ASO keyword research completed - [ ] All screenshots match Figma design ### 18.6 Email Marketing - [ ] Waitlist nurture series created (6 emails) - [ ] Onboarding series created (3 emails) - [ ] Re-engagement series created (3 emails) - [ ] Marketing consent checkbox added to registration - [ ] Unsubscribe link works - [ ] All emails tested in Gmail + Outlook ### 18.7 Analytics - [ ] Plausible installed (landing page) - [ ] Mixpanel installed (app) - [ ] 15 core events tracked (user_registered, first_transfer, etc.) - [ ] 5 dashboards created (Acquisition, Activation, Retention, Referral, Revenue) - [ ] Weekly funnel report automated ### 18.8 Social Media - [ ] Instagram, Facebook, LinkedIn accounts created - [ ] Profile pictures + bios complete - [ ] 30-day content calendar created - [ ] First 12 posts designed and scheduled - [ ] Paid ads campaign created (5,000 kr budget) --- ## 19. Rollout Timeline **Pre-Launch (Weeks 1-10):** - Weeks 1-2: Landing page optimization - Weeks 3-4: SEO foundation - Weeks 5-6: UTM & attribution - Weeks 7-10: Referral system **Launch Week (Week 11):** - Submit app to App Store + Play Store - Send launch email to waitlist - Publish launch blog post - Post on social media (organic) - Start paid ads (small budget: 2,000 kr/week) **Post-Launch (Weeks 12-16):** - Week 12: Monitor metrics daily, optimize landing page CTA (A/B test) - Week 13: Scale ads if CPA < 150 kr - Week 14: Publish 2nd + 3rd blog posts - Week 15: Analyze first month data, create reports - Week 16: Iterate on referral incentives based on data --- ## 20. Sources This specification was informed by research on Norwegian fintech regulations, app store optimization best practices, and referral program patterns from successful fintech companies: **Norwegian Regulations:** - [Fintech Laws and Regulations Report 2025-2026 Norway](https://iclg.com/practice-areas/fintech-laws-and-regulations/norway) - [Marketing - regjeringen.no](https://www.regjeringen.no/en/topics/consumers/marketing/id670317/) - [Act relating to the control of marketing and contract terms and conditions, etc - Lovdata](https://lovdata.no/dokument/NLE/lov/2009-01-09-2) - [Electronic marketing in Norway - Data Protection Laws of the World](https://www.dlapiperdataprotection.com/index.html?t=electronic-marketing&c=NO) **App Store Optimization:** - [Top ASO tips and best practices for 2026, brought to you by ASO experts](https://www.apptweak.com/en/aso-blog/app-store-optimization-aso-best-practices) - [App Store Optimization (ASO) Best Practices for 2026](https://www.wildnetedge.com/blogs/app-store-optimization-aso-best-practices) - [App Store Optimization Tips for Fintech Designers](https://www.telerik.com/blogs/app-store-optimization-tips-fintech-designers) - [A short guide to optimising ASO strategies for fintech apps](https://appfollow.io/blog/5-aso-tips-to-optimise-your-fintech-app) **Referral Programs & Fraud Prevention:** - [How Revolut Turned Referrals into a $4B Growth Machine](https://www.one-fs.com/p/inside-revoluts-viral-growth-engine) - [How to start a referral program for your fintech startup](https://blogs.referralrocket.io/start-referral-program-for-fintech-startup/) - [Design a Fraud-Proof Referral Program](https://help.impact.com/en/support/solutions/articles/155000001538-design-a-fraud-proof-referral-program) - [Revolut Referral Rewards: Refer-a-Friend Bonus and Referral Discounts 2026](https://referralcodes.com/shop/revolut-referral) --- **END OF SPEC** **Next Steps:** 1. Review this spec with Alem for approval 2. Create implementation tasks in Mission Control 3. Assign tasks to builder agents (Phase 1 → Phase 8) 4. Begin Phase 1 (Landing Page Optimization) **Questions for Alem:** 1. Approve referral incentive structure (50 kr dual-sided)? 2. Approve social media ad budget (10,000 kr/month testing)? 3. Preferred analytics platform (Plausible + Mixpanel recommended)? 4. Timeline for app launch (determines when to prepare App Store listings)? 5. Any specific SEO keywords to prioritize beyond the list in Section 4.1? # drop-mvp-pipeline-plan # Plan: Drop MVP Pipeline A-Z ## Research Summary ### Actual State (13.02.2026) **Phase 4 (Implementation) — 95% done, NOT 80% as PIPELINE.md says:** - 12 frontend pages: ALL wired to real API routes via fetch() - 24+ API routes: ALL working (auth, transactions, cards, merchants, rates, etc.) - SQLite DB: 6 tables + seed data, parameterized queries - Auth: JWT httpOnly cookies, rate limiting - Validation: hardened (backend + frontend), 18+ age check - Services: mock-swan/stripe/sumsub with config toggle (expected for MVP) - Rebrand: ALL pages rebranded to Stitch design - Tests: 126 unit + 91 e2e = 217 ALL GREEN **What's actually missing for MVP-ready:** 1. Full remittance E2E flow test (register → login → send money → verify) 2. .env.example + environment config for production 3. Docker build verification (Dockerfile exists but untested) 4. SQLite → needs volume mount for persistence in Docker 5. 5 test iterations per testing.md standard 6. Deploy to staging (Railway/Hetzner — cost analysis says 10-170 NOK/mo) 7. Domain config (getdrop.no) 8. Landing page deploy (static HTML, separate from app) 9. PIPELINE.md outdated — needs update **Infrastructure already built:** - Dockerfile: 3-stage build, standalone output ✅ - docker-compose.yml: app + postgres, healthchecks ✅ - next.config.ts: standalone, CSP headers, security headers ✅ - Cloud cost analysis: done ✅ **NOTE:** docker-compose.yml has postgres service but app uses SQLite. For MVP: deploy with SQLite + volume (Railway/Fly persistent disk). PostgreSQL migration is Phase 2 (200+ users) per cost analysis. ## Objective Take Drop from "works on localhost" to "deployed MVP on staging with full test coverage." 4 phases, no detours, no cosmetics. ## Team Orchestration ### Team Members | ID | Name | Role | Agent Type | |----|------|------|------------| | B1 | flow-test-builder | Write full remittance E2E flow + missing flow tests | builder | | V1 | test-validator | Run all 5 test levels, 5 iterations, verify coverage | validator | | B2 | deploy-prep-builder | Create .env.example, fix docker-compose for SQLite, test Docker build | builder | | V2 | deploy-validator | Verify Docker image builds and runs correctly | validator | | B3 | staging-builder | Deploy to Railway/Hetzner, configure domain, SSL | builder | | V3 | staging-validator | Verify staging is live, all pages load, API responds | validator | | B4 | pipeline-closer | Update PIPELINE.md, close MC tasks, create post-mortem | builder | ### Step-by-Step Tasks #### Phase 1: Complete Implementation (finish Phase 4) **Task 1:** Write missing E2E flow tests + update PIPELINE.md status - Owner: B1 - BlockedBy: none - Files: - `tests/e2e/full-flows.spec.ts` (NEW) - `project/PIPELINE.md` (UPDATE) - `.env.example` (NEW) - Instructions: 1. Read existing test files to understand patterns 2. Write full E2E tests for: - Complete registration → login → dashboard flow - Login → send money (remittance) → verify transaction in history - Login → scan QR → pay → verify in history - Login → view cards → order virtual card - Login → view accounts → check balances - Login → profile → logout → redirect to login 3. Create `.env.example` with all required vars: ``` JWT_SECRET=change-me-in-production NODE_ENV=production NEXT_PUBLIC_SERVICE_MODE=mock ``` 4. Update PIPELINE.md Phase 4 status to 100% 5. Run tests, fix any failures - Acceptance: - [ ] full-flows.spec.ts has 6+ complete user journey tests - [ ] All E2E tests pass (existing + new) - [ ] .env.example exists with documented vars - [ ] PIPELINE.md Phase 4 marked complete #### Phase 2: Testing (5 iterations per testing.md) **Task 2:** Run 5 test iterations across all levels, fix failures - Owner: V1 - BlockedBy: 1 - Instructions: 1. Read ~/system/rules/testing.md for requirements 2. Run iteration 1: `npx vitest run` + `npx playwright test` 3. Log results to `tests/logs/iteration-1.txt` 4. Fix any failures found 5. Repeat for iterations 2-5 6. Check coverage: `npx vitest run --coverage` (target 80%+) 7. Run regression tests: `npx vitest run tests/regression/` 8. Run performance tests: `npx vitest run tests/performance/` 9. Final summary of all 5 iterations - Acceptance: - [ ] 5 iterations logged in tests/logs/ - [ ] ALL tests pass on iteration 5 - [ ] Coverage report generated - [ ] No regressions - [ ] Performance benchmarks baselined #### Phase 3: Deploy to Staging **Task 3:** Prepare Docker for SQLite deployment - Owner: B2 - BlockedBy: 2 - Files: - `docker-compose.yml` (UPDATE — add SQLite volume, remove postgres for MVP) - `docker-compose.production.yml` (NEW — for future postgres) - `Dockerfile` (UPDATE if needed) - Instructions: 1. Read existing Dockerfile and docker-compose.yml 2. Create `docker-compose.mvp.yml` for SQLite deployment: - App service with SQLite volume mount - JWT_SECRET from env - Health check on /api/health - No postgres (not needed for MVP) 3. Keep existing docker-compose.yml as `docker-compose.production.yml` (postgres version) 4. Test: `docker build -t drop-app .` — must succeed 5. Test: `docker run -p 3000:3000 -e JWT_SECRET=test drop-app` — must serve pages 6. Verify /api/health, /login, /onboarding all respond 200 - Acceptance: - [ ] Docker image builds successfully - [ ] Docker container starts and serves pages - [ ] /api/health returns 200 - [ ] SQLite data persists across container restart (volume) - [ ] docker-compose.mvp.yml works with `docker-compose -f docker-compose.mvp.yml up` **Task 4:** Validate Docker deployment - Owner: V2 - BlockedBy: 3 - Acceptance: - [ ] Docker build < 2 minutes - [ ] Image size < 500MB - [ ] Container starts in < 10s - [ ] All API endpoints respond correctly - [ ] No security warnings in container logs **Task 5:** Deploy to staging (Railway or Hetzner) - Owner: B3 - BlockedBy: 4 - Instructions: 1. Read cloud-cost-analysis.md for recommended approach 2. Option A (Railway): `railway init` + `railway up` — easiest, persistent disk 3. Option B (Hetzner): Docker deploy to existing VPS if available 4. Configure: - JWT_SECRET (generate secure random) - NODE_ENV=production - Domain: staging.getdrop.no or drop-staging.alai.no 5. Set up SSL (Let's Encrypt / Cloudflare) 6. Verify all pages load on staging URL 7. Deploy landing page (static HTML) to same domain or subdomain - Acceptance: - [ ] Staging URL accessible via HTTPS - [ ] All 12 app pages load correctly - [ ] Login + registration flow works end-to-end - [ ] API health check passes - [ ] Landing page live **Task 6:** Validate staging deployment - Owner: V3 - BlockedBy: 5 - Instructions: 1. Hit staging URL — verify HTTPS, correct domain 2. Test all pages load (no 404, no 500) 3. Test registration flow end-to-end 4. Test login with demo credentials 5. Test send money flow 6. Test QR scan flow 7. Check security headers (CSP, HSTS, X-Frame-Options) 8. Check mobile responsiveness (375px viewport) - Acceptance: - [ ] All pages load via HTTPS - [ ] Registration + login works - [ ] Core flows work (send, scan, cards) - [ ] Security headers present - [ ] Mobile-friendly #### Phase 4: Close Pipeline **Task 7:** Update PIPELINE.md, close tasks, create summary - Owner: B4 - BlockedBy: 6 - Instructions: 1. Update PIPELINE.md: - Phase 4: ✅ Done - Phase 5: ✅ Done (5 iterations, all pass) - Phase 6: ✅ Done (staging live at URL) - Phase 7: 🔄 Monitoring 2. Close related MC tasks: #526, #608, #791-793 (update status) 3. Create post-mortem summary: - What was built - Test results - Staging URL - Known limitations (mock services, SQLite, no BankID) - Next steps for production (partner agreements, PostgreSQL, Finanstilsynet) 4. Post summary to HiveMind - Acceptance: - [ ] PIPELINE.md fully updated - [ ] MC tasks updated - [ ] Post-mortem written - [ ] HiveMind updated - [ ] Alem can access staging URL ## Validation Commands ```bash # Phase 1 — Tests cd ~/ALAI/products/Drop/src/drop-app npx vitest run # Unit tests npx playwright test # E2E tests # Phase 2 — Coverage npx vitest run --coverage # Phase 3 — Docker docker build -t drop-app . docker run -p 3001:3000 -e JWT_SECRET=test123 drop-app curl http://localhost:3001/api/health # Phase 4 — Staging curl -I https://staging.getdrop.no curl https://staging.getdrop.no/api/health ``` ## Risk Register | Risk | Impact | Mitigation | |------|--------|------------| | Docker build fails (native deps) | Blocks deploy | better-sqlite3 needs python/g++ in Dockerfile — already there | | Railway free tier limits | Slow staging | Upgrade to $5/mo Starter — within budget | | SQLite concurrent writes | Data corruption under load | MVP only, < 200 users. PostgreSQL in Phase 2 | | No real BankID | Can't verify real users | Expected for MVP. Mock BankID with DOB field | | No partner APIs (Swan/Stripe/Sumsub) | All transactions are mock | Expected. Partner agreements are business tasks, not code | ## Timeline | Phase | Tasks | Parallel? | Estimated | |-------|-------|-----------|-----------| | 1: Complete impl | Task 1 | Solo | 1 builder | | 2: Testing | Task 2 | Solo (blocked by 1) | 1 validator | | 3: Deploy | Tasks 3-6 | B2→V2→B3→V3 sequential | 2 builders + 2 validators | | 4: Close | Task 7 | Solo (blocked by 6) | 1 builder | **Total: 4 builders + 3 validators = 7 agent tasks** # drop-onboarding-flow-spec # Drop User Onboarding Flow Specification **Version:** 1.0 **Date:** 2026-02-17 **Author:** John (AI Director) **Project:** Drop Fintech Payment App **MC Task:** #1192 **Status:** Draft — Awaiting Approval --- ## 1. Executive Summary This specification defines the complete user onboarding flow for Drop, a fintech payment app that provides remittance and QR payment services using PSD2 pass-through architecture. The flow must enforce legal requirements (18+ age, Norwegian residency), implement BankID verification, and guide users through KYC compliance before enabling transactions. **Key Constraints:** - **Pass-through model:** Drop NEVER holds customer money. AISP reads balance, PISP initiates payments from user's bank account. - **Legal requirement:** Users must be 18+ and Norwegian residents (from `landing/pages/vilkar.html`) - **BankID mandatory:** Required before any transaction (PSD2 SCA compliance) - **KYC compliance:** Sumsub integration for identity verification (auto-approved in demo mode) --- ## 2. Flow Overview ### 2.1 High-Level Journey ``` Landing Page → Register → Phone OTP → Onboarding Tour → BankID Verification → KYC Check → Dashboard (1) (2) (3) (4) (5) (6) (7) ``` ### 2.2 State Diagram ``` ┌─────────────┐ │ VISITOR │ └──────┬──────┘ │ ▼ ┌─────────────┐ ┌──────────────┐ ┌─────────────┐ │ REGISTER │────▶│ PHONE_OTP │────▶│ ONBOARDING │ └─────────────┘ └──────────────┘ └──────┬──────┘ │ ▼ ┌─────────────┐ ┌──────────────┐ ┌─────────────┐ │ DASHBOARD │◀────│ KYC_CHECK │◀────│ BANKID │ └─────────────┘ └──────────────┘ └─────────────┘ │ ▼ ┌─────────────┐ │ VERIFIED │ (can transact) └─────────────┘ ``` ### 2.3 User States | State | Description | Can Transact? | Next Action | |-------|-------------|---------------|-------------| | `visitor` | Not registered | No | Register | | `registered` | Account created, no phone verification | No | Verify phone OTP | | `phone_verified` | Phone verified, no BankID | No | Complete onboarding tour | | `onboarded` | Tour complete, no BankID | No | Link BankID | | `bankid_linked` | BankID verified, pending KYC | No | Wait for KYC approval | | `kyc_approved` | Fully verified | Yes | Full access | | `kyc_pending` | KYC review in progress | No | Wait for approval | | `kyc_rejected` | KYC failed | No | Contact support | **State persistence:** Stored in `users` table: - `kyc_status` enum: 'pending', 'approved', 'rejected' - `phone_verified` boolean - `bankid_verified` boolean - `onboarding_completed` boolean (new field) --- ## 3. Detailed Flow Steps ### Step 1: Landing Page → Register **Route:** `/` → `/register` **Entry:** User clicks "Opprett konto" on landing page **UI Reference:** `mockups/figma-make-export/src/components/Login.tsx` (register section) #### Frontend (register/page.tsx) **Current Implementation:** - ✅ Form: First name, last name, email, phone (+47), date of birth, password - ✅ Client-side validation: email format, password complexity (8+ chars, upper/lower/digit) - ✅ Age validation: DOB must result in age >= 18 - ✅ XSS prevention: Blocks `

Steg 1 av 3

``` #### Backend (api/auth/register/route.ts) **Endpoint:** `POST /api/auth/register` **Request Body:** ```json { "email": "user@example.no", "password": "SecureP@ss123", "firstName": "Alem", "lastName": "Basic", "phone": "+4712345678", "dateOfBirth": "1990-01-01" } ``` **Validation:** ```typescript // Server-side (route.ts lines 33-72) if (!validateEmail(email)) errors.push("Valid email required"); // Password complexity (8 chars, upper, lower, digit, special) if (password.length < 8) errors.push("at least 8 characters"); if (!/[A-Z]/.test(password)) errors.push("uppercase letter"); if (!/[a-z]/.test(password)) errors.push("lowercase letter"); if (!/\d/.test(password)) errors.push("digit"); if (!/[!@#$%^&*(),.?":{}|<>]/.test(password)) errors.push("special character"); // Name validation if (!validateName(firstName)) errors.push("First name required"); // Phone validation if (!phoneClean.startsWith("+47")) errors.push("Norwegian phone number required"); // Age check (lines 59-71) const dob = new Date(dateOfBirth); let age = today.getFullYear() - dob.getFullYear(); if (monthDiff < 0 || (monthDiff === 0 && today.getDate() < dob.getDate())) age--; if (age < 18) errors.push("Du må være minst 18 år for å bruke Drop"); ``` **Database Insert:** ```sql INSERT INTO users ( id, email, password_hash, first_name, last_name, phone, date_of_birth, kyc_status, phone_verified, bankid_verified, onboarding_completed ) VALUES (?, ?, ?, ?, ?, ?, ?, 'pending', 0, 0, 0); ``` **Success Response:** ```json { "data": { "id": "usr_abc123", "email": "user@example.no", "firstName": "Alem", "lastName": "Basic", "dateOfBirth": "1990-01-01", "kycStatus": "pending", "createdAt": "2026-02-17T12:00:00Z" } } ``` **OTP Generation:** ```typescript // Generate 6-digit OTP (lines 109-133) const otpCode = String(crypto.randomInt(100000, 1000000)); // e.g., "842759" const expiresAt = new Date(Date.now() + 5 * 60 * 1000); // 5 minutes await run( "INSERT INTO otp_codes (id, user_id, code, expires_at, used) VALUES (?, ?, ?, ?, 0)", [otpId, userId, otpCode, expiresAt] ); // TODO: Send via SMS provider (Twilio/MessageBird) logger.info("OTP generated", { userId, phone }); ``` **Audit Log:** ```typescript logAudit({ userId: id, action: AuditAction.REGISTER, resourceType: "user", resourceId: id, details: { email }, ipAddress: ip, userAgent: request.headers.get("user-agent"), requestId, }); ``` **Error Cases:** | Error | HTTP | Reason | |-------|------|--------| | `validation_error` | 422 | Missing fields, invalid format, age < 18 | | `conflict` | 409 | Email already registered | | `rate_limited` | 429 | Too many registration attempts (10/min per IP) | **Rate Limiting:** ```typescript if (!(await rateLimit(ip, 10))) { return jsonError("rate_limited", "Too many requests", 429); } ``` --- ### Step 2: Register → Phone OTP Verification **Route:** `/register` (step: "verify") **Trigger:** Successful registration **UI Reference:** `mockups/figma-make-export/src/components/Login.tsx` (OTP screen) #### Frontend (register/page.tsx) **Current Implementation:** ```tsx // State machine (lines 9-10, 84-86) type Step = "info" | "verify" | "pin" | "success"; const [step, setStep] = useState("info"); // After registration success if (res.ok) { setStep("verify"); } // OTP Input (lines 291-328) setOtp(e.target.value.replace(/\D/g, "").slice(0, 6))} placeholder="000000" maxLength={6} className="h-14 w-full rounded-xl text-center text-2xl tracking-[0.5em] font-mono" /> // Validation const handleVerify = () => { if (otp.length === 6) { setStep("pin"); } }; ``` **UI Elements:** - Phone number display: "Vi sendte en 6-sifret kode til +47 12345678" - 6-digit input field (numeric only, monospace font, letter-spaced) - Expiry notice: "Koden er gyldig i 5 minutter" - Shield icon (security indicator) - "Bekreft" button (disabled until 6 digits entered) #### Backend (api/auth/verify-otp/route.ts) **Endpoint:** `POST /api/auth/verify-otp` **Request Body:** ```json { "phone": "+4712345678", "otp": "842759" } ``` **Validation Flow:** ```typescript // 1. Rate limiting: 5 attempts per minute per IP if (!(await rateLimit(ip, 5, 60000))) { return jsonError("rate_limited", "Too many OTP attempts", 429); } // 2. Find user by phone const user = await getOne<{ id: string }>( "SELECT id FROM users WHERE phone = ?", [phone] ); if (!user) { // Generic error to prevent user enumeration return jsonError("invalid_otp", "Invalid or expired code", 400); } // 3. Find valid, unused OTP for this user const otpRecord = await getOne( `SELECT id, code, expires_at FROM otp_codes WHERE user_id = ? AND used = 0 AND expires_at > ? ORDER BY created_at DESC LIMIT 1`, [user.id, now] ); // 4. Verify OTP match if (!otpRecord || otpRecord.code !== otp) { logAudit({ userId: user.id, action: "otp.verify_failed" }); return jsonError("invalid_otp", "Invalid or expired code", 400); } // 5. Mark OTP as used await run("UPDATE otp_codes SET used = 1 WHERE id = ?", [otpRecord.id]); // 6. Update user phone verification status await run("UPDATE users SET phone_verified = 1 WHERE id = ?", [user.id]); // 7. Audit log logAudit({ userId: user.id, action: "otp.verified", resourceType: "otp", resourceId: otpRecord.id, }); ``` **Success Response:** ```json { "data": { "verified": true } } ``` **Error Cases:** | Error | HTTP | Reason | |-------|------|--------| | `invalid_otp` | 400 | Wrong code, expired (>5 min), or already used | | `rate_limited` | 429 | Too many OTP attempts (5/min per IP) | | `bad_request` | 400 | Invalid OTP format (not 6 digits) | **Security Considerations:** - Generic error messages prevent user enumeration attacks - OTP codes expire after 5 minutes - One-time use enforced via `used` flag - Rate limiting prevents brute-force attacks (5 attempts/min) - Audit trail for all verification attempts **Edge Cases:** 1. **OTP expires:** User must request new OTP (requires re-registering or resend endpoint) 2. **Wrong OTP 5 times:** Rate limited for 1 minute 3. **User closes tab:** OTP still valid for 5 minutes, can return and verify 4. **Multiple OTPs generated:** Only latest unused OTP is valid --- ### Step 3: Phone OTP → PIN Setup **Route:** `/register` (step: "pin") **Trigger:** OTP verification success **UI Reference:** `mockups/figma-make-export/src/components/Login.tsx` (PIN screen) #### Frontend (register/page.tsx) **Current Implementation:** ```tsx // PIN State (lines 22) const [pin, setPin] = useState(""); // PIN Input Handler (lines 107-116) const handlePinInput = (key: string) => { if (key === "\u232B") { // Backspace symbol setPin((prev) => prev.slice(0, -1)); } else if (key && pin.length < 4) { const newPin = pin + key; setPin(newPin); if (newPin.length === 4) { setTimeout(() => setStep("success"), 300); } } }; // PIN Pad (lines 119, 360-373) const pinPad = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "", "0", "\u232B"];

{pinPad.map((key, i) => ( ))}

``` **UI Elements:** - Lock icon (security indicator) - Heading: "Lag din PIN-kode" - Subtitle: "4-sifret PIN for rask tilgang" - 4 dots showing PIN entry progress (filled dots scale up) - 3x4 numeric keypad (1-9, 0, backspace) - No submit button (auto-submits on 4th digit) **PIN Indicator:** ```tsx

{[0, 1, 2, 3].map((i) => (

i ? "bg-[#0B6E35] border-[#0B6E35] scale-110" : "border-[#E2E8F0]" }`} /> ))}

``` #### Backend Implementation **Missing Backend Endpoint:** No `/api/auth/set-pin` route exists. Current implementation only sets PIN in frontend state. **Required Implementation:** **Endpoint:** `POST /api/auth/set-pin` **Request Body:** ```json { "userId": "usr_abc123", "pin": "1234" } ``` **Backend Logic:** ```typescript // Validation if (!pin || typeof pin !== "string" || !/^\d{4}$/.test(pin)) { return jsonError("bad_request", "PIN must be 4 digits", 400); } // Security checks if (pin === "0000" || pin === "1234" || pin === "1111") { return jsonError("weak_pin", "PIN er for svak. Velg et annet nummer.", 400); } // Check sequential patterns (1234, 4321) if (pin === "1234" || pin === "4321" || pin === "5678") { return jsonError("weak_pin", "PIN kan ikke være en sekvens", 400); } // Check repeating digits (1111, 2222) if (/^(\d)\1{3}$/.test(pin)) { return jsonError("weak_pin", "PIN kan ikke være gjentatte siffer", 400); } // Hash PIN (bcrypt) const pinHash = await bcrypt.hash(pin, 12); // Update user await run( "UPDATE users SET pin_hash = ?, pin_set_at = datetime('now') WHERE id = ?", [pinHash, userId] ); // Audit log logAudit({ userId, action: "pin.set", resourceType: "user", resourceId: userId, }); return NextResponse.json({ data: { success: true } }); ``` **Database Schema Update:** ```sql ALTER TABLE users ADD COLUMN pin_hash TEXT; ALTER TABLE users ADD COLUMN pin_set_at TEXT; ``` **Error Cases:** | Error | HTTP | Reason | |-------|------|--------| | `weak_pin` | 400 | PIN is 0000, 1234, 1111, or sequential | | `bad_request` | 400 | PIN is not 4 digits | | `unauthorized` | 401 | User not authenticated | **Security Considerations:** - PIN stored as bcrypt hash, never plaintext - Weak PIN patterns rejected (0000, 1234, 1111, 1234, 4321) - PIN used for quick app unlock (not primary auth) - Audit trail for PIN changes **Gap Analysis:** - ❌ Backend endpoint missing - ❌ Frontend doesn't call backend (auto-advances to success without server confirmation) - ❌ No weak PIN validation - ❌ No database schema for `pin_hash` --- ### Step 4: PIN Setup → Onboarding Tour **Route:** `/register` (step: "success") → `/onboarding` **Trigger:** PIN set successfully **UI Reference:** `mockups/figma-make-export/src/components/Onboarding.tsx` #### Frontend (onboarding/page.tsx) **Current Implementation:** ```tsx // 4-step carousel (lines 8-181) const STEPS = [ { title: "Velkommen til Drop!", description: "Enklere betalinger. Lavere gebyrer.", content: , // Features: Remittance, QR, Security }, { title: "Dine fordeler", description: "Hvorfor velge Drop?", content: , // Lave gebyrer (0.5%), Raske transaksjoner, Direkte fra bank }, { title: "BankID-tilgang", description: "Koble til din bank", content: , // BankID/Vipps security info }, { title: "Ferdig!", description: "Du er klar til å bruke Drop", content: , // Next actions: Send money, Scan QR, View balance }, ]; // Navigation (lines 184-211) const [currentStep, setCurrentStep] = useState(0); const handleNext = () => { if (isLastStep) { router.push("/dashboard"); } else { setCurrentStep((prev) => prev + 1); } }; const handleSkip = () => { router.push("/dashboard"); }; ``` **Progress Indicator:** ```tsx

{STEPS.map((_, index) => (

))}

Steg {currentStep + 1} av {STEPS.length}

``` **Content Structure:** **Screen 1: Welcome** - Drop logo and tagline - 3 feature cards with icons: - 🌍 Send penger til utlandet (30+ land, lave gebyrer) - 📱 Betal med QR-kode (skann, betal fra bankkonto) - 🛡️ Trygt og sikkert (BankID koblet) **Screen 2: Benefits** - 3 benefit cards: - 💰 Lave gebyrer (gradient card) — "Kun halv prosent gebyr på remittance" - ⚡ Raske transaksjoner — "Pengene er fremme innen 1-2 virkedager" - 🏦 Direkte fra din bank — "Ingen mellomkonto. Pengene dine forblir i din bank" **Screen 3: BankID Connection** - Security explanation - BankID + Vipps logos - 3 checkmarks: - ✅ Kun du har tilgang til dine kontoer - ✅ Vi kan aldri flytte penger uten ditt samtykke - ✅ All data er kryptert og sikret **Screen 4: Ready** - ✅ Success icon (green circle with checkmark) - "Alt klart!" heading - Next actions list: - ✉️ Send penger til utlandet - 🔍 Skann QR for å betale - 💼 Se saldo fra dine kontoer **Navigation Controls:** - Back button (chevron left) — visible except on first screen - "Hopp over" button (top right) — hidden on last screen - "Fortsett" button (bottom) — changes to "Gå til Dashboard" on last screen #### Backend Implementation **Missing Backend Logic:** No backend tracking of onboarding completion. **Required Implementation:** **Endpoint:** `POST /api/onboarding/complete` **Request Body:** ```json { "userId": "usr_abc123" } ``` **Backend Logic:** ```typescript // Verify user is authenticated const { userId } = await getAuthUser(request); // Mark onboarding complete await run( "UPDATE users SET onboarding_completed = 1, onboarding_completed_at = datetime('now') WHERE id = ?", [userId] ); // Audit log logAudit({ userId, action: "onboarding.completed", resourceType: "user", resourceId: userId, }); return NextResponse.json({ data: { success: true } }); ``` **Database Schema Update:** ```sql ALTER TABLE users ADD COLUMN onboarding_completed INTEGER DEFAULT 0; ALTER TABLE users ADD COLUMN onboarding_completed_at TEXT; ``` **Skip Handling:** ```typescript // Allow skip but still mark as completed // This is UX flexibility — user chose to skip educational content ``` **Gap Analysis:** - ❌ Backend endpoint missing - ❌ No database tracking of onboarding completion - ❌ Cannot prevent users from accessing dashboard without completing onboarding - ✅ Frontend flow works correctly (4 screens, navigation, skip) --- ### Step 5: Onboarding Tour → BankID Verification **Route:** `/onboarding` → `/dashboard` → BankID modal/redirect **Trigger:** User clicks "Gå til Dashboard" on onboarding screen 4 **UI Reference:** `mockups/figma-make-export/src/components/Login.tsx` (BankID button) #### Frontend Flow **Current Implementation:** **Login Page BankID Button (login/page.tsx lines 7-21):** ```tsx function BankIDButton() { return ( BankID ); } ``` **Missing in Dashboard:** - No BankID verification prompt - No blocking UI for unverified users - No "Koble BankID" button or modal **Required Implementation:** **Dashboard BankID Prompt (dashboard/page.tsx):** ```tsx // Check user verification status const { user } = useAuth(); if (!user.bankid_verified) { return (

Koble til BankID

For å bruke Drop må du koble din bankkonto via BankID. Dette er påkrevd for sikkerhet.

Koble BankID

); } // Normal dashboard content... ``` **Blocking Strategy:** - Modal overlay (non-dismissable) - Blocks all dashboard features until BankID verified - Clear explanation of why it's required - Single CTA: "Koble BankID" #### Backend (api/auth/bankid/route.ts) **Endpoint:** `GET /api/auth/bankid` **Current Implementation:** ```typescript // Demo mode check if (isDemoMode()) { return NextResponse.json({ error: "bankid_unavailable", message: "BankID er ikke tilgjengelig i demo-modus", }, { status: 400 }); } // Production: OAuth2 OIDC flow const clientId = process.env.BANKID_CLIENT_ID; const redirectUri = process.env.BANKID_CALLBACK_URL; const authorizeUrl = process.env.BANKID_AUTHORIZE_URL; // Generate CSRF tokens const state = randomUUID(); const nonce = randomUUID(); // Store state in httpOnly cookie (5 min expiry) cookies().set("bankid_state", state, { httpOnly: true, secure: process.env.NODE_ENV === "production", sameSite: "lax", maxAge: 5 * 60, // 5 minutes path: "/", }); // Build OAuth authorize URL const params = new URLSearchParams({ client_id: clientId, redirect_uri: redirectUri, response_type: "code", scope: "openid profile", state, nonce, }); return NextResponse.json({ redirectUrl: `${authorizeUrl}?${params.toString()}`, }); ``` **OAuth Flow:** ``` User clicks "Koble BankID" ↓ GET /api/auth/bankid ↓ Generates state + nonce (CSRF protection) ↓ Stores state in httpOnly cookie (5 min expiry) ↓ Returns BankID OAuth authorize URL ↓ Frontend redirects to BankID ↓ User authenticates with BankID (mobile app) ↓ BankID redirects to /api/auth/bankid/callback?code=XXX&state=YYY ``` #### BankID Callback (api/auth/bankid/callback/route.ts) **Endpoint:** `GET /api/auth/bankid/callback` **Required Implementation:** ```typescript // 1. Verify state (CSRF protection) const { searchParams } = new URL(request.url); const code = searchParams.get("code"); const state = searchParams.get("state"); const storedState = cookies().get("bankid_state")?.value; if (!state || !storedState || state !== storedState) { return jsonError("invalid_state", "CSRF validation failed", 400); } // 2. Exchange code for tokens const tokenUrl = process.env.BANKID_TOKEN_URL; const tokenResponse = await fetch(tokenUrl, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: new URLSearchParams({ grant_type: "authorization_code", code: code!, redirect_uri: process.env.BANKID_CALLBACK_URL!, client_id: process.env.BANKID_CLIENT_ID!, client_secret: process.env.BANKID_CLIENT_SECRET!, }), }); const tokens = await tokenResponse.json(); const { id_token, access_token } = tokens; // 3. Decode ID token (JWT with user info) const payload = await jwtVerify(id_token, publicKey); const { sub, name, birthdate, nin } = payload; // nin = fødselsnummer (11 digits) // 4. Extract DOB from fødselsnummer // Format: DDMMYYXXXXX (first 6 digits encode date) const day = nin.slice(0, 2); const month = nin.slice(2, 4); const year = nin.slice(4, 6); const fullYear = parseInt(year) < 40 ? `20${year}` : `19${year}`; const dobFromNin = `${fullYear}-${month}-${day}`; // 5. Verify age >= 18 const dob = new Date(dobFromNin); const age = calculateAge(dob); if (age < 18) { return jsonError("underage", "Du må være minst 18 år for å bruke Drop", 403); } // 6. Find or create user let user = await getOne("SELECT id FROM users WHERE national_id_hash = ?", [hashNin(nin)]); if (!user) { // Create user from BankID data const userId = randomId("usr"); await run( `INSERT INTO users ( id, email, first_name, last_name, date_of_birth, national_id_hash, bankid_verified, phone_verified, onboarding_completed, kyc_status ) VALUES (?, ?, ?, ?, ?, ?, 1, 1, 0, 'pending')`, [userId, null, name.split(" ")[0], name.split(" ")[1], dobFromNin, hashNin(nin)] ); user = { id: userId }; } // 7. Update existing user with BankID verification await run( `UPDATE users SET bankid_verified = 1, bankid_verified_at = datetime('now'), national_id_hash = ? WHERE id = ?`, [hashNin(nin), user.id] ); // 8. Initiate KYC verification const kycResult = await initiateKyc(user.id, email || `${user.id}@drop.placeholder`); await run("UPDATE users SET kyc_status = ? WHERE id = ?", [kycResult.status, user.id]); // 9. Set auth cookie await setAuthCookie({ userId: user.id, role: "user" }); // 10. Audit log logAudit({ userId: user.id, action: "bankid.verified", resourceType: "user", resourceId: user.id, details: { nin_last_4: nin.slice(-4) }, }); // 11. Redirect to dashboard or KYC widget if (kycResult.redirectUrl) { return NextResponse.redirect(kycResult.redirectUrl); } else { return NextResponse.redirect("/dashboard"); } ``` **Database Schema Update:** ```sql ALTER TABLE users ADD COLUMN national_id_hash TEXT UNIQUE; ALTER TABLE users ADD COLUMN bankid_verified INTEGER DEFAULT 0; ALTER TABLE users ADD COLUMN bankid_verified_at TEXT; ``` **Security Considerations:** - Fødselsnummer stored as SHA-256 hash, never plaintext - State token validates CSRF (prevents replay attacks) - State cookie expires after 5 minutes - ID token verified with BankID public key - Age verification double-checked from fødselsnummer **Error Cases:** | Error | HTTP | Reason | |-------|------|--------| | `invalid_state` | 400 | CSRF validation failed (state mismatch) | | `underage` | 403 | User is < 18 years old (extracted from fødselsnummer) | | `bankid_unavailable` | 400 | Demo mode (BankID not configured) | | `server_error` | 500 | Token exchange failed, invalid ID token | **Gap Analysis:** - ❌ Callback route missing implementation - ❌ No fødselsnummer parsing logic - ❌ No age verification from fødselsnummer - ❌ No database schema for `national_id_hash`, `bankid_verified` - ❌ Dashboard doesn't block unverified users --- ### Step 6: BankID → KYC Check **Route:** `/api/auth/bankid/callback` → KYC service → `/dashboard` **Trigger:** BankID verification success **Service:** Sumsub (KYC provider) #### KYC Service (lib/services/kyc.ts) **Current Implementation:** **Demo Mode:** ```typescript if (isDemoMode()) { return { status: "approved" }; } ``` **Production Mode:** ```typescript // 1. Create Sumsub applicant const applicantResponse = await fetch(`${apiUrl}/resources/applicants`, { method: "POST", headers: { "Content-Type": "application/json", "X-App-Token": appToken, "X-App-Access-Sig": secretKey, // HMAC signature in production }, body: JSON.stringify({ externalUserId: userId, email: email, levelName: "basic-kyc-level", }), }); const applicantData = await applicantResponse.json(); const applicantId = applicantData.id; // 2. Generate SDK access token const tokenResponse = await fetch(`${apiUrl}/resources/accessTokens`, { method: "POST", body: JSON.stringify({ userId: userId, ttlInSecs: 3600, // 1 hour validity }), }); const tokenData = await tokenResponse.json(); const widgetUrl = `https://cockpit.sumsub.com/embed/#/verification?accessToken=${tokenData.token}`; return { status: "pending", redirectUrl: widgetUrl, externalId: applicantId, }; ``` **KYC Check Flow:** ```typescript // Called from BankID callback after user verification const kycResult = await initiateKyc(userId, email); if (kycResult.status === "approved") { // Demo mode: immediate approval await run("UPDATE users SET kyc_status = 'approved' WHERE id = ?", [userId]); return NextResponse.redirect("/dashboard"); } else if (kycResult.redirectUrl) { // Production: redirect to Sumsub widget return NextResponse.redirect(kycResult.redirectUrl); } else if (kycResult.status === "pending") { // KYC in progress, redirect to dashboard with pending status await run("UPDATE users SET kyc_status = 'pending' WHERE id = ?", [userId]); return NextResponse.redirect("/dashboard"); } else { // KYC rejected await run("UPDATE users SET kyc_status = 'rejected' WHERE id = ?", [userId]); return NextResponse.redirect("/dashboard?kyc=rejected"); } ``` **Sumsub Webhook (api/webhooks/sumsub/route.ts):** **Required Implementation:** ```typescript // Webhook receives KYC status updates from Sumsub export async function POST(request: NextRequest) { const body = await request.json(); const { type, applicantId, reviewStatus, reviewResult } = body; // Verify webhook signature (HMAC) const signature = request.headers.get("x-payload-digest"); const expectedSignature = crypto .createHmac("sha256", process.env.SUMSUB_SECRET_KEY!) .update(JSON.stringify(body)) .digest("hex"); if (signature !== expectedSignature) { return jsonError("invalid_signature", "Webhook verification failed", 401); } // Find user by applicant ID const user = await getOne( "SELECT id FROM users WHERE kyc_external_id = ?", [applicantId] ); if (!user) { return jsonError("not_found", "User not found", 404); } // Map Sumsub status to our status let status: "approved" | "pending" | "rejected" = "pending"; if (reviewStatus === "completed" && reviewResult?.reviewAnswer === "GREEN") { status = "approved"; } else if (reviewStatus === "completed" && reviewResult?.reviewAnswer === "RED") { status = "rejected"; } // Update user KYC status await run( "UPDATE users SET kyc_status = ?, kyc_verified_at = datetime('now') WHERE id = ?", [status, user.id] ); // Audit log logAudit({ userId: user.id, action: `kyc.${status}`, resourceType: "user", resourceId: user.id, details: { applicantId, reviewStatus }, }); // Send notification if (status === "approved") { await sendNotification(user.id, { type: "kyc_approved", title: "Kontoen din er godkjent!", body: "Du kan nå bruke alle Drop-funksjoner.", }); } else if (status === "rejected") { await sendNotification(user.id, { type: "kyc_rejected", title: "Verifisering feilet", body: "Kontakt kundeservice for hjelp.", }); } return NextResponse.json({ success: true }); } ``` **Database Schema Update:** ```sql ALTER TABLE users ADD COLUMN kyc_external_id TEXT; ALTER TABLE users ADD COLUMN kyc_verified_at TEXT; ``` **KYC Status UI:** **Dashboard Pending State:** ```tsx if (user.kyc_status === "pending") { return (

Verifisering pågår

Vi gjennomgår dokumentene dine. Dette tar vanligvis 1-2 timer.

); } ``` **Dashboard Rejected State:** ```tsx if (user.kyc_status === "rejected") { return (

Verifisering feilet

Vi kunne ikke verifisere identiteten din. Kontakt kundeservice for hjelp.

); } ``` **Transaction Blocking:** ```typescript // All transaction endpoints must check KYC status if (user.kyc_status !== "approved") { return jsonError( "kyc_required", "Du må fullføre identitetsverifisering før du kan sende penger", 403 ); } ``` **Gap Analysis:** - ✅ KYC service implemented (demo + production modes) - ❌ Webhook handler missing - ❌ No UI for pending/rejected KYC states - ❌ No transaction blocking based on KYC status - ❌ No notification system for KYC status changes --- ### Step 7: KYC Approved → Full Dashboard Access **Route:** `/dashboard` (fully unlocked) **Trigger:** KYC status = 'approved' **UI Reference:** `mockups/figma-make-export/src/components/Dashboard.tsx` #### Dashboard Features (Unlocked After KYC) **Available Actions:** 1. **Send Money** → `/send` - Remittance to 30+ countries - PISP initiates payment from user's bank account - Shows exchange rates, fees, recipient details 2. **Scan QR** → `/scan` - QR code scanner for merchant payments - PISP initiates payment from user's bank account - Shows merchant name, amount, confirm screen 3. **Bank Accounts** → `/accounts` - View linked bank account balances (AISP cached reads) - Connect new bank accounts - Set primary account 4. **Transaction History** → `/transactions` - Full transaction list with filters (date, type, status) - Export to PDF/CSV - Search by recipient, amount, reference 5. **Notifications** → `/notifications` - Push notifications and transaction alerts - Mark as read, delete 6. **Profile/Settings** → `/profile` - Change PIN, password, email - Language preference (NO/EN) - Push notification settings - Delete account **Dashboard UI:** ```tsx

{/* Welcome banner */}

Hei, {user.firstName}!

Her er en oversikt over dine kontoer

{/* Balance card */}

Total saldo

{formatCurrency(totalBalance)} NOK

{/* Recent transactions */}

Siste transaksjoner

{transactions.slice(0, 5).map(tx => ( ))} Se alle →

``` **Access Control:** ```typescript // Middleware enforces KYC check on transaction routes export async function middleware(request: NextRequest) { const { pathname } = request.nextUrl; // Protected routes requiring KYC approval const transactionRoutes = ["/send", "/scan", "/api/transactions"]; const requiresKyc = transactionRoutes.some(route => pathname.startsWith(route)); if (requiresKyc) { const { user } = await getAuthUser(request); if (user.kyc_status !== "approved") { return NextResponse.redirect("/dashboard?kyc=pending"); } } return NextResponse.next(); } ``` --- ## 4. Database Schema ### 4.1 New Fields for `users` Table ```sql ALTER TABLE users ADD COLUMN phone_verified INTEGER DEFAULT 0; ALTER TABLE users ADD COLUMN bankid_verified INTEGER DEFAULT 0; ALTER TABLE users ADD COLUMN bankid_verified_at TEXT; ALTER TABLE users ADD COLUMN onboarding_completed INTEGER DEFAULT 0; ALTER TABLE users ADD COLUMN onboarding_completed_at TEXT; ALTER TABLE users ADD COLUMN national_id_hash TEXT UNIQUE; ALTER TABLE users ADD COLUMN kyc_external_id TEXT; ALTER TABLE users ADD COLUMN kyc_verified_at TEXT; ALTER TABLE users ADD COLUMN pin_hash TEXT; ALTER TABLE users ADD COLUMN pin_set_at TEXT; ``` ### 4.2 `onboarding_progress` Table **Purpose:** Track user onboarding state and drop-off points for analytics. ```sql CREATE TABLE IF NOT EXISTS onboarding_progress ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL, step TEXT NOT NULL, -- 'register', 'phone_otp', 'pin_setup', 'onboarding_tour', 'bankid', 'kyc' status TEXT NOT NULL, -- 'started', 'completed', 'skipped', 'failed' started_at TEXT NOT NULL, completed_at TEXT, drop_reason TEXT, -- For analytics: 'timeout', 'error', 'user_exit' metadata TEXT, -- JSON with step-specific data FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE ); CREATE INDEX idx_onboarding_user ON onboarding_progress(user_id); CREATE INDEX idx_onboarding_step ON onboarding_progress(step); CREATE INDEX idx_onboarding_status ON onboarding_progress(status); ``` **Usage:** ```typescript // Track step start await run( `INSERT INTO onboarding_progress (id, user_id, step, status, started_at) VALUES (?, ?, ?, 'started', datetime('now'))`, [randomId("prog"), userId, "phone_otp"] ); // Track step completion await run( `UPDATE onboarding_progress SET status = 'completed', completed_at = datetime('now') WHERE user_id = ? AND step = ?`, [userId, "phone_otp"] ); // Track drop-off await run( `UPDATE onboarding_progress SET status = 'failed', drop_reason = 'otp_expired' WHERE user_id = ? AND step = ?`, [userId, "phone_otp"] ); ``` --- ## 5. API Endpoints Summary ### 5.1 Existing Endpoints | Endpoint | Method | Purpose | Status | |----------|--------|---------|--------| | `/api/auth/register` | POST | Create user account | ✅ Implemented | | `/api/auth/login` | POST | Email/password login | ✅ Implemented | | `/api/auth/verify-otp` | POST | Verify phone OTP | ✅ Implemented | | `/api/auth/bankid` | GET | Initiate BankID OAuth | ✅ Partial (no callback) | | `/api/auth/me` | GET | Get current user | ✅ Implemented | ### 5.2 New Endpoints Required | Endpoint | Method | Purpose | Priority | |----------|--------|---------|----------| | `/api/auth/set-pin` | POST | Set 4-digit PIN | HIGH | | `/api/auth/bankid/callback` | GET | BankID OAuth callback | HIGH | | `/api/onboarding/complete` | POST | Mark onboarding complete | MEDIUM | | `/api/webhooks/sumsub` | POST | KYC status updates | HIGH | | `/api/auth/resend-otp` | POST | Resend phone OTP | MEDIUM | | `/api/notifications` | GET | List user notifications | LOW | | `/api/notifications/:id/read` | PATCH | Mark notification as read | LOW | --- ## 6. Edge Cases & Error Handling ### 6.1 Age Verification Failure **Scenario:** User provides DOB indicating age < 18 **Frontend:** ```tsx if (age < 18) { setError("Du må være minst 18 år for å bruke Drop"); return; } ``` **Backend:** ```typescript if (age < 18) { return jsonError("underage", "Du må være minst 18 år for å bruke Drop", 403); } ``` **UI Treatment:** - Error message displayed in form - Red background (#EF4444/10) - No account creation - No "try again" option (legal requirement) **Legal Compliance:** - Vilkår.html section 3: "Du må være minst 18 år" - PSD2 compliance: Strong Customer Authentication requires adult age - AML regulation: No accounts for minors ### 6.2 BankID Verification Failure **Scenario 1: BankID returns fødselsnummer indicating age < 18** **Handling:** ```typescript const age = calculateAgeFromNin(nin); if (age < 18) { await run("DELETE FROM users WHERE id = ?", [userId]); // Remove account logAudit({ userId, action: "bankid.underage_rejection" }); return NextResponse.redirect("/register?error=underage"); } ``` **UI:** ```tsx // /register?error=underage

Verifisering feilet

BankID viser at du er under 18 år. Drop er kun tilgjengelig for voksne.

``` **Scenario 2: BankID OAuth fails (timeout, user cancels, invalid state)** **Handling:** ```typescript // Callback error handling if (!code || !state) { return NextResponse.redirect("/register?error=bankid_cancelled"); } if (state !== storedState) { logAudit({ action: "bankid.csrf_attempt", details: { ip } }); return jsonError("invalid_state", "CSRF validation failed", 400); } ``` **UI:** ```tsx // /register?error=bankid_cancelled

BankID-innlogging avbrutt

Du avbrøt BankID-prosessen. Prøv igjen for å fullføre registreringen.

``` **Scenario 3: BankID network timeout** **Handling:** ```typescript const controller = new AbortController(); const timeoutId = setTimeout(() => controller.abort(), 30000); const tokenResponse = await fetch(tokenUrl, { signal: controller.signal, // ... }); clearTimeout(timeoutId); ``` **Retry Strategy:** - 30-second timeout per OAuth step - Max 3 retry attempts - Exponential backoff: 5s → 10s → 20s - User-facing error: "BankID er ikke tilgjengelig. Prøv igjen senere." ### 6.3 KYC Rejection **Scenario:** Sumsub rejects user identity verification **Handling:** ```typescript // Webhook handler if (reviewStatus === "completed" && reviewResult?.reviewAnswer === "RED") { await run("UPDATE users SET kyc_status = 'rejected' WHERE id = ?", [userId]); await sendNotification(userId, { type: "kyc_rejected", title: "Verifisering feilet", body: "Kontakt kundeservice for hjelp.", }); logAudit({ userId, action: "kyc.rejected", details: { applicantId } }); } ``` **Dashboard UI:** ```tsx if (user.kyc_status === "rejected") { return (

Verifisering feilet

Vi kunne ikke verifisere identiteten din. Dette kan skyldes uklare dokumenter eller manglende informasjon.

Kontakt kundeservice på support@getdrop.no for hjelp.

); } ``` **Account State:** - User can log in but cannot transact - Profile accessible (change password, email) - Support ticket creation enabled - No remittance or QR payment access - Transaction history remains visible **Support Workflow:** 1. User contacts support@getdrop.no 2. Support agent reviews KYC rejection reason in Sumsub dashboard 3. Agent requests additional documents via email 4. User uploads documents to support ticket 5. Agent manually submits documents to Sumsub 6. Sumsub re-reviews → status updated via webhook 7. If approved: user notified, account unlocked ### 6.4 Phone OTP Timeout **Scenario:** User doesn't verify OTP within 5 minutes **Handling:** ```typescript // OTP expiry check (verify-otp/route.ts line 67) const now = new Date().toISOString(); const otpRecord = await getOne( `SELECT id, code, expires_at FROM otp_codes WHERE user_id = ? AND used = 0 AND expires_at > ? ORDER BY created_at DESC LIMIT 1`, [userId, now] ); if (!otpRecord) { return jsonError("invalid_otp", "Invalid or expired code", 400); } ``` **UI:** ```tsx // Show expired state after 5 minutes const [otpExpired, setOtpExpired] = useState(false); useEffect(() => { const timer = setTimeout(() => setOtpExpired(true), 5 * 60 * 1000); return () => clearTimeout(timer); }, []); if (otpExpired) { return (

Koden har utløpt.

); } ``` **Resend OTP Endpoint:** **Required Implementation:** **Endpoint:** `POST /api/auth/resend-otp` **Request Body:** ```json { "userId": "usr_abc123", "phone": "+4712345678" } ``` **Backend Logic:** ```typescript // Rate limit: Max 3 OTP sends per hour per user const recentOtps = await getOne( `SELECT COUNT(*) as count FROM otp_codes WHERE user_id = ? AND created_at > datetime('now', '-1 hour')`, [userId] ); if (recentOtps.count >= 3) { return jsonError("rate_limited", "For mange forsøk. Prøv igjen om 1 time.", 429); } // Mark old OTPs as used (prevent replay) await run("UPDATE otp_codes SET used = 1 WHERE user_id = ?", [userId]); // Generate new OTP const otpCode = String(crypto.randomInt(100000, 1000000)); const expiresAt = new Date(Date.now() + 5 * 60 * 1000).toISOString(); await run( "INSERT INTO otp_codes (id, user_id, code, expires_at) VALUES (?, ?, ?, ?)", [randomId("otp"), userId, otpCode, expiresAt] ); // TODO: Send via SMS provider logger.info("OTP resent", { userId, phone }); return NextResponse.json({ data: { sent: true } }); ``` **Error Cases:** | Error | HTTP | Reason | |-------|------|--------| | `rate_limited` | 429 | More than 3 OTP sends in 1 hour | | `bad_request` | 400 | Invalid user ID or phone | ### 6.5 User Abandons Onboarding **Scenario:** User registers but doesn't complete onboarding **Analytics Tracking:** ```typescript // Track drop-off points await run( `INSERT INTO onboarding_progress (id, user_id, step, status, started_at, drop_reason) VALUES (?, ?, ?, 'failed', datetime('now'), ?)`, [randomId("prog"), userId, "onboarding_tour", "user_exit"] ); ``` **Re-engagement Strategy:** **Email Reminder (24h after registration):** ``` Subject: Fullfør registreringen din på Drop Hei [FirstName], Vi la merke til at du startet registrering på Drop men ikke fullførte prosessen. Det tar bare 2 minutter å knytte BankID og få tilgang til: ✅ Lave gebyrer på remittance (0.5%) ✅ QR-betaling i butikk ✅ Direkte fra din bankkonto [Fullfør registrering] (CTA button) Mvh, Drop-teamet ``` **Dashboard Banner (returning user without BankID):** ```tsx if (user.bankid_verified === 0) { return (

Fullfør registreringen

Koble BankID for å få tilgang til alle funksjoner.

); } ``` **Analytics Metrics:** ```sql -- Onboarding funnel conversion rates SELECT step, COUNT(*) as started, SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed, ROUND(100.0 * SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) / COUNT(*), 2) as conversion_rate FROM onboarding_progress GROUP BY step ORDER BY CASE step WHEN 'register' THEN 1 WHEN 'phone_otp' THEN 2 WHEN 'pin_setup' THEN 3 WHEN 'onboarding_tour' THEN 4 WHEN 'bankid' THEN 5 WHEN 'kyc' THEN 6 END; ``` **Expected Conversion Rates:** | Step | Expected Conversion | Drop-off Reason | |------|---------------------|-----------------| | Register → Phone OTP | 90% | OTP not received, user exits | | Phone OTP → PIN Setup | 95% | OTP timeout, wrong code | | PIN Setup → Onboarding Tour | 98% | Accidental exit | | Onboarding Tour → BankID | 70% | User skips, BankID unavailable | | BankID → KYC | 95% | BankID fails, user cancels | | KYC → Approved | 85% | Document issues, age < 18 | **Overall Conversion:** ~50% (from registration to fully verified) ### 6.6 Network Errors **Scenario:** API call fails due to network issues **Frontend Retry Strategy:** ```tsx async function fetchWithRetry(url: string, options: RequestInit, retries = 3) { for (let i = 0; i < retries; i++) { try { const res = await fetch(url, options); if (res.ok) return res; if (res.status >= 500 && i < retries - 1) { await new Promise(resolve => setTimeout(resolve, Math.pow(2, i) * 1000)); continue; } return res; } catch (error) { if (i === retries - 1) throw error; await new Promise(resolve => setTimeout(resolve, Math.pow(2, i) * 1000)); } } } ``` **User-Facing Error:** ```tsx

Noe gikk galt

Vi kunne ikke koble til serveren. Sjekk internettforbindelsen din.

``` --- ## 7. Analytics & Drop-off Tracking ### 7.1 Key Metrics | Metric | Definition | Target | |--------|------------|--------| | Registration Start Rate | Visitors → Registration page | 25% | | Registration Completion | Registration page → OTP sent | 90% | | OTP Verification Rate | OTP sent → OTP verified | 85% | | Onboarding Completion | OTP verified → Tour complete | 70% | | BankID Conversion | Tour complete → BankID verified | 80% | | KYC Approval Rate | BankID verified → KYC approved | 90% | | Overall Conversion | Visitors → Fully verified | 12% | | Time to Verify | Registration → KYC approved | < 2 hours | ### 7.2 Drop-off Points **Funnel Visualization:** ``` 100 visitors ↓ 25% (Registration Start Rate) 25 start registration ↓ 90% (Registration Completion) 23 send OTP ↓ 85% (OTP Verification Rate) 20 verify OTP ↓ 70% (Onboarding Completion) 14 complete tour ↓ 80% (BankID Conversion) 11 verify BankID ↓ 90% (KYC Approval Rate) 10 fully verified ``` **Drop-off Reasons:** | Step | Drop-off % | Top Reasons | |------|-----------|-------------| | Registration Form | 10% | Form too long, unclear requirements | | Phone OTP | 15% | OTP not received, timeout | | PIN Setup | 2% | Accidental exit | | Onboarding Tour | 30% | User skips (friction point) | | BankID | 20% | BankID unavailable, user doesn't have it | | KYC | 10% | Document issues, age verification fails | **Optimization Priorities:** 1. **HIGH:** Reduce onboarding tour drop-off (30% → 10%) - Make skippable without blocking BankID - Shorten from 4 screens to 2 screens - Add progress indicator showing "2 min to finish" 2. **MEDIUM:** Improve BankID conversion (80% → 90%) - Clearer explanation of why BankID is required - Add fallback: "Don't have BankID? Use Vipps instead" - Show trust signals (bank logos, security icons) 3. **LOW:** Reduce OTP drop-off (15% → 10%) - Add "Resend OTP" button immediately visible - Show estimated delivery time: "SMS arrives in 10-30 seconds" - Add troubleshooting tips: "Check spam folder" ### 7.3 Analytics Implementation **Event Tracking:** ```typescript // Track page views analytics.track("onboarding_step_viewed", { userId, step: "register", timestamp: Date.now(), }); // Track form interactions analytics.track("registration_form_submitted", { userId, fields: ["email", "phone", "dob"], timestamp: Date.now(), }); // Track errors analytics.track("otp_verification_failed", { userId, reason: "invalid_code", attempts: 3, timestamp: Date.now(), }); // Track completion analytics.track("onboarding_completed", { userId, duration: Date.now() - startTime, timestamp: Date.now(), }); ``` **Drop-off Report (Weekly):** ```sql -- Generate weekly onboarding funnel report WITH funnel AS ( SELECT 'Register' as step, 1 as step_order, COUNT(DISTINCT user_id) as users FROM onboarding_progress WHERE step = 'register' AND started_at > date('now', '-7 days') UNION ALL SELECT 'Phone OTP' as step, 2 as step_order, COUNT(DISTINCT user_id) as users FROM onboarding_progress WHERE step = 'phone_otp' AND status = 'completed' AND completed_at > date('now', '-7 days') -- ... repeat for each step ) SELECT step, users, LAG(users) OVER (ORDER BY step_order) as previous_step_users, ROUND(100.0 * users / LAG(users) OVER (ORDER BY step_order), 2) as conversion_rate FROM funnel ORDER BY step_order; ``` --- ## 8. Re-engagement Strategy ### 8.1 Email Triggers **Trigger 1: OTP Not Verified (1 hour after registration)** ``` Subject: Bekreft telefonnummeret ditt Hei [FirstName], Du er nesten ferdig med registreringen! Vi sendte en 6-sifret kode til +47 [Phone]. Hvis du ikke mottok koden, kan du be om en ny. [Fullfør registrering] Koden utløper om 5 minutter. ``` **Trigger 2: BankID Not Linked (24 hours after OTP verification)** ``` Subject: Koble BankID for å bruke Drop Hei [FirstName], For å bruke Drop må du koble BankID. Dette tar bare 1 minutt og sikrer at pengene dine er trygge. [Koble BankID nå] Hvorfor BankID? ✅ Kun du har tilgang til kontoen din ✅ Vi kan aldri flytte penger uten ditt samtykke ✅ All data er kryptert Mvh, Drop-teamet ``` **Trigger 3: KYC Pending (48 hours after BankID verification)** ``` Subject: Verifisering pågår Hei [FirstName], Vi gjennomgår dokumentene dine. Dette tar vanligvis 1-2 timer, men kan ta opptil 48 timer. Du får en varsling når kontoen din er godkjent. Har du spørsmål? Svar på denne e-posten. Mvh, Drop-teamet ``` ### 8.2 Push Notifications **Notification 1: OTP Resend Available** ```json { "type": "otp_resend", "title": "Ikke mottatt kode?", "body": "Trykk her for å sende en ny verifiseringskode", "action": "OPEN_APP", "data": { "screen": "register", "step": "verify" } } ``` **Notification 2: KYC Approved** ```json { "type": "kyc_approved", "title": "Kontoen din er godkjent! 🎉", "body": "Du kan nå sende penger og betale med QR", "action": "OPEN_APP", "data": { "screen": "dashboard" } } ``` **Notification 3: KYC Rejected** ```json { "type": "kyc_rejected", "title": "Verifisering feilet", "body": "Kontakt kundeservice for hjelp", "action": "OPEN_SUPPORT", "data": { "screen": "profile", "tab": "support" } } ``` ### 8.3 In-App Prompts **Dashboard Banner (BankID not linked):** ```tsx

Koble BankID for å låse opp alle funksjoner

Send penger til utlandet og betal i butikk med QR

``` **Transaction Attempt Without BankID:** ```tsx // User clicks "Send Money" without BankID

BankID påkrevd

For å sende penger må du først koble BankID. Dette sikrer at pengene dine er trygge.

``` --- ## 9. Legal Consents ### 9.1 Required Consents **Terms of Service:** - Checkbox at registration: "Jeg godtar [vilkårene for bruk](https://getdrop.no/vilkar)" - Must be checked to proceed - Links to `landing/pages/vilkar.html` **Privacy Policy:** - Checkbox at registration: "Jeg godtar [personvernerklæringen](https://getdrop.no/privacy)" - Must be checked to proceed - Links to `landing/pages/privacy.html` **PSD2 AISP/PISP Consent:** - Modal at BankID connection: ``` Tilgang til bankkontoen din Ved å koble BankID gir du Drop tillatelse til å: ✅ Lese saldo på din bankkonto (AISP) ✅ Initiere betalinger fra din bankkonto (PISP) Du kan trekke tilbake samtykket når som helst. [Godta og fortsett] [Avbryt] ``` **Marketing Consent (Optional):** - Checkbox at registration: "Jeg ønsker å motta tips og tilbud fra Drop (valgfritt)" - Default: unchecked - Can be changed later in settings ### 9.2 Consent Storage **Database Schema:** ```sql -- Table already exists (architecture-document.md line 157) CREATE TABLE IF NOT EXISTS consents ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL, consent_type TEXT NOT NULL, -- 'terms', 'privacy', 'psd2_aisp', 'psd2_pisp', 'marketing' granted INTEGER NOT NULL, -- 0 or 1 granted_at TEXT, withdrawn_at TEXT, ip_address TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE ); CREATE INDEX idx_consents_user ON consents(user_id); CREATE INDEX idx_consents_type ON consents(consent_type); ``` **Recording Consents:** ```typescript // At registration (terms + privacy) await run( `INSERT INTO consents (id, user_id, consent_type, granted, granted_at, ip_address) VALUES (?, ?, ?, 1, datetime('now'), ?)`, [randomId("con"), userId, "terms", ip] ); await run( `INSERT INTO consents (id, user_id, consent_type, granted, granted_at, ip_address) VALUES (?, ?, ?, 1, datetime('now'), ?)`, [randomId("con"), userId, "privacy", ip] ); // Optional marketing if (marketingConsent) { await run( `INSERT INTO consents (id, user_id, consent_type, granted, granted_at, ip_address) VALUES (?, ?, ?, 1, datetime('now'), ?)`, [randomId("con"), userId, "marketing", ip] ); } // At BankID connection (PSD2 AISP + PISP) await run( `INSERT INTO consents (id, user_id, consent_type, granted, granted_at, ip_address) VALUES (?, ?, ?, 1, datetime('now'), ?), (?, ?, ?, 1, datetime('now'), ?)`, [randomId("con"), userId, "psd2_aisp", ip, randomId("con"), userId, "psd2_pisp", ip] ); ``` **Withdrawing Consent:** ```typescript // User withdraws PSD2 consent (disconnect bank account) await run( `UPDATE consents SET granted = 0, withdrawn_at = datetime('now') WHERE user_id = ? AND consent_type IN ('psd2_aisp', 'psd2_pisp')`, [userId] ); // Unlink bank account await run("DELETE FROM bank_accounts WHERE user_id = ?", [userId]); // Audit log logAudit({ userId, action: "consent.withdrawn", resourceType: "consent", details: { types: ["psd2_aisp", "psd2_pisp"] }, }); ``` ### 9.3 GDPR Compliance **Right to Access:** ```typescript // GET /api/gdpr/data-export // Returns JSON with all user data { "user": { /* user record */ }, "bank_accounts": [ /* accounts */ ], "transactions": [ /* transactions */ ], "consents": [ /* consents */ ], "audit_log": [ /* audit entries */ ] } ``` **Right to Erasure:** ```typescript // DELETE /api/gdpr/delete-account // Soft delete: sets deleted_at, anonymizes PII await run( `UPDATE users SET email = 'deleted_' || id || '@drop.deleted', first_name = 'Deleted', last_name = 'User', phone = NULL, national_id_hash = NULL, deleted_at = datetime('now') WHERE id = ?`, [userId] ); // Anonymize audit logs (keep records for compliance, remove PII) await run( `UPDATE audit_log SET details = json_set(details, '$.email', 'REDACTED') WHERE user_id = ?`, [userId] ); ``` **Data Retention:** - Active users: indefinite - Deleted users: 90 days (then full purge) - Transaction records: 5 years (AML compliance) - Audit logs: 7 years (regulatory requirement) --- ## 10. Acceptance Criteria ### 10.1 Functional Requirements **Registration:** - [ ] User can register with email, password, name, phone, DOB - [ ] Age validation rejects users < 18 years - [ ] Password complexity enforced (8+ chars, upper, lower, digit, special) - [ ] Norwegian phone number required (+47) - [ ] Duplicate email detection - [ ] OTP generated and logged (SMS not sent in demo mode) **Phone OTP Verification:** - [ ] User receives 6-digit OTP (logged to console in demo mode) - [ ] OTP expires after 5 minutes - [ ] OTP marked as used after successful verification - [ ] Rate limiting: 5 OTP attempts per minute per IP - [ ] Generic error messages (no user enumeration) - [ ] Resend OTP functionality **PIN Setup:** - [ ] User sets 4-digit PIN - [ ] Weak PIN patterns rejected (0000, 1234, 1111, sequential) - [ ] PIN stored as bcrypt hash - [ ] Auto-advance to onboarding on 4th digit - [ ] Backend endpoint `/api/auth/set-pin` implemented **Onboarding Tour:** - [ ] 4-screen carousel (Welcome, Benefits, BankID, Ready) - [ ] Progress indicator shows current step - [ ] Skip button available (except last screen) - [ ] Back button visible (except first screen) - [ ] Tour completion tracked in database - [ ] Backend endpoint `/api/onboarding/complete` implemented **BankID Verification:** - [ ] User redirected to BankID OAuth flow - [ ] CSRF protection via state token - [ ] Callback extracts fødselsnummer from ID token - [ ] Age verification from fødselsnummer (reject if < 18) - [ ] Fødselsnummer stored as SHA-256 hash - [ ] `bankid_verified` flag set to 1 - [ ] KYC initiation triggered after BankID success - [ ] Dashboard blocks unverified users with modal **KYC Check:** - [ ] Demo mode: auto-approve KYC - [ ] Production mode: redirect to Sumsub widget - [ ] Webhook handler updates KYC status - [ ] Pending state shows yellow banner on dashboard - [ ] Rejected state shows red banner with support link - [ ] Transaction routes blocked until KYC approved - [ ] Push notification sent on KYC approval/rejection ### 10.2 Non-Functional Requirements **Performance:** - [ ] Registration API responds < 500ms (p95) - [ ] OTP verification API responds < 300ms (p95) - [ ] BankID OAuth redirect < 1s - [ ] Onboarding UI loads < 1.5s (FCP) **Security:** - [ ] Password hashed with bcrypt (rounds: 12) - [ ] PIN hashed with bcrypt (rounds: 12) - [ ] JWT in httpOnly cookie (no localStorage) - [ ] CSRF protection on BankID OAuth - [ ] Rate limiting on all auth endpoints - [ ] Audit trail for all user actions - [ ] No PII in logs (phone numbers hashed) **Accessibility:** - [ ] WCAG 2.1 AA compliance - [ ] Screen reader support - [ ] Keyboard navigation - [ ] Focus indicators on all interactive elements - [ ] Error messages accessible (aria-live regions) **Usability:** - [ ] Mobile-first responsive design - [ ] Touch targets >= 44px - [ ] Clear error messages (Norwegian) - [ ] Loading states for all async operations - [ ] Success/error feedback for all actions **Legal Compliance:** - [ ] Terms of Service consent required - [ ] Privacy Policy consent required - [ ] PSD2 AISP/PISP consent modal at BankID - [ ] Consent storage in database - [ ] Age requirement enforced (18+) - [ ] Norwegian residency requirement enforced (+47 phone, BankID) ### 10.3 Edge Case Coverage - [ ] Age < 18 rejected (frontend + backend + BankID) - [ ] BankID timeout handled gracefully - [ ] BankID user cancellation handled - [ ] KYC rejection flow implemented - [ ] OTP expiry handled with resend - [ ] Network errors retry with backoff - [ ] User abandonment tracked in analytics - [ ] Re-engagement emails triggered --- ## 11. Implementation Order ### Phase 1: Backend Foundations (Priority: HIGH) **Duration:** 2 days **Owner:** Backend agent 1. ✅ Database schema updates - Add new fields to `users` table (pin_hash, bankid_verified, onboarding_completed, national_id_hash) - Create `onboarding_progress` table - Create indexes 2. ✅ Missing API endpoints - `POST /api/auth/set-pin` - `GET /api/auth/bankid/callback` - `POST /api/onboarding/complete` - `POST /api/auth/resend-otp` - `POST /api/webhooks/sumsub` 3. ✅ Age verification logic - Extract DOB from fødselsnummer - Validate age >= 18 in BankID callback 4. ✅ Consent storage - Record consents at registration and BankID ### Phase 2: Frontend Fixes (Priority: HIGH) **Duration:** 1 day **Owner:** Frontend agent 1. ✅ PIN setup backend integration - Call `/api/auth/set-pin` after PIN entered - Validate weak PIN patterns - Handle errors 2. ✅ Onboarding completion tracking - Call `/api/onboarding/complete` on last screen 3. ✅ Dashboard BankID prompt - Non-dismissable modal for unverified users - "Koble BankID" button - Clear explanation 4. ✅ KYC status UI - Pending banner (yellow) - Rejected banner (red) with support link ### Phase 3: Edge Case Handling (Priority: MEDIUM) **Duration:** 1 day **Owner:** Backend + Frontend agents 1. ✅ OTP resend flow - Backend: Rate limiting (3 per hour) - Frontend: "Send ny kode" button 2. ✅ BankID error handling - Timeout retry - User cancellation - CSRF validation 3. ✅ KYC rejection flow - Webhook handler - Dashboard blocking UI - Support ticket creation ### Phase 4: Analytics & Re-engagement (Priority: LOW) **Duration:** 1 day **Owner:** Backend + Marketing 1. ✅ Drop-off tracking - Event logging in `onboarding_progress` - Funnel report SQL query 2. ✅ Email triggers - OTP not verified (1h) - BankID not linked (24h) - KYC pending (48h) 3. ✅ Push notifications - OTP resend available - KYC approved - KYC rejected ### Phase 5: Testing & Deployment (Priority: HIGH) **Duration:** 2 days **Owner:** QA agent + DevOps 1. ✅ Unit tests - Age validation (frontend + backend) - OTP verification - PIN validation - BankID callback 2. ✅ Integration tests - Full onboarding flow (register → KYC approved) - BankID OAuth flow - KYC webhook 3. ✅ E2E tests (Playwright) - Happy path: Register → Verify → BankID → Dashboard - Error path: Age < 18 → Rejected - Error path: BankID timeout → Retry 4. ✅ Deployment - Staging environment - Smoke tests - Production rollout --- ## 12. Success Metrics (3 Months Post-Launch) | Metric | Target | Measurement | |--------|--------|-------------| | Registration Completion | 85% | OTP sent / Registration started | | OTP Verification | 80% | OTP verified / OTP sent | | Onboarding Completion | 70% | Tour complete / OTP verified | | BankID Connection | 75% | BankID verified / Tour complete | | KYC Approval | 90% | KYC approved / BankID verified | | Overall Conversion | 40% | Fully verified / Registration started | | Time to Verify | < 2 hours | Median time from registration to KYC approval | | Drop-off Rate (Tour) | < 15% | Users who skip tour | | Re-engagement Open Rate | 25% | Email open rate for re-engagement campaigns | | Support Tickets (KYC) | < 5% | Tickets per verified user | --- ## 13. Rollout Plan ### 13.1 Soft Launch (Week 1) - **Audience:** Internal team (10 users) - **Goal:** Validate full flow, catch bugs - **KYC:** Demo mode (auto-approve) - **Monitoring:** Manual testing, bug reports in Slack ### 13.2 Beta Launch (Week 2-3) - **Audience:** Friends & family (50 users) - **Goal:** Gather UX feedback, measure conversion rates - **KYC:** Demo mode (auto-approve) - **Monitoring:** Analytics dashboard, user feedback survey ### 13.3 Limited Public Launch (Week 4-6) - **Audience:** Invite-only (500 users) - **Goal:** Test production BankID + KYC integration - **KYC:** Production mode (Sumsub) - **Monitoring:** Drop-off tracking, support ticket volume ### 13.4 Full Public Launch (Week 7+) - **Audience:** Open to all (Norway) - **Goal:** Scale to 10,000+ users - **KYC:** Production mode (Sumsub) - **Monitoring:** Weekly funnel reports, monthly conversion review --- ## 14. Appendix ### 14.1 Glossary | Term | Definition | |------|------------| | **AISP** | Account Information Service Provider (PSD2) — reads bank account balance | | **PISP** | Payment Initiation Service Provider (PSD2) — initiates payments from bank account | | **BankID** | Norwegian eID system (OAuth 2.0 OIDC) for identity verification | | **Fødselsnummer** | 11-digit Norwegian national ID (encodes DOB + unique ID) | | **KYC** | Know Your Customer — identity verification for AML compliance | | **Sumsub** | Third-party KYC provider (document verification) | | **OTP** | One-Time Password (6-digit SMS code) | | **SCA** | Strong Customer Authentication (PSD2 requirement) | | **Pass-through model** | Drop never holds customer money; all funds stay in user's bank | ### 14.2 References | Document | Location | |----------|----------| | Architecture Document | `project/architecture/architecture-document.md` | | Terms of Service | `landing/pages/vilkar.html` | | Privacy Policy | `landing/pages/privacy.html` | | Figma Make Export (UI Source of Truth) | `mockups/figma-make-export/src/components/` | | Current Onboarding Flow | `src/drop-app/src/app/onboarding/page.tsx` | | Current Register Flow | `src/drop-app/src/app/register/page.tsx` | | BankID OAuth | `src/drop-app/src/app/api/auth/bankid/route.ts` | | KYC Service | `src/drop-app/src/lib/services/kyc.ts` | ### 14.3 Related Tasks | Task | MC # | Description | Status | |------|------|-------------|--------| | Implement user registration | #947 | Email/password registration | ✅ Done | | Implement BankID OAuth | #948 | BankID integration | 🚧 Partial | | Implement KYC verification | #949 | Sumsub integration | 🚧 Partial | | Build onboarding tour | #950 | 4-screen carousel | ✅ Done | | Add consent tracking | #951 | GDPR compliance | ❌ Not started | | Analytics integration | #952 | Posthog/Mixpanel | ❌ Not started | --- **End of Specification** **Next Steps:** 1. Review this spec with Alem for approval 2. Create implementation tasks in Mission Control 3. Assign tasks to builder agents 4. Begin Phase 1 (Backend Foundations) **Questions for Alem:** 1. Preferred analytics platform (Posthog, Mixpanel, custom)? 2. SMS provider for OTP (Twilio, MessageBird)? 3. Email provider for re-engagement (SendGrid, Mailgun)? 4. KYC provider credentials (Sumsub account setup)? 5. BankID production credentials (when to request)? # drop-push-notifications-spec # Drop Push Notification Delivery Service — Implementation Spec **Project:** Drop (Fintech Payment App) **Task:** MC #1196 **Date:** 2026-02-17 **Author:** John (AI Director) --- ## 1. Executive Summary Drop currently has notification stubs (database table, UI, demo-mode service) but no actual push delivery infrastructure. This spec defines a production-ready push notification system covering: - Multi-platform delivery: Web Push (PWA primary), Firebase Cloud Messaging (Android future), APNs (iOS future) - Notification taxonomy with security and compliance categories - Device token management and lifecycle - User preference management per Norwegian marketing laws - Database schema for device tokens, notification queue, delivery logs - API endpoints for device registration and preference management - Integration with existing transaction and auth systems **MVP Recommendation:** Web Push (PWA) — Drop currently has web app only, mobile apps planned for future. Start with Web Push API + service workers, add FCM/APNs when React Native mobile apps ship. --- ## 2. Architecture Overview ### 2.1 Unified Push Service Layer **File:** `src/lib/push.ts` (NEW — replaces stub at `src/lib/services/notifications.ts`) Provider-agnostic push notification abstraction. All push sending goes through this module. **Interface:** ```typescript // src/lib/push.ts export interface DeviceToken { id: string; userId: string; platform: 'web' | 'android' | 'ios'; token: string; // For FCM/APNs, this is the device token endpoint?: string; // For Web Push, this is the subscription endpoint keys?: { // For Web Push only p256dh: string; auth: string; }; createdAt: string; lastUsedAt: string; } export interface NotificationPayload { userId: string; type: NotificationType; title: string; body: string; data?: Record; priority?: 'high' | 'normal' | 'low'; category?: string; // For iOS notification categories badge?: number; // Badge count (iOS/Android) sound?: string; // Sound file name } export interface DeliveryResult { success: boolean; messageId?: string; platform: 'web' | 'android' | 'ios'; error?: string; } // Core send function export async function sendPushNotification( payload: NotificationPayload ): Promise; // Device token management export async function registerDeviceToken( userId: string, platform: 'web' | 'android' | 'ios', token: string, keys?: { p256dh: string; auth: string; endpoint: string } ): Promise<{ success: boolean; error?: string }>; export async function unregisterDeviceToken( userId: string, deviceId: string ): Promise<{ success: boolean }>; export async function refreshDeviceToken( oldToken: string, newToken: string ): Promise<{ success: boolean }>; // Preference check export async function canSendNotification( userId: string, type: NotificationType ): Promise; ``` --- ### 2.2 Notification Type Taxonomy **Security Principle:** Transactional notifications = mandatory (no opt-out). Promotional = explicit consent required (Norwegian markedsføringsloven). ```typescript export type NotificationType = // TRANSACTIONAL (mandatory, no opt-out) | 'transfer_sent' // Money sent from user's account | 'transfer_received' // Money received into user's account | 'transfer_failed' // Transfer failed (bank rejected) | 'login_alert' // New device/location login | 'otp_code' // OTP code for 2FA (future) | 'password_changed' // Password changed (security alert) | 'bankid_linked' // BankID linked to account | 'bankid_unlinked' // BankID unlinked (security alert) | 'account_locked' // Account locked due to suspicious activity | 'kyc_approved' // KYC verification approved | 'kyc_rejected' // KYC verification rejected // ACCOUNT (opt-in, enabled by default) | 'transaction_summary' // Daily/weekly transaction summary | 'low_balance' // Bank account balance below threshold | 'rate_update' // Exchange rate update for pending transfer // PROMOTIONAL (opt-in, disabled by default, GDPR consent required) | 'referral' // Referral program | 'new_feature' // New feature announcement | 'special_offer'; // Special offers/promotions export const NOTIFICATION_CATEGORIES = { transactional: [ 'transfer_sent', 'transfer_received', 'transfer_failed', 'login_alert', 'otp_code', 'password_changed', 'bankid_linked', 'bankid_unlinked', 'account_locked', 'kyc_approved', 'kyc_rejected', ], account: [ 'transaction_summary', 'low_balance', 'rate_update', ], promotional: [ 'referral', 'new_feature', 'special_offer', ], } as const; export const NOTIFICATION_PRIORITY = { transfer_sent: 'high', transfer_received: 'high', transfer_failed: 'high', login_alert: 'high', otp_code: 'high', password_changed: 'high', bankid_unlinked: 'high', account_locked: 'high', kyc_approved: 'normal', kyc_rejected: 'normal', bankid_linked: 'normal', transaction_summary: 'normal', low_balance: 'normal', rate_update: 'low', referral: 'low', new_feature: 'low', special_offer: 'low', } as const; ``` **Norwegian Marketing Law Compliance:** - **Markedsføringsloven §15:** Promotional notifications require EXPLICIT prior consent (opt-in) - **GDPR Art. 6(1)(a):** Consent must be freely given, specific, informed, unambiguous - **Implementation:** Promotional notifications OFF by default, require explicit user action to enable - **Audit trail:** Log consent timestamp and context in `notification_preferences` table --- ### 2.3 Platform-Specific Implementations #### A. Web Push API (PRIMARY — MVP) **Tech Stack:** - Service worker (`public/sw.js`) handles push events - Web Push API (browser native, no SDK required) - `web-push` npm library (server-side, VAPID signing) **VAPID (Voluntary Application Server Identification):** - Generate keys: `npx web-push generate-vapid-keys` - Store in env: `VAPID_PUBLIC_KEY`, `VAPID_PRIVATE_KEY`, `VAPID_SUBJECT` (mailto:support@getdrop.no) **Client-Side Flow:** 1. User visits Drop PWA 2. Service worker registers (`/sw.js`) 3. User grants notification permission (browser prompt) 4. Client subscribes to push: `registration.pushManager.subscribe({ userVisibleOnly: true, applicationServerKey: VAPID_PUBLIC_KEY })` 5. Client sends subscription object to server: `POST /api/notifications/register-device` 6. Server stores subscription in `device_tokens` table **Server-Side Flow:** 1. Transaction completes → create notification in `notifications` table 2. Fetch user's Web Push subscriptions from `device_tokens` WHERE platform='web' 3. For each subscription: - Use `web-push` library to send notification - `webpush.sendNotification(subscription, JSON.stringify(payload))` 4. Log delivery result in `notification_log` **Service Worker (`public/sw.js`):** ```javascript // Listen for push events self.addEventListener('push', (event) => { const data = event.data ? event.data.json() : {}; const { title, body, icon, badge, data: customData } = data; const options = { body: body, icon: icon || '/icon-192.png', badge: badge || '/badge-72.png', data: customData, vibrate: [200, 100, 200], tag: data.type || 'default', requireInteraction: data.priority === 'high', }; event.waitUntil( self.registration.showNotification(title, options) ); }); // Handle notification click self.addEventListener('notificationclick', (event) => { event.notification.close(); const urlToOpen = event.notification.data?.url || '/dashboard'; event.waitUntil( clients.matchAll({ type: 'window', includeUncontrolled: true }).then((clientList) => { // If Drop is already open, focus it for (const client of clientList) { if (client.url.includes(urlToOpen) && 'focus' in client) { return client.focus(); } } // Otherwise, open new window if (clients.openWindow) { return clients.openWindow(urlToOpen); } }) ); }); ``` **Dependencies:** ```json { "dependencies": { "web-push": "^3.6.7" } } ``` **Env Vars:** ```bash # Web Push (VAPID keys) VAPID_PUBLIC_KEY=BN... # Public key (also exposed to client via /api/vapid-public-key) VAPID_PRIVATE_KEY=... # Private key (server-side only) VAPID_SUBJECT=mailto:support@getdrop.no ``` --- #### B. Firebase Cloud Messaging (FUTURE — Android) **When:** When React Native Android app ships. **Tech Stack:** - Firebase Cloud Messaging (FCM) HTTP v1 API - `firebase-admin` SDK (server-side) - `@react-native-firebase/messaging` (client-side) **Setup:** 1. Create Firebase project at console.firebase.google.com 2. Add Android app to Firebase project (package name: `no.getdrop.app`) 3. Download `google-services.json`, place in React Native Android project 4. Download service account key JSON for server 5. Set env var: `FIREBASE_SERVICE_ACCOUNT_KEY` (base64-encoded JSON) **Client-Side Flow (React Native):** ```typescript // React Native app startup import messaging from '@react-native-firebase/messaging'; async function registerForPushNotifications() { const authStatus = await messaging().requestPermission(); if (authStatus === messaging.AuthorizationStatus.AUTHORIZED) { const token = await messaging().getToken(); // Send to server: POST /api/notifications/register-device await fetch('/api/notifications/register-device', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ platform: 'android', token }), }); } } // Handle foreground messages messaging().onMessage(async (remoteMessage) => { // Show in-app notification UI }); // Handle background messages (background handler in index.js) messaging().setBackgroundMessageHandler(async (remoteMessage) => { console.log('Background message:', remoteMessage); }); // Handle token refresh messaging().onTokenRefresh((token) => { // Update server with new token }); ``` **Server-Side Flow:** ```typescript import admin from 'firebase-admin'; // Initialize Firebase Admin (once on startup) const serviceAccountKey = JSON.parse( Buffer.from(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!, 'base64').toString('utf-8') ); admin.initializeApp({ credential: admin.credential.cert(serviceAccountKey), }); // Send notification async function sendFCMNotification(token: string, payload: NotificationPayload) { const message = { token: token, notification: { title: payload.title, body: payload.body, }, data: payload.data || {}, android: { priority: payload.priority === 'high' ? 'high' : 'normal', notification: { sound: payload.sound || 'default', badge: payload.badge, }, }, }; const response = await admin.messaging().send(message); return response; // message ID } ``` **Dependencies:** ```json { "dependencies": { "firebase-admin": "^12.0.0" } } ``` **Env Vars:** ```bash FIREBASE_SERVICE_ACCOUNT_KEY=base64-encoded-json ``` **Cost:** FREE — FCM has no quota limits or pricing. --- #### C. Apple Push Notification service (FUTURE — iOS) **When:** When React Native iOS app ships. **Tech Stack:** - APNs HTTP/2 API - `apn` npm library (server-side) - `@react-native-firebase/messaging` (works for both FCM and APNs) **Setup:** 1. Create iOS app in Apple Developer account 2. Create Push Notification certificate or Auth Key (.p8 file) 3. Download .p8 file, note Key ID and Team ID 4. Set env vars: `APNS_KEY_ID`, `APNS_TEAM_ID`, `APNS_KEY_PATH` (or `APNS_KEY_CONTENT` as base64) **Server-Side Flow:** ```typescript import apn from 'apn'; // Initialize APNs provider const apnProvider = new apn.Provider({ token: { key: process.env.APNS_KEY_CONTENT!, // .p8 file content keyId: process.env.APNS_KEY_ID!, teamId: process.env.APNS_TEAM_ID!, }, production: process.env.NODE_ENV === 'production', }); // Send notification async function sendAPNsNotification(deviceToken: string, payload: NotificationPayload) { const notification = new apn.Notification(); notification.alert = { title: payload.title, body: payload.body, }; notification.badge = payload.badge; notification.sound = payload.sound || 'default'; notification.category = payload.category; notification.priority = payload.priority === 'high' ? 10 : 5; notification.payload = payload.data || {}; notification.topic = 'no.getdrop.app'; // iOS bundle ID const result = await apnProvider.send(notification, deviceToken); return result; // Array of { device, status } } ``` **Dependencies:** ```json { "dependencies": { "apn": "^2.2.0" } } ``` **Env Vars:** ```bash APNS_KEY_ID=ABC123XYZ APNS_TEAM_ID=DEF456UVW APNS_KEY_CONTENT=base64-encoded-p8-file ``` **Cost:** FREE — APNs has no quota or pricing. --- ## 3. Database Schema ### 3.1 New Tables #### `device_tokens` Stores push notification device tokens/subscriptions. **SQLite:** ```sql CREATE TABLE IF NOT EXISTS device_tokens ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), platform TEXT NOT NULL CHECK(platform IN ('web','android','ios')), token TEXT, -- FCM/APNs device token (NULL for Web Push) endpoint TEXT, -- Web Push endpoint URL (NULL for FCM/APNs) p256dh_key TEXT, -- Web Push p256dh key (NULL for FCM/APNs) auth_key TEXT, -- Web Push auth key (NULL for FCM/APNs) user_agent TEXT, -- Browser/device info created_at TEXT DEFAULT (datetime('now')), last_used_at TEXT DEFAULT (datetime('now')), active INTEGER DEFAULT 1 -- 0 = deactivated (stale/unregistered) ); CREATE UNIQUE INDEX IF NOT EXISTS idx_device_tokens_token ON device_tokens(token) WHERE token IS NOT NULL; CREATE UNIQUE INDEX IF NOT EXISTS idx_device_tokens_endpoint ON device_tokens(endpoint) WHERE endpoint IS NOT NULL; CREATE INDEX IF NOT EXISTS idx_device_tokens_user ON device_tokens(user_id); CREATE INDEX IF NOT EXISTS idx_device_tokens_platform ON device_tokens(platform); CREATE INDEX IF NOT EXISTS idx_device_tokens_active ON device_tokens(active); ``` **PostgreSQL:** ```sql CREATE TABLE IF NOT EXISTS device_tokens ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), platform TEXT NOT NULL CHECK(platform IN ('web','android','ios')), token TEXT, endpoint TEXT, p256dh_key TEXT, auth_key TEXT, user_agent TEXT, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, active INTEGER DEFAULT 1 ); CREATE UNIQUE INDEX IF NOT EXISTS idx_device_tokens_token ON device_tokens(token) WHERE token IS NOT NULL; CREATE UNIQUE INDEX IF NOT EXISTS idx_device_tokens_endpoint ON device_tokens(endpoint) WHERE endpoint IS NOT NULL; CREATE INDEX IF NOT EXISTS idx_device_tokens_user ON device_tokens(user_id); CREATE INDEX IF NOT EXISTS idx_device_tokens_platform ON device_tokens(platform); CREATE INDEX IF NOT EXISTS idx_device_tokens_active ON device_tokens(active); ``` **Deduplication:** Same device registering multiple times → UPSERT on `token` or `endpoint` (updates `last_used_at`, reactivates if inactive). **Stale Token Cleanup:** Cron job (daily) marks tokens as inactive if `last_used_at` > 90 days OR if delivery fails with "token invalid" error. --- #### `notification_queue` Queue for deferred/retry delivery (future — MVP sends immediately). **SQLite:** ```sql CREATE TABLE IF NOT EXISTS notification_queue ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), type TEXT NOT NULL, title TEXT NOT NULL, body TEXT NOT NULL, data TEXT, -- JSON string priority TEXT DEFAULT 'normal' CHECK(priority IN ('high','normal','low')), status TEXT DEFAULT 'pending' CHECK(status IN ('pending','sent','failed','cancelled')), attempts INTEGER DEFAULT 0, max_attempts INTEGER DEFAULT 3, next_retry_at TEXT, -- ISO timestamp created_at TEXT DEFAULT (datetime('now')), sent_at TEXT, error TEXT ); CREATE INDEX IF NOT EXISTS idx_queue_user ON notification_queue(user_id); CREATE INDEX IF NOT EXISTS idx_queue_status ON notification_queue(status); CREATE INDEX IF NOT EXISTS idx_queue_next_retry ON notification_queue(next_retry_at) WHERE status = 'pending'; ``` **PostgreSQL:** ```sql CREATE TABLE IF NOT EXISTS notification_queue ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), type TEXT NOT NULL, title TEXT NOT NULL, body TEXT NOT NULL, data TEXT, priority TEXT DEFAULT 'normal' CHECK(priority IN ('high','normal','low')), status TEXT DEFAULT 'pending' CHECK(status IN ('pending','sent','failed','cancelled')), attempts INTEGER DEFAULT 0, max_attempts INTEGER DEFAULT 3, next_retry_at TIMESTAMP, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, sent_at TIMESTAMP, error TEXT ); CREATE INDEX IF NOT EXISTS idx_queue_user ON notification_queue(user_id); CREATE INDEX IF NOT EXISTS idx_queue_status ON notification_queue(status); CREATE INDEX IF NOT EXISTS idx_queue_next_retry ON notification_queue(next_retry_at) WHERE status = 'pending'; ``` **MVP Note:** Queue table created but not used initially. MVP sends notifications synchronously. Post-MVP: add background worker that processes queue with retry logic (exponential backoff). --- #### `notification_log` Audit log of all push notification deliveries. **SQLite:** ```sql CREATE TABLE IF NOT EXISTS notification_log ( id TEXT PRIMARY KEY, notification_id TEXT REFERENCES notifications(id), -- NULL for push-only (no in-app) user_id TEXT NOT NULL REFERENCES users(id), device_token_id TEXT REFERENCES device_tokens(id), platform TEXT NOT NULL CHECK(platform IN ('web','android','ios')), type TEXT NOT NULL, title TEXT NOT NULL, body TEXT NOT NULL, status TEXT NOT NULL CHECK(status IN ('sent','failed','skipped')), message_id TEXT, -- Provider message ID (FCM/APNs/Web Push) error TEXT, sent_at TEXT DEFAULT (datetime('now')) ); CREATE INDEX IF NOT EXISTS idx_notif_log_user ON notification_log(user_id); CREATE INDEX IF NOT EXISTS idx_notif_log_status ON notification_log(status); CREATE INDEX IF NOT EXISTS idx_notif_log_sent_at ON notification_log(sent_at); CREATE INDEX IF NOT EXISTS idx_notif_log_platform ON notification_log(platform); ``` **PostgreSQL:** ```sql CREATE TABLE IF NOT EXISTS notification_log ( id TEXT PRIMARY KEY, notification_id TEXT REFERENCES notifications(id), user_id TEXT NOT NULL REFERENCES users(id), device_token_id TEXT REFERENCES device_tokens(id), platform TEXT NOT NULL CHECK(platform IN ('web','android','ios')), type TEXT NOT NULL, title TEXT NOT NULL, body TEXT NOT NULL, status TEXT NOT NULL CHECK(status IN ('sent','failed','skipped')), message_id TEXT, error TEXT, sent_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); CREATE INDEX IF NOT EXISTS idx_notif_log_user ON notification_log(user_id); CREATE INDEX IF NOT EXISTS idx_notif_log_status ON notification_log(status); CREATE INDEX IF NOT EXISTS idx_notif_log_sent_at ON notification_log(sent_at); CREATE INDEX IF NOT EXISTS idx_notif_log_platform ON notification_log(platform); ``` **Retention:** Keep indefinitely for audit trail (fintech compliance). Monitoring queries: ```sql -- Delivery rate last 24h SELECT platform, COUNT(*) as total, SUM(CASE WHEN status='sent' THEN 1 ELSE 0 END) as sent, SUM(CASE WHEN status='failed' THEN 1 ELSE 0 END) as failed FROM notification_log WHERE sent_at > datetime('now', '-1 day') GROUP BY platform; -- Failure reasons SELECT error, COUNT(*) as count FROM notification_log WHERE status='failed' AND sent_at > datetime('now', '-7 days') GROUP BY error ORDER BY count DESC LIMIT 10; ``` --- #### `notification_preferences` User preferences for notification types (opt-in/opt-out, quiet hours). **SQLite:** ```sql CREATE TABLE IF NOT EXISTS notification_preferences ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), category TEXT NOT NULL CHECK(category IN ('transactional','account','promotional')), enabled INTEGER DEFAULT 1, quiet_hours_start TEXT, -- HH:MM format (e.g., "22:00") quiet_hours_end TEXT, -- HH:MM format (e.g., "08:00") created_at TEXT DEFAULT (datetime('now')), updated_at TEXT DEFAULT (datetime('now')) ); CREATE UNIQUE INDEX IF NOT EXISTS idx_notif_pref_user_cat ON notification_preferences(user_id, category); ``` **PostgreSQL:** ```sql CREATE TABLE IF NOT EXISTS notification_preferences ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), category TEXT NOT NULL CHECK(category IN ('transactional','account','promotional')), enabled INTEGER DEFAULT 1, quiet_hours_start TEXT, quiet_hours_end TEXT, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); CREATE UNIQUE INDEX IF NOT EXISTS idx_notif_pref_user_cat ON notification_preferences(user_id, category); ``` **Default behavior:** - Transactional: ALWAYS enabled (row doesn't exist = enabled, quiet hours ignored) - Account: Enabled by default (created on first app launch) - Promotional: Disabled by default (created on first app launch) **Quiet hours logic:** - If notification type = transactional → send immediately (ignore quiet hours) - Otherwise, check user's local time (use timezone from user profile or default to Europe/Oslo) - If current time is between `quiet_hours_start` and `quiet_hours_end` → queue for later (send at `quiet_hours_end`) --- ### 3.2 Schema Changes to Existing Tables #### `notifications` (existing table — ADD columns) **Additions:** ```sql -- SQLite migration ALTER TABLE notifications ADD COLUMN notification_type TEXT; ALTER TABLE notifications ADD COLUMN priority TEXT DEFAULT 'normal' CHECK(priority IN ('high','normal','low')); ALTER TABLE notifications ADD COLUMN data TEXT; -- JSON string with extra context ``` **PostgreSQL migration:** ```sql ALTER TABLE notifications ADD COLUMN notification_type TEXT; ALTER TABLE notifications ADD COLUMN priority TEXT DEFAULT 'normal'; ALTER TABLE notifications ADD COLUMN data TEXT; ALTER TABLE notifications ADD CONSTRAINT notifications_priority_check CHECK (priority IN ('high','normal','low')); ``` **Purpose:** Existing `notifications` table stores in-app notifications. New columns allow linking in-app notifications to push notifications (same notification shows in both Notifications screen AND push). --- ## 4. API Endpoints ### 4.1 POST `/api/notifications/register-device` **Purpose:** Register device token for push notifications. **Auth:** Required (bearer token). **Request:** ```json { "platform": "web", "token": "fcm-token-or-apns-token", // For FCM/APNs "subscription": { // For Web Push only "endpoint": "https://fcm.googleapis.com/...", "keys": { "p256dh": "base64-encoded-p256dh", "auth": "base64-encoded-auth" } }, "userAgent": "Mozilla/5.0 ..." } ``` **Response (200):** ```json { "data": { "deviceId": "dtk_abc123", "registered": true } } ``` **Errors:** - 400: Missing platform or token/subscription - 401: Unauthorized - 409: Device already registered (returns existing deviceId) **Logic:** 1. Validate platform ('web', 'android', 'ios') 2. For Web Push: validate subscription object (endpoint, keys.p256dh, keys.auth) 3. For FCM/APNs: validate token format 4. Check if token/endpoint already exists: - If exists → update `last_used_at`, set `active=1`, return existing ID - If not exists → insert new row 5. Return deviceId **File:** `src/app/api/notifications/register-device/route.ts` (NEW) --- ### 4.2 DELETE `/api/notifications/devices/:deviceId` **Purpose:** Unregister device token (user logs out or revokes permission). **Auth:** Required. **Response (200):** ```json { "data": { "success": true } } ``` **Logic:** 1. Verify device belongs to authenticated user 2. Set `active=0` (soft delete — keep for audit trail) **File:** `src/app/api/notifications/devices/[deviceId]/route.ts` (NEW) --- ### 4.3 GET `/api/notifications/preferences` **Purpose:** Get user's notification preferences. **Auth:** Required. **Response (200):** ```json { "data": { "transactional": { "enabled": true, "canDisable": false }, "account": { "enabled": true, "canDisable": true }, "promotional": { "enabled": false, "canDisable": true }, "quietHours": { "enabled": false, "start": null, "end": null } } } ``` **Logic:** 1. Fetch rows from `notification_preferences` WHERE user_id = ? 2. If no rows exist → create defaults (transactional=1, account=1, promotional=0) 3. Return preferences **File:** `src/app/api/notifications/preferences/route.ts` (NEW, GET handler) --- ### 4.4 PUT `/api/notifications/preferences` **Purpose:** Update user's notification preferences. **Auth:** Required. **Request:** ```json { "account": { "enabled": true }, "promotional": { "enabled": false }, "quietHours": { "enabled": true, "start": "22:00", "end": "08:00" } } ``` **Response (200):** ```json { "data": { "updated": true } } ``` **Errors:** - 400: Invalid category or quiet hours format - 403: Attempt to disable transactional notifications **Logic:** 1. Validate categories (cannot disable transactional) 2. Validate quiet hours format (HH:MM, 00:00-23:59) 3. UPSERT preferences into `notification_preferences` table 4. Update `updated_at = now()` **File:** `src/app/api/notifications/preferences/route.ts` (NEW, PUT handler) --- ### 4.5 GET `/api/notifications/history` **Purpose:** Get user's push notification delivery history (debugging/audit). **Auth:** Required. **Query params:** - `limit` (default: 50, max: 100) - `offset` (default: 0) **Response (200):** ```json { "data": [ { "id": "nlog_abc123", "type": "transfer_received", "title": "Du mottok penger", "platform": "web", "status": "sent", "sentAt": "2026-02-17T14:30:00Z" } ], "pagination": { "limit": 50, "offset": 0, "total": 123 } } ``` **Logic:** 1. Query `notification_log` WHERE user_id = ? ORDER BY sent_at DESC LIMIT ? OFFSET ? 2. Count total rows for pagination 3. Return list **File:** `src/app/api/notifications/history/route.ts` (NEW) --- ### 4.6 GET `/api/vapid-public-key` **Purpose:** Expose VAPID public key to client for Web Push subscription. **Auth:** Not required (public endpoint). **Response (200):** ```json { "publicKey": "BN4GvZtEZiZuqaasbD-..." } ``` **File:** `src/app/api/vapid-public-key/route.ts` (NEW) --- ## 5. Integration Points ### 5.1 Transaction Complete (Remittance + QR Payment) **Files to modify:** - `src/app/api/transactions/remittance/route.ts` - `src/app/api/transactions/qr-payment/route.ts` **After transaction status = 'completed':** ```typescript import { sendPushNotification } from '@/lib/push'; import { randomId } from '@/lib/utils'; // Create in-app notification (existing table) const notificationId = randomId('ntf'); await run( `INSERT INTO notifications (id, user_id, type, title, body, notification_type, priority, data) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`, [ notificationId, userId, 'transaction_complete', 'Transaksjon fullført', `${amount} ${currency} sendt til ${recipientName}`, 'transfer_sent', 'high', JSON.stringify({ transactionId: txId, amount, currency }), ] ); // Send push notification await sendPushNotification({ userId: userId, type: 'transfer_sent', title: 'Transaksjon fullført', body: `${amount} ${currency} sendt til ${recipientName}`, priority: 'high', data: { transactionId: txId, amount, currency, url: `/dashboard/transactions/${txId}`, }, }); // If recipient is a Drop user, notify them if (recipientUserId) { const recipientNotifId = randomId('ntf'); await run( `INSERT INTO notifications (id, user_id, type, title, body, notification_type, priority, data) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`, [ recipientNotifId, recipientUserId, 'transaction_complete', 'Du mottok penger', `${amount} ${currency} fra ${senderName}`, 'transfer_received', 'high', JSON.stringify({ transactionId: txId, amount, currency }), ] ); await sendPushNotification({ userId: recipientUserId, type: 'transfer_received', title: 'Du mottok penger', body: `${amount} ${currency} fra ${senderName}`, priority: 'high', data: { transactionId: txId, amount, currency, url: `/dashboard/transactions/${txId}`, }, }); } ``` --- ### 5.2 Login Alert (New Device) **File to modify:** `src/app/api/auth/login/route.ts` **After successful login:** ```typescript import crypto from 'crypto'; import { sendPushNotification } from '@/lib/push'; const ip = getClientIp(request); const userAgent = request.headers.get('user-agent') || 'Unknown'; // Generate device fingerprint const deviceFingerprint = crypto.createHash('sha256') .update(`${ip}:${userAgent}`) .digest('hex'); // Check if device is new const existingDevice = await getOne<{ id: string }>( "SELECT id FROM sessions WHERE user_id = ? AND device_fingerprint = ?", [userId, deviceFingerprint] ); if (!existingDevice) { // New device → send login alert const notificationId = randomId('ntf'); await run( `INSERT INTO notifications (id, user_id, type, title, body, notification_type, priority, data) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`, [ notificationId, userId, 'security', 'Ny pålogging oppdaget', `Pålogging fra ${userAgent.slice(0, 50)}`, 'login_alert', 'high', JSON.stringify({ ip, userAgent }), ] ); await sendPushNotification({ userId: userId, type: 'login_alert', title: 'Ny pålogging oppdaget', body: `Pålogging fra ${userAgent.slice(0, 50)}`, priority: 'high', data: { ip, userAgent, url: '/profile/security', }, }); } // Add device_fingerprint to session insert (schema change needed) await run( `INSERT INTO sessions (id, user_id, token_hash, expires_at, device_fingerprint) VALUES (?, ?, ?, ?, ?)`, [sessionId, userId, tokenHash, expiresAt, deviceFingerprint] ); ``` **Schema change:** ```sql -- Add to sessions table ALTER TABLE sessions ADD COLUMN device_fingerprint TEXT; CREATE INDEX IF NOT EXISTS idx_sessions_device ON sessions(device_fingerprint); ``` --- ### 5.3 Account Events (KYC, BankID, Password Change) **Files to modify:** - `src/app/api/auth/change-password/route.ts` (if exists, else create) - `src/app/api/kyc/verify/route.ts` (if exists) - `src/app/api/bankid/link/route.ts` (if exists) **Pattern (same for all):** ```typescript // After event (e.g., password changed) await sendPushNotification({ userId: userId, type: 'password_changed', title: 'Passord endret', body: 'Passordet ditt ble nettopp endret. Hvis dette ikke var deg, kontakt support umiddelbart.', priority: 'high', data: { timestamp: new Date().toISOString(), url: '/profile/security', }, }); ``` --- ## 6. User Preference Management UI ### 6.1 Notification Settings Screen **File to create:** `src/app/profile/notifications/page.tsx` (MODIFY existing if exists) **UI Components:** 1. **Permission Status** — Shows if browser/OS notifications enabled - If not enabled → show "Enable Notifications" button → triggers browser permission prompt 2. **Category Toggles:** - Transactional: Always ON (disabled toggle, grayed out, "Required for security") - Account: Toggle (ON by default) - Promotional: Toggle (OFF by default, show consent text) 3. **Quiet Hours:** - Toggle "Enable Quiet Hours" - Time pickers: Start time (default 22:00), End time (default 08:00) - Note: "Transactional notifications (security alerts, payments) will still be sent" 4. **Device List:** - Shows registered devices (platform, last used) - "Remove" button per device **Client-Side Logic:** ```typescript // Check if push notifications supported if ('serviceWorker' in navigator && 'PushManager' in window) { // Check current permission const permission = Notification.permission; if (permission === 'default') { // Show "Enable Notifications" button } else if (permission === 'granted') { // Subscribe to push const registration = await navigator.serviceWorker.ready; const subscription = await registration.pushManager.subscribe({ userVisibleOnly: true, applicationServerKey: urlBase64ToUint8Array(vapidPublicKey), }); // Send to server await fetch('/api/notifications/register-device', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ platform: 'web', subscription: subscription.toJSON(), userAgent: navigator.userAgent, }), }); } else { // Permission denied → show "Notifications blocked" message } } ``` **Promotional Consent UI:** ```tsx

{ if (enabled) { // Show consent dialog const confirmed = await showConsentDialog( "Markedsføringsvarsler", "Jeg samtykker til å motta tilbud, anbefalinger og produktoppdateringer fra Drop. " + "Jeg kan trekke tilbake samtykket når som helst i innstillinger." ); if (confirmed) { await updatePreferences({ promotional: { enabled: true } }); } } else { await updatePreferences({ promotional: { enabled: false } }); } }} /> Tilbud og kampanjer

Motta tilbud, anbefalinger og produktoppdateringer (krever samtykke)

``` --- ## 7. Norwegian Marketing Law Compliance ### 7.1 Markedsføringsloven §15 (Marketing Consent) **Law:** Promotional electronic messages (email, SMS, push) require EXPLICIT prior consent from recipient. **Drop Implementation:** - Promotional notifications OFF by default - User must actively enable in settings - Consent dialog shows clear purpose ("tilbud, anbefalinger, produktoppdateringer") - Consent timestamp logged in `notification_preferences.updated_at` - User can withdraw consent at any time (toggle OFF) **Audit trail:** ```sql -- Query: Show consent history for user SELECT user_id, category, enabled, created_at, updated_at FROM notification_preferences WHERE user_id = ? AND category = 'promotional'; ``` --- ### 7.2 GDPR Compliance **Art. 6(1)(a) — Consent as legal basis:** - Consent must be freely given, specific, informed, unambiguous - Drop: ✅ Toggle + consent dialog = unambiguous affirmative action - Drop: ✅ Separate toggle for promotional (not bundled with account/transactional) **Art. 7 — Conditions for consent:** - Burden of proof: controller must demonstrate consent was given - Drop: ✅ `notification_preferences` table logs timestamp and enabled status **Art. 17 — Right to erasure:** - User can delete account → all notification preferences deleted (CASCADE on user_id FK) --- ## 8. Security Considerations ### 8.1 No Sensitive Data in Push Payload **Risk:** Push notifications travel through third-party servers (FCM, APNs, Web Push service). Payload can be logged/intercepted. **Mitigation:** - NEVER include: passwords, tokens, full card numbers, bank account numbers - DO include: generic message ("Du mottok penger") + deep link to app - Sensitive details fetched AFTER user opens app (authenticated API call) **Example (GOOD):** ```json { "title": "Ny transaksjon", "body": "Du mottok kr 2 500,00", "data": { "transactionId": "tx_abc123", "url": "/dashboard/transactions/tx_abc123" } } ``` **Example (BAD):** ```json { "title": "Ny transaksjon", "body": "Du mottok kr 2 500,00 fra John Doe (john@example.com) til konto 1234.56.78901", "data": { ... } } ``` --- ### 8.2 Token Encryption at Rest **Risk:** Device tokens stored in plain text in DB → if DB compromised, attacker can send spam push notifications to all users. **Mitigation (Post-MVP):** - Encrypt `token`, `endpoint`, `p256dh_key`, `auth_key` columns at rest - Use AES-256-GCM with key stored in env var (`DEVICE_TOKEN_ENCRYPTION_KEY`) - Decrypt on read, encrypt on write **MVP:** Store in plain text (same risk level as session tokens — if DB is compromised, session tokens are also exposed). Add encryption in Phase 2. --- ### 8.3 Rate Limiting **Risk:** Attacker with stolen session token spams push notifications to user or all users. **Mitigation:** - Per-user rate limit: max 100 push notifications per hour - Global rate limit: max 10,000 push notifications per hour (protect against abuse) - Rate limit key: `push:{userId}:{hour}` **Implementation:** ```typescript import { checkRateLimit } from '@/lib/rate-limit'; async function sendPushNotification(payload: NotificationPayload) { const hour = new Date().toISOString().slice(0, 13); // "2026-02-17T14" const rateLimitKey = `push:${payload.userId}:${hour}`; const allowed = await checkRateLimit(rateLimitKey, 100, 3600); // 100 per hour if (!allowed) { console.warn(`[Push] Rate limit exceeded for user ${payload.userId}`); return [{ success: false, error: 'Rate limit exceeded', platform: 'web' }]; } // Send notification... } ``` --- ## 9. Monitoring & Alerting ### 9.1 Delivery Metrics **Dashboard queries (daily cron or on-demand):** ```sql -- Delivery rate by platform (last 24h) SELECT platform, COUNT(*) as total, ROUND(AVG(CASE WHEN status='sent' THEN 1.0 ELSE 0.0 END) * 100, 2) as success_rate FROM notification_log WHERE sent_at > datetime('now', '-1 day') GROUP BY platform; -- Opt-out rate by category SELECT category, COUNT(*) as total_users, SUM(CASE WHEN enabled=0 THEN 1 ELSE 0 END) as opted_out, ROUND(AVG(CASE WHEN enabled=0 THEN 1.0 ELSE 0.0 END) * 100, 2) as opt_out_rate FROM notification_preferences GROUP BY category; -- Top failure reasons SELECT error, COUNT(*) as count, platform FROM notification_log WHERE status='failed' AND sent_at > datetime('now', '-7 days') GROUP BY error, platform ORDER BY count DESC LIMIT 10; ``` --- ### 9.2 Alerts (Slack/Email) **Trigger conditions:** - Delivery rate drops below 90% (hourly check) - More than 100 failures in 1 hour - Web Push VAPID keys missing on startup - FCM/APNs credentials invalid (auth error) **Implementation (future):** ```typescript // In src/lib/alerts.ts (from drop-supporting-systems-plan.md) await sendSlackAlert({ severity: 'high', message: `Push notification delivery rate dropped to ${rate}% (platform: ${platform})`, link: 'http://localhost:3030/monitoring/push', }); ``` --- ## 10. Cost Analysis | Platform | Setup Cost | Operating Cost | Free Tier | Paid Tier | |----------|-----------|----------------|-----------|-----------| | **Web Push** | 0 kr | 0 kr | Unlimited (browser-managed) | N/A | | **FCM (Android)** | 0 kr | 0 kr | Unlimited | N/A | | **APNs (iOS)** | 794 kr/year (Apple Developer) | 0 kr | Unlimited | N/A | **Total Annual Cost:** 794 kr (Apple Developer membership only). **Infrastructure cost:** Minimal — push notification sending is lightweight (HTTP requests), no message queue or worker needed for MVP. **Post-MVP (if >100k push/day):** Consider message queue (BullMQ + Redis, ~200 kr/month on Railway/Fly.io). --- ## 11. Implementation Plan ### Phase 1: Web Push (MVP) — 3 days **Day 1: Backend Infrastructure (6h)** - Create `device_tokens`, `notification_queue`, `notification_log`, `notification_preferences` tables - Implement `src/lib/push.ts` with Web Push support - Generate VAPID keys, add to env vars - Create API endpoints: - POST `/api/notifications/register-device` - GET `/api/notifications/preferences` - PUT `/api/notifications/preferences` - GET `/api/vapid-public-key` **Day 2: Frontend Integration (6h)** - Create service worker `public/sw.js` (push event listener) - Register service worker in `src/app/layout.tsx` - Build notification settings UI (`src/app/profile/notifications/page.tsx`) - Implement permission request flow - Test Web Push subscription registration **Day 3: Integration + Testing (6h)** - Integrate push notifications into transaction routes (remittance, QR payment) - Integrate login alert into auth/login route - Add `device_fingerprint` column to `sessions` table - Test end-to-end flows: - Register device → send test notification → receive on device - Complete transaction → receive push notification - Login from new device → receive security alert - Update preferences → verify opt-out works - Deploy to staging **Total: 18 hours (3 days @ 6h/day)** --- ### Phase 2: FCM (Android) — 1 day (FUTURE) **When:** React Native Android app ready for testing. **Tasks:** - Set up Firebase project, download service account key - Implement FCM support in `src/lib/push.ts` - Add `firebase-admin` dependency - Test with React Native app --- ### Phase 3: APNs (iOS) — 1 day (FUTURE) **When:** React Native iOS app ready for testing. **Tasks:** - Generate APNs Auth Key (.p8 file) from Apple Developer account - Implement APNs support in `src/lib/push.ts` - Add `apn` dependency - Test with React Native app --- ### Phase 4: Advanced Features — 2 days (FUTURE) **Features:** - Background queue + retry logic (BullMQ + Redis) - Quiet hours enforcement (defer notifications to later) - Rich notifications (images, actions, reply) - Device token encryption at rest - Admin dashboard for monitoring delivery rates --- ## 12. Testing Strategy ### 12.1 Unit Tests **Test files to create:** - `tests/unit/push.test.ts` — Test `sendPushNotification()`, `registerDeviceToken()`, preference checks - `tests/unit/notification-preferences.test.ts` — Test default preferences, opt-in/opt-out logic **Coverage:** - ✅ Transactional notifications always sent (ignore preferences) - ✅ Account notifications respect opt-out - ✅ Promotional notifications require opt-in - ✅ Quiet hours respected (except transactional) - ✅ Rate limiting enforced - ✅ Device token deduplication (same token = update, not insert) --- ### 12.2 Integration Tests **Test files to create:** - `tests/integration/push-flow.test.ts` — End-to-end push notification flow **Scenarios:** 1. **Register device → send notification → verify log entry** - POST `/api/notifications/register-device` with Web Push subscription - Trigger transaction → verify `notification_log` entry created with status='sent' 2. **Opt-out → verify notification skipped** - Update preferences: account notifications OFF - Trigger transaction → verify notification NOT sent (status='skipped' in log) 3. **Login alert → new device** - Login from new User-Agent → verify login alert notification sent 4. **Promotional consent → verify GDPR compliance** - Enable promotional notifications → verify `notification_preferences.updated_at` updated --- ### 12.3 Manual Testing Checklist - [ ] Web Push permission prompt appears on first visit - [ ] Notification received after granting permission - [ ] Notification click opens correct URL in app - [ ] Notification settings UI shows correct state (enabled/disabled per category) - [ ] Quiet hours toggle works (notifications deferred) - [ ] Device removal works (device marked inactive) - [ ] Promotional consent dialog shows before enabling - [ ] Rate limit enforced (send 101 notifications → last one fails) --- ## 13. Success Metrics ### Week 1 (Post-Deployment) - [ ] 0 push notification failures (delivery rate 100%) - [ ] <5% users block notifications after permission prompt - [ ] 0 GDPR complaints about unsolicited promotional notifications ### Month 1 - [ ] >70% users with push notifications enabled - [ ] >50% notification open rate (click-through from push to app) - [ ] <10% opt-out rate for account notifications - [ ] 0 support tickets about missing notifications ### Quarter 1 - [ ] Push notifications enabled for all transaction types - [ ] Login alerts sent for 100% of new device logins - [ ] Promotional notifications available (consent flow tested) - [ ] FCM/APNs integration ready for mobile app launch --- ## 14. Rollout Strategy ### Staging (1 week) - Deploy Web Push to staging environment - Test with internal users (Alem, team) - Verify DNS/HTTPS setup (Web Push requires HTTPS) - Check spam score (should be N/A for push, unlike email) ### Production (Gradual) - **Week 1:** Enable Web Push for NEW users only (flag in `users` table: `push_enabled`) - **Week 2:** Monitor delivery rate, opt-out rate, open rate - **Week 3:** Enable for ALL users (remove flag, make default) - **Week 4:** Enable transactional notifications (transaction receipts, login alerts) - **Month 2:** Enable account notifications (summaries, low balance) - **Month 3:** Enable promotional notifications (with consent flow) --- ## 15. Acceptance Criteria **Push Service Layer:** - [ ] `sendPushNotification()` sends via Web Push in production - [ ] `sendPushNotification()` logs to console in demo mode - [ ] `registerDeviceToken()` stores device token in DB - [ ] Device token deduplication works (UPSERT on endpoint/token) - [ ] Stale token cleanup marks inactive tokens (>90 days) **Database:** - [ ] All tables created on `initDb()` - [ ] Indexes exist for performance queries - [ ] Default preferences created on first app launch **API Endpoints:** - [ ] POST `/api/notifications/register-device` registers Web Push subscription - [ ] GET `/api/notifications/preferences` returns user preferences - [ ] PUT `/api/notifications/preferences` updates preferences - [ ] GET `/api/vapid-public-key` exposes public key **Integration:** - [ ] Transaction completion sends push notification to sender - [ ] Transfer received sends push notification to recipient (if Drop user) - [ ] Login from new device sends security alert - [ ] Promotional notifications require consent dialog **Compliance:** - [ ] Transactional notifications always sent (no opt-out) - [ ] Promotional notifications OFF by default - [ ] Consent timestamp logged in DB - [ ] No sensitive data in push payload **UI:** - [ ] Notification settings screen shows category toggles - [ ] Quiet hours UI functional - [ ] Device list shows registered devices - [ ] Permission prompt appears on first visit --- ## 16. Dependencies **Add to `package.json`:** ```json { "dependencies": { "web-push": "^3.6.7" } } ``` **Future (when mobile apps ship):** ```json { "dependencies": { "firebase-admin": "^12.0.0", "apn": "^2.2.0" } } ``` **Install:** ```bash cd ~/ALAI/products/Drop/src/drop-app npm install web-push ``` --- ## 17. Env Vars **Add to `.env.example`:** ```bash # --- Push Notifications --- # Web Push (VAPID keys) # Generate: npx web-push generate-vapid-keys VAPID_PUBLIC_KEY=BN... VAPID_PRIVATE_KEY=... VAPID_SUBJECT=mailto:support@getdrop.no # Firebase Cloud Messaging (future - Android) # FIREBASE_SERVICE_ACCOUNT_KEY=base64-encoded-json # Apple Push Notification service (future - iOS) # APNS_KEY_ID=ABC123XYZ # APNS_TEAM_ID=DEF456UVW # APNS_KEY_CONTENT=base64-encoded-p8-file ``` **Generate VAPID keys:** ```bash npx web-push generate-vapid-keys # Outputs: # Public Key: BN4GvZtEZiZuqaasbD-... # Private Key: ... ``` --- ## 18. File List **Files to CREATE:** ``` src/lib/push.ts # Push notification service layer src/app/api/notifications/register-device/route.ts # Device registration endpoint src/app/api/notifications/devices/[deviceId]/route.ts # Device unregister endpoint src/app/api/notifications/preferences/route.ts # Preferences GET/PUT endpoints src/app/api/notifications/history/route.ts # Notification history endpoint src/app/api/vapid-public-key/route.ts # VAPID public key endpoint public/sw.js # Service worker (push event listener) tests/unit/push.test.ts # Unit tests for push service tests/integration/push-flow.test.ts # Integration tests ``` **Files to MODIFY:** ``` src/lib/db.ts # Add device_tokens, notification_queue, notification_log, notification_preferences tables src/lib/db.ts # Add notification_type, priority, data columns to notifications table src/lib/db.ts # Add device_fingerprint column to sessions table src/app/api/transactions/remittance/route.ts # Add push notification on completion src/app/api/transactions/qr-payment/route.ts # Add push notification on completion src/app/api/auth/login/route.ts # Add login alert for new devices src/app/profile/notifications/page.tsx # Modify to add preference toggles src/app/layout.tsx # Register service worker .env.example # Add VAPID_* env vars package.json # Add web-push dependency src/lib/services/notifications.ts # DELETE (replaced by src/lib/push.ts) ``` **Total:** 9 new files, 11 modified files. --- **END OF SPEC** # drop-rebrand-plan # Plan: Drop Full Rebrand ## Objective Rebrand all Drop screens (12 app pages + 13 landing pages) to match Alem's approved Stitch design. Plus logo, branding assets, and email templates. ## Source of Truth - Stitch reference: `/Users/makinja/ALAI/products/Drop/design/stitch-login-reference.png` - Design system: `/Users/makinja/ALAI/products/Drop/design/design-system-reference.md` - Login page (already rebranded): `src/drop-app/src/app/login/page.tsx` ## Team Orchestration ### Team Members | ID | Name | Role | Agent Type | |----|------|------|------------| | B1 | logo-builder | Export/create logo, generate all asset sizes | builder | | V1 | logo-validator | Verify all logo assets exist and are correct | validator | | B2 | app-auth-builder | Rebrand Login + Onboarding pages | builder | | B3 | app-core-builder | Rebrand Dashboard + Home + Send + Scan pages | builder | | B4 | app-util-builder | Rebrand Cards + Accounts + Profile + History + Merchant pages | builder | | V2 | app-validator | Verify all 12 app pages match design system | validator | | B5 | landing-main-builder | Rebrand landing index + product pages | builder | | B6 | landing-info-builder | Rebrand company + legal landing pages | builder | | V3 | landing-validator | Verify all 13 landing pages match design system | validator | | B7 | branding-builder | Email templates + OG images + favicon | builder | | V4 | branding-validator | Verify email templates and brand assets | validator | ### Step-by-Step Tasks #### Phase 1: Logo & Brand Foundation **Task 1:** Create/export Drop logo and all brand assets - Owner: B1 - BlockedBy: none - Files: `src/drop-app/public/drop-icon.png`, `src/drop-app/public/favicon.svg`, `brand/logo-icon.svg`, `brand/app-icon.svg`, `brand/favicon.svg`, `src/drop-app/src/components/drop-logo.tsx` - Instructions: 1. Read the Stitch reference image at `design/stitch-login-reference.png` 2. The logo is: green rounded square (#0B6E35) with white $ symbol and circular transfer arrows, plus gold (#D4A017) accent dot 3. Create a clean SVG version of this logo 4. Generate PNG versions: drop-icon.png (128x128, 256x256), icon-200.png, icon-48.png 5. Create favicon.svg using Drop green (#0B6E35) not ALAI green 6. Update drop-logo.tsx: DropAppIcon should render the new logo SVG inline 7. Update brand/ directory SVG files - Acceptance: - [ ] drop-icon.png exists in public/ at 128x128 minimum - [ ] favicon.svg uses #0B6E35 - [ ] drop-logo.tsx DropAppIcon renders new logo - [ ] All brand/ SVGs updated **Task 2:** Validate logo and brand assets - Owner: V1 - BlockedBy: 1 - Acceptance: All logo files exist, correct colors, no broken references #### Phase 2: App Pages (parallel) **Task 3:** Rebrand Login + Onboarding - Owner: B2 - BlockedBy: none - Files: `src/drop-app/src/app/login/page.tsx`, `src/drop-app/src/app/onboarding/page.tsx` - Instructions: 1. Read design-system-reference.md 2. Login is already close to target — refine if needed 3. Onboarding: apply same design language (gray bg, white cards, green buttons, Fraunces headings) 4. Keep all existing logic (form validation, API calls, state management) - Acceptance: - [ ] Login matches Stitch reference - [ ] Onboarding uses same design language - [ ] All form logic preserved **Task 4:** Rebrand Dashboard + Home + Send + Scan - Owner: B3 - BlockedBy: none - Files: `src/drop-app/src/app/page.tsx`, `src/drop-app/src/app/dashboard/page.tsx`, `src/drop-app/src/app/send/page.tsx`, `src/drop-app/src/app/scan/page.tsx` - Instructions: 1. Read design-system-reference.md AND current login/page.tsx as reference 2. These pages use BottomNav — use the "app pages WITH bottom nav" layout pattern 3. Dashboard: main screen after login — balance display, quick actions, recent transactions 4. Home: app entry point, likely redirect or welcome 5. Send: 4-step money transfer flow — preserve all step logic 6. Scan: QR scanner — preserve camera/scan logic 7. Keep ALL business logic, only change visual styling - Acceptance: - [ ] All 4 pages use consistent design system - [ ] BottomNav present on all pages - [ ] All existing functionality preserved **Task 5:** Rebrand Cards + Accounts + Profile + History + Merchant - Owner: B4 - BlockedBy: none - Files: `src/drop-app/src/app/cards/page.tsx`, `src/drop-app/src/app/accounts/page.tsx`, `src/drop-app/src/app/profile/page.tsx`, `src/drop-app/src/app/history/page.tsx`, `src/drop-app/src/app/merchant/page.tsx` - Instructions: 1. Read design-system-reference.md AND current login/page.tsx as reference 2. All pages use BottomNav layout pattern 3. Cards: virtual/physical card management 4. Accounts: linked bank accounts list 5. Profile: user settings and preferences 6. History: transaction list with filters 7. Merchant: merchant onboarding flow 8. logo-preview/page.tsx can be deleted or simplified 9. Keep ALL business logic, only change visual styling - Acceptance: - [ ] All 5 pages use consistent design system - [ ] BottomNav on all pages - [ ] All existing functionality preserved **Task 6:** Validate all app pages - Owner: V2 - BlockedBy: 3, 4, 5 - Acceptance: - [ ] All 12 pages load without errors - [ ] Consistent color palette (#0B6E35, #D4A017, #EEEEEE, #1A1A1A) - [ ] Consistent typography (Fraunces headings, DM Sans body) - [ ] BottomNav on all pages except login/onboarding - [ ] No hardcoded wrong colors or fonts #### Phase 3: Landing Pages (parallel) **Task 7:** Rebrand landing index + product pages - Owner: B5 - BlockedBy: none - Files: `landing/index.html`, `landing/pages/send-penger.html`, `landing/pages/qr-betaling.html`, `landing/pages/priser.html`, `landing/pages/sikkerhet.html` - Instructions: 1. Read design-system-reference.md (Landing Page section) 2. These are static HTML — use CSS variables + Google Fonts CDN 3. Main index: hero section, features, CTA, footer 4. Product pages: detailed feature descriptions 5. Consistent navbar and footer across all pages 6. Colors: same as app (#0B6E35, #D4A017, #EEEEEE, white) 7. Desktop-responsive (max-width 1200px, mobile-friendly) 8. Use favicon.svg with Drop green - Acceptance: - [ ] All 5 pages share consistent navbar/footer - [ ] Same color palette as app - [ ] Responsive (375px to 1440px) - [ ] No broken links between pages **Task 8:** Rebrand landing company + legal pages - Owner: B6 - BlockedBy: none - Files: `landing/pages/om-drop.html`, `landing/pages/karriere.html`, `landing/pages/presse.html`, `landing/pages/kontakt.html`, `landing/pages/personvern.html`, `landing/pages/vilkar.html`, `landing/pages/lisenser.html`, `landing/pages/cookies.html` - Instructions: 1. Read design-system-reference.md (Landing Page section) 2. Read landing/index.html for navbar/footer pattern (use same) 3. Company pages (om-drop, karriere, presse, kontakt): content + design 4. Legal pages (personvern, vilkar, lisenser, cookies): clean readable text layout 5. Consistent with the main landing page style - Acceptance: - [ ] All 8 pages share same navbar/footer as index - [ ] Consistent colors and typography - [ ] Legal pages readable and well-structured - [ ] All internal links work **Task 9:** Validate all landing pages - Owner: V3 - BlockedBy: 7, 8 - Acceptance: - [ ] All 13 pages render correctly - [ ] Consistent design across all pages - [ ] All links work - [ ] Mobile responsive #### Phase 4: Email & Remaining Branding **Task 10:** Create email templates + OG images - Owner: B7 - BlockedBy: 1 - Files: new `src/drop-app/src/email-templates/` directory, `brand/og-image.html` - Instructions: 1. Create HTML email templates (inline CSS, 600px max-width): - welcome.html — Welcome to Drop - transaction-receipt.html — Payment confirmation - password-reset.html — Reset password link 2. Use Drop brand colors, logo, "Send money. Simply." tagline 3. Update og-image.html in brand/ to match new design 4. All emails must work in Gmail, Outlook, Apple Mail - Acceptance: - [ ] 3 email templates created - [ ] Valid HTML email (inline CSS, table layout) - [ ] Drop branding consistent - [ ] OG image updated **Task 11:** Validate email templates and branding - Owner: V4 - BlockedBy: 10 - Acceptance: - [ ] Email templates have inline CSS - [ ] No external CSS/JS dependencies - [ ] Drop logo and colors present - [ ] OG image renders correctly ## Validation Commands ```bash # App — dev server cd /Users/makinja/ALAI/products/Drop/src/drop-app && npm run build # Landing — open in browser open /Users/makinja/ALAI/products/Drop/landing/index.html # Check all files exist ls -la /Users/makinja/ALAI/products/Drop/src/drop-app/public/drop-icon.png ls -la /Users/makinja/ALAI/products/Drop/src/drop-app/public/favicon.svg ls -la /Users/makinja/ALAI/products/Drop/brand/logo-icon.svg ``` # drop-sms-otp-spec # Drop SMS/OTP 2FA Implementation Specification **Version:** 1.0 **Date:** 2026-02-17 **Author:** John (AI Director) **Status:** DRAFT — AWAITING APPROVAL **MC Task:** #1189 --- ## Executive Summary This specification defines the implementation of SMS-based Two-Factor Authentication (2FA) for Drop's high-value financial transactions. Drop already uses BankID for primary authentication — this adds SMS OTP as a second factor for critical operations (remittance, QR payments, account changes). **Key Points:** - **Scope:** Transaction verification ONLY (not login replacement) - **Target:** Norwegian users (+47 validation) - **Provider:** SMS gateway integration (Twilio recommended, see comparison) - **Storage:** SQLite `otp_tokens` table with 5-min expiry - **Rate limiting:** Anti-abuse protection per user/IP - **Fallback:** BankID re-auth if SMS fails --- ## 1. Requirements Analysis ### 1.1 Functional Requirements | ID | Requirement | Priority | Rationale | |----|-------------|----------|-----------| | FR-1 | Send 6-digit OTP via SMS on remittance initiation | HIGH | Primary security control | | FR-2 | Verify OTP before processing transaction | HIGH | Prevents unauthorized transfers | | FR-3 | Rate limit OTP requests (3/hour per user) | HIGH | Anti-abuse, anti-spam | | FR-4 | Expire OTP after 5 minutes | HIGH | Security best practice | | FR-5 | Support Norwegian phone numbers (+47) | HIGH | Target market | | FR-6 | Block reused/expired OTPs | HIGH | Prevent replay attacks | | FR-7 | Fallback to BankID re-auth if SMS fails | MEDIUM | Accessibility, reliability | | FR-8 | Audit log all OTP operations | MEDIUM | Compliance, debugging | | FR-9 | Allow user to resend OTP (1x per transaction) | MEDIUM | UX improvement | | FR-10 | Support OTP for QR payments | MEDIUM | Future feature parity | ### 1.2 Non-Functional Requirements | ID | Requirement | Target | Measurement | |----|-------------|--------|-------------| | NFR-1 | SMS delivery time | < 30 seconds | Provider SLA | | NFR-2 | OTP generation time | < 100ms | Server-side perf | | NFR-3 | Verification latency | < 200ms | Database lookup + validation | | NFR-4 | Availability | 99.9% | Provider uptime | | NFR-5 | SMS delivery rate | > 95% | Provider metrics | | NFR-6 | Cost per OTP | < 0.10 NOK | Budget constraint | ### 1.3 User Stories **US-1: Remittance with OTP** AS a Drop user WHEN I initiate a remittance transfer THEN I receive an SMS with a 6-digit code AND I enter the code within 5 minutes AND the transaction proceeds only if the code is correct **US-2: Failed SMS fallback** AS a Drop user WHEN I don't receive the OTP SMS within 30 seconds THEN I can request a resend (1x) OR re-authenticate with BankID AND the transaction completes via the fallback method **US-3: Rate limiting protection** AS a Drop user WHEN I request more than 3 OTPs in 1 hour THEN I receive an error message AND must wait or use BankID fallback --- ## 2. SMS Provider Comparison ### 2.1 Provider Research | Provider | Pricing (Norway) | Delivery Time | Reliability | Integration Complexity | Notes | |----------|------------------|---------------|-------------|------------------------|-------| | **Twilio** | ~$0.065 (~0.70 NOK) | < 10s | 99.95% | Low (REST API) | Industry standard, good docs, auto-scaling | | **MessageBird (Bird)** | ~$0.008-0.065 | < 15s | 99.9% | Low (REST API) | 90% cheaper than Twilio on bulk, Norway-specific pricing unclear | | **Vonage** | €0.0057-0.0642 (~0.06-0.70 NOK) | < 20s | 99.5% | Medium (complex API) | Voice fallback available | | **BudgetSMS** | €0.048 (~0.52 NOK) | < 30s | 95% | Low (HTTP/XML) | Lower cost, lower reliability | | **PSWinCom (DASH)** | Not public | Unknown | Unknown | Unknown | Norwegian provider, requires quote | | **Intelecom** | Not public | Unknown | Unknown | Unknown | Norwegian provider, requires quote | **Recommendation: Twilio** **Rationale:** 1. **Proven reliability** — 99.95% uptime, < 10s delivery globally 2. **Developer-friendly** — Node.js SDK, webhook support, excellent docs 3. **Scalability** — Auto-volume pricing, no manual negotiation 4. **Norway coverage** — Tier 1 country, consistent delivery 5. **Cost acceptable** — ~0.70 NOK per SMS, budget allows < 0.10 NOK per OTP (TBD: verify with Alem) 6. **Fallback options** — Voice OTP available if SMS fails **Alternative: MessageBird (if cost is critical)** - 90% cheaper on bulk volume - Need to verify Norway-specific pricing - Slightly longer delivery time (< 15s vs < 10s) **Decision:** Use Twilio for MVP. Re-evaluate cost after 1000 transactions. ### 2.2 Cost Analysis **Assumptions:** - 500 remittance transactions/month (MVP target) - 1.2 OTP per transaction (20% resend rate) - Twilio pricing: $0.065/SMS (~0.70 NOK) **Monthly Cost:** - 500 tx × 1.2 OTP = 600 SMS - 600 × 0.70 NOK = **420 NOK/month** (~€35) **Annual Cost:** ~5,000 NOK (~€420) **Cost per transaction:** 0.84 NOK (acceptable for fintech) --- ## 3. Architecture Design ### 3.1 System Flow ``` ┌─────────────┐ │ User │ │ (Browser) │ └─────┬───────┘ │ 1. POST /api/transactions/remittance ▼ ┌─────────────────────────────────────┐ │ Next.js API Route │ │ /api/transactions/remittance │ │ │ │ 1. Validate transaction data │ │ 2. Check user KYC status │ │ 3. Generate 6-digit OTP │ │ 4. Store OTP in DB (expires 5min) │ │ 5. Call Twilio API → send SMS │ │ 6. Return transaction_pending │ └─────┬───────────────────────────────┘ │ 2. SMS sent ▼ ┌─────────────┐ │ Twilio │ │ SMS API │ └─────┬───────┘ │ 3. Deliver SMS to +47 number ▼ ┌─────────────┐ │ User │ │ (Phone) │ └─────┬───────┘ │ 4. User enters OTP code ▼ ┌─────────────────────────────────────┐ │ Next.js API Route │ │ /api/otp/verify │ │ │ │ 1. Lookup OTP in DB │ │ 2. Validate: not expired, correct │ │ 3. Mark OTP as used │ │ 4. Process transaction via PISP │ │ 5. Return transaction_completed │ └─────────────────────────────────────┘ ``` ### 3.2 Database Schema **New Table: `otp_tokens`** ```sql CREATE TABLE IF NOT EXISTS otp_tokens ( id TEXT PRIMARY KEY, -- otp_xxxxx user_id TEXT NOT NULL, -- FK to users.id phone_number TEXT NOT NULL, -- E.164 format (+47...) code TEXT NOT NULL, -- 6-digit numeric code (plain, NOT hashed — short-lived) purpose TEXT NOT NULL, -- 'remittance', 'qr_payment', 'account_change' transaction_id TEXT, -- FK to transactions.id (nullable) status TEXT NOT NULL, -- 'pending', 'verified', 'expired', 'failed' attempts INTEGER DEFAULT 0, -- Verification attempts (max 3) resend_count INTEGER DEFAULT 0, -- Resend attempts (max 1) created_at TEXT DEFAULT (datetime('now')), expires_at TEXT NOT NULL, -- 5 minutes from created_at verified_at TEXT, -- Timestamp when verified ip_address TEXT, -- Request IP for audit user_agent TEXT, -- Request user agent FOREIGN KEY (user_id) REFERENCES users(id), FOREIGN KEY (transaction_id) REFERENCES transactions(id) ); CREATE INDEX idx_otp_user_status ON otp_tokens(user_id, status); CREATE INDEX idx_otp_expires ON otp_tokens(expires_at); CREATE INDEX idx_otp_transaction ON otp_tokens(transaction_id); ``` **Why NOT hash the OTP code?** - **Short-lived:** 5-min expiry makes brute-force impractical - **Single-use:** Deleted/marked used after verification - **Performance:** Plain lookup faster than bcrypt compare (< 200ms target) - **Industry standard:** Most OTP providers store plain (Twilio, Auth0, Firebase) **Security mitigations:** - Rate limiting (3 OTP requests/hour per user) - Max 3 verification attempts per OTP - SQLite file encryption at rest (OS-level) - Audit logging all OTP operations --- ## 4. API Endpoints ### 4.1 POST /api/otp/send **Purpose:** Generate and send OTP via SMS **Request:** ```json { "purpose": "remittance", "transactionId": "tx_rem_xyz123", "phoneNumber": "+4798765432" } ``` **Response (200):** ```json { "success": true, "data": { "otpId": "otp_abc123", "expiresAt": "2026-02-17T15:05:00Z", "sentTo": "+47 XXX XX 432", "canResend": true, "resendAfter": "2026-02-17T15:01:00Z" } } ``` **Validation:** - User must be authenticated (JWT) - User must have KYC approved - Purpose must be: `remittance`, `qr_payment`, `account_change` - Phone number must be +47 (Norwegian) - Rate limit: 3 requests/hour per user ### 4.2 POST /api/otp/verify **Request:** ```json { "otpId": "otp_abc123", "code": "123456", "transactionId": "tx_rem_xyz123" } ``` **Response (200):** ```json { "success": true, "data": { "verified": true, "transactionId": "tx_rem_xyz123" } } ``` ### 4.3 POST /api/otp/resend **Request:** ```json { "otpId": "otp_abc123" } ``` **Response (200):** ```json { "success": true, "data": { "otpId": "otp_abc123", "sentTo": "+47 XXX XX 432", "expiresAt": "2026-02-17T15:05:00Z" } } ``` --- ## 5. Transaction Flow Integration **New Flow (with OTP 2FA):** ``` 1. POST /api/transactions/remittance → Create transaction (status: pending_2fa) → Generate OTP → Send SMS → Return 202 { otpId, transactionId } 2. User receives SMS, enters code 3. POST /api/otp/verify → Verify code → Update transaction (status: processing) → Initiate PISP payment → Return 200 { verified: true } ``` --- ## 6. Rate Limiting Strategy | Scope | Limit | Window | Action | |-------|-------|--------|--------| | **Per User** | 3 OTP requests | 1 hour | Block, suggest BankID | | **Per IP** | 10 OTP requests | 1 hour | Block, abuse detection | | **Per Phone** | 5 OTP requests | 1 hour | Block, anti-spam | | **Verification** | 3 tries | Per OTP | Mark failed, require new | | **Resend** | 1 resend | Per OTP | Block, suggest BankID | --- ## 7. Security Considerations | Threat | Severity | Mitigation | |--------|----------|------------| | **SMS Interception** | HIGH | Short expiry (5 min), single-use, audit log | | **Brute Force** | MEDIUM | Max 3 attempts, rate limiting | | **SMS Bombing** | MEDIUM | Rate limiting (3/hour per user) | | **SIM Swap** | HIGH | BankID fallback, anomaly detection (future) | | **Replay Attack** | LOW | Single-use, status tracking | ### Phone Number Validation ```typescript function validateNorwegianPhone(phone: string): boolean { const cleaned = phone.replace(/[\s-]/g, ''); const regex = /^\+47\d{8}$/; return regex.test(cleaned); } ``` --- ## 8. Service Implementation ### 8.1 File Structure ``` src/drop-app/src/lib/services/ ├── otp.ts # NEW — OTP service ├── twilio.ts # NEW — Twilio client ├── index.ts # Export services └── __tests__/ ├── otp.test.ts └── twilio.test.ts ``` ### 8.2 OTP Service Interface ```typescript export interface OtpService { generate(userId: string, phone: string, purpose: string): Promise<{ otpId: string; expiresAt: string }>; send(otpId: string): Promise; verify(otpId: string, code: string, userId: string): Promise; resend(otpId: string): Promise; cleanup(): Promise; // Cron job } ``` ### 8.3 Twilio Service **Environment Variables:** ```bash TWILIO_ACCOUNT_SID=AC... TWILIO_AUTH_TOKEN=... TWILIO_FROM_NUMBER=+47XXXXXXXX ``` --- ## 9. Frontend Integration ### 9.1 UI Components **`OtpInput.tsx`** — 6-digit code input - Auto-advance on digit entry - Paste support - Mobile numeric keyboard - Accessibility (ARIA labels) **`OtpDialog.tsx`** — Modal for OTP entry - Countdown timer (5 min) - Resend button (appears after 30s) - BankID fallback link - Error messages --- ## 10. Testing Strategy **Unit Tests:** - ✅ Generate OTP creates 6-digit code - ✅ Verify OTP accepts correct code - ✅ Verify OTP rejects wrong code - ✅ Verify OTP rejects expired code - ✅ Resend OTP blocks after 1 resend **Integration Tests:** - ✅ /api/otp/send requires auth + KYC - ✅ /api/otp/verify validates code - ✅ Rate limiting enforced **E2E Tests (Playwright):** - ✅ Complete remittance with OTP - ✅ Resend OTP flow - ✅ BankID fallback --- ## 11. Deployment Plan **Phase 1: Backend (Week 1)** 1. Database migration: `otp_tokens` table 2. OTP service + Twilio service 3. API routes: send, verify, resend 4. Unit + integration tests **Phase 2: Frontend (Week 2)** 5. OtpInput + OtpDialog components 6. Modify remittance flow 7. E2E tests **Phase 3: Deployment (Week 3)** 8. Twilio production setup 9. Staging deployment + manual test 10. Production deploy (feature flag) 11. Monitor metrics 12. Enable for all users ### Feature Flag ```typescript const OTP_ENABLED = process.env.FEATURE_OTP_2FA === 'true'; ``` Rollout: 10% → monitor → 100% --- ## 12. Acceptance Criteria **Functional:** - [ ] User receives SMS OTP within 30s - [ ] User can verify OTP and complete transaction - [ ] User can resend OTP (1x) - [ ] Rate limiting blocks after 3/hour - [ ] OTP expires after 5 minutes - [ ] Audit log captures all operations **Non-Functional:** - [ ] SMS delivery < 30s (95th percentile) - [ ] Verification latency < 200ms - [ ] Cost per OTP < 0.10 NOK - [ ] Availability > 99.9% **Security:** - [ ] Norwegian phone validation (+47) - [ ] Max 3 verification attempts - [ ] Single-use OTP - [ ] Audit log includes IP, user agent - [ ] HTTPS enforced --- ## 13. Cost & Timeline **Cost:** - SMS: 420 NOK/month (500 tx/month) - Annual: ~5,000 NOK - Cost per transaction: 0.84 NOK **Timeline:** - Week 1: Backend - Week 2: Frontend - Week 3: Deployment - **Total: 3 weeks** --- ## 14. Risks & Mitigations | Risk | Impact | Probability | Mitigation | |------|--------|-------------|------------| | SMS delivery failures | HIGH | LOW | BankID fallback, 99.95% SLA | | Cost overrun | MEDIUM | LOW | Monitor, cap at 1000/month | | SIM swap attacks | HIGH | LOW | BankID re-auth | | UX friction | MEDIUM | MEDIUM | Clear errors, fallback | | Twilio outage | HIGH | VERY LOW | BankID fallback | --- ## 15. Future Enhancements - Voice OTP fallback - Authenticator app (TOTP) - Anomaly detection - Trusted devices (skip OTP) - International numbers - Multi-language SMS - Biometric verification --- ## 16. References **Research:** - [Twilio SMS Pricing Norway](https://www.twilio.com/en-us/sms/pricing/no) - [Norway SMS Pricing 2025: Compare 11 Providers](https://www.sent.dm/resources/norway-sms-pricing) - [MessageBird SMS Pricing](https://bird.com/en-us/pricing/sms) - [Top 8 SMS OTP Providers in 2026](https://www.engagelab.com/blog/otp-service-provider) - [Top 7 OTP Service Providers](https://www.smscountry.com/blog/top-otp-service-providers/) - [Best SMS Gateway Providers](https://prelude.so/blog/best-sms-gateway-providers) **Internal Docs:** - Drop Architecture: `~/ALAI/products/Drop/project/architecture/architecture-document.md` - Drop Auth: `~/ALAI/products/Drop/src/drop-app/src/lib/auth.ts` - Drop Middleware: `~/ALAI/products/Drop/src/drop-app/src/lib/middleware.ts` --- ## 17. Approvals | Role | Name | Date | Status | |------|------|------|--------| | **Spec Author** | John | 2026-02-17 | ✅ COMPLETE | | **Tech Review** | TBD | TBD | ⏳ PENDING | | **Security Review** | TBD | TBD | ⏳ PENDING | | **CEO Approval** | Alem | TBD | ⏳ PENDING | --- ## Appendix A: SMS Templates **Norwegian:** ``` Drop: Din bekreftelseskode er {CODE}. Koden utløper om 5 minutter. ``` **English:** ``` Drop: Your verification code is {CODE}. Expires in 5 minutes. ``` **Character Count:** < 160 chars (1 SMS segment) --- ## Appendix B: Error Messages | Code | User Message | Developer Note | |------|--------------|----------------| | `otp_expired` | "Code expired. Request new code." | OTP > 5 min | | `otp_invalid` | "Incorrect code. Try again." | Wrong code | | `otp_failed` | "Too many attempts. Request new code." | 3+ attempts | | `rate_limited` | "Too many requests. Wait {X} minutes." | 3+ in 1 hour | | `sms_failed` | "SMS failed. Try resend or BankID." | Twilio error | | `phone_invalid` | "Invalid phone. Use +47 number." | Not Norwegian | --- **END OF SPECIFICATION** **MC Task #1189:** Spec complete. Ready for review. **Next Action:** Submit to Alem for GO/NO-GO decision. **Estimated Implementation:** 3 weeks (backend + frontend + deployment). # drop-supporting-systems-plan # Plan: Drop Supporting Systems — Monitoring, Logging, Alerts, Backups ## Research Summary ### What Exists - Health check endpoint (`GET /api/health`) — DB ping, latency, uptime, version - Container health checks (Docker Compose 30s, Fly.io 30s) - Auto-restart on failure (`restart: unless-stopped`) - CI/CD pipeline (5 GitHub Actions jobs: lint, test, build, e2e, docker) - Security basics (JWT httpOnly, bcrypt, CSRF, rate limiting, parameterized SQL) - Manual SQLite backup/restore documented in DEPLOYMENT.md ### What's Missing (from docs/infrastructure/MONITORING.md) - External uptime monitoring - Error tracking (Sentry) - Structured logging (JSON + request IDs) - Log aggregation - Alerting (Slack/email) - Audit logging (compliance requirement — PSD2, AML, GDPR) - Database performance monitoring - Automated backups - Security scanning in CI ### Tech Stack Context - Next.js 16 + React 19, API Routes - SQLite (better-sqlite3) for demo, PostgreSQL for prod - Docker multi-stage builds - Fly.io staging config ready (not deployed) - Vitest + Playwright tests ## Objective Implement the missing supporting systems that make Drop operationally ready: structured logging, error tracking, audit logging, automated backups, alerting, and CI security scanning. ## Team Orchestration ### Team Members | ID | Name | Role | Agent Type | |----|------|------|------------| | B1 | logging-builder | Build structured logging + audit log system | builder | | V1 | logging-validator | Validate logging implementation | validator | | B2 | monitoring-builder | Build error tracking (Sentry) + uptime + alerting | builder | | V2 | monitoring-validator | Validate monitoring setup | validator | | B3 | backup-builder | Build automated backup system + CI security scanning | builder | | V3 | backup-validator | Validate backup + CI security | validator | ### Step-by-Step Tasks --- #### Phase 1: Structured Logging + Audit Log (Foundation) **Task 1:** Implement structured logging library - Owner: B1 - BlockedBy: none - Files: `src/drop-app/src/lib/logger.ts` (new) - Acceptance: - [ ] JSON-formatted log output with timestamp, level, requestId, message, metadata - [ ] Request ID generation middleware (UUID per request, passed through all handlers) - [ ] Log levels: debug, info, warn, error - [ ] Writes to stdout (Docker-friendly, no file writes) - [ ] All existing API routes use logger instead of console.log - [ ] No new dependencies if possible (use built-in, or pino if needed for perf) **Task 2:** Implement audit log table + middleware - Owner: B1 - BlockedBy: 1 - Files: `src/drop-app/src/lib/db.ts` (schema), `src/drop-app/src/lib/audit.ts` (new) - Acceptance: - [ ] `audit_log` table: id, timestamp, user_id, action, resource, details (JSON), ip_address, user_agent, request_id - [ ] Actions logged: login_success, login_failure, logout, register, password_change, transfer_initiated, transfer_completed, qr_payment, kyc_submitted, session_created, session_revoked - [ ] Audit entries created in same transaction as domain action where possible - [ ] Retention: no auto-delete (5-year compliance requirement noted in comments) - [ ] GET /api/admin/audit endpoint (admin-only, paginated) for future use **Task 3:** Validate logging + audit log - Owner: V1 - BlockedBy: 2 - Acceptance: - [ ] All API routes produce structured JSON logs on request - [ ] Request IDs are consistent across a single request's log entries - [ ] Login success/failure both produce audit log entries - [ ] Transfer/payment actions produce audit log entries - [ ] Audit table schema matches spec - [ ] Build passes, all existing tests still pass - [ ] No console.log left in API routes (replaced with logger) --- #### Phase 2: Error Tracking + Monitoring + Alerting **Task 4:** Integrate Sentry error tracking - Owner: B2 - BlockedBy: 1 (needs logger for context) - Files: `src/drop-app/src/lib/sentry.ts` (new), `src/drop-app/src/app/layout.tsx` (init), `src/drop-app/next.config.ts` - Acceptance: - [ ] @sentry/nextjs installed and initialized (client + server) - [ ] DSN configurable via `SENTRY_DSN` env var - [ ] Sentry disabled when env var not set (no crash in dev) - [ ] Unhandled errors + rejected promises captured - [ ] API route errors captured with request context (user_id, requestId) - [ ] Source maps uploaded in Docker build (or skipped if no SENTRY_AUTH_TOKEN) - [ ] Environment tag: production/staging/development - [ ] Performance monitoring (traces sample rate configurable via env) **Task 5:** Add health check monitoring + Slack alerting hook - Owner: B2 - BlockedBy: 4 - Files: `src/drop-app/src/lib/alerts.ts` (new), env vars - Acceptance: - [ ] Slack webhook integration via `SLACK_WEBHOOK_URL` env var - [ ] Alert on: application startup, graceful shutdown, unhandled error spike (>5 in 1 min) - [ ] Alert format: emoji + severity + message + timestamp + link to Sentry - [ ] Cooldown: max 1 alert per type per 10 minutes (no spam) - [ ] No-op when SLACK_WEBHOOK_URL not configured - [ ] UptimeRobot setup documented in MONITORING.md (external, free tier, checks /api/health) **Task 6:** Validate monitoring + alerting - Owner: V2 - BlockedBy: 5 - Acceptance: - [ ] Sentry captures thrown errors in API routes (test with intentional throw) - [ ] Sentry DSN not hardcoded (env var only) - [ ] Sentry disabled gracefully in dev (no SENTRY_DSN = no crash) - [ ] Slack alert function works with mock webhook (unit test) - [ ] No sensitive data in Sentry events (no passwords, tokens, card numbers) - [ ] MONITORING.md updated with full stack docs - [ ] Build passes, all existing tests still pass --- #### Phase 3: Automated Backups + CI Security **Task 7:** Create automated backup script + CI security scanning - Owner: B3 - BlockedBy: none (independent) - Files: `src/drop-app/scripts/backup.sh` (new), `.github/workflows/ci.yml` (edit) - Acceptance: - [ ] backup.sh: SQLite `.backup` command (safe, atomic), timestamped output - [ ] backup.sh: Configurable retention (default 30 days, delete older) - [ ] backup.sh: Exit code for cron/monitoring integration - [ ] backup.sh: Works inside Docker container (volume mount) - [ ] Docker Compose: backup service or documented cron setup - [ ] CI: `npm audit --audit-level=high` step added to GitHub Actions - [ ] CI: Fails build on HIGH/CRITICAL vulnerabilities - [ ] .github/dependabot.yml created (weekly npm updates) - [ ] DEPLOYMENT.md updated with backup schedule + restore procedure **Task 8:** Validate backups + CI security - Owner: V3 - BlockedBy: 7 - Acceptance: - [ ] backup.sh creates valid SQLite backup (can be opened, tables exist) - [ ] backup.sh handles missing DB gracefully (exit 1, clear message) - [ ] Old backups cleaned up after retention period - [ ] npm audit step present in CI workflow - [ ] dependabot.yml valid YAML, correct config - [ ] DEPLOYMENT.md backup section accurate - [ ] Build passes, all existing tests still pass --- ## Validation Commands ```bash # Phase 1: Logging + Audit cd ~/ALAI/products/Drop/src/drop-app npm run build # Build passes npm test # All tests pass # Start app, hit /api/auth/login → check stdout for JSON log # Check /api/health → verify request ID in logs # SELECT * FROM audit_log → verify entries after login # Phase 2: Monitoring # Set SENTRY_DSN → start app → trigger error → check Sentry dashboard # Set SLACK_WEBHOOK_URL → trigger alert → check Slack # npm run build with SENTRY_AUTH_TOKEN → verify sourcemaps # Phase 3: Backups + CI bash scripts/backup.sh # Creates timestamped backup sqlite3 backups/drop-*.db ".tables" # Verify backup integrity # Push to GitHub → CI runs → npm audit step visible # Check dependabot.yml in .github/ ``` ## Summary | Phase | What | Effort | |-------|------|--------| | 1 | Structured logging + audit log | ~1 day | | 2 | Sentry + Slack alerts + uptime docs | ~1 day | | 3 | Automated backups + CI security scanning | ~0.5 day | **Total: ~2.5 days with 3 builder/validator pairs running in parallel.** All 3 phases can run in parallel (Phase 1 and 3 are independent, Phase 2 depends on Phase 1 Task 1 for logger context). # drop-transaction-failure-spec # Drop Transaction Failure Handling & Recovery **Task:** MC #1191 **Created:** 2026-02-17 **Author:** John (Software Architect Agent) **Status:** DRAFT — Awaiting Alem approval --- ## Executive Summary This specification defines comprehensive transaction failure handling for Drop's fintech payment system. Drop operates as a PSD2 PISP (Payment Initiation Service Provider) — we initiate payments from users' bank accounts but never hold customer money. This creates unique challenges: - **External dependency:** Every transaction depends on user's bank and Open Banking provider - **Asynchronous flow:** PISP initiation → bank processing → status callback (can take seconds to days) - **Failure modes:** Network timeouts, bank declines, partial processing, provider outages - **Customer impact:** Real money, real trust — failures must be handled gracefully **Core principles:** 1. **Clear state machine** — No ambiguous states 2. **Idempotency** — Network retries never cause double-charges 3. **Automatic retry** — Transient failures self-heal 4. **User communication** — Always tell user what's happening 5. **Admin tooling** — Manual intervention when automation can't resolve --- ## 1. Current State Analysis ### 1.1 What We Have (Good) **Idempotency keys:** - Both `/api/transactions/remittance/route.ts` and `/api/transactions/qr-payment/route.ts` accept `idempotencyKey` - Check for existing transaction: `SELECT ... WHERE idempotency_key = ? AND user_id = ?` - Returns cached response for duplicate requests (prevents double-charge) - **Status:** ✅ **Production-ready** **Basic error handling:** - `insufficient_balance` error caught and returned as 402 - Rate limiting: IP (10/min) + user (3/min) - Transaction wrapped in DB transaction (atomic balance check + insert) - **Status:** ✅ **Good foundation** **30-second timeout:** - PISP API calls have `AbortController` with 30s timeout - Returns specific timeout error: "Payment request timeout" - **Status:** ✅ **Implemented** ### 1.2 What's Missing (Critical Gaps) ❌ **State machine enforcement:** - `transactions.status` has CHECK constraint: `'processing','completed','failed'` - But no state transition validation (can jump from processing → completed without rules) - No transition audit (who/when/why status changed) ❌ **Retry logic:** - Timeout errors return failure immediately — no retry - No exponential backoff - No max retry counter - No dead letter queue for permanently failed transactions ❌ **Background reconciliation:** - Transactions stuck in `processing` status stay there forever - No periodic job to check PISP provider for status updates - No admin alert when transactions are stuck ❌ **Partial failure handling:** - FX conversion success + transfer failure → no rollback/refund flow - No compensation logic for partial state ❌ **User communication:** - No transaction status page showing real-time progress - No push notification on status change - No email on final completion/failure - Error messages are generic (not user-friendly) ❌ **Admin tools:** - No `/api/admin/transactions/stuck` endpoint to list limbo transactions - No manual retry mechanism - No manual resolution workflow --- ## 2. Transaction State Machine ### 2.1 States ``` ┌─────────────┐ │ initiated │ ──────┐ └─────────────┘ │ │ │ ▼ │ ┌─────────────┐ │ │ processing │ │ (timeout after 30s) └─────────────┘ │ │ │ ├───────────────┴────────────┐ │ │ ▼ ▼ ┌─────────────┐ ┌─────────────┐ │ completed │ │ timeout │ └─────────────┘ └─────────────┘ │ ▼ ┌─────────────┐ │ failed │ └─────────────┘ ┌─────────────────────────────────────────────────────┐ │ partially_completed │ (future — FX success, transfer fail) └─────────────────────────────────────────────────────┘ ``` ### 2.2 State Definitions | State | Meaning | Terminal? | User-Facing Message | |-------|---------|-----------|---------------------| | `initiated` | API request received, validation passed, DB record created | No | "Initiating payment..." | | `processing` | PISP provider accepted request, waiting for bank confirmation | No | "Your payment is being processed" | | `timeout` | PISP provider didn't respond within 30s, will check status later | No | "Processing your payment — we'll notify you when complete" | | `completed` | Bank confirmed payment successful | Yes | "Payment completed" | | `failed` | Bank declined, or PISP returned permanent error | Yes | "Payment failed: [reason]" | | `partially_completed` | FX conversion succeeded but transfer failed (future) | No | "Processing refund..." | **Terminal states:** `completed`, `failed` — no further transitions allowed ### 2.3 Valid Transitions ```typescript const VALID_TRANSITIONS = { initiated: ["processing", "failed"], processing: ["completed", "timeout", "failed"], timeout: ["completed", "failed", "processing"], // retry partially_completed: ["completed", "failed"], // after refund completed: [], // terminal failed: [], // terminal }; ``` **Enforcement:** Database CHECK constraint + application-level validation ### 2.4 Transition Audit Every status change logged in `audit_log`: ```sql INSERT INTO audit_log ( id, user_id, action, resource_type, resource_id, details, ip_address, user_agent, request_id ) VALUES ( 'aud_xyz', 'usr_abc', 'TRANSACTION_STATUS_CHANGE', 'transaction', 'tx_rem_123', '{"from": "processing", "to": "completed", "reason": "PISP callback", "external_id": "ext_456"}', '10.0.1.5', 'Drop-iOS/1.0', 'req_789' ); ``` **Compliance:** PSD2 requires 5-year audit trail of all payment operations --- ## 3. Idempotency ### 3.1 Current Implementation (Keep It) ✅ **Already production-ready:** ```typescript // Check for existing transaction with this idempotency key (scoped to user) const existing = await getOne( "SELECT id, type, status, amount, currency, fee, ... FROM transactions WHERE idempotency_key = ? AND user_id = ?", [idempotencyKey, u.id] ); if (existing) { // Return cached response (same payload as successful creation) return NextResponse.json({ data: existing }, { status: 200 }); } ``` **Key features:** - Scoped to user (prevents IDOR) - Returns exact same response (status 200, not 201) - No expiry — idempotency keys valid forever - Client must generate UUID or similar unique key ### 3.2 Best Practices **Client implementation:** ```typescript // Generate idempotency key client-side const idempotencyKey = `${userId}_${Date.now()}_${crypto.randomUUID()}`; // Send with every payment request await fetch('/api/transactions/remittance', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ recipientId: 'rec_123', amount: 500, idempotencyKey, // ← REQUIRED }) }); ``` **No changes needed** — current implementation is correct --- ## 4. Retry Logic ### 4.1 Classification of Errors | Error | Type | Retry? | Example | |-------|------|--------|---------| | Network timeout | Transient | ✅ Yes | `AbortError`, socket timeout | | PISP 5xx | Transient | ✅ Yes | 500 Internal Server Error, 503 Service Unavailable | | PISP 4xx client error | Permanent | ❌ No | 400 Bad Request, 401 Unauthorized | | Bank decline | Permanent | ❌ No | Insufficient funds (from bank), invalid IBAN | | Validation error | Permanent | ❌ No | Amount < minimum, KYC not approved | **Rule:** Only retry errors that are transient (temporary network/server issues) ### 4.2 Exponential Backoff Strategy **Max retries:** 3 attempts **Delays:** 2s → 8s → 32s (exponential) **Jitter:** ±20% to avoid thundering herd ```typescript const RETRY_CONFIG = { maxRetries: 3, baseDelayMs: 2000, // 2 seconds maxDelayMs: 60000, // 1 minute cap jitterPercent: 0.2, // ±20% }; function calculateDelay(attempt: number): number { const exponentialDelay = RETRY_CONFIG.baseDelayMs * Math.pow(4, attempt - 1); const cappedDelay = Math.min(exponentialDelay, RETRY_CONFIG.maxDelayMs); const jitter = cappedDelay * RETRY_CONFIG.jitterPercent * (Math.random() * 2 - 1); return Math.floor(cappedDelay + jitter); } // Attempt 1: 2s ± 400ms = 1.6-2.4s // Attempt 2: 8s ± 1.6s = 6.4-9.6s // Attempt 3: 32s ± 6.4s = 25.6-38.4s ``` ### 4.3 Retry Implementation **Two approaches:** #### Option A: In-Process Retry (Simpler, Recommended for MVP) Retry within the same API request (synchronous): ```typescript async function callPispWithRetry( fn: () => Promise, txId: string ): Promise { let lastError: Error | null = null; for (let attempt = 1; attempt <= RETRY_CONFIG.maxRetries; attempt++) { try { const result = await fn(); // Success — return immediately if (result.success) return result; // Permanent error (4xx, bank decline) — don't retry if (isPermanentError(result.error)) { await logAudit({ userId: txId, action: "PISP_PERMANENT_ERROR", resourceType: "transaction", resourceId: txId, details: { attempt, error: result.error }, }); return result; } // Transient error — prepare to retry lastError = new Error(result.error || "Unknown error"); } catch (error) { lastError = error as Error; // Non-retryable (validation error, etc.) if (!isTransientError(error)) throw error; } // If not last attempt, wait before retry if (attempt < RETRY_CONFIG.maxRetries) { const delay = calculateDelay(attempt); await logAudit({ userId: txId, action: "PISP_RETRY_SCHEDULED", resourceType: "transaction", resourceId: txId, details: { attempt, nextAttempt: attempt + 1, delayMs: delay }, }); await sleep(delay); } } // All retries exhausted await logAudit({ userId: txId, action: "PISP_ALL_RETRIES_FAILED", resourceType: "transaction", resourceId: txId, details: { maxRetries: RETRY_CONFIG.maxRetries, lastError: lastError?.message }, }); return { success: false, status: "failed", error: `Payment failed after ${RETRY_CONFIG.maxRetries} attempts` }; } ``` **Pros:** - Simple — no queue infrastructure needed - User waits for final result (good UX for fast retries) - Automatic cleanup (no orphan jobs) **Cons:** - Request can take up to ~40s (blocks thread) - If server crashes mid-retry, transaction stuck - No visibility into retry progress #### Option B: Background Job Queue (Production-Grade) Move retries to background worker using job queue: **Tech stack:** - **Job queue:** BullMQ (Redis-backed) or pg-boss (PostgreSQL-backed, no extra infra) - **Worker:** Separate process polls queue every 5s **Flow:** 1. API route creates transaction with status `initiated` 2. Enqueue job: `{ type: "pisp_call", txId: "tx_rem_123", attempt: 1 }` 3. Return to user: `{ status: "processing", txId: "tx_rem_123" }` 4. Worker picks job → calls PISP → updates transaction status 5. On transient failure → re-enqueue with delay + increment attempt 6. On success/permanent failure → mark transaction terminal **Pros:** - Non-blocking (API responds instantly) - Survives server restarts (jobs persisted in DB) - Can inspect queue (show pending retries in admin dashboard) **Cons:** - More complex (requires job queue setup) - More infrastructure (Redis or pg-boss tables) - User must poll `/api/transactions/[id]` for status updates **Recommendation:** Start with Option A (in-process) for MVP. Migrate to Option B when transaction volume increases. ### 4.4 Dead Letter Queue After max retries exhausted: 1. **Mark transaction as `failed`** with reason: `"PISP provider unreachable after 3 attempts"` 2. **Create admin alert** in separate table: ```sql CREATE TABLE admin_alerts ( id TEXT PRIMARY KEY, alert_type TEXT NOT NULL, -- 'transaction_stuck', 'pisp_failure', etc. severity TEXT NOT NULL CHECK(severity IN ('low','medium','high','critical')), resource_type TEXT, resource_id TEXT, title TEXT NOT NULL, description TEXT, status TEXT DEFAULT 'open' CHECK(status IN ('open','investigating','resolved','dismissed')), created_at TEXT DEFAULT (datetime('now')), resolved_at TEXT, resolved_by TEXT ); INSERT INTO admin_alerts ( id, alert_type, severity, resource_type, resource_id, title, description ) VALUES ( 'alert_xyz', 'transaction_stuck', 'high', 'transaction', 'tx_rem_123', 'Transaction failed after 3 retries', 'Transaction tx_rem_123 (user: usr_abc, amount: 500 NOK) failed to process after 3 attempts. PISP provider returned: "Service Unavailable". Manual investigation required.' ); ``` 3. **Send Slack/email to ops team** (via webhook or existing notification system) 4. **Admin dashboard shows alert** at `/admin/alerts` with: - Transaction details - Retry history (from audit_log) - Manual actions: "Retry Now", "Refund User", "Mark Resolved" --- ## 5. Timeout Recovery ### 5.1 Scenario User initiates payment → PISP accepts request → network drops → no response after 30s → transaction stuck in `processing` **Current behavior:** API returns error, transaction never completes **New behavior:** Mark as `timeout`, schedule background reconciliation ### 5.2 Implementation **Step 1:** On timeout, transition to `timeout` status ```typescript // In payments.ts if (error instanceof Error && error.name === "AbortError") { // Don't fail immediately — schedule status check await updateTransactionStatus(txId, "timeout", "PISP request timeout - will check status later"); // Enqueue background reconciliation job (runs after 2 min) await scheduleStatusCheck(txId, 120000); // 2 minutes return { success: true, // ← YES! Tell API route we handled it status: "timeout", message: "Payment is processing — we'll notify you when complete" }; } ``` **Step 2:** Background worker checks status ```typescript // reconciliation-worker.ts async function checkTransactionStatus(txId: string) { const tx = await getOne("SELECT * FROM transactions WHERE id = ?", [txId]); if (!tx) return; // Call PISP provider's GET /payments/{id} endpoint const status = await pispProvider.getPaymentStatus(tx.external_id); if (status.completed) { await updateTransactionStatus(txId, "completed", "Confirmed via reconciliation"); await notifyUser(tx.user_id, "payment_completed", { txId }); } else if (status.failed) { await updateTransactionStatus(txId, "failed", status.reason); await notifyUser(tx.user_id, "payment_failed", { txId, reason: status.reason }); } else { // Still processing — check again in 5 min await scheduleStatusCheck(txId, 300000); // 5 minutes } } ``` **Step 3:** Periodic sweep (every 10 minutes) Find all transactions stuck in `timeout` or `processing` for > 10 minutes: ```sql SELECT id FROM transactions WHERE status IN ('timeout', 'processing') AND created_at < datetime('now', '-10 minutes') LIMIT 100; ``` For each: call `checkTransactionStatus(txId)` ### 5.3 User Experience **User sees:** 1. **Immediate response:** "Processing your payment — we'll send you a notification when it's complete" (status 202) 2. **Push notification (1-2 min later):** "Your 500 NOK payment to Mama Jasmina is complete" 3. **Transaction list updates:** Polling `/api/transactions` or WebSocket push **What if it never completes?** - After 24 hours stuck in `timeout` → mark as `failed` + admin alert - User can contact support via `/support` page - Admin manually investigates + refunds if needed --- ## 6. Partial Failure Handling ### 6.1 Scenario (Future — FX Conversion) Remittance flow with FX conversion: 1. User sends 500 NOK → 5,085 RSD 2. FX conversion succeeds (NOK debited from user's bank) 3. International transfer fails (recipient bank rejects) 4. **Problem:** User's money is gone, recipient didn't receive it **Current code:** No FX conversion step (demo uses hardcoded exchange rates) **Future risk:** When FX provider is added, must handle partial success ### 6.2 Classification | Scenario | Recoverable? | Action | |----------|-------------|--------| | FX success + transfer success | N/A | ✅ Complete | | FX success + transfer fail | ✅ Yes | Refund converted amount back to NOK | | FX fail + transfer not attempted | ✅ Yes | Transaction never started, return error | | FX timeout + transfer unknown | ⚠️ Maybe | Check FX provider status, then refund or complete | ### 6.3 Compensation Flow (When FX Added) **Database changes:** Add `compensation_status` field: ```sql ALTER TABLE transactions ADD COLUMN compensation_status TEXT CHECK( compensation_status IN ('none', 'pending', 'completed', 'failed') ) DEFAULT 'none'; ``` **Flow:** ```typescript // 1. Attempt FX conversion const fxResult = await fxProvider.convert({ from: "NOK", to: "RSD", amount: 500 }); if (!fxResult.success) { await updateTransactionStatus(txId, "failed", "FX conversion failed"); return { success: false, status: "failed", error: fxResult.error }; } // 2. Mark FX complete await run("UPDATE transactions SET fx_completed_at = datetime('now'), fx_external_id = ? WHERE id = ?", [fxResult.externalId, txId]); // 3. Attempt international transfer const transferResult = await pispProvider.transferInternational({ ... }); if (!transferResult.success) { // Transfer failed — need to refund FX await updateTransactionStatus(txId, "partially_completed", "Transfer failed, initiating refund"); await run("UPDATE transactions SET compensation_status = 'pending' WHERE id = ?", [txId]); // 4. Initiate refund (convert RSD back to NOK + credit user's bank account) const refundResult = await fxProvider.refund({ originalConversionId: fxResult.externalId, recipientBankAccountId: tx.from_bank_account_id }); if (refundResult.success) { await updateTransactionStatus(txId, "failed", "Transfer failed, refund completed"); await run("UPDATE transactions SET compensation_status = 'completed' WHERE id = ?", [txId]); } else { // Refund also failed — escalate to manual review await updateTransactionStatus(txId, "failed", "Transfer and refund failed - manual review required"); await run("UPDATE transactions SET compensation_status = 'failed' WHERE id = ?", [txId]); await createAdminAlert({ type: "compensation_failed", severity: "critical", resourceId: txId, title: "Refund failed after partial payment", description: `Transaction ${txId}: FX conversion succeeded (${fxResult.externalId}) but transfer and refund both failed. User's 500 NOK is stuck in limbo. URGENT MANUAL INTERVENTION REQUIRED.` }); } } ``` **SLA:** Refund must complete within 24 hours (PSD2 requirement) ### 6.4 Edge Cases **Q: What if refund takes 48 hours?** A: Status remains `partially_completed` until refund clears. User sees: "Processing refund — this may take up to 2 business days" **Q: What if user's bank account is closed?** A: Refund fails → admin alert → manual investigation → refund via alternative method (e.g., bank transfer to new account) **Q: What if FX provider goes down during refund?** A: Retry with exponential backoff (same logic as Step 4). After max retries → admin alert. --- ## 7. User Communication ### 7.1 Transaction Status Page **Route:** `/transactions/[id]` **Content:** ```tsx // src/app/transactions/[id]/page.tsx export default function TransactionDetailPage({ params }: { params: { id: string } }) { const { data: tx } = useSWR(`/api/transactions/${params.id}`, fetcher, { refreshInterval: tx?.status === "processing" || tx?.status === "timeout" ? 2000 : 0 }); if (!tx) return

; return (

{tx.type === "remittance" ? "Money Transfer" : "QR Payment"}

{/* Real-time status */}

{tx.status === "initiated" && } {tx.status === "processing" && } {tx.status === "timeout" && } {tx.status === "completed" && } {tx.status === "failed" && }

{/* Timeline */}

Timeline

{/* Details */}

{tx.type === "remittance" && ( <> )}

{/* Actions */} {tx.status === "failed" && ( )}

); } ``` **Timeline data:** API response includes `timeline` array: ```json { "id": "tx_rem_123", "status": "completed", "timeline": [ { "timestamp": "2026-02-17T10:00:00Z", "event": "created", "message": "Payment initiated" }, { "timestamp": "2026-02-17T10:00:02Z", "event": "processing", "message": "Sent to bank" }, { "timestamp": "2026-02-17T10:00:45Z", "event": "completed", "message": "Payment confirmed by bank" } ] } ``` Fetched from `audit_log` table where `resource_id = tx.id` and `action LIKE 'TRANSACTION_%'` ### 7.2 Push Notifications **When to send:** | Status Change | Title | Body | |--------------|-------|------| | `processing` → `completed` | "Payment Complete" | "Your 500 NOK payment to Mama Jasmina is complete" | | `processing` → `failed` | "Payment Failed" | "Your 500 NOK payment failed. Tap to view details" | | `timeout` → `completed` | "Payment Complete" | "Your payment has been confirmed by the bank" | | `partially_completed` → `failed` | "Refund Processed" | "Your 500 NOK has been refunded to your account" | **Implementation:** ```typescript // lib/services/notifications.ts export async function sendPushNotification(params: { userId: string; title: string; body: string; data: Record; }) { // Check user settings const settings = await getOne("SELECT push_enabled FROM settings WHERE user_id = ?", [params.userId]); if (!settings?.push_enabled) return; // Get user's push tokens (stored in separate table) const tokens = await query<{ token: string }>( "SELECT token FROM push_tokens WHERE user_id = ? AND active = 1", [params.userId] ); // Send via Firebase Cloud Messaging (FCM) or Apple Push Notification Service (APNS) for (const { token } of tokens) { await fcm.send({ token, notification: { title: params.title, body: params.body }, data: params.data, }); } // Log notification await run( "INSERT INTO notifications (id, user_id, type, title, body) VALUES (?, ?, ?, ?, ?)", [randomId("ntf"), params.userId, "push", params.title, params.body] ); } ``` **Call from status update:** ```typescript async function updateTransactionStatus( txId: string, newStatus: string, reason?: string ) { const tx = await getOne("SELECT * FROM transactions WHERE id = ?", [txId]); if (!tx) throw new Error("Transaction not found"); // Update status await run("UPDATE transactions SET status = ?, updated_at = datetime('now') WHERE id = ?", [newStatus, txId]); // Log audit await logAudit({ ... }); // Send push notification if (newStatus === "completed" || newStatus === "failed") { await notifications.sendPushNotification({ userId: tx.user_id, title: newStatus === "completed" ? "Payment Complete" : "Payment Failed", body: newStatus === "completed" ? `Your ${tx.amount} NOK payment is complete` : `Your ${tx.amount} NOK payment failed${reason ? `: ${reason}` : ""}`, data: { txId, status: newStatus }, }); } } ``` ### 7.3 Email Notifications **When to send:** Only for terminal states (`completed`, `failed`) **Template:** ```html

Payment Complete

Your payment of {{amount}} {{currency}} to {{recipientName}} has been completed.

Transaction ID: {{txId}}

Date: {{completedAt}}

View Transaction

``` **Send via existing email service:** ```typescript // lib/services/email.ts import { email } from "@/lib/services"; await email.send({ to: user.email, subject: "Payment Complete", template: "transaction-completed", data: { amount: tx.amount, currency: tx.currency, recipientName: tx.recipient_name, txId: tx.id, completedAt: new Date(tx.completed_at).toLocaleString("nb-NO"), }, }); ``` ### 7.4 Error Messages (User-Friendly) **Current:** Generic errors like "PISP API error: 500" **New:** Human-readable messages | Error Code | User-Facing Message (Norwegian) | English | |------------|--------------------------------|---------| | `insufficient_balance` | "Ikke nok dekning på bankkontoen" | "Insufficient funds in your bank account" | | `bank_declined` | "Banken din avslo betalingen. Kontakt banken for detaljer." | "Your bank declined the payment. Contact your bank for details." | | `invalid_iban` | "Ugyldig kontonummer. Sjekk mottakerens kontoopplysninger." | "Invalid account number. Check recipient's account details." | | `pisp_timeout` | "Betalingen tar lengre tid enn vanlig. Vi varsler deg når den er fullført." | "Payment is taking longer than usual. We'll notify you when complete." | | `pisp_unavailable` | "Vår betalingsleverandør er midlertidig utilgjengelig. Prøv igjen om noen minutter." | "Our payment provider is temporarily unavailable. Try again in a few minutes." | | `max_retries_exceeded` | "Betalingen feilet etter flere forsøk. Kontakt kundestøtte." | "Payment failed after multiple attempts. Contact support." | **Implementation:** ```typescript // lib/error-messages.ts const ERROR_MESSAGES: Record = { insufficient_balance: { no: "Ikke nok dekning på bankkontoen", en: "Insufficient funds in your bank account" }, // ... all errors above }; export function getUserFacingError(errorCode: string, language: "no" | "en" = "no"): string { return ERROR_MESSAGES[errorCode]?.[language] || ERROR_MESSAGES.default[language]; } ``` --- ## 8. Admin Tools ### 8.1 Stuck Transactions Endpoint **Route:** `GET /api/admin/transactions/stuck` **Access:** Requires admin role (check JWT: `user.role === 'admin'`) **Query:** ```sql SELECT t.id, t.user_id, t.type, t.status, t.amount, t.currency, t.created_at, t.updated_at, u.email AS user_email, u.first_name || ' ' || u.last_name AS user_name, (julianday('now') - julianday(t.created_at)) * 24 AS hours_stuck FROM transactions t JOIN users u ON t.user_id = u.id WHERE t.status IN ('processing', 'timeout', 'partially_completed') AND t.created_at < datetime('now', '-10 minutes') ORDER BY t.created_at ASC LIMIT 100; ``` **Response:** ```json { "data": [ { "id": "tx_rem_456", "userId": "usr_abc", "userName": "Amir Hadžić", "userEmail": "amir@example.com", "type": "remittance", "status": "timeout", "amount": 500, "currency": "NOK", "createdAt": "2026-02-17T08:00:00Z", "hoursStuck": 2.5 } ], "total": 1 } ``` ### 8.2 Manual Retry Endpoint **Route:** `POST /api/admin/transactions/[id]/retry` **Access:** Admin only **Action:** 1. Validate transaction is in retryable state (`timeout`, `failed` with transient error) 2. Reset retry counter 3. Call PISP provider again (with retry logic from Section 4) 4. Log admin action in audit_log **Implementation:** ```typescript // src/app/api/admin/transactions/[id]/retry/route.ts export async function POST( request: NextRequest, { params }: { params: { id: string } } ) { const { user, error } = await requireAuth(request); if (error) return error; if (user.role !== "admin") { return jsonError("forbidden", "Admin access required", 403); } const txId = params.id; const tx = await getOne("SELECT * FROM transactions WHERE id = ?", [txId]); if (!tx) { return jsonError("not_found", "Transaction not found", 404); } if (!["timeout", "failed"].includes(tx.status)) { return jsonError("invalid_state", "Transaction is not retryable", 400); } // Log admin action await logAudit({ userId: user.id, action: "ADMIN_TRANSACTION_RETRY", resourceType: "transaction", resourceId: txId, details: { previousStatus: tx.status }, ipAddress: getClientIp(request), requestId: getRequestId(request.headers), }); // Reset transaction to initiated await run("UPDATE transactions SET status = 'initiated', retry_count = 0 WHERE id = ?", [txId]); // Re-call PISP with retry logic const result = tx.type === "remittance" ? await payments.initiateRemittance({ ... }) : await payments.initiateQrPayment({ ... }); if (result.success) { return NextResponse.json({ message: "Retry initiated", status: result.status }); } else { return jsonError("retry_failed", result.error || "Retry failed", 500); } } ``` ### 8.3 Manual Resolution Endpoint **Route:** `POST /api/admin/transactions/[id]/resolve` **Body:** ```json { "action": "mark_completed" | "mark_failed" | "initiate_refund", "reason": "Admin manually verified with bank", "externalReference": "bank_ref_12345" // optional } ``` **Actions:** | Action | Effect | |--------|--------| | `mark_completed` | Set status to `completed`, add admin note to audit_log | | `mark_failed` | Set status to `failed`, add reason, notify user | | `initiate_refund` | Trigger refund flow (for partially_completed), set compensation_status to `pending` | **Implementation:** ```typescript export async function POST(request: NextRequest, { params }: { params: { id: string } }) { const { user, error } = await requireAuth(request); if (error) return error; if (user.role !== "admin") return jsonError("forbidden", "Admin access required", 403); const body = await request.json(); const { action, reason, externalReference } = body; const txId = params.id; const tx = await getOne("SELECT * FROM transactions WHERE id = ?", [txId]); if (!tx) return jsonError("not_found", "Transaction not found", 404); switch (action) { case "mark_completed": await run("UPDATE transactions SET status = 'completed', completed_at = datetime('now') WHERE id = ?", [txId]); await logAudit({ userId: user.id, action: "ADMIN_MARK_COMPLETED", resourceId: txId, details: { reason, externalReference } }); await notifications.sendPushNotification({ userId: tx.user_id, title: "Payment Complete", body: "Your payment has been confirmed" }); return NextResponse.json({ message: "Transaction marked as completed" }); case "mark_failed": await run("UPDATE transactions SET status = 'failed', failure_reason = ? WHERE id = ?", [reason, txId]); await logAudit({ userId: user.id, action: "ADMIN_MARK_FAILED", resourceId: txId, details: { reason } }); await notifications.sendPushNotification({ userId: tx.user_id, title: "Payment Failed", body: reason }); return NextResponse.json({ message: "Transaction marked as failed" }); case "initiate_refund": // TODO: Call refund provider await run("UPDATE transactions SET compensation_status = 'pending' WHERE id = ?", [txId]); await logAudit({ userId: user.id, action: "ADMIN_INITIATE_REFUND", resourceId: txId, details: { reason } }); return NextResponse.json({ message: "Refund initiated" }); default: return jsonError("invalid_action", "Invalid action", 400); } } ``` ### 8.4 Admin Dashboard **Route:** `/admin/transactions` **Features:** 1. **Overview Cards:** - Stuck transactions (count) - Failed last 24h (count) - Average resolution time 2. **Stuck Transactions Table:** - Columns: TX ID, User, Amount, Status, Hours Stuck, Actions - Actions: "Retry", "Resolve", "View Audit Log" 3. **Filters:** - Status (processing, timeout, partially_completed) - Stuck > X hours - User search (email, ID) **Screenshot mockup:** ``` ┌────────────────────────────────────────────────────┐ │ Admin: Stuck Transactions │ ├────────────────────────────────────────────────────┤ │ [ Stuck: 3 ] [ Failed 24h: 12 ] [ Avg: 1.2h ] │ ├────────────────────────────────────────────────────┤ │ Filters: [Status: All ▼] [Stuck > 1h ▼] │ ├────────────────────────────────────────────────────┤ │ TX ID │ User │ Amount │ Status │ Hours │ Actions │ │ tx_rem_456 │ amir@ex.com │ 500 NOK│ timeout │ 2.5 │ [Retry][Resolve]│ │ tx_qr_789 │ sara@ex.com │ 129 NOK│ processing│ 0.8 │ [Retry][Resolve]│ └────────────────────────────────────────────────────┘ ``` --- ## 9. Database Schema Changes ### 9.1 New Columns on `transactions` Table ```sql -- Retry tracking ALTER TABLE transactions ADD COLUMN retry_count INTEGER DEFAULT 0; ALTER TABLE transactions ADD COLUMN last_retry_at TEXT; -- External references ALTER TABLE transactions ADD COLUMN external_id TEXT; -- PISP provider's transaction ID ALTER TABLE transactions ADD COLUMN external_status TEXT; -- Raw status from provider -- Failure details ALTER TABLE transactions ADD COLUMN failure_reason TEXT; ALTER TABLE transactions ADD COLUMN failure_code TEXT; -- Machine-readable error code -- Compensation (for partial failures) ALTER TABLE transactions ADD COLUMN compensation_status TEXT CHECK( compensation_status IN ('none', 'pending', 'completed', 'failed') ) DEFAULT 'none'; ALTER TABLE transactions ADD COLUMN compensation_completed_at TEXT; -- Timeline ALTER TABLE transactions ADD COLUMN updated_at TEXT DEFAULT (datetime('now')); -- FX tracking (future) ALTER TABLE transactions ADD COLUMN fx_completed_at TEXT; ALTER TABLE transactions ADD COLUMN fx_external_id TEXT; ``` ### 9.2 New State: `timeout` Update CHECK constraint: ```sql -- Before: status TEXT DEFAULT 'processing' CHECK(status IN ('processing','completed','failed')) -- After: status TEXT DEFAULT 'initiated' CHECK(status IN ('initiated','processing','timeout','completed','failed','partially_completed')) ``` **Migration (SQLite):** SQLite doesn't support `ALTER TABLE ... MODIFY CONSTRAINT`, so recreate table: ```sql -- Create new table with updated constraint CREATE TABLE transactions_new ( id TEXT PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), type TEXT NOT NULL CHECK(type IN ('remittance','qr_payment')), status TEXT DEFAULT 'initiated' CHECK(status IN ('initiated','processing','timeout','completed','failed','partially_completed')), -- ... all other columns ); -- Copy data INSERT INTO transactions_new SELECT * FROM transactions; -- Drop old, rename new DROP TABLE transactions; ALTER TABLE transactions_new RENAME TO transactions; -- Recreate indexes CREATE UNIQUE INDEX idx_tx_idempotency ON transactions(idempotency_key) WHERE idempotency_key IS NOT NULL; CREATE INDEX idx_transactions_user ON transactions(user_id); CREATE INDEX idx_transactions_merchant ON transactions(merchant_id); ``` ### 9.3 New Table: `admin_alerts` ```sql CREATE TABLE admin_alerts ( id TEXT PRIMARY KEY, alert_type TEXT NOT NULL, -- 'transaction_stuck', 'pisp_failure', 'compensation_failed', etc. severity TEXT NOT NULL CHECK(severity IN ('low','medium','high','critical')), resource_type TEXT, -- 'transaction', 'user', 'merchant', etc. resource_id TEXT, title TEXT NOT NULL, description TEXT, status TEXT DEFAULT 'open' CHECK(status IN ('open','investigating','resolved','dismissed')), created_at TEXT DEFAULT (datetime('now')), resolved_at TEXT, resolved_by TEXT, -- user_id of admin who resolved resolution_notes TEXT ); CREATE INDEX idx_admin_alerts_status ON admin_alerts(status); CREATE INDEX idx_admin_alerts_type ON admin_alerts(alert_type); CREATE INDEX idx_admin_alerts_created ON admin_alerts(created_at); ``` ### 9.4 New Table: `retry_history` Optional (if want detailed retry logs separate from audit_log): ```sql CREATE TABLE retry_history ( id TEXT PRIMARY KEY, transaction_id TEXT NOT NULL REFERENCES transactions(id), attempt INTEGER NOT NULL, -- 1, 2, 3 started_at TEXT DEFAULT (datetime('now')), completed_at TEXT, success INTEGER DEFAULT 0, -- 0 = failed, 1 = succeeded error_code TEXT, error_message TEXT, pisp_response TEXT -- Full JSON response from PISP provider ); CREATE INDEX idx_retry_history_tx ON retry_history(transaction_id); ``` **Alternative:** Use `audit_log` table (already exists, sufficient for MVP) --- ## 10. File Structure & Implementation Checklist ### 10.1 Files to Create ``` src/ ├── app/ │ ├── api/ │ │ ├── transactions/ │ │ │ ├── [id]/ │ │ │ │ ├── route.ts # GET transaction by ID (add timeline) │ │ │ │ └── retry/route.ts # NEW: POST retry transaction (user-facing, for failed txs) │ │ ├── admin/ │ │ │ ├── transactions/ │ │ │ │ ├── stuck/route.ts # NEW: GET stuck transactions │ │ │ │ └── [id]/ │ │ │ │ ├── retry/route.ts # NEW: POST admin retry │ │ │ │ └── resolve/route.ts # NEW: POST admin manual resolution │ │ │ └── alerts/ │ │ │ ├── route.ts # NEW: GET admin alerts (list) │ │ │ └── [id]/route.ts # NEW: PATCH resolve alert │ ├── transactions/ │ │ └── [id]/ │ │ └── page.tsx # NEW: Transaction detail page │ └── admin/ │ ├── transactions/ │ │ └── page.tsx # NEW: Admin stuck transactions dashboard │ └── alerts/ │ └── page.tsx # NEW: Admin alerts dashboard ├── lib/ │ ├── services/ │ │ ├── payments.ts # MODIFY: Add retry logic + timeout handling │ │ ├── reconciliation.ts # NEW: Background status checks │ │ └── notifications.ts # MODIFY: Add transaction notifications │ ├── db-migrations/ │ │ └── 004-transaction-recovery.sql # NEW: Schema changes │ ├── retry.ts # NEW: Retry logic (exponential backoff) │ ├── state-machine.ts # NEW: Transaction state transitions │ ├── error-messages.ts # NEW: User-friendly error messages │ └── admin-alerts.ts # NEW: Admin alert creation/management └── workers/ └── reconciliation-worker.ts # NEW: Background job to check stuck txs ``` ### 10.2 Implementation Phases #### Phase 1: State Machine & Audit (Week 1) - [ ] Update `transactions` table schema (new columns + `timeout` state) - [ ] Implement state transition validation in `lib/state-machine.ts` - [ ] Add transition audit logging (every status change → audit_log) - [ ] Update API routes to use state machine validation - [ ] **Deliverable:** Status changes are validated + audited #### Phase 2: Retry Logic (Week 2) - [ ] Implement exponential backoff in `lib/retry.ts` - [ ] Add error classification (transient vs permanent) - [ ] Update `payments.ts` to use retry wrapper - [ ] Add retry counter tracking in DB - [ ] **Deliverable:** Transient errors auto-retry up to 3 times #### Phase 3: Timeout Recovery (Week 2-3) - [ ] Change timeout behavior: return `timeout` status instead of failure - [ ] Create `reconciliation-worker.ts` background job - [ ] Implement PISP status polling (every 10 min for stuck txs) - [ ] Add timeout → completed/failed transitions - [ ] **Deliverable:** Timeouts self-resolve via background reconciliation #### Phase 4: User Communication (Week 3) - [ ] Create transaction detail page (`/transactions/[id]`) - [ ] Add real-time status polling (SWR with 2s refresh) - [ ] Implement push notifications for status changes - [ ] Add email notifications for terminal states - [ ] Implement user-friendly error messages - [ ] **Deliverable:** Users always know transaction status #### Phase 5: Admin Tools (Week 4) - [ ] Create `admin_alerts` table - [ ] Implement stuck transaction detection (every 10 min sweep) - [ ] Build admin dashboard (`/admin/transactions`) - [ ] Add manual retry endpoint (`POST /api/admin/transactions/[id]/retry`) - [ ] Add manual resolution endpoint (`POST /api/admin/transactions/[id]/resolve`) - [ ] **Deliverable:** Admins can intervene on stuck transactions #### Phase 6: Partial Failure Handling (Future — After FX Provider Integration) - [ ] Add `compensation_status` field - [ ] Implement refund flow for partial failures - [ ] Add FX provider status checks - [ ] Test compensation scenarios - [ ] **Deliverable:** Partial failures trigger automatic refunds --- ## 11. Testing Strategy ### 11.1 Unit Tests **Retry logic:** ```typescript describe("Retry with exponential backoff", () => { test("succeeds on first attempt", async () => { const result = await callPispWithRetry(() => Promise.resolve({ success: true })); expect(result.success).toBe(true); }); test("retries on transient error", async () => { let attempts = 0; const result = await callPispWithRetry(async () => { attempts++; if (attempts < 3) throw new Error("Network timeout"); return { success: true }; }); expect(attempts).toBe(3); }); test("stops on permanent error", async () => { let attempts = 0; const result = await callPispWithRetry(async () => { attempts++; return { success: false, error: "invalid_iban" }; // permanent }); expect(attempts).toBe(1); }); }); ``` **State machine:** ```typescript describe("Transaction state machine", () => { test("allows initiated → processing", () => { expect(canTransition("initiated", "processing")).toBe(true); }); test("blocks processing → initiated", () => { expect(canTransition("processing", "initiated")).toBe(false); }); test("blocks completed → anything", () => { expect(canTransition("completed", "failed")).toBe(false); }); }); ``` ### 11.2 Integration Tests **Scenario: Timeout recovery** 1. Mock PISP to timeout on first call 2. Initiate transaction → verify status = `timeout` 3. Run reconciliation worker 4. Mock PISP to return `completed` 5. Verify transaction status = `completed` 6. Verify push notification sent **Scenario: Retry exhaustion** 1. Mock PISP to return 503 three times 2. Initiate transaction 3. Verify transaction status = `failed` 4. Verify admin alert created 5. Verify user notified ### 11.3 End-to-End Tests **User journey:** 1. User initiates remittance (500 NOK → RSD) 2. PISP times out after 30s 3. User sees "Processing — we'll notify you" 4. 2 minutes later: background worker checks status 5. PISP returns `completed` 6. User receives push notification 7. User opens transaction detail page → sees "Completed" 8. User receives email confirmation **Admin journey:** 1. Transaction stuck in `timeout` for 2 hours 2. Admin opens `/admin/transactions` dashboard 3. Sees transaction in "Stuck" list 4. Clicks "Retry" → transaction re-attempted 5. PISP succeeds → status = `completed` 6. Admin marks alert as "Resolved" --- ## 12. Acceptance Criteria ### 12.1 State Machine - [x] All status transitions validated against whitelist - [x] Invalid transitions blocked at DB + app level - [x] Every status change logged in `audit_log` with timestamp + reason - [x] Terminal states (`completed`, `failed`) cannot transition ### 12.2 Idempotency - [x] Duplicate requests with same `idempotencyKey` return cached response (already implemented) - [x] Idempotency keys scoped to user (prevents IDOR) (already implemented) - [x] Response includes identical payload + status 200 (already implemented) ### 12.3 Retry Logic - [x] Transient errors (5xx, timeout) trigger automatic retry - [x] Exponential backoff: 2s → 8s → 32s (with jitter) - [x] Max 3 retry attempts - [x] Permanent errors (4xx, bank decline) fail immediately (no retry) - [x] After max retries: mark as `failed` + create admin alert ### 12.4 Timeout Recovery - [x] Timeout returns `timeout` status (not `failed`) - [x] Background worker checks PISP status every 10 min - [x] Stuck transactions (> 10 min) swept periodically - [x] Timeout → completed/failed based on PISP response - [x] User notified when status resolves ### 12.5 Partial Failure - [x] `compensation_status` field added (for future FX refunds) - [x] Refund flow triggers on transfer failure (when FX provider added) - [x] Compensation failures escalate to admin alert - [x] User sees "Processing refund" status ### 12.6 User Communication - [x] Transaction detail page (`/transactions/[id]`) shows: - Real-time status - Timeline of events - User-friendly error messages - [x] Push notifications sent on status change - [x] Email sent on terminal status (`completed`, `failed`) - [x] Error messages in Norwegian (primary) + English ### 12.7 Admin Tools - [x] `/api/admin/transactions/stuck` returns all stuck transactions - [x] `/api/admin/transactions/[id]/retry` manually retries transaction - [x] `/api/admin/transactions/[id]/resolve` manually marks completed/failed - [x] Admin dashboard shows stuck transactions with action buttons - [x] Admin alerts created for: - Max retries exhausted - Compensation failure - Transaction stuck > 24 hours --- ## 13. Monitoring & Alerting ### 13.1 Metrics to Track | Metric | Threshold | Alert If | |--------|-----------|----------| | Stuck transactions (count) | 5 | > 10 | | Average resolution time (hours) | 1 | > 4 | | Failed transactions (last 24h) | 50 | > 100 | | PISP timeout rate (%) | 5% | > 15% | | Retry success rate (%) | 80% | < 60% | | Compensation failures (count) | 0 | > 0 | ### 13.2 Dashboard Queries **Stuck transactions:** ```sql SELECT COUNT(*) FROM transactions WHERE status IN ('processing', 'timeout') AND created_at < datetime('now', '-10 minutes'); ``` **Average resolution time:** ```sql SELECT AVG(julianday(completed_at) - julianday(created_at)) * 24 AS hours FROM transactions WHERE status = 'completed' AND completed_at > datetime('now', '-24 hours'); ``` **PISP timeout rate:** ```sql SELECT SUM(CASE WHEN failure_code = 'pisp_timeout' THEN 1 ELSE 0 END) * 100.0 / COUNT(*) AS timeout_pct FROM transactions WHERE created_at > datetime('now', '-24 hours'); ``` ### 13.3 Log Events **Every transaction state change:** ```json { "level": "info", "msg": "Transaction status changed", "txId": "tx_rem_123", "userId": "usr_abc", "from": "processing", "to": "completed", "reason": "PISP callback received", "externalId": "ext_456", "timestamp": "2026-02-17T10:00:45Z" } ``` **PISP API call failures:** ```json { "level": "error", "msg": "PISP API call failed", "txId": "tx_rem_123", "attempt": 2, "errorCode": "pisp_timeout", "errorMessage": "Request timeout after 30s", "willRetry": true, "nextRetryIn": "8000ms", "timestamp": "2026-02-17T10:00:30Z" } ``` **Retry exhaustion:** ```json { "level": "error", "msg": "All retries exhausted", "txId": "tx_rem_123", "maxRetries": 3, "lastError": "PISP provider unavailable", "adminAlertCreated": "alert_xyz", "timestamp": "2026-02-17T10:01:10Z" } ``` --- ## 14. Security Considerations ### 14.1 Admin Endpoints **Access control:** - All admin endpoints require `user.role === 'admin'` (checked via JWT) - Audit every admin action (`ADMIN_TRANSACTION_RETRY`, `ADMIN_MARK_COMPLETED`, etc.) - Log IP address + user agent for all admin operations **Rate limiting:** - Admin endpoints: 60 requests/min (higher than user endpoints) - Admin dashboard: no rate limit (internal tool) ### 14.2 Idempotency Key Security **No vulnerability:** Idempotency keys scoped to user → can't replay another user's transaction **Best practice:** Client generates key = `${userId}_${timestamp}_${random}` (prevents guessing) ### 14.3 Transaction Status Leaks **Risk:** User A checks `/api/transactions/tx_rem_123` → sees User B's transaction **Mitigation (already implemented):** ```typescript const tx = await getOne( "SELECT * FROM transactions WHERE id = ? AND user_id = ?", [txId, user.id] // ← Scoped to logged-in user ); ``` **Admin endpoints:** Bypass user_id check (admin sees all transactions) --- ## 15. Cost Analysis ### 15.1 Infrastructure | Component | Cost | Notes | |-----------|------|-------| | Background worker | $0 | Same server process (cron or `setInterval`) | | Job queue (pg-boss) | $0 | Uses existing PostgreSQL (when migrated from SQLite) | | Job queue (BullMQ) | ~$20/mo | Redis hosting (if chosen over pg-boss) | | Push notifications (FCM) | Free | Up to unlimited (Firebase Cloud Messaging) | | Email (SendGrid) | $15/mo | 50k emails/month (transactional tier) | **Total:** $15-35/mo (depending on job queue choice) ### 15.2 PISP API Costs **Retry costs:** - 3 retries per failed transaction - If 5% of transactions fail → 5% * 3 = 15% extra PISP API calls - Assuming 10,000 txs/month, 5% fail = 500 failed → 1,500 retry calls - Cost: depends on PISP provider (typically $0.01-0.05 per API call) - **Estimated:** $15-75/mo in extra API fees **Reconciliation costs:** - Background worker checks status every 10 min for stuck txs - If 1% stuck (100 txs/month) → 100 * 6 status checks/hour * 24h = 14,400 API calls - **Estimated:** $144-720/mo **Optimization:** Only check status for transactions stuck > 10 min (reduces unnecessary calls) --- ## 16. Open Questions (For Alem) ### 16.1 Retry Strategy **Q1:** Should we do in-process retry (Option A) or background job queue (Option B)? **Recommendation:** Start with Option A (simpler, no extra infra). Migrate to Option B when transaction volume > 10k/month. ### 16.2 Notification Channels **Q2:** Email + push notifications both? Or only one? **Recommendation:** Both. Email is fallback (if user disabled push). Send email only for terminal states. ### 16.3 Admin Alert Delivery **Q3:** How should admin alerts be delivered? - Option A: Dashboard only (admin must check `/admin/alerts`) - Option B: Email to ops team - Option C: Slack webhook - Option D: SMS for critical alerts **Recommendation:** Option C (Slack) for high/critical alerts. Dashboard for all. ### 16.4 Stuck Transaction Threshold **Q4:** When should we mark a transaction as "stuck"? - Current spec: 10 minutes - Alternative: 1 hour (less aggressive) **Recommendation:** 10 min for reconciliation sweep, 24h for admin alert (gives time to self-resolve) ### 16.5 Partial Failure Compensation SLA **Q5:** What's acceptable refund time for partial failures? - PSD2 requires 24h for refunds - Faster = better UX **Recommendation:** Initiate refund immediately, complete within 24h (meet regulatory minimum) --- ## 17. Next Steps 1. **Review this spec** with Alem 2. **Approve/reject each section** (or request changes) 3. **Prioritize phases** (which to implement first?) 4. **Assign to builder agent** (one phase at a time) 5. **Validation after each phase** (validator agent checks implementation) **Estimated timeline:** 4 weeks for Phases 1-5, Phase 6 (partial failure) deferred until FX provider integrated --- ## Appendix A: State Diagram (ASCII) ``` ┌─────────────┐ │ initiated │──────────────┐ └──────┬──────┘ │ │ │ (immediate fail: validation error) ▼ ▼ ┌─────────────┐ ┌─────────────┐ │ processing │ │ failed │ (terminal) └──────┬──────┘ └─────────────┘ │ ├──────────────────┬──────────────────┐ │ │ │ │ (success) │ (timeout) │ (permanent error) ▼ ▼ ▼ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ completed │ │ timeout │ │ failed │ │ (terminal) │ └──────┬──────┘ └─────────────┘ └─────────────┘ │ │ (reconciliation) ├───────────┬───────────┐ │ │ │ ▼ ▼ │ ┌─────────────┐ ┌─────────────┐│ (retry) │ completed │ │ failed ││ └─────────────┘ └─────────────┘▼ ┌─────────────┐ │ processing │ └─────────────┘ Future: ┌─────────────────────────────┐ │ partially_completed │ └──────────┬──────────────────┘ │ (refund) ├───────────┬───────────┐ ▼ ▼ ▼ ┌─────────────┐ ┌─────────────┐ │ completed │ │ failed │ └─────────────┘ └─────────────┘ ``` --- ## Appendix B: Error Code Reference | Code | Type | Retry? | User Message (NO) | User Message (EN) | |------|------|--------|-------------------|-------------------| | `insufficient_balance` | Permanent | No | "Ikke nok dekning på bankkontoen" | "Insufficient funds" | | `bank_declined` | Permanent | No | "Banken din avslo betalingen" | "Your bank declined the payment" | | `invalid_iban` | Permanent | No | "Ugyldig kontonummer" | "Invalid account number" | | `kyc_required` | Permanent | No | "Identitetsverifisering kreves" | "Identity verification required" | | `pisp_timeout` | Transient | Yes | "Betalingen tar lengre tid enn vanlig" | "Payment taking longer than usual" | | `pisp_unavailable` | Transient | Yes | "Betalingsleverandør midlertidig utilgjengelig" | "Payment provider temporarily unavailable" | | `network_error` | Transient | Yes | "Nettverksfeil — prøver igjen automatisk" | "Network error — retrying automatically" | | `pisp_5xx` | Transient | Yes | "Betalingsleverandør har tekniske problemer" | "Payment provider experiencing technical issues" | | `max_retries_exceeded` | Permanent | No | "Betalingen feilet etter flere forsøk" | "Payment failed after multiple attempts" | | `validation_error` | Permanent | No | "Ugyldig forespørsel" | "Invalid request" | --- **End of Specification** # drop-validation-hardening-plan # Plan: Drop Validation Hardening ## Research Summary ### What the documentation says (spec vs reality) **Sources reviewed:** 1. `project/architecture/api-specification.md` — API contract, field examples, error codes 2. `project/architecture/architecture-document.md` — User requirements from vilkår.html (legally binding) 3. `project/docs/security-qa-audit.md` — Issue #14 (email), #19 (password), #9 (amounts) 4. `project/docs/drop-qa-rapport.md` — QA findings C-1 through L-10 5. `src/lib/middleware/validation.ts` — Existing validators (UNUSED by any route) 6. `src/app/api/auth/register/route.ts` — Current registration validation 7. `src/app/onboarding/page.tsx` — Current frontend validation ### Gap Analysis | Field | Spec / Audit Requirement | Current Implementation | Gap | |-------|--------------------------|----------------------|-----| | **Email** | Regex `/^[^\s@]+@[^\s@]+\.[^\s@]+$/` (audit #14) | `email.includes("@")` | YES — accepts `@`, `a@`, `@ @` | | **Password** | 12+ chars, uppercase, lowercase, digit (audit #19) | `length >= 8`, no complexity | YES — "12345678" passes | | **First/Last Name** | `validateName()` exists in validation.ts — 1-100 chars, no script tags, sanitized | `typeof === "string"` only | YES — "123", XSS, 100K chars pass | | **Phone** | `+47` Norwegian format (architecture doc 1.4) | No validation at all | YES — any string passes | | **Age** | 18+ from vilkår.html (architecture doc 1.4) | Not implemented | YES — but deferred (needs BankID) | | **Amount (remittance)** | 100-50,000 NOK, 2 decimal places, finite (audit #9) | 100-50,000 check, isFinite | PARTIAL — no decimal precision | | **Amount (QR)** | 1-100,000 NOK, 2 decimals | 1-100,000 check, isFinite | PARTIAL — no decimal precision | | **Bank account** | IBAN validation (validation.ts has `validateIBAN`) | No validation | YES — but separate scope | | **Currency** | NOK, RSD, BAM, PLN, PKR, TRY, EUR | Missing RSD, TRY, PKR, NOK | YES — but unused validator | ### Existing assets (ready to wire up) `src/lib/middleware/validation.ts` already has: - `validateEmail()` — proper regex - `validatePhone()` — international `+` format, 8-15 digits - `validateAmount()` — positive, max 2 decimals - `validateIBAN()` — format + mod-97 checksum - `validatePIN()` — exactly 4 digits - `validateName()` — 1-100 chars, no script tags - `sanitizeText()` — strips HTML, control chars, max length - `validateCurrency()` — needs RSD, TRY, PKR, NOK added **Key insight:** The validators EXIST but are NEVER IMPORTED. The middleware/ directory is entirely dead code (QA rapport C-1). The fix is to wire existing validators into the actual routes. ## Objective Wire existing validation utilities into all API routes and frontend forms. Close the gap between documented requirements and actual implementation. Do NOT create new validators — use what exists in `validation.ts`, extend where needed. ## Scope **In scope:** 1. Registration API — email, password, name, phone validation 2. Registration frontend — matching client-side checks 3. Login frontend — email format check 4. Amount validation — add decimal precision check to remittance + QR payment routes 5. Update existing tests to match new validation rules 6. Currency validator — add missing currencies **Out of scope (separate tasks):** - Age verification (needs BankID integration) - IBAN validation for recipients (separate feature) - CSRF protection (separate security task) - Audit logging (separate task) - Password complexity upgrade to 12+ (BREAKING CHANGE — needs migration plan, keep 8 for now but add complexity) ## Team Orchestration ### Team Members | ID | Name | Role | Agent Type | |----|------|------|------------| | B1 | validation-builder | Implement validation wiring | builder | | V1 | validation-validator | Verify all validation works | validator | ### Step-by-Step Tasks #### Phase 1: Backend Validation (API Routes) **Task 1:** Wire validators into registration API - Owner: B1 - BlockedBy: none - Files: `src/app/api/auth/register/route.ts`, `src/lib/middleware/validation.ts` - Changes: 1. Import `validateEmail`, `validateName`, `sanitizeText`, `validatePhone` from `@/lib/middleware/validation` 2. Replace `!email.includes("@")` with `!validateEmail(email)` 3. Replace `!firstName || typeof firstName !== "string"` with `!validateName(firstName)` 4. Replace `!lastName || typeof lastName !== "string"` with `!validateName(lastName)` 5. Add phone validation: `if (phone && !validatePhone(phone))` error 6. Sanitize names before storing: `sanitizeText(firstName, 100)`, `sanitizeText(lastName, 100)` 7. Add password complexity: min 8 chars + at least 1 letter + at least 1 digit (soft upgrade, not full 12-char yet) 8. Add `validateCurrency` update: add missing currencies (RSD, TRY, PKR, NOK) - Acceptance: - [ ] `user@` rejected (no domain) - [ ] `@domain.com` rejected (no local part) - [ ] `user space@domain.com` rejected (spaces) - [ ] `valid@email.com` accepted - [ ] `123` as firstName rejected (contains only digits? No — validateName allows digits, just checks length + no script tags. This is acceptable.) - [ ] `` as name rejected - [ ] Empty firstName rejected - [ ] 200+ char firstName truncated to 100 - [ ] Phone without `+` prefix rejected (if provided) - [ ] Phone `+4712345678` accepted - [ ] Password `12345678` rejected (no letter) - [ ] Password `abcdefgh` rejected (no digit) - [ ] Password `abc12345` accepted (letter + digit + 8 chars) **Task 2:** Wire validators into amount routes - Owner: B1 - BlockedBy: none - Files: `src/app/api/transactions/remittance/route.ts`, `src/app/api/transactions/qr-payment/route.ts` - Changes: 1. Import `validateAmount` from `@/lib/middleware/validation` 2. Add decimal precision check before range check: `if (Math.round(amount * 100) !== amount * 100)` → 400 error 3. Existing range checks stay (100-50K for remittance, 1-100K for QR) - Acceptance: - [ ] `100.999` rejected (3 decimals) - [ ] `100.99` accepted (2 decimals) - [ ] `100` accepted (0 decimals) - [ ] Existing range tests still pass **Task 3:** Validate Task 1 + Task 2 - Owner: V1 - BlockedBy: 1, 2 - Acceptance: - [ ] Read all modified files, verify imports are correct - [ ] Verify no breaking changes to existing passing tests - [ ] Run `npm test` — all 120 Vitest tests pass - [ ] Run `npx playwright test` — all 75 e2e tests pass (may need test updates) #### Phase 2: Frontend Validation (Client-side) **Task 4:** Add proper validation to registration form - Owner: B1 - BlockedBy: 3 (backend must be validated first) - Files: `src/app/onboarding/page.tsx` - Changes: 1. Replace `!email.includes("@")` with proper regex check matching backend 2. Add inline error for email format: "Ugyldig e-postformat" 3. Add password complexity check: show "Passord må inneholde bokstaver og tall" 4. Add name format hint if script tags detected: "Ugyldig tegn i navn" 5. Add phone format hint: "Norsk telefonnummer påkrevd (+47...)" 6. Keep button disabled logic, but add per-field inline errors - Acceptance: - [ ] `user@` shows email format error immediately on blur - [ ] `12345678` password shows complexity error - [ ] Valid form submits normally - [ ] Error messages in Norwegian **Task 5:** Add email validation to login form - Owner: B1 - BlockedBy: 3 - Files: `src/app/login/page.tsx` - Changes: 1. Add email format check matching backend regex 2. Show "Ugyldig e-postformat" if email doesn't match on submit - Acceptance: - [ ] Invalid email format shows Norwegian error - [ ] Valid email + wrong password shows credential error (not format error) **Task 6:** Validate Task 4 + Task 5 - Owner: V1 - BlockedBy: 4, 5 - Acceptance: - [ ] Read all modified frontend files - [ ] Verify error messages are in Norwegian - [ ] Run `npx playwright test` — all 75 e2e tests pass - [ ] Verify no regressions in user-flows or input-chaos tests #### Phase 3: Test Updates **Task 7:** Update e2e tests for new validation rules - Owner: B1 - BlockedBy: 6 - Files: `tests/e2e/input-chaos.spec.ts`, `tests/e2e/user-flows.spec.ts` - Changes: 1. Update password boundary tests — "12345678" now fails (no letter), use "pass1234" instead 2. Update any test assertions that depend on old weak validation 3. Add new positive test: valid registration with proper fields 4. Verify all 75 tests pass with the new validation - Acceptance: - [ ] `npx playwright test` — 75/75 pass - [ ] `npm test` — 120/120 pass - [ ] No test uses weak input that now gets rejected without updating the assertion **Task 8:** Final validation — full test suite - Owner: V1 - BlockedBy: 7 - Acceptance: - [ ] `npm test` — 120/120 pass (5 consecutive runs) - [ ] `npx playwright test` — 75/75 pass - [ ] Manual check: registration form rejects `

`, `
`, `
`, ``, `

${t('welcome_subject')}

Inviter venner — få 50 kr per venn

Dine invitasjoner

[Post Title]

Prøv Drop gratis

Koble til BankID

Verifisering pågår

Verifisering feilet

Hei, {user.firstName}!

Siste transaksjoner

Verifisering feilet

BankID-innlogging avbrutt

Verifisering feilet

Fullfør registreringen

Noe gikk galt

Koble BankID for å låse opp alle funksjoner

BankID påkrevd

{tx.type === "remittance" ? "Money Transfer" : "QR Payment"}

Timeline

Payment Complete

`, ``, ``, ``, `

${t('welcome_subject')}

Inviter venner — få 50 kr per venn

Dine invitasjoner

[Post Title]

Prøv Drop gratis

Koble til BankID

Verifisering pågår

Verifisering feilet

Hei, {user.firstName}!

Siste transaksjoner

Verifisering feilet

BankID-innlogging avbrutt

Verifisering feilet

Fullfør registreringen

Noe gikk galt

Koble BankID for å låse opp alle funksjoner

BankID påkrevd

{tx.type === "remittance" ? "Money Transfer" : "QR Payment"}

Timeline

Payment Complete

`, `
`, `
`, ``, `