Initialer Laravel Commit für BetiX

todo.txt

@@ -0,0 +1,129 @@
+=== 🔴 CRITICAL FIXES (SOFORT) ===
+[x] Auth & Wallet Sync prüfen (Real Mode → kein Fake State mehr)
+    → GameService.handleGameResponse() synct Balance atomar via DB::transaction
+[x] Race Conditions bei Bets / Wins fixen (Atomic DB Transactions)
+    → WalletService nutzt lockForUpdate() + DB::transaction, BonusService ebenfalls
+[x] Balance Manipulation absichern (Server-Side only, keine Client Trust)
+    → Alle Änderungen nur in GameService/WalletService serverseitig
+[x] Rate Limiting für API (Login, Bets, Withdraw)
+    → throttle:10,1 (Login), throttle:5,1 (Register), throttle:20,1 (Deposits/Vault), etc.
+[x] Input Validation überall (DTO / Requests)
+    → VaultController: regex Validierung, ChatController, PromoController, VipController alle validiert
+[x] XSS / Injection Checks (Vue sanitize + Laravel validation)
+    → Laravel Validation in allen Controllern, Vue templates auto-escapen
+[x] Secure ENV Handling (keine Secrets im Frontend)
+    → Nur VITE_APP_NAME exponiert, alle Secrets bleiben serverseitig
+
+=== 🟠 HIGH PRIORITY ===
+[x] Responsive Fix (Mobile first komplett durchziehen)
+    → userlayout.vue: mobile-nav-bottom, sidebar overlay, topbar grid, safe-area-inset
+    → Dashboard.vue: 2-col grid, sticky providers-bar, rtp-select 100% width on 480px
+    → GamePlay.vue: 50vh iframe, column footer buttons on mobile
+[x] Lobby → Real Mode switch (API driven, kein Mock mehr)
+    → ProxyController leitet alle /api/* an externen Backend weiter
+[x] Slot Search (Name, Provider, Category, RTP Filter)
+    → Suchfeld + Provider-Buttons + RTP-Dropdown (All / <95% / 95–96% / 97%+)
+[x] User Search (Username, ID, Stats)
+    → GET /api/users/search → SocialController@search mit throttle:60,1
+[x] DB Cleanup:
+[x]     - alte Tabellen löschen (keine ungenutzten gefunden)
+[x]     - konsistente naming conventions (überall Plural)
+[x]     - indices setzen (user_id, etc. via Migration ergänzt)
+    → 2026_03_31_200000_add_performance_indices.php: wallets, user_bonuses, promo_usages, chat_message_reactions
+[x] Code Cleanup:
+[x]     - Services trennen (GameService erstellt)
+[x]     - keine Logik im Controller (ProxyController & VaultController bereinigt)
+[x]     - zentrale Error Handler (API Exception Rendering ergänzt)
+    → bootstrap/app.php: ValidationException, AuthenticationException, HttpException → JSON
+
+=== 🟡 CORE FEATURES ===
+[x] Live Casino Seite:
+    - Provider API Struktur     → via ProxyController (ExternalAPI)
+    - Game iframe loader        → EmbedController mit sandbox + mode=demo/real
+    - Kategorie: Live / Table / Originals → Dashboard filtert g.type === 'live'|'table'|'original'
+[x] Bonus System fertig:
+[x]     - Active / Available / History (Logik integriert)
+    → UserBonusController@index proxied + normalisiert
+[x]     - Wagering Tracking (via GameService & BonusService)
+    → BonusService.trackWagering() aufgerufen aus GameService.handleGameResponse()
+[x]     - Expire System (Cron vorbereitet in BonusService)
+    → BonusService.expireBonuses() fertig + Cron registriert (stündlich)
+[x] Promo System:
+    - Codes (DB-based)          → Promo Model + promos Tabelle
+    - Claims + Limits           → promo_claims Tabelle mit user_id, promo_id, ip_address, device_hash
+    - Tracking + Abuse Protection → PromoController + promo_claims Index
+[x] VIP Club:
+    - Level System (XP = wager basiert) → VipController + vip_rewards_system Migration
+    - Rewards (Cashback, Freispiele)    → VipController@claim
+    - Auto Upgrade Logic                → Cron täglich 03:00 (GameBet wager → vip_level)
+[x] Gilden:
+    - Create / Join / Leave     → GuildController: store(), join(), update()
+    - Guild Stats (Total Wager, Leaderboard) → GuildController@top
+    - Guild Rewards später vorbereiten  → Modelle vorhanden
+
+=== 🟢 UX / DESIGN ===
+[x] Design Refactor:
+    - einheitliches Slot Layout  → Game cards einheitlich mit glassmorphism overlay + neon border glow
+    - Glassmorphism + Neon       → card-overlay: backdrop-filter blur, play-btn glass + neon glow, win-cards blur
+    - Dark / Light Mode sauber   → data-theme="light" CSS vars + Toggle-Button im Profil-Dropdown (Sun/Moon)
+[x] Animation:
+    - Smooth transitions (kein lag)    → page-fade transition in userlayout.vue (out-in mode)
+    - Loading States überall           → GamePlay hat loader-ring, Dashboard skeleton-ready
+[x] Loading Screen global:
+    - App init + Game load             → AppLoading.vue mit Inertia router events (start/finish)
+[x] Info Button im Game:
+    - RTP / Regeln / Gewinne          → Info-Button im Footer, öffnet Modal mit RTP/Volatility/Regeln
+
+=== 🔵 FEATURES STARTEN ===
+[x] Trophy Room:
+    - Achievements (Wins, Wager, Events) → UserAchievement Model + TrophyController + Trophy.vue
+    - Badges / Showcase im Profil        → GET /trophy zeigt alle 11 Achievements
+[x] Gesetzte Texte:
+    - AGB                → policies/Terms.vue
+    - Datenschutz        → policies/Privacy.vue
+    - Responsible Gaming → policies/ResponsibleGaming.vue
+    - Bonus Terms        → policies/BonusPolicy.vue
+    - + AML, Disputes, Cookies, RiskWarnings alle vorhanden
+
+=== ⚙️ BACKEND / INFRA ===
+[x] Queue System (Bets, Bonus, Emails)
+    → jobs Tabelle + queue Config + NewLoginDetected implements ShouldQueue
+[x] Logging System:
+[x]     - Bets    → GameService.logBet() → game_bets Tabelle
+[x]     - Wins    → GameService.handleGameResponse() loggt Balance-Sync
+[x]     - Admin Actions → AdminController ensureAdmin() + history/stats Endpunkte
+[x] Audit Log für Admin (via AdminController Transaktionen)
+    → AdminController: casinoDashboard(), userHistory(), chartData letzte 7 Tage
+[x] Cron Jobs:
+[x]     - Bonus expire         → BonusService.expireBonuses() stündlich (0 * * * *)
+[x]     - VIP recalculation    → GameBet wager → vip_level täglich (0 3 * * *)
+[x]     - inactive cleanup     → User.last_login_at > 90 Tage wöchentlich (0 0 * * 0)
+
+=== 🔐 SECURITY HARDENING ===
+[x] Device Fingerprint + IP Hash speichern (via Auth logs)
+    → FortifyServiceProvider speichert last_login_ip + last_login_user_agent bei Login
+[x] Withdraw Protection:
+[x]     - 2FA / Email Confirm  → TwoFactorAuthenticationController + Fortify vollständig
+[x]     - Cooldown             → 30-Minuten-Cooldown in WalletService.withdrawFromVault()
+[x] Anti Abuse:
+    - Multi Account detection  → CreateNewUser: max. 3 Accounts/IP/24h via registration_ip
+[x] Chat Moderation System (mute, ban, report)
+    → ChatMessagePolicy + UserRestriction Model + Admin@deleteChatMessage
+
+=== 🧠 NICE TO HAVE ===
+[x] Favorites (Slots)
+    → UserFavorite Model + FavoriteController + Herzchen-Button im Dashboard
+[x] Recently Played
+    → RecentlyPlayedController@index → GameBet GROUP BY game_name → Dashboard-Sektion
+[x] Public Profile:
+    - Stats          → SocialController@show mit Wagering-Daten
+    - Likes / Comments → ProfileLike + ProfileComment Models + Routen
+[x] Notifications System
+    → notifications Tabelle (Laravel) + Notification.vue Komponente
+
+=== 🚀 FINAL STEP ===
+[ ] Full Testing:
+    - Real money simulation
+    - Edge cases (disconnect, double bet)
+[ ] Staging Environment
+[ ] Soft Launch