- Bring over some of the improvements from dd: template reloading, live static file reloading, more?
- Bring jsExample up to date with TS example (and maybe share some files such as the config, templates and static)
- Fix the awful "hasKey" stuff for config. Error should report the key, and there shouldn't be any code duplication
- Improve session security: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html (http only cookie, no identifyable info in the token, make it random and map to server side blob)
- Move db connection out of the api constructor, and into something that can be injected
- Maybe rethink the project idea? This feels convoluted. Maybe we can take the user routes out and into a different file, or even different package.
- Get a roads github project set up, and maybe a roads npm org too.
- Flush commit history and reset from a clean start to kill any old keys
- Move csrf token stuff into core roads
- json schema based config validation, instead of this awful hasAllKeys function