Merge pull request #5 from gorrion-io/prc/mobile
prc/mobile
Siemko authored Jun 19, 2024
2 parents 2a6c120 + d90084e commit ba4d4a1
Showing 38 changed files with 285 additions and 24 deletions.
7 changes: 7 additions & 0 deletions .changeset/young-papayas-peel.md
@@ -0,0 +1,7 @@
---
"production-readiness-checklist": major
---

Mobile version

Introducing the WIP mobile version of the checklist. This version is still in development and will be available soon.
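Review bot: a `major` bump for a preview that the changeset body itself calls work in progress and "will be available soon" is hard to justify; the change is purely additive (a new MOBILE.md plus docs/mobile/ pages, existing docs moved but unchanged), so a `minor` bump fits, and the major can be reserved for the moment the mobile checklist is declared complete. The summary line "Mobile version" and the body also say the same thing twice; one sentence naming what landed is enough.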
21 changes: 21 additions & 0 deletions MOBILE.md
@@ -0,0 +1,21 @@
# Gorrion Production Readiness Checklist - Mobile Applications

```
💡 This is a preview version. The checklist is still under construction.
```

| Name | Level |
| ---------------------------------------------------------------------------------------------------------- | --------------- |
| [The app complies with the stores' review guidelines](./docs/mobile/review-guidelines.md) | Critical 🔴 |
| [The app payment system complies with regulations](./docs/mobile/payments.md) | Critical 🔴 |
| [The app has an error-monitoring system configured](./docs/mobile/error-monitoring.md) | Critical 🔴 |
| [The certificates and keystores are securely stored](./docs/mobile/keystores-and-certificates.md) | Critical 🔴 |
| [The app securely stores user PII](./docs/mobile/pii-storage.md) | Critical 🔴 |
| [The user can request to remove their account](./docs/mobile/account-deletion.md) | Critical 🔴 |
| [The app should have a consistent versioning system](./docs/mobile/versioning.md) | Critical 🔴 |
| [Do not rely on Expo Secrets](./docs/mobile/expo-secrets.md) | Should have 🟡 |
| [The app has a new version prompt mechanism configured](./docs/mobile/new-version-prompt.md) | Should have 🟡 |
| [The app should work without any issues when font scaling in OS is enabled](./docs/mobile/font-scaling.md) | Should have 🟡 |
| [The permission usage descriptions should be localised](./docs/mobile/permissions.md) | Should have 🟡 |
| [The app using SSO always applies the recent rules](./docs/mobile/sso.md) | Nice to have 🟢 |
| [The app has properly configured and validated deep linking](./docs/mobile/deeplinking.md) | Nice to have 🟢 |
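Review bot: the deep-linking row is rated "Nice to have 🟢", but link verification is a security property, not polish: on Android, an intent filter without a matching `assetlinks.json` and `android:autoVerify="true"` is an unverified link that any other installed app can also claim, and on iOS a missing or malformed `apple-app-site-association` silently drops Universal Links to the browser. Consider "Should have 🟡" and, since this table drops the Scope and Comment columns the README table carries, restore at least the Scope column so rows such as this one and the keystore and PII rows can be tagged Security 🔒 like their web counterparts. Separately, "The app using SSO always applies the recent rules" does not say which rules; name the store guideline meant (or at least the vendor) in the row text so the item is checkable without opening the doc.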
48 changes: 24 additions & 24 deletions README.md
@@ -1,26 +1,26 @@
# Gorrion Production Readiness Checklist

| Name | Level | Scope | Comment |
| ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ----------------------------------------- | --------------------------------------------------------------------------------------- |
| [The website is available via the client’s domain address with TLS and redirected to HTTPS from HTTP](./docs/01-redirect-front-https.md) | Critical 🔴 | Frontend 🖥, Security 🔒 | |
| [The domain is redirected to the www subdomain](./docs/02-redirect-www.md) | Critical 🔴 | Frontend 🖥 | |
| [The check on https://securityheaders.com/ gives at least a “B” grade](./docs/03-security-headers.md) | Critical 🔴 | Frontend 🖥, Security 🔒 | |
| [The backend is accessible via the client’s domain with TLS](./docs/04-backend-tls.md) | Critical 🔴 | Backend ⚙️, Security 🔒 | |
| [The backend is accessible only from the client’s domains using CORS](./docs/05-backend-cors.md) | Critical 🔴 | Backend ⚙️, Security 🔒 | Not possible with mobile apps |
| [The JWT secret is safe and configured only on the server side](./docs/06-jwt.md) | Critical 🔴 | Backend ⚙️, Security 🔒 | |
| [The app has an error-monitoring system configured](./docs/07-error-monitoring.md) | Critical 🔴 | Backend ⚙️, Frontend 🖥, Monitoring 👀 | Recommended: https://sentry.io |
| [The app is deployed via the CI solution](./docs/08-ci.md) | Critical 🔴 | Deployment 🚀, CI/CD 🤖 | |
| [The app is hosted on a production-grade cloud solution](./docs/09-hosting.md) | Critical 🔴 | Deployment 🚀, Security 🔒 | Recommended: AWS, Digital Ocean, Fly.io |
| [The database is hosted on a production-grade solution](./docs/10-db.md) | Critical 🔴 | Deployment 🚀, Security 🔒 | Recommended: AWS RDS, Digital Ocean Databases, Supabase, PlanetScale or similar |
| [The system has backups enabled](./docs/11-backup.md) | Critical 🔴 | Deployment 🚀, Security 🔒 | |
| [CRON jobs should only be handled via one source of truth](./docs/12-crons.md) | Critical 🔴 | Backend ⚙️, Deployment 🚀 | |
| [All password related to the project should be shared via password manager only with corresponding group](./docs/13-passwords.md) | Critical 🔴 | Security 🔒, Deployment 🚀 | Do not share password, secrets etc. in messages nor host them on git |
| [The app should have a risk management and disaster recovery plan written down and available at any point](./docs/14-risk-management.md) | Critical 🔴 | Monitoring 👀, Security 🔒, Deployment 🚀 | |
| [The app has an uptime-monitoring system configured](./docs/15-uptime.md) | Should have 🟡 | Monitoring 👀, Backend ⚙️, Frontend 🖥 | Leverage health checks. Recommended: https://instatus.com/ or https://betteruptime.com/ |
| [The app has a logging solution configured](./docs/16-logging.md) | Should have 🟡 | Monitoring 👀, Backend ⚙️, Frontend 🖥 | Recommended: AWS Cloudwatch or https://betterstack.com/logtail |
| [The auto-scaling solution is enabled](./docs/17-autoscaling.md) | Should have 🟡 | Deployment 🚀, Backend ⚙️ | |
| [The frontend should be checked periodically in terms of performance](./docs/18-front-perf.md) | Should have 🟡 | Frontend 🖥 | At least test Core Web Vitals via Chrome Lighthouse |
| [Tests and audits should run in CI/CD pipelines](./docs/19-ci-cd-tests.md) | Should have 🟡 | CI/CD 🤖, Security 🔒 | Audit packages to limit CVEs, use SNYK CLI to check production docker images |
| [There is a way to quickly check and deploy hot fixes to production](./docs/20-hot-fixes.md) | Should have 🟡 | Deployment 🚀, CI/CD 🤖 | |
| [The error messages on client don’t include stack traces](./docs/21-stack-trace.md) | Nice to have 🟢 | Deployment 🚀, Security 🔒, Frontend 🖥 | Remove everything that can give attackers an attack surface |
| [The app has versioning system enabled and has a change log](./docs/22-versioning.md) | Nice to have 🟢 | Deployment 🚀 | |
| Name | Level | Scope | Comment |
| ---------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ----------------------------------------- | --------------------------------------------------------------------------------------- |
| [The website is available via the client’s domain address with TLS and redirected to HTTPS from HTTP](./docs/base/01-redirect-front-https.md) | Critical 🔴 | Frontend 🖥, Security 🔒 | |
| [The domain is redirected to the www subdomain](./docs/base/02-redirect-www.md) | Critical 🔴 | Frontend 🖥 | |
| [The check on https://securityheaders.com/ gives at least a “B” grade](./docs/base/03-security-headers.md) | Critical 🔴 | Frontend 🖥, Security 🔒 | |
| [The backend is accessible via the client’s domain with TLS](./docs/base/04-backend-tls.md) | Critical 🔴 | Backend ⚙️, Security 🔒 | |
| [The backend is accessible only from the client’s domains using CORS](./docs/base/05-backend-cors.md) | Critical 🔴 | Backend ⚙️, Security 🔒 | Not possible with mobile apps |
| [The JWT secret is safe and configured only on the server side](./docs/base/06-jwt.md) | Critical 🔴 | Backend ⚙️, Security 🔒 | |
| [The app has an error-monitoring system configured](./docs/base/07-error-monitoring.md) | Critical 🔴 | Backend ⚙️, Frontend 🖥, Monitoring 👀 | Recommended: https://sentry.io |
| [The app is deployed via the CI solution](./docs/base/08-ci.md) | Critical 🔴 | Deployment 🚀, CI/CD 🤖 | |
| [The app is hosted on a production-grade cloud solution](./docs/base/09-hosting.md) | Critical 🔴 | Deployment 🚀, Security 🔒 | Recommended: AWS, Digital Ocean, Fly.io |
| [The database is hosted on a production-grade solution](./docs/base/10-db.md) | Critical 🔴 | Deployment 🚀, Security 🔒 | Recommended: AWS RDS, Digital Ocean Databases, Supabase, PlanetScale or similar |
| [The system has backups enabled](./docs/base/11-backup.md) | Critical 🔴 | Deployment 🚀, Security 🔒 | |
| [CRON jobs should only be handled via one source of truth](./docs/base/12-crons.md) | Critical 🔴 | Backend ⚙️, Deployment 🚀 | |
| [All password related to the project should be shared via password manager only with corresponding group](./docs/base/13-passwords.md) | Critical 🔴 | Security 🔒, Deployment 🚀 | Do not share password, secrets etc. in messages nor host them on git |
| [The app should have a risk management and disaster recovery plan written down and available at any point](./docs/base/14-risk-management.md) | Critical 🔴 | Monitoring 👀, Security 🔒, Deployment 🚀 | |
| [The app has an uptime-monitoring system configured](./docs/base/15-uptime.md) | Should have 🟡 | Monitoring 👀, Backend ⚙️, Frontend 🖥 | Leverage health checks. Recommended: https://instatus.com/ or https://betteruptime.com/ |
| [The app has a logging solution configured](./docs/base/16-logging.md) | Should have 🟡 | Monitoring 👀, Backend ⚙️, Frontend 🖥 | Recommended: AWS Cloudwatch or https://betterstack.com/logtail |
| [The auto-scaling solution is enabled](./docs/base/17-autoscaling.md) | Should have 🟡 | Deployment 🚀, Backend ⚙️ | |
| [The frontend should be checked periodically in terms of performance](./docs/base/18-front-perf.md) | Should have 🟡 | Frontend 🖥 | At least test Core Web Vitals via Chrome Lighthouse |
| [Tests and audits should run in CI/CD pipelines](./docs/base/19-ci-cd-tests.md) | Should have 🟡 | CI/CD 🤖, Security 🔒 | Audit packages to limit CVEs, use SNYK CLI to check production docker images |
| [There is a way to quickly check and deploy hot fixes to production](./docs/base/20-hot-fixes.md) | Should have 🟡 | Deployment 🚀, CI/CD 🤖 | |
| [The error messages on client don’t include stack traces](./docs/base/21-stack-trace.md) | Nice to have 🟢 | Deployment 🚀, Security 🔒, Frontend 🖥 | Remove everything that can give attackers an attack surface |
| [The app has versioning system enabled and has a change log](./docs/base/22-versioning.md) | Nice to have 🟢 | Deployment 🚀 | |
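Review bot: every row is rewritten although only the `./docs/` prefix became `./docs/base/`, and the README still never mentions MOBILE.md, so the new checklist is undiscoverable from the entry point; add a one-line pointer to the mobile checklist above the table, and in the CORS row turn the comment "Not possible with mobile apps" into a link to it. Since each line is touched anyway, also fix the passwords row ("All password related" should read "All passwords related", and "host them on git" should read "commit them to git"), and soften the CORS row's title: CORS is enforced by browsers only, so it does not make the backend "accessible only from the client's domains" for mobile apps, scripts or curl; "The backend restricts browser origins via CORS" states what the control actually does.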
File renamed without changes (22 files: the existing docs/*.md pages moved to docs/base/*.md, matching the updated README links).
8 changes: 8 additions & 0 deletions docs/mobile/account-deletion.md
@@ -0,0 +1,8 @@
---
title: The user can request to remove their account
---
# The user can request to remove their account

## Description

Providing users with the ability to request account removal is essential for complying with privacy regulations and maintaining user trust.
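Review bot: the Description stops at one sentence and gives the reader nothing to check, unlike error-monitoring.md in the same change; this item is Critical in MOBILE.md because both stores now require it (Apple's App Store Review Guideline 5.1.1(v) requires apps that offer account creation to let users initiate deletion in the app, and Google Play's account-deletion requirement asks for an in-app path plus a web resource), so say so. Then list what "remove" must mean: the entry point is discoverable in the app without contacting support, the backend deletes or irreversibly anonymises the user's records including data already forwarded to third parties such as analytics and crash reporting, the retention period for backups and legally required records is documented, and the user gets a confirmation.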
13 changes: 13 additions & 0 deletions docs/mobile/deeplinking.md
@@ -0,0 +1,13 @@
---
title: The app has properly configured and validated deep linking
---
# The app has properly configured and validated deep linking

## Description

Deep linking enables users to quickly access specific content or features within your app, leading to enhanced user experience and increased engagement.

- **Apple App Site Association File**: ensure the `apple-app-site-association` file is accessible from the `.well-known` directory, has the proper Application ID and is returned as content-type `application/json`
- **Android Asset Links**: ensure the `assentlinks.json` file is accessible from the `.well-known` directory, and has the proper package name and fingerprint taken from Google Play Console
- **Test on Device/Simulator**: Use tools like `adb` and `xcrun` to test deep linking locally.
- **Online validators**: Tools like [yURL](https://yurl.chayev.com/) can help you test your domain settings.
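Review bot: the Android bullet misspells the file as `assentlinks.json`; the file must be served at `/.well-known/assetlinks.json` or verification fails outright. While fixing that, the bullet should also say that verification only happens when the intent filter carries `android:autoVerify="true"`, and that the SHA-256 fingerprint must be the one of the certificate Google Play signs the app with (Play App Signing), not the upload key, or the links stay unverified in production while working in debug builds. One more bullet is missing from a checklist that calls itself "validated": treat the path and query parameters of an incoming link as untrusted input, route only to an allowlist of screens, and never pass link-supplied URLs straight into a WebView.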
15 changes: 15 additions & 0 deletions docs/mobile/error-monitoring.md
@@ -0,0 +1,15 @@
---
title: The app has an error-monitoring system configured
---

# The app has an error-monitoring system configured

## Description

Implementing an error-monitoring system is crucial for proactively identifying, diagnosing, and resolving issues in the application.

- **Tool Selection**: Choose a reliable error-monitoring system such as [Sentry](https://sentry.io) or Firebase Crashlytics.
- **Configuration**: Configure the error-monitoring system to capture relevant information, including: error messages and stack traces, user context (anonymised where necessary), environment (production, staging, development), release versions etc.
- **Notification Setup**: Set up notifications and alerts to inform the development team of new errors or issues.
- **Documentation**: Document the setup and configuration process for the error-monitoring system. Include guidelines for handling and resolving errors, and ensure all team members are familiar with these procedures.
- **Continuous Improvement**: Use insights gained from error reports to continuously improve the application’s stability and performance. Prioritise fixing high-impact and frequently occurring issues.
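Review bot: the Configuration bullet needs an explicit PII rule, because breadcrumbs, request payloads and user context are shipped to a third-party SaaS and "anonymised where necessary" leaves the decision to each developer; require that user context carries an opaque user id only (no email or name), that request bodies and auth headers are stripped client-side (Sentry's `beforeSend` hook, or the tool's equivalent) and that server-side data scrubbing is enabled, otherwise this item conflicts with "The app securely stores user PII" two rows up in MOBILE.md. Two further bullets would make the item verifiable: upload source maps, dSYMs and ProGuard/R8 mappings from CI so production stack traces are symbolicated, and disable reporting in development builds so noise does not drown real crashes.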
8 changes: 8 additions & 0 deletions docs/mobile/expo-secrets.md
@@ -0,0 +1,8 @@
---
title: Do not rely on Expo Secrets
---
# Do not rely on Expo Secrets

## Description

When using the Expo-managed workflow, it's important to avoid storing environment variables in Expo Secrets. Instead, you should use the standard `.env` file. If you're using EAS Update, the variables will be fetched from the `.env` file, not from Expo Secrets. If the variables exist only in EAS Secrets, they will be empty during the update process, which could potentially lead to discrepancies.
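Review bot: the advice to "use the standard `.env` file" is missing a caveat that matters more than the EAS Update behaviour it describes: any value read from `.env` at build or update time, in particular `EXPO_PUBLIC_*` variables, is compiled into the JS bundle and can be read by anyone who downloads the app, so `.env` is a home for configuration (API base URLs, feature flags), not for secrets, and a committed `.env` is exactly the "secrets on git" that docs/base/13-passwords.md forbids. State that credentials with any write or billing power stay server-side regardless of how variables reach the client, so readers do not respond to this item by moving secrets from EAS Secrets into a checked-in file. Also the text calls the same feature "Expo Secrets" in the title and "EAS Secrets" in the last sentence; use one name.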
8 changes: 8 additions & 0 deletions docs/mobile/font-scaling.md
@@ -0,0 +1,8 @@
---
title: The app should work without any issues when font scaling in OS is enabled
---
# The app should work without any issues when font scaling in OS is enabled

## Description

Ensuring that your mobile app works seamlessly with the OS font scaling feature is crucial for providing an accessible and user-friendly experience.
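Review bot: as with account-deletion.md, the Description gives no acceptance criteria for a "Should have" item; add the checks a tester runs: set the largest text size in iOS Accessibility and Android Display settings and walk every screen looking for clipped or overlapping text, avoid fixed-height containers around text, and where a label is layout-critical cap growth with React Native's `maxFontSizeMultiplier` on that `Text` rather than turning `allowFontScaling` off globally, which defeats the accessibility setting the item exists to respect.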