Project Background
Today I completed a major upgrade of a Todo List application, successfully transforming a single-user web application into a multi-user system with authentication capabilities and cross-platform server architecture. This project demonstrates not only technical proficiency but also the comprehensive application of modern web development best practices.
Technical Stack Upgrade
Original Tech Stack
- Frontend: HTML5 + CSS3 + jQuery 3.6.0
- Backend: Python Flask 2.3.3
- Database: SQLite single-table design
- Architecture: Single-user web application
Upgraded Tech Stack
- Frontend: HTML5 + CSS3 + jQuery 3.6.0 + Authentication interfaces
- Backend: Flask 2.3.3 + Flask-JWT-Extended + bcrypt
- Database: SQLite multi-user design (foreign key relationships)
- Authentication: Hybrid approach using both session-based authentication (for web UI) and JWT tokens (for API clients)
- Architecture: Multi-user server architecture designed to support cross-platform clients
Core Upgrade Components
1. Project Structure Reorganization
Reorganized the original flat structure to prepare for multi-platform development:
todo-list/
├── BLUE.md # Cross-platform development blueprint
├── CLAUDE.md # Development guide and code analysis
├── README.md # Project documentation
└── web-client/ # B/S Web client
├── backend/
│ ├── app.py # Flask application main file
│ ├── models.py # Data models
│ ├── requirements.txt # Python dependencies
│ ├── migrate_db.py # Database migration script
│ └── todo.db # SQLite database
├── static/
│ ├── auth.css # Authentication page styles
│ ├── auth.js # Authentication page scripts
│ ├── script.js # Main application script
│ └── style.css # Main application styles
└── templates/
├── index.html # Main application page
├── login.html # Login page
└── register.html # Registration page2. Database Schema Redesign
Original Schema
CREATE TABLE todos (
id INTEGER PRIMARY KEY AUTOINCREMENT,
title TEXT NOT NULL,
completed BOOLEAN DEFAULT FALSE,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);Multi-User Schema
-- Users table
CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE NOT NULL,
password_hash TEXT NOT NULL,
email TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Todos table (updated for multi-user support)
CREATE TABLE todos (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
title TEXT NOT NULL,
completed BOOLEAN DEFAULT FALSE,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE
);Technical Note: In SQLite, the updated_at column will only be set to the current timestamp on INSERT operations. For the updated_at field to function correctly on UPDATE operations, either the application logic must explicitly set this value during updates, or a database trigger should be implemented:
CREATE TRIGGER update_todos_updated_at
AFTER UPDATE ON todos
WHEN old.updated_at <> current_timestamp
BEGIN
UPDATE todos
SET updated_at = CURRENT_TIMESTAMP
WHERE id = OLD.id;
END;The ON DELETE CASCADE constraint ensures that when a user is deleted, all their associated todos are automatically removed from the database, maintaining referential integrity.
3. User Authentication System Implementation
Backend API Design
# User authentication endpoints
@app.route('/api/register', methods=['POST'])
def register():
# User registration logic with password encryption
@app.route('/api/login', methods=['POST'])
def login():
# User login verification, returns JWT Token
@app.route('/api/logout', methods=['POST'])
def logout():
# User logout, clears session
# Protected API endpoints
@app.route('/api/todos', methods=['GET'])
@login_required
def get_todos():
# Returns only current user's todosAuthentication Decorator
def login_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if 'user_id' not in session:
return jsonify({'error': 'Authentication required'}), 401
return f(*args, **kwargs)
return decorated_function4. Frontend Authentication Interface
Login Page Features
- Responsive Design: Supports desktop and mobile devices
- Real-time Validation: Username length and password strength checks
- Error Handling: Friendly error messages and loading states
- Security Features: Prevents form resubmission, password masking
Registration Page Features
- Input Validation: Username uniqueness, password confirmation matching
- Visual Feedback: Real-time input status indicators
- User Experience: Automatic redirect to login after successful registration
5. Database Migration Solution
Developed a professional database migration script migrate_db.py:
def migrate_database(db_path):
# 1. Automatically backup existing database
backup_path = backup_database(db_path)
# 2. Check table structure, determine if migration is needed
todos_columns, users_exists = check_table_structure(db_path)
# 3. Safely add user_id column and users table
# 4. Preserve existing data, assign to default user
# 5. Add foreign key constraints to ensure data consistency
# 6. Automatic rollback on failureMigration Features:
- ✅ Automatic data backup
- ✅ Data integrity protection
- ✅ Automatic rollback on failure
- ✅ Detailed migration logs
Technical Challenges and Solutions
1. Database Schema Mismatch Issue
Problem: After upgrade, encountered sqlite3.OperationalError: no such column: user_id error
Solution:
- Created safe database migration script
- Implemented progressive table structure upgrade
- Ensured zero data loss migration
2. API Path 404 Errors
Problem: Frontend calling /api/5 instead of /api/todos/5
Solution:
// Before fix
url: `${API_BASE}/${id}` // /api/5
// After fix
url: `${API_BASE}/todos/${id}` // /api/todos/53. User Data Isolation
Problem: Ensuring different users can only access their own data
Solution:
- Added user authentication checks to all API endpoints
- Database queries must include
user_idfilter conditions - Implemented strict session management
Performance Optimization Practices
1. Database Connection Optimization
- Avoid creating new connections for each query
- Implement connection pool management
- Optimize SQL query efficiency
2. Frontend Experience Optimization
- Implement loading state indicators
- Add operation confirmation dialogs
- Optimize error message display
3. Security Enhancements
- bcrypt password encryption storage
- JWT Token authentication mechanism
- XSS attack protection (HTML escaping)
- CSRF protection measures
Development Workflow
1. Requirements Analysis and Architecture Design
- Analyzed technical challenges from single-user to multi-user
- Designed cross-platform server architecture
- Developed detailed development roadmap
2. Backend System Refactoring
- Redesigned data models
- Strengthened API endpoint security
- Implemented user authentication system
3. Frontend Interface Development
- Designed authentication page UI/UX
- Refactored JavaScript logic
- Adapted responsive layout
4. Database Migration Implementation
- Developed and tested migration scripts
- Safely migrated production data
- Verified data consistency
5. Integration Testing and Optimization
- API interface functional testing
- User registration/login flow verification
- Data isolation security testing
Project Results
Functional Features
- ✅ User Management: Complete registration/login/logout functionality
- ✅ Data Isolation: Each user has independent todo data
- ✅ Session Management: Dual authentication based on Session + JWT
- ✅ Responsive Design: Supports desktop and mobile device access
- ✅ Security Authentication: bcrypt password encryption, anti-XSS attacks
Technical Metrics
- User Response Time: < 200ms (local environment)
- Data Security: 100% user data isolation
- Compatibility: Supports modern browsers
- Scalability: Reserved interfaces for multi-platform clients
Cross-Platform Development Plan
Based on today’s established server architecture, development will continue according to the BLUE.md roadmap:
Phase 2: Apple Ecosystem
- iOS client (Swift + SwiftUI)
- macOS client (Catalyst)
- Core Data offline caching
Phase 3: Android + Windows
- Android client (Kotlin + Compose)
- Windows client (C# + WPF)
- Local database caching
Phase 4: Linux + Integration Testing
- Linux client (Python + PyQt)
- Cross-platform integration testing
- Complete documentation writing
Technical Insights
1. Importance of Architecture Design
Good architecture design is the foundation of project success. Through reasonable module division and interface design, sufficient space is reserved for future functional expansion.
2. Caution in Data Migration
Data migration is a high-risk operation that requires adequate backup and rollback preparation. Automated migration scripts greatly reduce the risk of human error.
3. Importance of User Experience
Technical implementation is important, but user experience is equally critical. Responsive design, friendly error messages, and smooth interactions are all details that cannot be ignored.
4. Security-First Design Principles
Security must be considered from the beginning of the project, including password encryption, session management, and data isolation. The cost of later remediation is far higher than early design.
Summary
Today’s Todo List application upgrade was a complete technical practice, successfully evolving from a single-function web application to a modern multi-user system. This project not only demonstrates web application development best practices but also lays a solid foundation for subsequent cross-platform development.
Through this practice, I deeply realize: Good software is not completed in one go, but gradually perfected through continuous iteration and optimization. Each feature implementation and each problem solution is a step toward better user experience and stronger technical capabilities.
Tech Stack: Python Flask, SQLite, HTML5, CSS3, JavaScript, JWT, bcrypt
Project Features: Multi-user authentication, Data isolation, Responsive design, Cross-platform architecture
Development Date: July 24, 2025
Project Status: Web client completed, multi-platform client development in progress
脱敏说明:本文所有出现的表名、字段名、接口地址、变量名、IP地址及示例数据等均非真实,仅用于阐述技术思路与实现步骤,示例代码亦非公司真实代码。示例方案亦非公司真实完整方案,仅为本人记忆总结,用于技术学习探讨。
• 文中所示任何标识符并不对应实际生产环境中的名称或编号。
• 示例 SQL、脚本、代码及数据等均为演示用途,不含真实业务数据,也不具备直接运行或复现的完整上下文。
• 读者若需在实际项目中参考本文方案,请结合自身业务场景及数据安全规范,使用符合内部命名和权限控制的配置。Data Desensitization Notice: All table names, field names, API endpoints, variable names, IP addresses, and sample data appearing in this article are fictitious and intended solely to illustrate technical concepts and implementation steps. The sample code is not actual company code. The proposed solutions are not complete or actual company solutions but are summarized from the author's memory for technical learning and discussion.
• Any identifiers shown in the text do not correspond to names or numbers in any actual production environment.
• Sample SQL, scripts, code, and data are for demonstration purposes only, do not contain real business data, and lack the full context required for direct execution or reproduction.
• Readers who wish to reference the solutions in this article for actual projects should adapt them to their own business scenarios and data security standards, using configurations that comply with internal naming and access control policies.版权声明:本文版权归原作者所有,未经作者事先书面许可,任何单位或个人不得以任何方式复制、转载、摘编或用于商业用途。
• 若需非商业性引用或转载本文内容,请务必注明出处并保持内容完整。
• 对因商业使用、篡改或不当引用本文内容所产生的法律纠纷,作者保留追究法律责任的权利。Copyright Notice: The copyright of this article belongs to the original author. Without prior written permission from the author, no entity or individual may copy, reproduce, excerpt, or use it for commercial purposes in any way.
• For non-commercial citation or reproduction of this content, attribution must be given, and the integrity of the content must be maintained.
• The author reserves the right to pursue legal action against any legal disputes arising from the commercial use, alteration, or improper citation of this article's content.Copyright © 1989–Present Ge Yuxu. All Rights Reserved.