I put together a list of ALL of the MattChat features I have implemented. I am posting this here, because I feel this is a VERY complete chat platform, and you folks here, would offer good feedback on things you think are whack or missing.

Any of you all want to maybe use something like this? Is federation with other MattChat servers something that would be wanted?

Without further ado here is 260+ lines of markdown:

1. Accounts & Authentication

• Username + password registration and login with bcrypt-hashed passwords
• Three server-configurable registration modes: open, closed (admin-created only), and invite-only (token-based)
• JWT access tokens with refresh-token rotation and a 60-second grace window for mid-rotation network failures
• Sessions table tracks active refresh tokens for revocation, device info, and IP
• Server-forced password change on next login (set by admin)
• Account self-service: update display name, status text, avatar, password
• Account deactivation (by admin or self)
• Short-lived WebSocket tickets for authenticated WS upgrade

2. Two-Factor Authentication (TOTP)

• Optional per-user TOTP 2FA with QR-code provisioning
• Admin-enforceable 2FA ("required" ) — user is prompted to set it up on next login and cannot proceed without completing enrollment
• Forced-setup flow with separate confirm endpoint so enrollment can't be bypassed
• Admin can reset or clear a user's 2FA from the admin panel

3. End-to-End Encryption

• Per-conversation encryption toggle (defaults to on)
• X3DH-style key exchange using identity key, signed pre-key, and one-time pre-keys (OTPKs) per device
• Ed25519 signatures on signed pre-keys (real cryptographic signatures, not sentinels)
• Double-ratchet session state per conversation, with out-of-order message handling
• Multi-device support: each device has its own key bundle; messages are encrypted once per recipient device
• Safety numbers (fingerprint) for out-of-band verification of a peer's identity
• Identity-change detection with user-facing warning modal before sending
• Automatic key-rotation handling (stale-session detection via key_generation counter)
• Server-side OTPK replenishment signaling; client auto-uploads new OTPKs when the pool runs low
• Per-requester rate limiting on key-bundle fetches (defense against OTPK-exhaustion attacks), with a rotation-aware exemption so self-heal on rotation still works
• decrypt_failed back-channel: receivers can request an encrypted re-send from the sender via a dedicated resends table
• Key recovery / regeneration modal for users with broken keys
• Device-list management UI (view, remove old devices)
• Explicit encrypted content type on messages so server + client can tell encrypted vs plaintext blobs without parsing

4. Messaging Core

• Text messages with Markdown formatting (bold, italic, strikethrough, inline code, fenced code blocks)
• Contextual Markdown preview button — only appears when the draft contains renderable Markdown, with Ctrl/Cmd+Shift+P shortcut
• Emoji rendering inline
• Message editing (with edited-at tracking)
• Message deletion (soft delete)
• Reply threading via reply_to_id with quoted reply preview bar above composer
• Message forwarding to one or many conversations with a forwarded-from indicator
• Copy message text to clipboard
• Per-message context menu (reply, react, copy, edit, delete, forward, star, transcribe)
• Message reactions: emoji reactions with toggle model (click same emoji again to remove)
• Starred messages / bookmarks: per-user server-synced starred list with a dedicated browsing modal
• Starred-view refinements: group-by-conversation toggle and search within starred messages
• Optimistic send (message appears instantly; reconciled on server ACK; marked red on failure with tap-to-retry)
• Drafts: per-conversation auto-saved drafts with Draft: indicator in the conversation list
• Read receipts with per-conversation last_read_at tracking
• Typing indicators with 3-second throttle; works around mobile IME quirks via compositionupdate/compositionend
• Infinite scroll message history with IDB-cached pages for instant cold start
• System messages (joins, leaves, name changes, call events, announcements)
• Client-side message search (encrypted conversations) + server-side trigram search (plaintext conversations)

5. Attachments & Media

• File uploads with resumable/backpressure-aware streaming (tolerates 10 GB files over slow connections)
• Server sniffs and caches the real MIME type (doesn't trust client-supplied values)
• Uploader-ownership enforcement: users can't attach someone else's uploaded file
• Image, video, audio, and generic-file message types
• Inline image and video rendering in message bubbles
• Lightbox for full-screen image viewing with prev/next navigation and download
• Media collections: consecutive image/video messages are visually grouped
• Drag-and-drop to attach (drop overlay appears over the chat)
• Per-conversation attachment avatars (conversation and user)
• Attachment keys are E2E-encrypted per recipient

6. Voice Messages

• In-app voice recording with live recording timer and cancel control
• Waveform visualization for playback with click-to-seek
• Voice transcription via bundled Whisper sidecar (ggml-tiny model) — user taps "Transcribe" and the transcript is stored and displayed inline

7. Conversations (DMs + Groups)

• 1:1 direct messages
• Group conversations with name, description, avatar
• New-conversation modal with tabs for DM and group creation
• User search (display name, username) for starting DMs or adding to groups
• Conversation list with last-message preview, unread badge, draft indicator, mute indicator, favorite pin
• Favorite conversations (pin to top)
• Mute conversation (suppress notifications)
• Per-conversation nicknames (rename a user just within one conversation)
• Conversation settings modal (rename, avatar, members, encryption toggle, invite management)

8. Group Management

• Roles: owner, admin, member
• Add/remove members
• Promote/demote to admin
• Transfer ownership
• Per-member posting permissions (admins can mute individual members from posting without kicking them)
• Invite links with expiration, max-uses, revocation, and use-count tracking
• Invite-accept flow for new members (with join confirmation modal)

9. One-to-One Calls

• Audio and video calls over WebRTC
• Incoming call overlay with accept/reject, outgoing call overlay with status, active call overlay with controls
• Mute, camera toggle, speaker toggle, camera switch (front/back on mobile)
• Screen sharing (replaces video track during share; restores camera on stop)
• In-call gear menu for device switching
• Device picker for mic/camera/output selection
• Call quality indicator
• Call timer
• Call decline via push notification action (works when app is backgrounded or closed)
• Call-end and call-decline REST endpoints used by the service worker
• Call events logged as system messages in the conversation timeline (with duration and bandwidth used)

10. Group Calls

• Two modes with admin-pickable strategy:
  • Mesh (peer-to-peer) for ≤ 5 participants — direct connections
  • SFU (mediasoup) for larger calls — server-relayed media
• Group audio and group video calls
• Participant list panel with live count
• Local PiP (picture-in-picture of own camera) with camera-off placeholder
• Mute, camera, screen-share, camera-switch controls per participant
• Gear menu for in-call device switching
• "Join in progress" banner on the conversation when a call is already active
• DB-enforced uniqueness so only one active group call per conversation (race-safe)
• Bandwidth tracking per call event

11. TURN / STUN / SFU Configuration (admin-side)

• Admin-configurable STUN and TURN servers for WebRTC NAT traversal
• HMAC-based ephemeral TURN credentials with configurable TTL (turn_secret, turn_secret_ttl)
• Server-relayed audio toggle for tricky network conditions
• mediasoup announced-address hot-swap (runtime update without restart)
• IP auto-detection helper for SFU setup

12. Push Notifications

• Web Push with VAPID keys (rotatable via server metadata store)
• Per-device subscription management (unique per user+endpoint)
• Always-notify toggle per subscription (foreground vs background behavior)
• Push payloads correlated with the per-device crypto deviceId so the server can send a slimmed E2E envelope (only the keys that device needs)
• Notification actions: accept call, decline call, mark read, reply (decline works even with app closed — the service worker hits /api/call/decline)
• Admin tools: send test push, view all subscriptions, delete stale subscriptions, run bulk cleanup

13. Progressive Web App

• Installable PWA (manifest with icons, maskable variants, screenshots for desktop and mobile form factors)
• Standalone display mode
• Service worker for offline shell, asset caching, and push handling
• Badging API: unread-count badge on the home-screen icon (installed PWA)
• Share Target API: receive files (images, video, audio, PDFs, text) shared from other apps via the OS share sheet
• Update banner when a new service-worker version is available
• Skip link for keyboard-accessibility

14. Themes & UI

• Light and dark themes with toggle button
• Theme icons swap (sun/moon) with "brand time" (sun during day, moon at night) variants
• System-respectful defaults, user preference persisted
• Responsive layout (separate chat-list screen on mobile, side-by-side on desktop)
• Back button on mobile conversation view
• Accessible roles and ARIA labels throughout

15. Link Previews

• Automatic Open Graph scraping for URLs in messages
• Preview cards with title, description, and thumbnail
• Server-cached link metadata (avoids re-fetching the same URL)
• Image proxy (/api/preview/image?url=...) to keep client IPs off third-party servers

16. Admin Panel

• Dedicated admin modal with full server management
• User management: create, list, search, deactivate, reset password, force password change, make/remove admin, edit avatar, manage 2FA, view user info
• Registration control: switch between open/closed/invite-only; create, list, and revoke invite codes with expiry + max-uses
• Conversation browser: list all groups on the server. Conversations are not possible to view even unencrypted.
• Visibility circles: named groups that control which users are discoverable to which others (e.g., students can only see students + teachers)
• Server settings UI: rate limits, TURN config, SFU config, registration mode, system announcement, etc.
• System announcement broadcast: push a system message to every active conversation
• Bandwidth dashboard: aggregated call data-transfer metrics
• Caddy integration: view certificate status and trigger renewal from the panel
• Push tooling: test push, view all subscriptions, clean up stale ones

17. Visibility Circles

• Admin-defined named groups controlling who can see whom in user search
• Per-user membership (one user can be in multiple circles)
• Enforced at user-search and new-conversation time

18. Security & Rate Limiting

• HTTP and WebSocket rate limits configurable from the admin panel at runtime
• Separate per-requester caps on key-bundle fetches (OTPK-exhaustion defense), rotation-aware
• Slowloris defense: 30-minute cap on request body arrival, terminating trickle uploads
• Server-side file-size limits per route (separate from the 10 GB global ceiling)
• trustProxy configuration for deployment behind Caddy
• Admin-on-admin mutation guard (admins can't edit other admins without ownership-like protections)
• Per-route auth guards and role checks

19. Composer / Input Area Features

• Auto-resizing textarea
• Ctrl/Cmd+Enter to send (configurable enter-to-send behavior)
• Paste-to-attach for images
• Drag-and-drop attachments
• Reply bar with cancel button
• Recording indicator during voice capture (separate row that replaces the input)
• Markdown preview toggle — hidden by default, appears only when the draft contains complete Markdown syntax; keyboard shortcut Ctrl/Cmd+Shift+P
• Per-conversation draft persistence (in memory, debounced to IndexedDB)

20. Storage & Offline Resilience

• IndexedDB caches conversation list, message pages, drafts, and plaintext for decrypted messages
• Instant cold-start from IDB before the network fetch returns
• Batched IDB reads for plaintext priming (single transaction for a whole page)
• Stale-cache guards (reject old v1/v2 envelope formats found in the cache)
• Background-hydration of per-conversation message caches on load
• Idle-time scheduling (requestIdleCallback) for link previews, media regrouping, and old-plaintext purging
• Service-worker offline shell

21. Deployment

• Docker Compose stack with app, Postgres, Caddy (reverse proxy + automatic HTTPS), and whisper-sidecar containers
• Single-container Dockerfile build
• Entry-point script handles migrations, seeding, and startup ordering
• Staged SQL migrations (36+ stage files) applied via _migrations tracking table
• Configurable via environment (domain, DB connection, secrets, VAPID keys, etc.)

22. Developer / Operational Niceties

• Health endpoint (/api/health) for readiness probes
• Structured Fastify logging (info in prod, debug in dev)
• Auto-derived CORS origin based on DOMAIN config (handles localhost, raw IPs, explicit protocol, bare domains)
• TypeScript throughout the server; watch-mode dev via tsx
• Seed script for initial admin/user data

Notable Small Touches

• Input field composes correctly with IME/predictive keyboards on mobile (typing events fire even when input doesn't)
• Optimistic bubbles reconcile against the WS broadcast coming back — no duplicate bubbles on fast networks
• "Nothing to preview yet" placeholder in the Markdown preview pane
• autoResizeTextarea runs after draft-load and after sends so the height never jumps
• Safety-number display has both raw and QR-code variants for verification
• Call system messages render with duration and data-transferred inline
• Reply bar auto-closes when the user starts editing an existing message
• Preview mode force-resets on conversation switch (session-local, not persisted across switches)