I. Document control

II. General Questions

1. How to configure email

xFans provides 2 sections in the Admin settings for email

• Email tab

  • Admin email: Email address for who will receive notification from system and contact form

  • Sender email: Email address for who will send the email in system

• SMTP tab

  • Host: enter SMTP host eg smtp.google.com

  • Port: SMTP port eg 465

  • Auth user: SMTP username

  • Auth password: SMTP password

  • Secure option: Enable if use port 465

2. How to add Google analytics code

Go to Admin panel > Settings > System settings > Google Analytics and enter your GA code.

3. How to add custom script

Go to Admin panel > Settings > System settings > SEO > Custom. There are 2 section you can enter your custom script

• Custom header script: website will render this content in the <head> tag

• Custom body script: website will render this content before </body> tag

4. How to update or change style

xFans does not provide option to change layout or style in the admin panel. However if you want to custom there are 2 solutions

• Change style from source code (recommend this)

• Or inspect element in xFans HTML code and get CSS class name or section then update your style to “Custom header script” section.

5. How to setup xFans payment gateway

xFans just supports these payment gateways.

a. CCBill

• Go to Admin > Settings > System settings > CCbill and enter CCBill information in the form

• CCBill webhook URL: https://[xFans-v2-api-domain]/payment/ccbill/callhook (eg https://api.xFans.info/payment/ccbill/callhook)

• Approval URL: redirect link to your website after purchased successfully. You can enter https://[xFans-front-office-domain]/payment/success (eg https://xfans.info/payment/success)

• Cancel URL: Redirect link after user cancelled or purchased unsuccessfully. You can enter https://[xFans-front-office-domain] (eg https://xfans.info/)

• Check for CCBill setup here

b. Verotel Flexpay (since v2.1.4)

• Go to Admin > Settings > System settings > Payment settings and enter Verotel credentials there

• Verotel webhook URL: https://[xFans-v2-api-domain]/payment/verotel/callhook (eg https://api.xFans.info/payment/verotel/callhook)

• Success URL: It is redirect pay after payment successful. You can enter https://[xFans-front-office-domain]/payment/success (eg https://xfans.info/payment/success)

• Check for Verotel setup here

c. Other Payment Gateways

Please contact us for custom requirements.

6. How to add footer menu

Go to Admin panel > FE Menu. Here you can see the list and create or update existing menu.

xFans provides only option to change footer menu for now

• From system page: FE will reload custom script file if it is system url. if enable you can select list of static pages too

• Is new tab: open link in a new tab once clicking on

• Title: menu text

• Path: link to the page (you can enter full url here if it is not system page)

• Section: where we will show the menu

• Ordering: enter sort number of menu item in the list

7. SMTP common list and setup

Sendgrid

• Host: smtp.sendgrid.net

• Port: 465 / 587

• Auth user: the string apikey. This setting is the exact string "apikey" and not the API key itself.

• Auth password: your Sendgrid API key eg: SG.xxxxx

Gmail

• Host: smtp.sendgrid.net

• Port: 465 / 587

• Auth user: your full email address eg: youremail@gmail.com

• Auth password: your Gmail password

M3 service

• Host: m3 host url eg v2010004s.m3xs.net

• Port: 587

• Auth user: email username account or M3 FTP master account

• Auth password: your email password or M3 FTP master password

8. What are product types on xFans

xFans provide 2 product options

• Physical product - Physical item such as mobile device, DVD disk, etc…

  • model has to ship to user once having an order

  • model is able to update shipping code, delivery status is needed in the control panel

• Digital product - Digital item such as photo, video or audio file

  • user purchases digital item will receive email notification with download link of digital item

  • model doesn’t need to manage order status, it is completed once user purchased successfully.

9. How can user cancel unsubscribe a model?

Our system supports to cancel CCBill subscription for now.

• In user: Login and check subscription tab and click on Cancel subscription button

• In admin panel

  • Setup CCBill Datalink Service username and Datalink Service password in the Settings > CCBill

  • username could be found in the Log in to CCbill admin panel -> Account Info -> Data link services suite

  • password could be found in the link https://admin.ccbill.com/megamenus/ccbillHome.html#AccountInfo/DataLinkServicesSuite(234)

• Important: For your ccbill account, please provide IP ranges that we should add in Datalink, for additional details, you may see our API guide, which also contains the list of other error codes and their explanation.

10. Banner & Logo sizes

• Slider banner: 1257 x 314

• Login Placeholder: 1086 x 1866

• Site Logo: 300 x 87

• Favicon: 16 x 16

III. Technical Questions

1. How does xFans storage asset files such as videos and images?

xFans supports Local storage (single machine) for now. We use nginx http_auth_module to protect assets. The download link usually is available in 4h, and have integrated business rules in our application.

2. Does xFans support S3 (Simple Storage Service) services like AWS S3 or Digital Ocean Space?

xFans supports local storage for now. If need S3 service you can customize our File module or contact for customization

3. Does xFans support FTP file server?

xFans supports local storage for now. If need FTP service you can customize our File module or contact for customization

4. Can we deploy xFans to AWS EC2?

Yes, xFans is able to be deployed to any VPS server, include AWC EC2

5. Does xFans support Kubernetes?

We have not supported for application container image in our script yet. So you have to create image eg with Docker and deploy application to Kubernetes. Or contact us for a customization.

6. Does xFans support Docker?

For now xFans does not provide Docker image yet. We will provide in future release.

7. Is xFans using CI/CD in our dev process?

Yes, we are using Jenkins for this purpose

8. How can we deliver the update efficiently?

We provide full source code, so you can do implementation if you want. Or we can provide Docker image for your customizations

9. How can we change style (CSS)?

We use less (https://lesscss.org/ ) to manage stylesheet. From source code you can

• Check style folder, here we define common style rules in the global.less, responsive.less, vars.less

• For separate component you can check related files in the components > component name > .less file. example to manage header, you can check components > common > layout > header.less

10. Can you confirm that your code set supports a PWA (not just web)?

It supports but not 100%, some we need to modify. basically we have no PWA yet

11. Do you use any design system that we should replicate for our bespoke UI to enable efficiency and speed in the dev process?

We just use ant design for our component design / approach.

12. Can you explain more about your approach to security, particularly how you manage authentication tokens and secure user data?

We do not provide server security or DDOS protection, we provide application only

Application below

Authentication Tokens:

• Secure Storage: Store tokens securely using methods like environment variables or dedicated secret management services. also support .env if needed

• Encryption: Encrypt tokens in transit and at rest to protect against interception and unauthorized access.

• Expiration and Rotation: Implement expiration dates for tokens with JWT Securing User Data:

• Data Encryption: Encrypt sensitive user data both in transit (using TLS/SSL) and at rest (using AES or similar algorithms).

• Access Controls: Enforce strict access controls and permissions to ensure that only authorized users and systems can access or modify data.

• Data Minimization: Collect and retain only the data that is necessary for the application to function, reducing the potential impact of a data breach.

13. How do you plan to handle error logging and monitoring in both the frontend and backend to ensure reliability and ease troubleshooting?

Backend we have request logs and httpexception log to track issues / exception. besides that we also have log tool to use in additional case In frontend we do not apply but we provide addon for Sentry log when having request from client

14. What strategies have you implemented for scalability, especially considering the hardcoded values and direct coupling seen in the snippets?

• No hardcoded values with configuration files or environment variables. If have we have constants file, and define all there

• default system is monolithic architecture but if want we can design as microservice.

• so far in our application, we just need to separate file server then we can apply load balancer without issue

• have cache system on our app, use Redis

• db: Have indexing, query optimization. Our DB platform supports sharding to improve database performance and scalability.

• we have queue, messaging system for asynchronous Processing, message queues and event-driven architectures to handle tasks that can be processed asynchronously.

15. Could you discuss your approach to ensuring code maintainability, such as documentation standards, coding conventions, and review processes you follow?

Documentation Standards:

• Code Comments

• README Files: we provided confluence page with all details

• API Documentation: we provided api docs already

Coding Conventions:

• Style Guides: we use Airbnb's JavaScript Style Guide

• Naming Conventions: Use clear and descriptive names for variables, functions, and classes.

• Refactoring: Regularly refactor code to improve readability and reduce complexity.

Review Processes:

• Code Reviews: Implement a peer review process where every piece of code is reviewed by at least one other developer before being merged.

16. How do you ensure the application is secure against common web vulnerabilities (e.g., SQL injection, XSS, CSRF)?

we do not use SQL but no-sql. and we use mongoose framework with mongodb-driver, it will prevent sql injection. CSRF is not applied on our product, we use API with authentication header. XSS we provided setup on nginx, if neeed any we can update there. Check our nginx template for details

17. What is your approach to testing, both in terms of unit tests and integration tests, for the frontend and backend?

We do not have E2E or unit test right now. manual testing whole app

18. Can you explain the decision-making process behind the mix of local and global styling approaches seen in the frontend?

==> https://ant.design/docs/spec/values

19. What live websites or apps has xFans built that we could take a look at

You can have a look at our portfolio - https://adent.io/portfolio

20. Is application designed out of the box to scale horizontally (i.e. to be deployed on multiple instances/containers)?

=> partial support, If you want to support auto scaling - need to customize the file server as below,

database -> there is no problem with db - scale or separate db for each module file service -> converting, transcode (eg from mov to mp4 h264), image processing (eg crop, resize...) we need to create a separate file media service otherwise we cannot support horizontal scale properly.
queue / messaging service -> we are using Redis - need a shared Redis server for all instances

21. What is the plan for scaling on database side?

=> So far it is single database but it support scaling well. check https://www.mongodb.com/basics/scaling . if needed we can design / change DB connection for each module without issue as well.

22. Where users/passwords are stored?

In the DB we store hashed password. 1-way hash (sha1)

23. Which React libraries are you using in the project

Version ^18.2.0

24. What would be the process of “theming” to customize look and feel

=> Current version we are using ant design (5.x) with its components
-> use scss superset to manage theme variable, theme size...
-> we can overwrite default ant design components if any (check antd custom theme )

25. Walk-through session management

note: we allow 1 device (user) login 1 time only

Step 1: call login api /login
Step 2: create session record with unique random-token and return token to client side
Step 3: for auth request, send token to http header
Step 4: check / verify token before process next
Step 5: get user info and verify status (eg inactive) and allow/disallow to next step

26. If deployed on AWS – can it be S3?

=> Yes, it can be deployed. we can also use full AWS service if needed. step below

1. Upload file to s3 server directly

2. Listen uplaod success event and notify Lambda function

3. Process media convert (for instance use AWS Media convert for video processing)

27. What do you use for video streaming?

=> default is nginx pseudo streaming -> for protected file we use nginx http_auth_request_module to verify

28. High-level Deployment steps?

• Create aws ec2 instance

• Install softwares for that instance (ffmpeg, redis, database...)

• Configure nginx config

• Deploy code / custom code to server

• Build / compile code with build command.

• Run application as normal node app with production process manager such as pm2