Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Introduction

Welcome to TaskMinder: a platform built to simplify school organization and improve collaboration between students, teams, and classes.

TaskMinder combines planning, communication, and file handling in one place, so you spend less time switching between tools and more time focusing on your actual work.

With TaskMinder, you can:

  • Track homework, lessons, events, and substitutions in a structured way.
  • Collaborate with classmates through shared class and team workflows.
  • Upload and manage files relevant to your school tasks.
  • Keep important information synchronized and accessible across your school setup.

Whether you are setting up TaskMinder for local development, self-hosting it for production, or just exploring the project, this documentation will guide you step by step.

  • Development setup: Start your local environment by following the development guide.

  • Production deployment: Deploy TaskMinder in production with the deployment guide.

You can explore the project on GitHub: https://github.com/Taskminder/TaskMinder

If you want a quick preview, visit: https://taskminder.de

Thanks for using TaskMinder! We hope it helps make school organization simpler, clearer, and more reliable for everyone involved.

Development

⚠️ Warning: Docs for develop branch

This guide outlines the current development process and is intended for contributing to the develop branch.
It may differ from the steps used in the latest stable release.

This guide outlines the steps necessary to set up your development environment for TaskMinder. This includes installing redis, PostgreSQL, bun with optional setup for ClamAV, Ghostscript and mdbook (requires rust and cargo).

⚠️ Warning: License Notice

Please make sure to review our license before contributing to the project!

ℹ️ Info

Windows is currently not supported, as the primary development and testing of this tool are carried out on Linux and macOS platforms. This may result in compatibility issues or unexpected behavior when attempting to run the server on Windows.

Installing Redis and PostgreSQL

Recommended versions: PostgreSQL 18.1+ and Redis v8.6+ (Redis Open Source).

Linux (Ubuntu / Debian)

Follow this guide to install Redis Open Source: Install Redis on Linux. Return here once complete.

Download PostgreSQL here: Download page of PostgreSQL. Return here once installed.

Don’t forget to start and enable both services to run at system startup:

# Redis setup is covered in the installation guide
sudo systemctl enable redis-server
sudo systemctl start redis-server
# PostgreSQL setup – this part is often not included in guides
sudo systemctl enable postgresql
sudo systemctl start postgresql
macOS

Follow this guide to install Redis Open Source: Install Redis on MacOS. Return here once finished.

Download PostgreSQL here: Download page of PostgreSQL. Return here once finished.

Service startup instructions are included in the respective guides.

GitHub Codespaces

Since Codespaces run on Ubuntu, the setup is similar to the Linux instructions. Auto-starting services on boot is skipped to save memory and runtime.

Install and start Redis:

sudo apt-get update
sudo apt-get install redis
sudo service redis-server start

Install and start PostgreSQL:

sudo apt-get update
sudo apt-get -y install postgresql
sudo service postgresql start

Installing Bun

Bun is required for this project.

To check if it’s already installed, run:

bun --version

You should see at least Bun 1.3.12 (last checked: April 10th, 2026).

If not installed, retrieve the download instructions from the Bun Download Page. For Github Codespaces, follow the npm instructions under the Mac/Linux Tab.

Installing ClamAV and Ghostscript - optional

This step installs the tools that scan files uploaded to the server. This is optional for development environments, as you typically wouldn’t enable scanning in that context. However, if you’re developing or testing upload functionality, please install these tools to ensure your code changes work correctly with the scanning pipeline.

Linux (Ubuntu / Debian) and Github Codespaces

Install ClamAV via apt package manager

sudo apt install clamav clamav-daemon -y
  • clamav: the command-line scanner (clamscan)
  • clamav-daemon: runs the clamd background service for faster scanning

Stop the daemon before updating virus definitions

# Github Codespaces
sudo service clamav-freshclam stop
# Ubuntu/Debian (Linux)
sudo systemctl stop clamav-freshclam

Update virus definitions

# fetches the latest virus signatures from ClamAV's servers
sudo freshclam

Start services

# Github Codespaces
sudo service clamav-freshclam start
sudo service clamav-daemon start
# Ubuntu/Debian (Linux)
sudo systemctl enable clamav-freshclam
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon

Install Ghostscript via apt package manager

sudo apt install ghostscript -y
gs --version

Ghostscript should at least return version 10.02.1 (last checked: November 7th, 2025).

macOS

Install ClamAV via Homebrew

brew install clamav

Verify the installation

brew list clamav
clamscan --version

You should see binaries like clamd, clamdscan, clamscan, and configuration files in /opt/homebrew/etc/clamav/. The version of ClamAV should at least be 1.5.1 (last checked: January 5th, 2026).

Copy sample configuration files

ClamAV ships with sample configuration files that you’ll need to customize:

cd /opt/homebrew/etc/clamav
cp clamd.conf.sample clamd.conf
cp freshclam.conf.sample freshclam.conf

Configure clamd.conf

nano /opt/homebrew/etc/clamav/clamd.conf

Edit or uncomment these lines:

# Where the database files are stored
DatabaseDirectory /opt/homebrew/var/lib/clamav
    
# Temporary directory
TemporaryDirectory /tmp
    
# Log file location
LogFile /opt/homebrew/var/log/clamav/clamd.log
LogFileMaxSize 5M
    
# Local socket (used by clamdscan)
LocalSocket /opt/homebrew/var/run/clamav/clamd.sock
FixStaleSocket yes
    
# Run as daemon
Foreground no

Configure freshclam.conf

nano /opt/homebrew/etc/clamav/freshclam.conf

Edit these lines:

DatabaseDirectory /opt/homebrew/var/lib/clamav
UpdateLogFile /opt/homebrew/var/log/clamav/freshclam.log
DatabaseOwner _clamav
Checks 12

Create required directories

sudo mkdir -p /opt/homebrew/var/lib/clamav
sudo mkdir -p /opt/homebrew/var/log/clamav
sudo mkdir -p /opt/homebrew/var/run/clamav
sudo chown -R $(whoami) /opt/homebrew/var/{lib,log,run}/clamav

Download virus definitions

freshclam

This downloads the latest virus definitions to /opt/homebrew/var/lib/clamav.

Start the ClamAV daemon

brew services start clamav

Note: Homebrew services don’t automatically update virus definitions. Remember to run freshclam regularly to keep your definitions up-to-date.

Install Ghostscript via Homebrew

brew install ghostscript
gs --version

Ghostscript should at least return version 10.06.0 (last checked: January 5th, 2026).

Clone Repository and Install Bun Packages

Visit the repo at https://github.com/TaskMinder/TaskMinder and fork it.

Then, on your local machine, choose a directory and run:

git clone https://github.com/YOUR_GITHUB_USERNAME/TaskMinder.git
cd TaskMinder

Replace YOUR_GITHUB_USERNAME with your actual GitHub username.

Install all dependencies:

bun install

Initialize the Database

Before using the database, you need to log into the PostgreSQL terminal (psql) and create a database. It’s also recommended to change the default postgres password.

Replace your_db_name with your actual database name.

Linux (Ubuntu / Debian) 
sudo -u postgres psql
\password

CREATE DATABASE your_db_name;
macOS 
psql postgres
\password

CREATE DATABASE your_db_name;
GitHub Codespaces 
sudo su postgres
psql postgres
\password

CREATE DATABASE your_db_name;

Create the .env File

To securely manage credentials, create a .env file in the root directory of your project. Use the .env.example file located in the root folder as a reference.

Setup mdbook (documentation) - optional

Follow the official guide: Installation mdbook. mdbook requires rust and cargo.

Applying database changes

Run bunx prisma migrate dev to apply schema changes from previously pulled commits to your local database. You should also run this command during development if the schema has been modified.

If you make changes to the schema while developing—especially on a feature branch—don’t forget to generate a migration file. Otherwise, your changes might be lost or overwritten when switching branches (e.g., to develop or main).

Start the Server

Run this command to compile the typescript code and start the development server:

bun run build
bun run dev

Notes:

  • You can manually compile the code by running bun run build, or use bun run build:fe and bun run build:be to compile the frontend and backend separately. After building, start the server with bun run dev.

  • We use linting/formatting tools to maintain code quality. To use ESLint and Prettier (frontend only) on this project, simply run: bun run lint (NOT bun run lint .!).

  • When updating the Prisma schema, remember to run bunx prisma generate to regenerate the client and TypeScript types in node_modules/. Before committing your changes, make sure to run bunx prisma migrate dev to create and apply the necessary migration files to your local database—skipping this step may result in broken or inconsistent code.

Deployment

What you’ll need

  • A valid domain (e.g. taskminder.de)
  • A server (minimum 2GB RAM and 20GB storage) running Ubuntu (≥ 24.04 LTS) with sudo or root access
  • The codebase of TaskMinder from https://github.com/TaskMinder/TaskMinder

1. DNS Configuration

Before proceeding with the server setup, configure your domain to point to your Ubuntu server.

Get Your Server’s Public IP Address

On your server, run:

curl ifconfig.me

Copy the returned IP (e.g., 203.0.113.42). Make sure the server is not behind a router. The following guide will use this example IP — replace it with your actual IP.

Configure DNS Records

Go to your domain registrar’s DNS management page (e.g., Namecheap, GoDaddy, Cloudflare etc.) and add the following records:

TypeNameValue (replace)TTL
A@203.0.113.42Automatic / 3600
Awww203.0.113.42Automatic / 3600

This assumes you’re using example.com and want www.example.com to also work.

We also use a subdomain for monitoring (monitoring.example.com) and a subdomain for a status page.

We use https://betterstack.com/ as it offers custom subdomains for the status page, but you may choose another provider. After setting up the status page, follow BetterStack’s instructions to configure the CNAME record.

For the monitoring page (monitoring.example.com), add the following record:

TypeNameValue (replace)
Amonitoring203.0.113.42

Wait for Propagation

DNS propagation can take a few minutes to several hours. Use tools like:

Once your domain resolves to your server’s IP, proceed to the next step.

2. Install Required Packages

Update and install dependencies:

This installs (if not already installed) Git, curl, NGINX, libnginx-mod-http-lua (for Lua in NGINX), lua-cjson (for NGINX), UFW, and Fail2Ban:

sudo apt update && sudo apt upgrade -y
sudo apt install -y git curl nginx ufw fail2ban libnginx-mod-http-lua lua-cjson

Verify lua was installed and is enabled:

See if the module was auto-enabled, if not, enable it first before proceeding:

ls /etc/nginx/modules-enabled/ | grep lua

Install Docker and Docker Compose:

Follow the official Docker documentation to install Docker and Docker Compose:

🔗 https://docs.docker.com/engine/install/ubuntu/

Enable and start Docker

sudo systemctl enable docker
sudo systemctl start docker

Enable and configure firewall (UFW)

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable

Configure Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo fail2ban-client status

3. Clone the Project from GitHub

cd /opt
sudo git clone https://github.com/TaskMinder/TaskMinder.git
cd TaskMinder

4. Configure NGINX

First, modify the nginx.config file to replace taskminder.de with your actual domain name.

vi nginx.config
# or
nano nginx.config

Install Certbot and Obtain SSL Certificates

Install Certbot and its NGINX plugin:

sudo apt install -y certbot python3-certbot-nginx

Run Certbot to obtain SSL certificates (replace example.com and subdomains with your actual domains):

sudo certbot -d example.com -d www.example.com -d monitoring.example.com

Certbot will automatically update the configuration file at /etc/nginx/sites-available/default. Delete this file, as you’ll be using your custom config instead. Also, delete the symlink: sudo rm /etc/nginx/sites-enabled/default

Now that you know the location and filenames of the generated certificates, update your original nginx.config at /opt/TaskMinder/nginx.config. Replace the certificate paths with the correct ones provided by Certbot.

Add Gzip and Lua settings in general nginx.config

Open the main nginx configuration file:

sudo nano /etc/nginx/nginx.conf

Inside the http { } block, comment out all related gzip lines, as we will be using it for compression work. Furthermore, add this line in the http block:

##
# Lua Maintenance Flag Setting
##
lua_shared_dict maintenance_flag 1m;

Deploy Your Final NGINX Configuration

# Copy your updated configuration
sudo cp /opt/TaskMinder/nginx.config /etc/nginx/sites-available/taskminder

# Enable and test the configuration
sudo ln -s /etc/nginx/sites-available/taskminder /etc/nginx/sites-enabled/
sudo nginx -t

# Restart NGINX to apply changes
sudo systemctl restart nginx

5. Set Up Non-Root User

Running as root means a compromised container could gain full system access. It is highly recommended to run the server as a non-root user (least privilege). We’ll use the name ubuntu for this guide, but you may choose another name.

sudo adduser ubuntu
sudo usermod -aG sudo ubuntu
sudo usermod -aG docker ubuntu

If adduser fails, the user likely already exists (common on cloud providers like AWS or DigitalOcean). In that case, just add them to the docker group:

sudo usermod -aG docker ubuntu

Give the user access to the project folder:

sudo chown -R ubuntu:ubuntu /opt/TaskMinder

Log out and reconnect as the ubuntu user:

exit
ssh ubuntu@<your-ip-address>

For enhanced security, use SSH key-based authentication instead of password-based logins to reduce the risk of unauthorized access. After adding your SSH key and verifying the connection, disable both root logins and password authentication:

Edit and/or uncomment the following lines in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no

Then restart SSH:

sudo systemctl restart ssh

6. Automated Backup Setup (via Cron)

Make the Backup Script Executable

The cron service needs permission to run the script. You only need to do this once.

chmod +x /opt/TaskMinder/backup-cmds/db_backup.sh

Add the Job to Crontab

This will schedule the script to run automatically.

Open the crontab editor for the current user:

   crontab -e

Add the following line to the bottom of the file, then save and exit:

   0 * * * * /opt/TaskMinder/backup-cmds/db_backup.sh >> /var/log/backup.log 2>&1

Verify the Setup

Confirm the job was added successfully by listing the active cron jobs:

   crontab -l

You should see the line you just added.

7. Add Docker Secrets and .env.production

Navigate back to the TaskMinder folder and create directories for secrets and backups:

cd /opt/TaskMinder
mkdir docker_secrets
mkdir db-backups

Before starting the application, create the following text files inside the docker_secrets/ folder. These files are used as Docker secrets for configuration:

FilenameDescription
db_name.txtName of the PostgreSQL database.
db_password.txtPassword for the PostgreSQL database user.
db_host.txtHost for the database, usually postgres when running in docker.
db_user.txtPostgreSQL database username.
redis_port.txtRedis port (default is 6379).
session_secret.txtSecure session secret (e.g., generate one with openssl rand -base64 32).
database_url.txtProvides the database URL for Prisma ORM: postgresql://db_user:db_password@taskminder-postgres:5432/db_name
encryption_key.txtEncryption key for server-side encryption in the database, generated with openssl rand -base64 32
encryption_key_secondary.txtRotation key for server-side encryption, generated with openssl rand -base64 32
encryption_key_lookup.txtLookup key for hashes for server-side encryption, generated with openssl rand -base64 32
proxy_hop.txtProxy hop count for additional reverse proxies that are configured by the server provider. Add 1 to account for the NGINX config.

8. Run Docker Compose and reset git changes

Navigate to the project root and build/start the containers:

cd /opt/TaskMinder
docker compose up -d --build

Reset git changes:

git reset --hard

And build/start the containers again:

docker compose up -d --build

9. TaskMinder Deployment Complete

Your TaskMinder server should now be running at:

10. What’s Next?

  • Create an account to set up a class and add your subjects, teams, and timetable.
  • Visit https://monitoring.example.com to change the default password “admin” to a secure one. You’ll be prompted to do this upon your first login.

11. Subsequent Updates

This guide covers minor version upgrades. For major version upgrades, please refer to the relevant migration guides to check for any breaking changes. Before upgrading, enable maintenance mode by adding a file flag with:

touch /etc/nginx/maintenance.flag

  1. Navigate to the root folder of the project and stop the Docker Compose process:

    docker compose down

  2. Pull the latest changes from the main branch on GitHub:

    git pull origin main

  3. Rebuild and restart the Docker containers:

    docker compose up -d --build

  4. Disable maintenance mode:

    rm /etc/nginx/maintenance.flag

Data Processing

Introduction

This document provides a comprehensive overview of data processing practices for our educational management system. As part of our commitment to data protection and privacy compliance (GDPR/DSGVO), we document what personal and operational data is intentionally collected, stored, and processed, as well as identify potential unintentional data capture points across all system tables.

Scope

This documentation describes all database tables defined in the current Prisma schema, with particular attention to the processing of personal data and related privacy implications. It also details the data stored in the Redis-powered cache, as well as the information collected during server monitoring (logs).

Data Processing Analysis by Table

1. Account Table

Purpose: User authentication and access management.

FieldData TypeIntentionally StoredPotentially Unintentional
accountIdIntegerUnique user identifierCould enable cross-system tracking
usernameStringPersonal identifier for loginMay reveal real names or personal info
passwordStringEncrypted authentication credentialHash algorithms may become vulnerable
createdAtBigIntAccount creation timestamp-
deletedAtBigIntAccount deletion timestamp-

Privacy Concerns:

  • Usernames might contain real names or other identifying information.
  • Password security is critically dependent on the strength and implementation of the hashing algorithm.
  • Personal data (username, password) is retained after the user has initiated deletion, creating a risk if the cleanup process fails.

Solutions:

  • Hashing using bcrypt: bcrypt automatically generates a unique random salt per password, making rainbow table attacks ineffective. We use a sufficient number of salt rounds (SALT_ROUNDS = 10).
  • Implemented a robust, automated cron job to ensure permanent deletion after the 30-day period.

2. AccountSessions Table

Purpose: Session management and user state tracking, provided by express-session.

FieldData TypeIntentionally StoredPotentially Unintentional
sidStringSession identifier for state managementCould enable session tracking across requests
sessJSONSession data and user contextRisk: May contain browsing patterns, IP addresses, device info
expireDateTimeSession timeout managementCould reveal usage patterns (login/logout times)

Privacy Concerns:

  • The sess JSON blob could inadvertently store sensitive runtime information.
  • Long session retention periods could enable user behavior analysis.
  • Session hijacking risks if cookies are not properly secured.

Solutions:

  • The sess JSON column intentionally stores: accountId, username, classId (if joined), and a csrfToken.
  • The session secret is cryptographically secure. Cookies are set with httpOnly: true and secure: true (in production) to prevent client-side script access and ensure transmission only over HTTPS.

4. Class Table

Purpose: Defines a class, acting as a central hub for all related data like students, subjects, events, homework and upload data.

FieldData TypeIntentionally StoredPotentially Unintentional
classIdIntegerUnique class identifier-
classNameStringThe name of the classMay identify a specific group of students
classCodeStringUnique encrypted code for students to join the classCould lead to abusive joins if class code is breached
classCodeHashStringUnique hashed code for students to join the class (fast lookup)Could lead to abusive joins if class code is breached
createdAtBigIntTimestamp of class creation-
isTestClassBooleanFlag to identify test/demo classes-
defaultPermissionLevelIntegerDefault user permission level for new members-
storageUsedBytesBigIntCurrent storage usage by the classMay reveal class activity level and content volume
storageQuotaBytesBigIntStorage limit allocated to the class-
dsbMobileActivatedBooleanFlag if DSBMobile is active-
dsbMobileUserStringThird-party service username (DSB Mobile)Risk: Credentials for external system
dsbMobilePasswordStringThird-party service password (DSB Mobile)Risk: Enables account compromise
dsbMobileClassStringClass Name to filter in substitution dataMay identify the specific class

Privacy Concerns:

  • Class centralizes all student data, making profile-building easier.

Solutions:

  • Implemented change class code function/button for class members.
  • Implemented strict access controls for rows containing third-party credentials.
  • Implemented secure (aes-256-gcm) server-side encryption for class codes, 3rd-party (DSB Mobile) migration coming soon

5. Event & EventType Tables

Purpose: Management of class-specific events (e.g., exams, holidays) and their categories.

Table.FieldData TypeIntentionally StoredPotentially Unintentional
Event.eventIdIntegerUnique event identifier-
Event.name / desc.StringEvent title and detailsRisk: May contain personal info (student names, sensitive topics)
Event.isPinnedBooleanEvent pinning-
Event.startDate/endDateBigIntEvent schedulingReveals attendance/activity patterns
Event.createdAtBigIntRecord creation timestamp-
EventType.nameStringCategory name (e.g., “Exam”, “Field Trip”)Adds context that could have privacy implications (e.g., “Detention”)
EventType.createdAtBigIntRecord creation timestamp-
Event.classIdIntegerLinks event to a specific class-

Privacy Concerns:

  • Free-text fields (name, description) are high-risk for unintentional storage of personal data.
  • The combination of event data, when linked to a Class, can reveal detailed schedules and activities for a specific group of students.

Solutions:

  • Provided clear guidance or input masks to discourage users from entering personal data in event names and descriptions.
  • Regularly audit event data for inappropriate content.

6. Homework & HomeworkCheck Tables

Purpose: Management of homework assignments and tracking student completion.

Table.FieldData TypeIntentionally StoredPotentially Unintentional
Homework.homeworkIdIntegerAssignment identifier-
Homework.isPinnedBooleanHomework pinning-
Homework.contentStringAssignment detailsMay contain student-specific instructions or references
Homework.submissionDateBigIntDeadline managementReveals individual work patterns
Homework.createdAtBigIntRecord creation timestamp-
HomeworkCheck.accountIdIntegerStudent identifierDirect link to student performance
HomeworkCheck.homeworkIdIntegerAssignment referenceCreates detailed academic profile when combined with accountId
HomeworkCheck.createdAtBigIntRecord creation timestamp-

Privacy Concerns:

  • The HomeworkCheck table creates a direct, persistent record of individual student performance and behavior (completion status).
  • This data is highly valuable for academic analytics but is privacy-sensitive and can be used for student profiling.

7. JoinedClass & JoinedTeams Tables

Purpose: Manage the relationship between Accounts and the Class or Team they belong to.

Table.FieldData TypeIntentionally StoredPotentially Unintentional
JoinedClass.accountIdIntegerStudent/user identifierLinks a specific user to a class
JoinedClass.classIdIntegerClass identifier-
JoinedClass.permissionLevelIntegerUser’s role/permissions in the class-
JoinedClass.createdAtBigIntRecord creation timestamp-
JoinedTeams.accountIdIntegerStudent/user identifierCreates social network mapping within a class
JoinedTeams.teamIdIntegerGroup associationCould reveal social connections and group dynamics
JoinedTeams.createdAtBigIntRecord creation timestamp-

Privacy Concerns:

  • Social Graph: The JoinedTeams table explicitly maps out social connections and group affiliations within a class, which can be highly sensitive.
  • This data can be used to analyze social dynamics, peer relationships, and potential cliques.

8. Lesson Table

Purpose: Defines the weekly class schedule, including subjects, times, and locations.

FieldData TypeIntentionally StoredPotentially Unintentional
lessonNumber/weekDayIntegerSchedule structureReveals attendance patterns
classId/teamIdIntegerClass/group assignmentLinks schedule to specific groups
roomStringLocation managementMay reveal physical presence patterns
startTime/endTimeBigIntTime managementEnables detailed daily schedule tracking
createdAtBigIntRecord creation timestamp-

Privacy Concerns:

  • The combination of fields in this table allows for the reconstruction of a detailed daily schedule for student groups, including their physical location (room) at specific times.

9. Subjects Table

Purpose: Stores information about school subjects and their assigned teachers for a specific class.

FieldData TypeIntentionally StoredPotentially Unintentional
subjectIdIntegerUnique subject identifier-
subjectName…String / String[]Subject name and variations-
teacherGenderStringTeacher gender for display/adminPrivacy concern: May enable discrimination or profiling
teacherName…String / String[]Full and short teacher nameDirect personal identifiers of staff
classIdIntegerLinks subject to a specific class-
createdAtBigIntRecord creation timestamp-

Privacy Concerns:

  • Teacher’s Personal Data: This table directly stores identifiable personal data about teachers (teacherNameLong, teacherNameShort, teacherGender).
  • Consent: Ensure teacher consent is obtained for storing and displaying this information.

10. Team Table

Purpose: Defines a specific group (team) within a class.

FieldData TypeIntentionally StoredPotentially Unintentional
teamIdIntegerUnique team identifier-
nameStringName of the teamMay be revealing (e.g., “Advanced Group”, “Remedial Reading”)
classIdIntegerLinks team to a specific class-
createdAtBigIntRecord creation timestamp-

Privacy Concerns:

  • The name of a team could imply academic level, behavioral status, or other sensitive classifications about its members.

11. Upload & FileMetadata Tables

Purpose: Management of file uploads, upload requests and their metadata. An upload can contain one or multiple files.

Table.FieldData TypeIntentionally StoredPotentially Unintentional
Upload.uploadIdIntegerUnique upload job identifier-
Upload.uploadNameStringUser-provided name for the uploadMay contain personal info or sensitive content descriptions
Upload.uploadDescriptionStringUser-provided description for the uploadMay contain personal info or sensitive content descriptions
Upload.uploadTypeStringCategory/type of uploadCould reveal the nature of shared content
Upload.isPinnedBooleanUpload pinning-
Upload.statusStringProcessing state of uploadReveals system usage patterns
Upload.errorReasonStringError details if upload failedMay leak technical details or file content information
Upload.reservedBytesBigIntStorage space reserved for uploadIndicates size/scope of content being shared
Upload.createdAtBigIntUpload timestampReveals user activity patterns and collaboration timing
Upload.teamIdIntegerLinks upload to a specific teamCreates connection between users and shared content
Upload.accountIdIntegerIdentifier of user who uploadedDirect link to user and their shared content
Upload.classIdIntegerLinks upload to a specific class-
UploadRequest.uploadRequestIdIntegerUnique upload request identifier-
UploadRequest.uploadRequestNameStringUser-provided title of the upload requestMay contain personal or sensitive descriptions
UploadRequest.classIdIntegerLinks request to a specific classReveals class involvement
UploadRequest.teamIdIntegerLinks request to a specific teamMaps request to social/working groups
FileMetadata.fileMetaDataIdIntegerUnique file metadata identifier-
FileMetadata.uploadIdIntegerLinks file to its upload job-
FileMetadata.storedFileNameStringUUID-based filename on diskPrevents direct file access but enables file tracking
FileMetadata.mimeTypeStringFile type informationReveals nature of content (documents, images, videos, etc.)
FileMetadata.sizeIntegerFile size in bytesCombined with mime type, may identify specific content
FileMetadata.createdAtBigIntFile creation timestampEnables detailed activity tracking

Privacy Concerns:

  • Content Profiling: The combination of uploadName, uploadDescription, uploadType, mimeType, and size can create detailed profiles of what type of content users and teams are sharing.
  • User Attribution: The accountId field directly links uploaded content to specific users, creating a permanent record of who shared what.
  • Team Dynamics: Upload patterns (frequency, size, type) can reveal team collaboration dynamics and potentially identify active vs. inactive members.
  • Temporal Tracking: Timestamps enable detailed analysis of when users are active and how they collaborate over time.

Solutions:

  • Implement strict file type validation and size limits to prevent abuse.
  • Ensure errorReason messages are sanitized and do not expose sensitive details.
  • Implement retention policies for old uploads and automatic cleanup.
  • Monitor storage usage patterns to detect potential abuse.

12. UploadRequest Table

Purpose: Manages requests for file uploads, allowing users to specify what files or types of content are needed from class members or teams.

FieldData TypeIntentionally StoredPotentially Unintentional
uploadRequestIdIntegerUnique upload request identifier-
uploadRequestNameStringUser-provided title/description of requestMay contain personal or sensitive context
classIdIntegerLinks request to a specific classReveals class involvement and collaboration needs
teamIdIntegerLinks request to a specific teamMaps request to social/working groups; may reveal group dynamics

Privacy Concerns:

  • Contextual Data: The uploadRequestName field may inadvertently include personal or sensitive information if users describe the request in detail (e.g., “Upload your medical certificates here”).
  • Group Dynamics: Linking requests to specific teams (teamId) or classes (classId) can expose collaboration patterns and group-specific activities.

Cross-Table Privacy Risks

The Class schema as a central entity increases cross-table risks.

1. Granular Profile Building

Combining data across tables enables the creation of highly detailed user profiles:

  • Student Profile: Academic performance (HomeworkCheck) + social connections (JoinedTeams) + daily schedule and location (Lesson) + specific activities (Event). All data is correlated through classId.

2. Behavioral and Social Analytics

  • The normalized structure allows for analytics on student behavior, such as correlating homework completion (HomeworkCheck) with team membership (JoinedTeams) or specific lessons (Lesson).
  • Social network graphs can be generated from the JoinedTeams and Account tables, revealing peer influence and group dynamics.

Data Collected and Stored in Redis and Telemetry Systems (Prometheus/Loki)

Redis

Our Redis architecture serves as a cache to temporarily store data, reducing database load and improving performance. Cached data is automatically cleared when a service restarts or when the corresponding data is deleted from the database. The following types of content are stored:

  • Homework, events, lessons, timetables, teams, substitutions and upload metadata (first 50 entries) for each class
  • Authenticated user and class information

Telemetry Data

To maintain and improve our service quality, we collect certain telemetry data, which is stored in server logs:

  • Date and time of the request
  • Request content
  • HTTP status code
  • Size of the returned data
  • Referrer information
  • User agent details (e.g., browser name and version, operating system, etc.)

Retention: Logs are stored for 14 days (±2h) and are permanently deleted thereafter.

  • Document Version: 2.3
  • Stable Version Alignment: v2.2.5
  • Last Updated: February 1st, 2026
  • Next Scheduled Review: Quarterly – April 11th, 2026
  • Technical Contact: info@taskminder.de

Release Notes

All changes are grouped by type and the latest version appears first.

[v2.2.5] - 2026-04-12

Breaking Changes

  • chore(db): migrate postgresql@14 to postgresql@18
  • feat(encryption): add server-side encryption

Added

  • feat(frontend): add caching and offline mode
  • feat(maintenance): add maintenance mode
  • feat(animation): add animations, add specific calendar animation
  • feat(warnings): add suspicious settings warnings
  • feat(upload): add upload description and request new uploads
  • feat(upload): edit files
  • feat(homework/event/upload): add homework/event/upload pinning
  • feat(upload): file-input as pretty wrapper for drag&drop and browse file input with preview list
  • chore(homework): add “later” section
  • chore(ui): show breaks in the timetable and correctly display them (respect events/substitutions)

Fixed

  • fix(rate-limit): proxy setting and update nginx.config
  • fix(subject): subject data not stringified correctly
  • fix(account): send 201 instead of 200 at /register
  • fix(links): /main links to events/homework do not use pjax
  • fix(homework/check): homework check on /main does not work
  • fix(navbar/login): login button in navbar does not always show up
  • fix(richtextarea): allow multiple spaces in rich textarea
  • fix(search): search in plaintext not styled rich textarea text

Changed

  • chore(scss): compressed scss for event type styles
  • chore(frontend/cache): better caching for event type styles and files
  • chore(frontend/logic): guess new subjectId for substitution
  • chore(ux): copy unknown error server response & better request timeout error toast
  • chore(ui): better appearance of substituted breaks
  • chore(logging): improve error logs on server
  • chore(ui): improve frontend class settings on mobile
  • chore(upload/loading): add upload loading animation
  • chore(substitution): change DSBMobile fetch to weekday peak time prefetch
  • chore(api): rename and change method of API routes
  • chore(password): bump password requirements
  • chore(ui): make bottombar icons pop on click
  • chore(ui): scroll to top on site change
  • chore(substitution): replace axios with node fetch
  • chore(substitution): use shared cache key per school, avoid redundant DSB API fetches for classes within the same school
  • chore(frontend/logic): remove $.get and replace with modern fetch
  • chore(ui): change filter interface to modal and offcanvas (mobile)
  • chore(tableview): improve table layouts for events & uploads
  • chore(csp): remove csp .env variable
  • chore(getdata): event, homework and upload metadata order by more values
  • chore(docs): migrate to mdbook and github actions/pages for deployment
  • chore(sitemap): update sitemap values
  • chore(migration): add migrate upload metadata date script
  • chore(package): update package.json version to v2.2.5, bump packages, update CI
  • chore(frontend): several bugfixes and smaller improvements
  • chore(backend): several bugfixes and smaller improvements

[v2.2.4] - 2026-01-11

🎉 Happy New Year! This release kicks off the year with improvements and fixes to make TaskMinder smoother, faster, and more reliable. Thanks for your support—here’s to a productive year ahead!

Added

  • feat(main): new homework view on /main
  • feat(upload/event): add table/gallery view
  • feat(upload/event/homework): add search boxes
  • feat(timetable): suggest most used room for subject, add autocomplete markings
  • chore(upload): add not supported note for download for webkit-standalone users

Fixed

  • fix(homework): check animation does not show
  • fix(homework): homework list renders twice
  • fix(homework): homework button stays disabled
  • fix(navbar): reload button does not properly show / hide
  • fix(getTeamsData): data is not stringified with BigIntreplacer, leading to fetch errors
  • fix(migration): demo class homework/event movement does not work
  • fix(upload): upload not found change http code from 400 to 404
  • fix(event/homework): events/homework can be changed/deleted through API even if not in class
  • fix(event): check for valid eventTypeId before adding/editing events
  • fix(checkhomework): homework of foreign classes can be checked through API

Changed

  • chore(docs): update year to 2026
  • refactor(class): rewrite 62base method to use randomInt from crypto package
  • feat(event): singleflight deduplication for sass compilation of event styles
  • chore(deps): update packages, allow bun > v1.3.5 again
  • fix(rate-limit): increase global threshold to 125req/s

Removed

  • chore(deps): remove express-async-handler in favor of native ts implemetation

[v2.2.3b] - 2025-12-14

Fixed

  • fix(regression): homework checking is not consistent across page reloads on webkit clients (Safari)
  • fix(regression): improved alloy config and better labelling
  • chore(docker): bump monitoring stack packages

[v2.2.3a] - 2025-12-13

Fixed

  • fix(regression): checking homework would display all homework of the last 60 days
  • fix(regression): page did not load properly with content (grey screen)
  • fix(linting): run linting in frontend folder

[v2.2.3] - 2025-12-12

Changed

  • Backend: Invalidate cache at all update actions (edit, delete, set, etc.), only refetch if getting (GET) data
  • Backend: Implement individual route rate-limiters
  • Sys: Lock in bun on v1.3.3 (v1.3.4 has package installment issues) in production
  • Frontend: Improve performance by listening directly on changed data instead of socket to update
  • Frontend: Add explicit info box for data responsibility

Fixed

  • Backend: Fix awaiting some async functions in backend

Security

  • Package bumping

[v2.2.2] - 2025-11-30

Changed

  • Backend now sends regex for substitution data directly
  • Add 400 return codes if file is too large or too many files being uploaded
  • Explanation for test class is now wrapped in an info box
  • Added createdAt field to multiple tables
  • Cache is now invalidated/refechted if corresponding data changes
  • Change cron job delete test class schedule to run every 15mins
  • Uploads now support autocomplete for lessons and date (at title)

Fixed

  • Migrate from promtail (deprecated) to alloy
  • (. Stunde) bug still existed in /main
  • Certain lessons were not displayed in timetable
  • “Heute kein Unterricht” (or the blue info box in general) did not always display immediately
  • Improve production deployment regarding permissions (least privilege)
  • Change host volume to named volume in docker compose to avoid permission errors
  • Correct docs at db migration
  • Fixed Adding/editing/checking homework will lead to displaying all homework (ignoring filters) of the last 90 days

Removed

  • Redis volume as not needed anymore (cache-only)

Security

  • Package bumping

[v2.2.1] - 2025-11-16

Fixed

  • BigInts were not correctly serialized to JSON at /get_upload_metadata
  • ClamAV did not work in production as intended
  • Add object “self” to CSP headers to support upload viewing

[v2.2.0] - 2025-11-16

Added

  • Add feature to upload files
  • Timetable announcer, e.g. “Nächste Stunde Geographie in 48min in Raum 40983.”
  • Randomly select one homework (spin wheel), exclude/include homework in selection (like vocab)
  • Add easter egg in devTools
  • Add “Angemeldet als…” in offcanvas
  • Socket events for many real-time changes
  • Add loading bar to simulate progress
  • Add frontend feedback for timetable changes
  • Move events and homework further along (1 week)

Fixed

  • Fix bug where an account could not be deleted due to too early checks in backend
  • Fix bug where teams could not be deleted due to wrong css selector in frontend
  • Fix big where cache could return invalid or outdated data
  • Fix bug where substitution cache would return No Data due to inconsistent thrid-party response
  • Fix bug where “Neuer Nutzername” at change name is type=password

Changed

  • Different text styles for more or less important things, misc. UI changes
  • Marking of text now adapts to background of event, etc.
  • Improved data loading to skip file calling when previously called (up to 2x less requests and data transferred)
  • Use substitutionData when auto selecting date at addHomework, etc.
  • /main links smaller (arrows)
  • Improved out-of-bounds checks and additional barrier checks in the backend
  • Improved caching for all relevant tables if one related thing is updated
  • Migrate from custom logger to winston
  • Require bun v1.3.2 (> v1.3) in development and production (no breaking changes)
  • Renaming files in backend for readability
  • Monitoring /metrics endpoint exposed to local network instead of public route
  • Bump loki, prometheus, grafana, promtail (no breaking changes)
  • Bump redis to v8 (no breaking changes)
  • Increased deletion for homework from 60 to 90 days

Security

  • Package bumping
  • Close security issue with validator.js (removed)

Removed

  • Remove unused packages
  • Remove unused domain names from nginx config

[v2.1.0] - 2025-09-27

Added

  • Add prisma.config.ts to Dockerfile
  • Add event cleanup cron job (365 days)
  • Tests for services in backend
  • Accessibility features
  • ToS

Fixed

  • Fix bug where a joined class user (not logged in) visiting /join or / would get the hardcoded 10d - className value
  • Fixed check for team/subject (now validates specific teamId, subjectId, and classId)

Changed

  • Update documentation
  • Scripts improvements through GITCMD and DOCKERCMD
  • Frontend improvements
  • Improve SEO
  • Change classCode, className, upgrade test classes to normal classes

Removed

  • Remove unused packages

[v2.0.0] - 2025-08-16

Breaking Change

  • Database structure (please refer to the migration guide on docs.taskminder.de)

Added

  • Functionality to create new classes (account required)
  • Functionality to log out, delete account, change password and username
  • Add autocomplete for due date and team selection as soon as subject is selected
  • QR Code sharing of class code
  • Copy paste for event/homework descriptions
  • Add prisma transactions for safer database handling
  • Add homework check animation
  • Add sharing events with calendar
  • Add soft deletion of accounts wth 30d auto delete from db
  • Add permission levels (0,1,2,3) for classes with different permission levels
  • Default setting for unregistered user and individual permissions for registered users
  • Functionality to kick members from class
  • Add 404 page

Changed

  • Change formatter to eslint formatting instead of prettier
  • Improve data loading on frontend side
  • Improve production handling by introducing build and run stages in Dockerfile
  • Rename tables for more generic usage
  • Update nginx config for domain change and redirection
  • Change calendar month view: show 2 weeks before & after selected, not the whole month
  • Improve displayed dates (strings like tomorrow or weekdays)
  • Move session check and class check to extra middleware with single source of truth check with db with redis caching
  • Move vaidation (zod) layer from controller to seperate middleware

Fixed

Frontend

  • Show more button on rich textarea not showing up
  • No 404 result
  • Multiple toast containers which overlap
  • Homework checking is buggy on frontend
  • Class settings: made more collapsible

Backend

  • Server not restarting on change
  • Move type packages to devDependencies in package.json
  • Error on requesting unknown route

Security

  • Package bumping

Removed

  • Timetable validator, ajv package
  • Compression package, compression now handeled by nginx

[v1.2.2] - 2025-07-14

Changed

  • change domain to taskminder.de, update email to info@taskminder.de
  • update default legal information

Fixed

  • fix nginx config file and setup guide in documentation

[v1.2.1] - 2025-07-14

Added

  • add codylon.de migration toast

Changed

  • Increase timeout to 5 seconds
  • migrate to extern sh script

Fixed

  • sometimes no homework & events appear on their own site
  • fix cache stringify issue

[v1.2.0] - 2025-06-10

Breaking Change - License

Users must review and comply with the updated license terms before updating or continuing use.

Added

  • Migrated runtime environment from Node.js to Bun for improved performance and native support for TypeScript.
  • Updated all scripts and tooling to be compatible with Bun.

Changed

  • Replaced npm scripts with bun equivalents.
  • Adjusted build and deployment pipelines to support Bun.
  • run linting and formatting tools in frontend
  • LICENSE changes to clarify ownership and permissions

Removed

  • Removed package-lock.json in favor of Bun’s dependency manager.

[v1.1.2] - 2025-06-08

Added

  • Rich text support in homework and events.
  • Added release notes for v.1.1.1 and v1.1.2
  • Linting and Formatting tools - ESLint and Prettier.

Changed

  • Impressum and DSGVO updates
  • UI improvements

Fixed

  • Resolved an issue where logged-in users were unable to join multiple teams within the same class.

Security

  • Bump packages to close security iusses.

[v1.1.1] - 2025-06-04

Fixed

  • fix redis cache not working correctly

[v1.1.0] - 2025-06-03

Added

  • .env.example file

Changed

  • Moved docs to host on readthedocs
  • Migrate to prisma ORM, add migrations

Fixed

  • wrong joinedTeamsData saved locally
  • edit toggle btn doesn’t always show up when logged in

[v1.0.1] - 2025-05-25

Added

  • Support for multiline event and homework descriptions.
  • .sql dump compression to reduce storage usage.
  • Collapsible long events to improve UI/UX.
  • Production documentation updates for:
    • User permission details.
    • Switched the order of NGINX and Certbot setup.
  • trust proxy enabled for Express Rate Limit compatibility (source).

Changed

  • Resized “Copy Classcode” button for better mobile experience.
  • Updated NGINX configuration for improved compatibility and performance.

Fixed

  • Timetable now properly displays when no substitutions are available.
  • Backup table issue resolved by referencing the correct .env variable.
  • Duplicate display issue corrected in UI.

Security

  • Bump packages to close securtity iusses.
  • Escaping html to reduce attack risks.

[v1.0.0] – 2025-05-23

Added

  • Fetch, edit, and store timetable and subjects from the frontend.
  • Ability to add and edit teams.
  • Privacy Policy including Impressum, Datenschutzinformation, and contact email.
  • Forced login or class code entry before accessing content.
  • Copy class code button for easy sharing.
  • Server monitoring tools to track system health and performance metrics.

Changed

  • Migrated codebase from JavaScript to TypeScript for improved type safety and maintainability.
  • External content fetching moved from client-side to server-side.
  • SEO improvements to enhance discoverability.
  • Mobile navigation improved with off-canvas menu and direct login/logout buttons.
  • File compression enabled to reduce load times.
  • Documentation migrated from Notion to self-hosted MkDocs.
  • Bumped core packages, including major upgrade to Express v5.
  • Strengthened Content Security Policy (CSP) headers.
  • Established and enforced new code standards.

Fixed

  • Backup table command issues resolved.

Security

  • Added server-side rate limiter to prevent abuse.
  • Implemented CSRF middleware to protect against cross-site request forgery attacks.

Removed

  • Previous license replaced with updated terms (see LICENSE file).

TaskMinder License (Non-Commercial, Source-Available)

Copyright (c) 2024-2026 Mingqi Li and Fabian Leonardi

Permission is hereby granted, free of charge, to any person obtaining a copy of this Software and associated documentation files (the “Software”), to use, copy, modify, merge, publish, and distribute the Software for non-commercial purposes only, subject to the following conditions:

Definitions

  • “Licensors” refers to Mingqi Li and Fabian Leonardi, the original creators and copyright holders of the Software.
  • “You” refers to any individual or entity obtaining a copy of the Software and using it under the terms of this License.
  • “Software” means the TaskMinder source code, binaries, and any accompanying documentation or files made available by the Licensors.

Attribution

You must give appropriate credit to the Licensors, including a link to the original source, and indicate if changes were made. Appropriate credit includes, but is not limited to, displaying the following information:

“Original source code from TaskMinder by Mingqi Li and Fabian Leonardi, available at https://github.com/TaskMinder/TaskMinder

You may provide this credit in any reasonable manner, but not in any way that suggests endorsement by the Licensors. The attribution requirement applies to all forms of distribution, including but not limited to, source code, binaries, documentation, and any other materials that include or are derived from the Software.

Non-Commercial Use Only

The Software may not be used, in whole or in part, for any commercial purposes without prior written permission from the Licensors. Commercial use includes, but is not limited to:

  • Selling, licensing, or distributing the Software as part of a product or service
  • Offering paid subscriptions or memberships
  • Running ads on, in, or alongside the Software
  • Using the Software to offer commercial services
  • Deploying the Software in a commercial or enterprise environment

The examples above are representative but not exhaustive. If in doubt, You must seek written clarification from the Licensors before engaging in potentially commercial use.
“Non-commercial” refers to personal, educational, or research use where no financial gain or profit is involved.

Derivative Works

You may create and distribute derivative works of the Software under the same license terms, provided You comply with both the Attribution and Non-Commercial Use requirements.
“Derivative works” means any work that is based on or derived from the Software, including but not limited to modifications, translations, adaptations, and combinations with other software or materials.

Termination

This License will terminate automatically if You fail to comply with any of its terms and conditions. Upon termination, all rights granted to You under this License shall immediately cease, and You must destroy all copies of the Software in Your possession or control.

Disclaimer of Warranty and Liability

The Software is provided “as is”, without warranties of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement.
In no event shall the Licensors be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the Software or the use or other dealings in the Software.

This disclaimer does not affect liability which cannot be excluded under applicable law, including liability for intentional misconduct or personal injury.

Contact

For commercial licensing or other inquiries, please contact:
info@taskminder.de