From 579eed37b8264fc88e67102d527b6a18cffeec33 Mon Sep 17 00:00:00 2001 From: null Date: Mon, 11 May 2026 21:46:33 -0500 Subject: [PATCH] docs: update HISTORY v0.25.0, remove completed CSRF fix from FUTURE --- FUTURE.md | 26 -------------------------- HISTORY.md | 11 +++++++++++ 2 files changed, 11 insertions(+), 26 deletions(-) diff --git a/FUTURE.md b/FUTURE.md index 8c46df9..22c4f7d 100644 --- a/FUTURE.md +++ b/FUTURE.md 
@@ -31,32 +31,6 @@ Items are grouped under their priority section heading (`## 🔴 CRITICAL`, `## ## Pending Recommendations -### 🔴 CRITICAL - -### 🔴 Import XLSX / SQLite / Backup CSRF Failure — CRITICAL -**Priority:** CRITICAL -**Added:** 2026-05-11 by Ripley - -**Description:** -All three file-upload import endpoints (`/api/import/spreadsheet/preview`, `/api/import/user-db/preview`, `/api/admin/backups/import`) return "Your session has expired or this request may be fraudulent" because the frontend raw `fetch()` calls don't include the `x-csrf-token` header. - -**Rationale:** -- The `_fetch()` helper in `client/api.js` automatically adds `x-csrf-token` from the cookie for all state-changing requests -- Three import functions bypass `_fetch()` and use raw `fetch()` directly for file uploads: `previewSpreadsheetImport`, `previewUserDbImport`, `importAdminBackup` -- None of them include the CSRF token header -- The CSRF middleware rejects these requests with 403 `CSRF_INVALID` -- Import is completely broken — users cannot import XLSX, SQLite, or backup files -- This affects a core feature (data import) and produces a confusing error message - -**Implementation Notes:** -- Add `x-csrf-token` header to all three raw `fetch()` calls in `client/api.js` -- Use the existing `getCsrfToken()` function (already defined at the top of `client/api.js`) -- Lines to fix: ~L204 (previewSpreadsheetImport), ~L234 (previewUserDbImport), ~L93 (importAdminBackup) -- Example: `headers: { 'Content-Type': 'application/octet-stream', 'x-csrf-token': getCsrfToken(), ... }` -- No backend changes needed — CSRF middleware already works correctly -- Files to modify: `client/api.js` -- Estimated effort: 15 minutes - ### 🔴 Import XLSX Dual-Column Layout Not Parsed — CRITICAL **Priority:** CRITICAL **Added:** 2026-05-11 by Ripley diff --git a/HISTORY.md b/HISTORY.md index e79523d..ca66bc7 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -1,5 +1,16 @@ # Bill Tracker — Changelog +## v0.25.0 + +### Added +- **Roadmap Page** — Kanban-style priority lanes (CRITICAL → NICE TO HAVE) with collapsible items, lazy-loaded activity log tab, admin-only `/api/about/roadmap` and `/api/about/dev-log` endpoints. Replaces AdminDashboard. + +### Fixed +- **Import CSRF failure** — XLSX, SQLite, and backup file imports now include `x-csrf-token` header in all three raw `fetch()` calls (`importAdminBackup`, `previewSpreadsheetImport`, `previewUserDbImport`). Previously returned "session expired or fraudulent" 403 on every import attempt. + +### Removed +- **AdminDashboard.jsx** — Replaced by RoadmapPage with kanban layout. + ## v0.24.4 ### Changed
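Review bot: In the FUTURE.md hunk, the removal deletes the `-### 🔴 CRITICAL` group heading together with the completed CSRF item, but the next item (`### 🔴 Import XLSX Dual-Column Layout Not Parsed — CRITICAL`) is still a CRITICAL entry and now sits directly under `## Pending Recommendations` with no priority heading above it. The hunk's own context states that items are grouped under their priority section heading, and the HISTORY.md hunk adds a `/api/about/roadmap` endpoint that renders priority lanes, so an item that has lost its heading risks landing in the wrong lane or being dropped. Keep the `### 🔴 CRITICAL` heading line and remove only the item below it; while there, note that the context line lists the heading style as `## 🔴 CRITICAL` (h2) whereas the file actually uses `### 🔴 CRITICAL` (h3), which is worth reconciling so a parser that keys on heading level behaves consistently.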
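Review bot: The new `### Fixed` entry in HISTORY.md records a security-relevant change (the `x-csrf-token` header on the three raw `fetch()` calls) but this commit is docs-only, so nothing in the diff lets a reader verify that the code change landed; reference the commit or PR that modified `client/api.js` in the entry so the changelog claim is traceable. The removed FUTURE.md text also identifies the root cause as those functions bypassing the `_fetch()` helper that adds the token automatically; the changelog line could say whether that bypass was closed (for example by routing file uploads through `_fetch()` or adding a regression check), since otherwise the next raw `fetch()` call will reintroduce the same 403 `CSRF_INVALID` failure.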