docs: update HISTORY v0.25.0, remove completed CSRF fix from FUTURE
parent
2ce5328fd2
commit
579eed37b8
26
FUTURE.md
@ -31,32 +31,6 @@ Items are grouped under their priority section heading (`## 🔴 CRITICAL`, `##
## Pending Recommendations
### 🔴 CRITICAL
### 🔴 Import XLSX / SQLite / Backup CSRF Failure — CRITICAL
**Priority:** CRITICAL
**Added:** 2026-05-11 by Ripley
**Description:**
All three file-upload import endpoints (`/api/import/spreadsheet/preview`, `/api/import/user-db/preview`, `/api/admin/backups/import`) return "Your session has expired or this request may be fraudulent" because the frontend raw `fetch()` calls don't include the `x-csrf-token` header.
**Rationale:**
- The `_fetch()` helper in `client/api.js` automatically adds `x-csrf-token` from the cookie for all state-changing requests
- Three import functions bypass `_fetch()` and use raw `fetch()` directly for file uploads: `previewSpreadsheetImport`, `previewUserDbImport`, `importAdminBackup`
- None of them include the CSRF token header
- The CSRF middleware rejects these requests with 403 `CSRF_INVALID`
- Import is completely broken — users cannot import XLSX, SQLite, or backup files
- This affects a core feature (data import) and produces a confusing error message
**Implementation Notes:**
- Add `x-csrf-token` header to all three raw `fetch()` calls in `client/api.js`
- Use the existing `getCsrfToken()` function (already defined at the top of `client/api.js`)
- Lines to fix: ~L204 (previewSpreadsheetImport), ~L234 (previewUserDbImport), ~L93 (importAdminBackup)
- Example: `headers: { 'Content-Type': 'application/octet-stream', 'x-csrf-token': getCsrfToken(), ... }`
- No backend changes needed — CSRF middleware already works correctly
- Files to modify: `client/api.js`
- Estimated effort: 15 minutes
### 🔴 Import XLSX Dual-Column Layout Not Parsed — CRITICAL
**Priority:** CRITICAL
**Added:** 2026-05-11 by Ripley
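Review bot: the removed CRITICAL block carries the root-cause analysis (the three upload functions call raw `fetch()` and so bypass the `_fetch()` helper that attaches `x-csrf-token`, which is why the middleware answers 403 `CSRF_INVALID`), but nothing in this hunk records where the item was resolved, so the only trace left under the retained `### 🔴 CRITICAL` heading is its absence. Consider replacing the block with a one-line pointer such as `- Import CSRF failure: fixed in v0.25.0, see HISTORY.md`, or adding a Resolved date next to `**Added:** 2026-05-11 by Ripley`, so a reader of the roadmap can still find why the header is required; the observation that any raw `fetch()` in `client/api.js` skips the CSRF token is exactly what the next person adding a file-upload call needs to see.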
11
HISTORY.md
@ -1,5 +1,16 @@
# Bill Tracker — Changelog
## v0.25.0
### Added
- **Roadmap Page** — Kanban-style priority lanes (CRITICAL → NICE TO HAVE) with collapsible items, lazy-loaded activity log tab, admin-only `/api/about/roadmap` and `/api/about/dev-log` endpoints. Replaces AdminDashboard.
### Fixed
- **Import CSRF failure** — XLSX, SQLite, and backup file imports now include `x-csrf-token` header in all three raw `fetch()` calls (`importAdminBackup`, `previewSpreadsheetImport`, `previewUserDbImport`). Previously returned "session expired or fraudulent" 403 on every import attempt.
### Removed
- **AdminDashboard.jsx** — Replaced by RoadmapPage with kanban layout.
## v0.24.4
### Changed
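Review bot: the Fixed entry names the symptom and the three patched functions but not the cause, so the changelog reads as if the header had simply been forgotten; add that `importAdminBackup`, `previewSpreadsheetImport` and `previewUserDbImport` use raw `fetch()` for uploads and therefore bypassed the `_fetch()` helper that attaches `x-csrf-token`, and that the fix is client-side only with no change to the CSRF middleware. Separately, the Added entry calls `/api/about/roadmap` and `/api/about/dev-log` admin-only: state where that is enforced (a server-side check on the two endpoints, not only the RoadmapPage route that replaces AdminDashboard), since the roadmap content is the open-defects list from FUTURE.md and should not be readable by a non-admin session.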