null/BillTracker
null
/
BillTracker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity
43 Commits 2 Branches 2 Tags 13 MiB
Commit Graph

10 Commits

Author SHA1 Message Date
null 399882f282 v0.19.4: session token expiry cleanup 
- Added cleanupExpiredSessions() in db/database.js
- v0.43 migration: sessions.created_at column
- Startup cleanup + periodic cleanup every 24h (configurable via SESSION_CLEANUP_INTERVAL_MS)
- Per-user expired session cleanup on login and createSession
- Input validation on SESSION_CLEANUP_INTERVAL_MS (rejects 0, negative, >7d)
- Bishop verified all tests pass
- Hudson security audit: 5 PASS, 1 FAIL (interval validation — fixed)
 2026-05-09 20:19:46 -05:00
null d55827d497 v0.19.3: legacy DB login fix, migration run functions, security hardening 
- Reset default admin password when INIT_ADMIN_PASS is set on legacy DBs
- Added run() functions to all legacy migration entries (reconcileLegacyMigrations)
- Migrations that aren't present in legacy DB now actually execute
- v0.40 ownership migration assigns to first admin (not first user)
- Removed username from password reset log (info disclosure fix)
- must_change_password enforced after legacy password reset
 2026-05-09 19:47:00 -05:00
null 4e91bed343 v0.19.2: add React Error Boundaries for crash recovery 
Added ErrorBoundary component wrapping all routes in App.jsx.
Shows friendly fallback UI with Try Again and Reload buttons
instead of white screen crash. Logs component stack to console.
 2026-05-09 18:33:02 -05:00
null a9cdf846fe v0.19.2: fix legacy DB migration login failure + security hardening 
CRITICAL fix: Users upgrading from pre-migration-tracking databases
(now get 'invalid username/password' because schema_migrations table
doesn't exist. Added handleLegacyDatabase() and
reconcileLegacyMigrations() to detect and reconcile legacy DBs.

Security fixes:
- Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist
- Public /about bypass: added admin route guard in App.jsx
- Sensitive info exposure: expanded redactSensitiveContent() patterns
- Error message path leaks: generic error messages only
- Race condition: wrapped in db.transaction() in server.js
- Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1)

All verified by Bishop (build + runtime) and Private_Hudson (security).
 2026-05-09 18:25:25 -05:00
null 6c7d481494 feat: add admin about page with security hardening 
- Add /api/about-admin endpoint (admin-only, path traversal protection, content redaction, error sanitization)
- Add /admin/about route with RequireAuth admin guard
- Add adminActionLimiter rate limiting on about-admin endpoint
- Add rehype-sanitize XSS prevention in AboutPage.jsx
- Add aboutAdmin API client endpoint
- Create HISTORY.md with version bump convention (patch/minor/major)
- Update Engineering Reference Manual with about-admin docs and security measures
- Add INIT_REGULAR_USER/INIT_REGULAR_PASS env vars to docs
- Update FUTURE.md with critical regular user env var item
 2026-05-09 16:25:12 -05:00
null d5057a6325 feat: add migration version tracking, update docs, add dev log 
- Added schema_migrations table for explicit version tracking (CRITICAL fix)
- Refactored runMigrations() to use versioned migration objects
- Added hasMigrationBeenApplied() and recordMigration() helpers
- Migrations now skip already-applied versions and log progress
- Updated FUTURE.md with migration system issues and criticality ratings
- Updated Engineering_Reference_Manual.md with migration system docs
- Added DEVELOPMENT_LOG.md for agent work tracking
 2026-05-09 15:17:40 -05:00
kaspa 4d1709aea3 push 2026-05-09 13:03:36 -05:00
_null c8c256bad2 init 2026-05-04 14:17:32 -05:00
_null 831bdfa3e2 correct 2026-05-04 13:51:38 -05:00
_null 9fc442fb8e readme 2026-05-04 13:38:19 -05:00