null
f587d09d4a
style: apply Prettier across client + server (no behavior change)
...
One-time repo-wide `prettier --write` (isolated commit so future diffs
stay reviewable). Mechanical formatting only.
Verified unchanged: typecheck + typecheck:server + check:server clean;
server tests 232/232; client tests 50/50; Vite build succeeds.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 14:23:53 -05:00
null
135bd98c6a
refactor(server): migrate middleware, workers, and db layer to TypeScript (.cts)
...
- middleware/ (5): requireAuth, securityHeaders, errorFormatter, csrf,
rateLimiter — fully typed against the shared http Req/Res/Next types.
- workers/dailyWorker — fully typed.
- db/ (4): database, subscriptionCatalogSeed, migrations/versionedMigrations,
migrations/legacyReconcileMigrations — large dynamic schema/migration infra,
converted with @ts-nocheck (typing deferred). All requires updated to .cts.
Behavior-preserving. Verified: typecheck:server 0, check:server 0, suite 226/226.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 11:34:08 -05:00
null
6746d42380
refactor(server): migrate 5 more services to TypeScript (.cts)
...
webauthnService, cleanupService, backupService, bankSyncService, authService.
Behavior-preserving. Verified: typecheck:server 0, check:server 0, suite 226/226.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 11:06:05 -05:00
null
a6c9b6cb1c
refactor(server): migrate 8 leaf services + apiError to TypeScript (.cts)
...
Batch of low-blast-radius modules: utils/apiError, and services statusRuntime,
loginFingerprint, auditService, transactionMatchState, updateCheckService,
advisoryFilterService, bankSyncConfigService.
- types/http.d.ts: shared permissive Express-ish Req/Res/Next/Router types
(@types/express isn't installed; handlers are dynamic) — for apiError's
errorHandler now and the routes/middleware batches next.
- Every require of a migrated module updated to the explicit .cts extension.
- Confirmed + documented the Node rule: a .cts needs at least one `import`
statement or type-stripping never activates (node --check fails on the first
type token); import-less modules lead with an `import type`.
Behavior-preserving. Verified: typecheck:server 0, check:server 0, suite 226/226.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 10:47:16 -05:00
null
947fa3bdf8
feat(auth): add per-username rate limiter, migrate dates to local-time utils (batch 0.38.1)
2026-06-10 19:42:51 -05:00
null
38c8bbd472
feat(server): add trust proxy, CSRF HTTPS detection, error formatting, dates util (batch 0.38.0)
2026-06-10 19:37:19 -05:00
null
f69f778821
fix: use express-rate-limit ipKeyGenerator for sync limiter fallback
2026-06-06 18:38:40 -05:00
null
80b5d56010
feat(sync): rate limit sync/backfill endpoints to 10 per 15 minutes
2026-06-06 15:08:33 -05:00
null
a6b2e8bb87
fix: login mode card update, OIDC service improvements, auth middleware refinements
2026-06-04 03:53:38 -05:00
null
67ce59db50
v0.35.0
2026-05-31 15:52:50 -05:00
null
0ba315bd32
v0.28.0
2026-05-15 22:45:38 -05:00
null
d720931894
v0.27.02 push
2026-05-14 21:00:07 -05:00
null
80b3bcc17b
fix: HIGH+MEDIUM batch — 10 fixes (v0.24.0)
...
HIGH:
- Admin toggle-paid: removed cross-user admin branch, now requires ownership
- Analytics crash: imported missing standardizeError
- Export data loss: added cycle_type, cycle_day, bill_history_ranges to exports
- Single-user lockout: removed unnecessary sessions join from getSingleModeUser
MEDIUM:
- Password rate limiter: scoped to change-password only, not all profile routes
- Profile session invalidation: fixed req.sessionId → req.cookies[COOKIE_NAME]
- CSRF default: httpOnly now defaults to false (matches SPA double-submit pattern)
- CSRF password routes: removed csrfSkip for password change endpoints
- Notification due-day: calendar day comparison instead of timestamp floor
- Upcoming bills: clamped days to 1-365, default 30 for invalid input
FUTURE.md: marked all 10 items as FIXED, bumped version refs
HISTORY.md: added v0.24.0 entry
2026-05-10 15:25:47 -05:00
null
7503a54f81
v0.20.6: Audit logging for critical operations
...
- New audit_log table (migration v0.45) with indexes
- logAudit() service with try/catch safety (never crashes app)
- Audit events: login.success, login.failure, logout, password.change, role.change, csrf.failure, profile.update, profile.settings.update
- All events include ip_address and user_agent
- No passwords, tokens, or session IDs logged
- Hudson security audit: 7/7 PASS
2026-05-10 00:03:12 -05:00
kaspa
4d1709aea3
push
2026-05-09 13:03:36 -05:00
_null
3228332e8c
push
2026-05-04 23:34:24 -05:00
_null
734e190884
corrected admin view
2026-05-03 20:40:48 -05:00
_null
b9d1366d46
initial commit
2026-05-03 19:51:57 -05:00