null/BillTracker

Commit Graph

Author	SHA1	Message	Date
null	a9cdf846fe	v0.19.2: fix legacy DB migration login failure + security hardening CRITICAL fix: Users upgrading from pre-migration-tracking databases (now get 'invalid username/password' because schema_migrations table doesn't exist. Added handleLegacyDatabase() and reconcileLegacyMigrations() to detect and reconcile legacy DBs. Security fixes: - Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist - Public /about bypass: added admin route guard in App.jsx - Sensitive info exposure: expanded redactSensitiveContent() patterns - Error message path leaks: generic error messages only - Race condition: wrapped in db.transaction() in server.js - Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1) All verified by Bishop (build + runtime) and Private_Hudson (security).	2026-05-09 18:25:25 -05:00
null	6c7d481494	feat: add admin about page with security hardening - Add /api/about-admin endpoint (admin-only, path traversal protection, content redaction, error sanitization) - Add /admin/about route with RequireAuth admin guard - Add adminActionLimiter rate limiting on about-admin endpoint - Add rehype-sanitize XSS prevention in AboutPage.jsx - Add aboutAdmin API client endpoint - Create HISTORY.md with version bump convention (patch/minor/major) - Update Engineering Reference Manual with about-admin docs and security measures - Add INIT_REGULAR_USER/INIT_REGULAR_PASS env vars to docs - Update FUTURE.md with critical regular user env var item	2026-05-09 16:25:12 -05:00
kaspa	4d1709aea3	push	2026-05-09 13:03:36 -05:00
_null	3228332e8c	push	2026-05-04 23:34:24 -05:00
_null	d1efeece04	push	2026-05-04 20:12:57 -05:00
_null	b019487423	init	2026-05-04 16:38:03 -05:00
_null	969139251d	calendar	2026-05-04 13:14:32 -05:00
_null	b9d1366d46	initial commit	2026-05-03 19:51:57 -05:00

8 Commits