null/BillTracker
null
/
BillTracker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity
89 Commits 2 Branches 2 Tags 13 MiB
Commit Graph

6 Commits

Author SHA1 Message Date
null 2ce5328fd2 v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed 
- RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs,
  lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints
- Import CSRF fix: added x-csrf-token header to importAdminBackup,
  previewSpreadsheetImport, previewUserDbImport raw fetch() calls
- Removed AdminDashboard.jsx, replaced by RoadmapPage
- Added @radix-ui/react-collapsible + collapsible shadcn component
- Security audit by Private_Hudson: PASS (CSRF fix verified,
  admin endpoints gated, path traversal mitigated, XSS safe)
 2026-05-11 21:42:36 -05:00
null 78f95f784e fix: remove duplicate login route (authLogin.js), consolidate into auth.js 
- Deleted routes/authLogin.js (orphaned duplicate login handler)
- Removed authLoginRouter import and mount from server.js
- Rate limiter now runs as standalone middleware on /api/auth/login
- Added try/catch to auth.js login handler (was only in deleted file)
- Consistent audit log variable naming (username vs req.body.username)
- No functionality change — login flow works identically
 2026-05-10 12:20:50 -05:00
null c4a3593241 v0.22.2: Session Token Rotation on Auth Events 
- invalidateOtherSessions() in authService.js: deletes all sessions except current
- Password change (auth.js + profile.js) now invalidates all other sessions
- Password change rotates current session ID (sets new cookie)
- New POST /api/auth/logout-all endpoint (deletes all sessions + clears cookie)
- Audit logging for logout.all and password.change
- Added last_password_change_at to auth.js change-password for consistency
- Hudson security audit: 6/6 PASS
 2026-05-10 03:55:14 -05:00
null 7503a54f81 v0.20.6: Audit logging for critical operations 
- New audit_log table (migration v0.45) with indexes
- logAudit() service with try/catch safety (never crashes app)
- Audit events: login.success, login.failure, logout, password.change, role.change, csrf.failure, profile.update, profile.settings.update
- All events include ip_address and user_agent
- No passwords, tokens, or session IDs logged
- Hudson security audit: 7/7 PASS
 2026-05-10 00:03:12 -05:00
kaspa 4d1709aea3 push 2026-05-09 13:03:36 -05:00
_null b9d1366d46 initial commit 2026-05-03 19:51:57 -05:00