80b3bcc17b
HIGH: - Admin toggle-paid: removed cross-user admin branch, now requires ownership - Analytics crash: imported missing standardizeError - Export data loss: added cycle_type, cycle_day, bill_history_ranges to exports - Single-user lockout: removed unnecessary sessions join from getSingleModeUser MEDIUM: - Password rate limiter: scoped to change-password only, not all profile routes - Profile session invalidation: fixed req.sessionId → req.cookies[COOKIE_NAME] - CSRF default: httpOnly now defaults to false (matches SPA double-submit pattern) - CSRF password routes: removed csrfSkip for password change endpoints - Notification due-day: calendar day comparison instead of timestamp floor - Upcoming bills: clamped days to 1-365, default 30 for invalid input FUTURE.md: marked all 10 items as FIXED, bumped version refs HISTORY.md: added v0.24.0 entry |
||
|---|---|---|
| .. | ||
| utils.js | ||
| version.js | ||