null
38c8bbd472
feat(server): add trust proxy, CSRF HTTPS detection, error formatting, dates util (batch 0.38.0)
2026-06-10 19:37:19 -05:00
null
426b0fd932
fix(admin): admin/profile routes and services
2026-06-07 21:18:02 -05:00
null
ab5e3fbf1f
feat: profile settings UI, auth service refactor, schema migration, route tests
2026-06-07 01:17:49 -05:00
null
7455dff5b8
feat: v0.37.0 — auto-learn merchant rules, ambiguous match protection, session hashing, geolocation opt-in
2026-06-06 18:30:21 -05:00
null
9a2a7ecdee
feat: v0.94 — session token hashing, geolocation opt-in privacy setting
2026-06-06 17:00:22 -05:00
null
99abca9868
security: WebAuthn / FIDO2 hardware security key 2FA
2026-06-05 22:05:23 -05:00
null
653dd72e12
feat: TOTP 2FA for login & profile setup flow
2026-06-04 04:10:14 -05:00
null
a6b2e8bb87
fix: login mode card update, OIDC service improvements, auth middleware refinements
2026-06-04 03:53:38 -05:00
null
26b6fb13e5
feat: login history with geolocation, encryption, new device alerts, session detection
2026-06-04 03:38:32 -05:00
null
4b86898bc7
wrap rotateSessionId transaction in try/catch, return null on failure
2026-06-03 20:37:12 -05:00
null
2550034996
feat: v0.36.0 patch set — 404 page, OIDC encryption, session rotate, user validation, calendar fixes
2026-06-03 20:32:00 -05:00
null
0ba315bd32
v0.28.0
2026-05-15 22:45:38 -05:00
null
263f1c5e6e
v0.27.04
2026-05-15 01:36:56 -05:00
null
d720931894
v0.27.02 push
2026-05-14 21:00:07 -05:00
null
c4a3593241
v0.22.2: Session Token Rotation on Auth Events
- invalidateOtherSessions() in authService.js: deletes all sessions except current
- Password change (auth.js + profile.js) now invalidates all other sessions
- Password change rotates current session ID (sets new cookie)
- New POST /api/auth/logout-all endpoint (deletes all sessions + clears cookie)
- Audit logging for logout.all and password.change
- Added last_password_change_at to auth.js change-password for consistency
- Hudson security audit: 6/6 PASS
2026-05-10 03:55:14 -05:00
null
399882f282
v0.19.4: session token expiry cleanup
- Added cleanupExpiredSessions() in db/database.js
- v0.43 migration: sessions.created_at column
- Startup cleanup + periodic cleanup every 24h (configurable via SESSION_CLEANUP_INTERVAL_MS)
- Per-user expired session cleanup on login and createSession
- Input validation on SESSION_CLEANUP_INTERVAL_MS (rejects 0, negative, >7d)
- Bishop verified all tests pass
- Hudson security audit: 5 PASS, 1 FAIL (interval validation — fixed)
2026-05-09 20:19:46 -05:00
kaspa
4d1709aea3
push
2026-05-09 13:03:36 -05:00
_null
3228332e8c
push
2026-05-04 23:34:24 -05:00
_null
b9d1366d46
initial commit
2026-05-03 19:51:57 -05:00