Payment method tracking and summary
Month navigation arrows should bracket the month name (< MAY >)
MEDIUM: Admin routes use req.params.id without integer validation
Added at the top of admin.js:
function parseUserId(params) {
  // Accept only a strictly positive integer id; anything else yields null.
  // Note: parseInt stops at the first non-digit, so "12abc" still parses as 12.
  const n = parseInt(params.id, 10);
  return Number.isInteger(n) && n > 0 ? n : null;
}
Applied to all 5 user routes:
Route…
LOW: OIDC client secret stored in plaintext in user_settings table
Added getOidcClientSecret() helper — reads from DB, decrypts with fallback to plaintext for any legacy value saved before this fix. Replaced 3 read sites (getOidcConfig, getOidcConfigStatus,…
Phase 6: Background Sync & Polish
Analytics — Expense vs Spend color key partially covered by bar graph on desktop
Not reproducible in current code
Calendar shows Due dot on days with no bills due (e.g. Saturday 16th)
MEDIUM: CSRF cookie defaults to httpOnly=false - XSS bypasses CSRF protection