Armarium/armarium-suite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

2 Releases 2 Tags

RSS Feed
  • v1.1.0 1a7ef09805
    Compare

    MVP: First production ready release. Stable

    kraehed released this 2026-05-25 20:46:30 +00:00 | 0 commits to main since this release

    [1.1.0] - 2026-05-19

    Added

    • Auth — Email verification: SHA-256 token (24h TTL) sent on registration; /verify-email?token= route auto-confirms via POST /api/auth/verify-email/
    • Auth — Password reset: anti-enumeration POST /api/auth/password-reset/; confirm endpoint resets password and invalidates all sessions; SHA-256 token with 15 min TTL sent via Brevo
    • Auth — 2FA (TOTP): QR code setup, HMAC-signed 5 min temp token, replay protection via totp_last_used_code, 8 backup codes (SHA-256 hashed in DB, XXXXXXXX-XXXXXXXX format); copy to clipboard + PDF download via jsPDF; two-step login flow
    • Auth — "Keep me signed in": toggles between localStorage (persistent) and sessionStorage; carried through 2FA and recovery flows
    • Auth — Language switcher (LangSwitcher): embedded in login and register cards
    • Settings page (/settings): active sessions (list all devices, individual revoke, revoke-all); data export (ZIP with 6 structured PDFs via fpdf2); notification preferences (deadlines, budget warnings, monthly summary); 2FA management; three-step account deletion (mandatory export → password + confirmation phrase → redirect to armarium.ch)
    • Dashboard: income vs. expenses bar chart (3 series, year selector); fixed costs donut chart with toggle to scrollable list view; savings rate card with customisable target marker
    • Security: Cloudflare Turnstile CAPTCHA on login and register
    • Infrastructure: Brevo SMTP (smtp-relay.brevo.com:587), domain armarium.ch verified (SPF/DKIM); all email config via env vars (EMAIL_HOST, EMAIL_PORT, EMAIL_HOST_USER, etc.)
    • Email templates: registration_confirm, password_reset, password_changed, email_changed — HTML + plaintext; finance/email.py generic helper using EmailMultiAlternatives
    • Backend: ADMIN_URL env var obscures the admin path (default manage/); production security block — SECURE_SSL_REDIRECT, HSTS (1 year, preload, subdomains), secure cookies, SECURE_CONTENT_TYPE_NOSNIFF; upload size capped at 5 MB; CSRF_TRUSTED_ORIGINS from env var
    • i18n: all new keys for financial year, household, dashboard, auth flows, settings and 2FA (DE/EN/FR/IT)

    Changed

    • Login: email-based authentication (username removed, backend auto-sets username=email); "Forgot password?" link; two-step flow when 2FA is active; show/hide password toggle; font sizes increased throughout login/register cards
    • Register: email-only; independent show/hide toggle on both password fields; display-name hint
    • Dashboard: KPI data now sourced from FinancialYearService (was account/budget totals)
    • Settings: 2FA and active sessions moved here from Profile; account deletion is now three-step
    • Calendar: live holiday and school holiday data via OpenHolidays API (AGPL-3.0) with static fallback; language-aware requests and cache key; in-memory cache per year/canton; today shown as violet ring only (not filled)
    • Notifications: per-notification "mark as read" button; "mark all as read" in panel header
    • Typography: Roboto self-hosted via @fontsource/roboto (300/400/500/700) — no Google Fonts CDN, GDPR-compliant; unified font-size scale with custom Tailwind steps
    • Mobile: responsive improvements across tables (hidden columns), modals (single-column grids), touch targets (min p-2), dashboard KPI cards, calendar cells, OTP inputs, notification panel margins; sidebar mobile drawer now contains notifications, theme toggle, profile and logout
    • Backend: LogoutView accepts unauthenticated calls and deletes UserSession by JTI; ChangePasswordView invalidates all other sessions; authInterceptor sends X-Session-Key header on every request; session key stored alongside JWT in same storage

    Security

    • Password reset invalidates all active sessions
    • Email verification token stored as SHA-256 hash with 24h TTL
    • VerifyEmailView and PasswordResetConfirmView rate-limited at 5/min
    • TwoFactorRecoverConfirmView: temp_token verified before accepting a recovery code (previously bypassable)
    • ProfileView.delete: requires password verification; returns 403 on failure

    Fixed

    • EmailAuthBackend: case-insensitive email lookup so login works regardless of capitalisation
    • Dashboard: December bars no longer clipped at the right edge of the bar chart
    • Calendar: legend removed from footer; ZH spring holidays 2026 corrected to 20.04.–02.05.; date input locale bound to app language; deadline type dropdown shows placeholder on open; placeholder text styled correctly
    • Auth LangSwitcher: signal initialisation order fixed; [class] binding used instead of [class.dark:...] to avoid Tailwind dark-mode colon conflict
    • Backend: fpdf2 export — em/en dash caused FPDFUnicodeEncodingException with Helvetica; fixed via Latin-1 safe encoding helper
    • Backend: api/notifications/ URL conflict resolved; prefs endpoint moved to api/notifications/prefs/
    • Mobile navbar: icons hidden on mobile and integrated into sidebar drawer to prevent layout overflow
    Downloads
  • v1.0.0 807ebc41a5
    Compare

    Release pilot testversion Pre-Release

    kraehed released this 2026-04-13 12:08:44 +00:00 | 1 commits to main since this release

    [1.0.0] - 2026-04-13

    Added

    • Branding: app named "Armarium"; horizontal and vertical logo SVGs; favicon; dark-mode logo invert
    • Backend: Django + DRF with JWT auth (djangorestframework-simplejwt), token blacklist, rate limiting (5/200/20 req/min), PostgreSQL, media uploads, env config via python-dotenv
    • Data models: Account (asset/expense/revenue), Transaction (double-entry), Budget (7 categories), Expense (10 categories), Profile (avatar, canton, all 26 CH cantons), Deadline (5 types)
    • REST API: auth endpoints (register, login, refresh, logout, password change), full CRUD for accounts, transactions, budgets, expenses, deadlines, profile
    • Frontend: Angular 21 standalone components, Tailwind CSS v3, ApexCharts; ApiService, AuthService, authGuard, authInterceptor, SidebarService
    • Pages: Login, Register, Dashboard (KPIs + bar/donut charts), Accounts, Budgets, Expenses, Transactions, Calendar, Profile
    • Responsive layout: mobile-first — slide-in sidebar drawer, backdrop close, overflow-x-auto tables, notifications as full-width top drawer on mobile
    • Sidebar: collapsible to icon-only view with flyout submenus and tooltips; toggle in navbar
    • Dark/Light mode: sun/moon toggle in navbar; preference persisted in localStorage (dark default)
    • i18n: 4 languages (DE/FR/IT/EN) via ngx-translate; LanguageService; browser language auto-detection; canton names translated per UI language
    • Calendar: year view with month modal; Swiss public and school holidays by canton (2025–2026); expense due dates and deadlines; day detail slide-in drawer; iCal feed (HMAC-SHA256 token auth) with "Subscribe" button
    • Infrastructure: PostgreSQL, nginx reverse proxy, Forgejo Actions CI/CD pipeline, .env.example

    Fixed

    • Profile: canton and language selects not saving — switched to [ngModel]/(ngModelChange)
    • Calendar: canton not reflected on load; iCal feed pytz import error
    • Sidebar: collapse button unwired; flyout menus clipped due to overflow-y-auto; mobile submenus replaced with Angular signal-based state
    • i18n: translations not loading — src/assets missing from angular.json assets
    • Production: hardcoded http://127.0.0.1:8000 replaced with relative API paths throughout
    Downloads