github afadil/wealthfolio v3.0.4

7 hours ago

Wealthfolio v3.0.4 — Release Notes

What's New

  • Securities portfolio filter — The securities list now defaults to showing
    only your currently held assets. Switch between "Current" and "Past" holdings
    to find what you need faster.
  • Persistent table sorting — Your sorting preferences on data tables are now
    remembered across sessions. (#671)
  • Better crypto precision — Increased decimal precision from 6 to 8 digits,
    so fractional crypto holdings (e.g. 0.00012345 BTC) are tracked accurately.
  • Search activities by notes — You can now search your activities using text
    from the notes field. (#662)
  • AI provider feedback — Adding or removing AI API keys now shows clear
    success/error notifications.
  • Smarter update checks — Update checks are cached to avoid redundant
    network calls, with a manual "force refresh" option. (#663)

Security Improvements

  • Stronger session security — Login sessions now use secure, HttpOnly
    cookies instead of browser-stored tokens, so page scripts can no longer
    read the session token. This protects against common web attacks like XSS.
  • Login rate limiting — Login attempts are limited to 5 per minute per IP
    address to prevent brute-force attacks.
  • Stricter CORS policy — Wildcard origins (*) are no longer allowed when
    authentication is enabled. You must specify your exact allowed origin.
  • Improved secret key handling — Encryption keys are now derived using
    industry-standard HKDF-SHA256. Existing secrets are migrated automatically on
    startup — no action needed.

Bug Fixes

  • AI assistant — Fixed Ollama model selection so the chosen model always
    matches what's available. Also fixed /v1 URL handling that caused 405
    errors. (#665)
  • Keyboard shortcuts — The search shortcut in the sidebar now shows the
    correct key for your platform (⌘K on Mac, Ctrl+K on Windows/Linux). (#670)
  • Performance chart — Improved chart width and disabled animation on mobile
    for smoother rendering.
  • Sheet layout — Fixed padding on sheet overlays for better visual spacing.
  • Timezone settings — Simplified timezone detection by removing the
    confusing auto-detected field.
  • Device sync pairing — Improved snapshot handling and UI updates during the
    device pairing flow.
  • Cloud sync sessions — Sessions are now automatically restored on page
    reload, so you don't need to re-authenticate as often.

For Self-Hosters (Docker / Web Mode)

Breaking Changes

  1. CORS wildcard no longer allowed with auth — If WF_AUTH_PASSWORD_HASH is
    set, you must set WF_CORS_ALLOW_ORIGINS to an explicit origin (e.g.
    https://wealthfolio.example.com).

  2. Auth required on non-loopback addresses — Binding to 0.0.0.0 now
    requires either WF_AUTH_PASSWORD_HASH to be set, or
    WF_AUTH_REQUIRED=false to explicitly opt out (e.g. when a reverse proxy
    handles auth).

  3. OpenAPI schema moved — Now served at /api/v1/openapi.json (requires
    authentication when auth is enabled).

New Environment Variable

Variable          Default  Description
WF_AUTH_REQUIRED  true     Set to false to run without authentication on
                           non-loopback addresses (e.g. behind a reverse
                           proxy)

What to Do

  • Docker Compose users: Set WF_CORS_ALLOW_ORIGINS to your actual domain in
    your .env.docker or compose.yml. If you run without auth behind a reverse
    proxy, add WF_AUTH_REQUIRED=false. Review the updated compose.yml and
    README.md.
  • Reverse proxy users: Ensure your proxy preserves Cookie and Set-Cookie
    headers for /api paths. The session cookie uses SameSite=Strict and
    Path=/api.
  • SSE / frontend clients: EventSource connections now authenticate via
    cookie (withCredentials: true). Query-param token passing has been removed.
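
A pre-upgrade check for breaking changes 1 and 2, as an added example (not Wealthfolio's own code). It applies the two rules above to an env file and a bind address. The bind address is passed as an argument, and the comma-separated origin list, the sample values and the function names are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_env(text):
    """Parse simple KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_loopback(bind_addr):
    """True for localhost, 127.0.0.0/8 or ::1, with an optional :port."""
    host = bind_addr.rsplit(":", 1)[0] if bind_addr.count(":") == 1 else bind_addr
    host = host.split("]")[0].lstrip("[")  # unwrap "[::1]:8080"
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are treated as non-loopback

def is_explicit_origin(origin):
    """scheme://host[:port] with no wildcard and no path."""
    parts = urlsplit(origin)
    return ("*" not in origin and parts.scheme in ("http", "https")
            and bool(parts.netloc) and parts.path == "")

def check_upgrade(env, bind_addr):
    """Return settings that conflict with breaking changes 1 and 2."""
    problems = []
    auth_on = bool(env.get("WF_AUTH_PASSWORD_HASH"))
    # Assumption: several origins are given as a comma-separated list.
    raw = env.get("WF_CORS_ALLOW_ORIGINS", "")
    origins = [o.strip() for o in raw.split(",") if o.strip()]
    if auth_on and not (origins and all(map(is_explicit_origin, origins))):
        problems.append("set WF_CORS_ALLOW_ORIGINS to explicit origin(s)")
    opted_out = env.get("WF_AUTH_REQUIRED", "true").lower() == "false"
    if not is_loopback(bind_addr) and not auth_on and not opted_out:
        problems.append("set WF_AUTH_PASSWORD_HASH or WF_AUTH_REQUIRED=false")
    return problems

# Constructed sample input: placeholder hash, wildcard CORS left over from 3.0.3.
SAMPLE_ENV = "WF_AUTH_PASSWORD_HASH=<placeholder>\nWF_CORS_ALLOW_ORIGINS=*\n"

if __name__ == "__main__":
    for problem in check_upgrade(parse_env(SAMPLE_ENV), "0.0.0.0:8080"):
        print("FIX:", problem)
```

An empty result means neither rule is violated; it does not cover the reverse-proxy cookie handling or the SSE client change.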

Full changelog:
v3.0.3...v3.0.4
