Security Hardening
- Rate limiter now backed by SQLite — survives server restarts and works across clustered deployments, with automatic in-memory fallback
- Content Security Policy tightened: removed unsafe-inline and unsafe-eval from script-src, theme script allowed via SHA-256 hash only
- Session invalidation on password change: mobile JWT tokens issued before a password change are automatically rejected
- Password changes trigger email notification to the user
- Admin user creation no longer returns passwords in API responses — credentials are sent via email (requires SMTP)
- Admin password resets use cryptographically secure generation (crypto.randomBytes) instead of Math.random
- Admin system endpoint standardized to use consistent authentication helpers
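
One way to implement the session-invalidation check from the list above, as an added example rather than this project's own code: it assumes HS256-signed tokens and a per-user password-change timestamp, and the names SECRET, signToken, verifyMobileToken and passwordChangedAtMs are hypothetical.

```javascript
// Added example; every name here is hypothetical, not taken from the project.
const crypto = require('node:crypto');

const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build an HS256 token (only used here to create constructed sample tokens).
function signToken(claims, secret) {
  const signed = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${signed}.${hmac(signed, secret).toString('base64url')}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyMobileToken(token, secret, user, nowMs = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  if (!Number.isInteger(claims?.iat) || !Number.isInteger(claims?.exp)) {
    return { ok: false, reason: 'missing-claims' };
  }
  if (claims.sub !== user.id) return { ok: false, reason: 'wrong-subject' };
  if (claims.exp * 1000 <= nowMs) return { ok: false, reason: 'expired' };
  // iat has one-second resolution. Comparing iat*1000 with the millisecond change
  // time fails closed: a token minted in the same second as the change is rejected
  // even if it was minted just after it, and the client simply signs in again.
  if (claims.iat * 1000 < user.passwordChangedAtMs) {
    return { ok: false, reason: 'issued-before-password-change' };
  }
  return { ok: true, claims };
}

// Constructed sample data.
const SECRET = 'constructed-demo-secret';
const T0 = 1700000000000; // password changed at this instant (ms)
const user = { id: 'u1', passwordChangedAtMs: T0 };
const oldToken = signToken({ sub: 'u1', iat: T0 / 1000 - 60, exp: T0 / 1000 + 3600 }, SECRET);
const newToken = signToken({ sub: 'u1', iat: T0 / 1000 + 5, exp: T0 / 1000 + 3600 }, SECRET);
```

The timestamp has to be written in the same transaction as the new password hash, otherwise a token minted between the two writes survives the change.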
Mobile Web Optimization
- Responsive layout across all dashboard pages (proper padding, touch targets, viewport handling)
- Sidebar adapts to screen width (85vw with max-w-72) instead of fixed 288px overlay
- Header compact mode for narrow screens
- Map tile picker buttons enlarged to 48px to meet touch target guidelines
- Dynamic viewport height (dvh) fixes mobile browser address bar layout shift
Share Link Deletion
- Share links can now be permanently deleted, not just revoked
- Delete button added to both web and mobile share management screens
- Revoked/expired links show delete option to remove them from the list entirely
History
- History pages now default to last 7 days instead of last 24 hours
Other
- Updated README to reflect removal of Google Play Services dependency
- Mobile app version bumped to 0.8.2