Release Summary
- Added email notifications for account lockout incidents after 10 failed login attempts.
- Improved account security by implementing user lockout after multiple failed login attempts.
- Fixed email verification rate limiting to prevent abuse.
- Fixed issues with CSRF validation for enhanced security on critical endpoints.
- Validated locale in lockout emails to provide clearer user communication.
0.38.0 (2026-03-15)
Features
- add account lockout after 10 failed login attempts (0a765f1)
- add account lockout fields to User model (975669c)
- add StripeEvent model for webhook idempotency (670d7a8)
- send email notification on account lockout with i18n (16ef3e0)
Bug Fixes
- add 5-second DNS resolution timeout to SSRF checks (0a965de)
- add CSRF origin validation to state-changing API endpoints (eab27a9)
- add CSRF validation to unauthenticated auth endpoints (93bfcdb)
- add idempotency to Stripe webhook handler using unique constraint (77329de)
- add missing lockout fields to locale test mock objects (91b1a23)
- add rate limiting to email verification endpoint (1c92410)
- add SSRF protection to photo URL downloads (41b2645)
- expand Permissions-Policy header to restrict additional browser features (377ddcc)
- hash email verification tokens before storing in database (5e5ce3b)
- hash password reset tokens before storing in database (f115463)
- make CSP environment-aware — unsafe-eval only in development (d237a72)
- remove unsafe-eval from CSP script-src directive (54c8e3a)
- remove unsafe-inline from CSP script-src directive (3c2fd16)
- require STRIPE_WEBHOOK_SECRET in SaaS mode env validation (fb10653)
- resolve TypeScript error in csrf.ts missing return statement (938f6aa)
- restore unsafe-inline in CSP — required for Next.js hydration (e22d046)
- update lockout email test to use objectContaining for flexibility (015f9c4)
- validate locale in lockout email, surface account-locked error to user (68cd6d8)
- validate PHOTO_STORAGE_PATH and prevent path traversal (e2280da)