0.3.30
- Require token password and validate manifest URLs (34bf868)
Security and API updates: require a password for GET /api/token and verify it against stored password_hash (uses accountsDb and verifyPassword) before returning token config; add isSafeUrl checks in proxy manifest parsing to block localhost, private IP ranges, and cloud metadata addresses to mitigate SSRF; update docs page to reflect the new GET /api/token?password requirement; bump package version to 0.3.30.
Full Changelog: v0.3.29...v0.3.30
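
The SSRF check described in the 34bf868 notes, sketched as an added example; this is not the project's code. The name `isSafeUrl` is taken from the release note, but the body, the blocked-range list, the http/https-only rule, the IPv6 handling and the `metadata.google.internal` entry are assumptions, and the sample URLs are constructed.

```javascript
// Added illustration: a hypothetical isSafeUrl, not the project's implementation.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, covers the 169.254.169.254 metadata address
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const v4ToInt = (ip) => ip.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const base = v4ToInt(net);
    return n >= base && n < base + 2 ** (32 - bits);
  });
}

function isBlockedV6(host) { // host as normalized by URL, brackets removed
  if (host === '::' || host === '::1') return true;
  const first = parseInt(host.split(':')[0] || '0', 16);
  if ((first & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((first & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  const mapped = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!mapped) return false;
  const hi = parseInt(mapped[1], 16);
  const lo = parseInt(mapped[2], 16);
  return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
}

function isSafeUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  // WHATWG URL parsing has already folded 2130706433, 0x7f.1 etc. into dotted form.
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host === 'metadata.google.internal') return false;
  if (host.startsWith('[')) return !isBlockedV6(host.slice(1, -1));
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return !isBlockedV4(host);
  // A DNS name can still resolve to a blocked address; check the resolved IP at connect time too.
  return true;
}

// Constructed manifest entries, as a proxy might see them.
for (const s of ['https://cdn.example.com/manifest', 'http://2130706433/', 'http://[::ffff:127.0.0.1]/']) {
  console.log(s, isSafeUrl(s) ? 'allowed' : 'blocked');
}
```

A string-level check like this only covers literal addresses and known names; redirects followed by the proxy need the same check applied to each hop.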