Commit graph

64 commits

Author SHA1 Message Date
Hendrik Garske
71915dba04 v0.1.33 — fix: auto-update job was missing from background scheduler 2026-05-21 14:51:47 +02:00
Hendrik Garske
faf054a655 Remove dependency-review job, keep npm audit only 2026-05-16 19:22:02 +02:00
Hendrik Garske
302ac2a6a3 Simplify security scan: remove CodeQL, add npm audit 2026-05-16 19:19:16 +02:00
Hendrik Garske
6d2f8af238 Fix runner label capitalization (Linux/X64 not linux/x64) 2026-05-16 19:16:01 +02:00
Hendrik Garske
facc3eecc6 Fix runner label capitalization (Linux/X64 not linux/x64) 2026-05-16 19:16:00 +02:00
Hendrik Garske
a893c42dd1 Fix runner label capitalization (Linux/X64 not linux/x64) 2026-05-16 19:15:59 +02:00
Hendrik Garske
e89ea85804 Add security scan workflow 2026-05-16 19:13:03 +02:00
Hendrik Garske
5461eef29e Add CI workflow on self-hosted runners 2026-05-16 19:13:03 +02:00
Hendrik Garske
3ced1e9e76 Use self-hosted runners for release builds 2026-05-16 19:13:02 +02:00
Hendrik
9da40724b4 Upgrade next to 15.5.18 to fix middleware bypass CVEs
Fixes CVE-2026-44574 (CVSS 8.1), CVE-2026-44575 (CVSS 7.5),
CVE-2026-45109 (CVSS 7.5): attackers could bypass middleware auth
in App Router applications via dynamic route parameter injection
and segment-prefetch routes.

Also fixes CVE-2026-44579 (DoS, CVSS 7.5) and
CVE-2026-44576 (cache poisoning, CVSS 5.4).
2026-05-15 16:51:04 +02:00
Hendrik
daa13c808b Fix admin UI inaccessible via private/local IP
isAdminHost() only matched localhost and the configured server_ip
(set to the public IP by the install script). Installations accessed
via RFC 1918 addresses (10.x, 192.168.x, 172.16-31.x) fell through
to the redirect-domain handler and returned 'Domain nicht konfiguriert' ("domain not configured").

Extract isPrivateOrLoopbackIp() to recognize all private and loopback
addresses as admin hosts. No security risk: redirect domains are never
private IPs.
2026-05-15 16:48:07 +02:00
Hendrik Garske
44bb7810a7 v0.1.31 — fix: PDF export 403 when IP allowlist is active
Puppeteer renders /r/{token} internally from 127.0.0.1, and the allowlist check
also blocked loopback addresses. Loopback (127.x, ::1, ::ffff:127.)
is now exempted before the allowlist check.
2026-05-07 15:29:40 +02:00
Hendrik Garske
ee3a72ce50 v0.1.30 — fix: username login; feature: IP allowlist for admin UI
- fix: username column added to DB DDL + migration for existing databases;
  createSchema in /api/users now stores username correctly (was always NULL)
- feature: IP allowlist for admin UI: IPs/CIDR ranges configurable in settings;
  enforcement in server.ts before Next.js handoff; /api/v1 stays open;
  lockout warning when own IP is not in the list
2026-05-06 19:43:41 +02:00
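The admin-host and allowlist logic described in the three commit messages above (ee3a72ce50: allowlist with CIDR entries enforced before the Next.js handoff, with a lockout warning; 44bb7810a7: loopback exempted before the allowlist check; daa13c808b: RFC 1918 and loopback addresses treated as admin hosts), as an added TypeScript example. This is not the project's code: only the name isPrivateOrLoopbackIp comes from a commit message, every other function name, the CIDR format and the sample addresses and allowlist are assumptions made for illustration.

```typescript
// Added example, not the project's code. Models the behaviour the commit
// messages describe: private/loopback detection for admin hosts, an admin-UI
// IP allowlist with CIDR entries, loopback exempted before the allowlist
// check, and a lockout warning. Function names other than
// isPrivateOrLoopbackIp are assumed; all sample IPs below are constructed.

// Normalise an IPv4-mapped IPv6 address ("::ffff:127.0.0.1") to dotted-quad.
export function normalizeIp(ip: string): string {
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip.trim());
  return m?.[1] ?? ip.trim();
}

// Dotted-quad IPv4 -> unsigned 32-bit integer; null for anything else.
// Rejects hex/octal octets and short forms, which parsers treat inconsistently.
export function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p); // multiply rather than <<, to stay unsigned
  }
  return n;
}

export function isLoopbackIp(ip: string): boolean {
  const s = normalizeIp(ip);
  if (s === "::1") return true;
  const v = ipv4ToInt(s);
  return v !== null && v >>> 24 === 127; // 127.0.0.0/8
}

// RFC 1918 ranges plus loopback: the admin-host test from the commit message.
export function isPrivateOrLoopbackIp(ip: string): boolean {
  if (isLoopbackIp(ip)) return true;
  const v = ipv4ToInt(normalizeIp(ip));
  if (v === null) return false;
  const a = v >>> 24;
  const b = (v >>> 16) & 0xff;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Allowlist entry: "203.0.113.7" (implicit /32) or "203.0.113.0/24". Null if invalid.
export function parseCidr(entry: string): { base: number; mask: number } | null {
  const [ipPart, prefixPart, extra] = entry.trim().split("/");
  const ip = ipv4ToInt(normalizeIp(ipPart ?? ""));
  if (ip === null || extra !== undefined) return null;
  if (!/^\d{1,2}$/.test(prefixPart ?? "32")) return null;
  const prefix = prefixPart === undefined ? 32 : Number(prefixPart);
  if (prefix > 32) return null;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ip & mask) >>> 0, mask };
}

export function ipInCidr(ip: string, entry: string): boolean {
  const cidr = parseCidr(entry);
  const v = ipv4ToInt(normalizeIp(ip));
  return cidr !== null && v !== null && ((v & cidr.mask) >>> 0) === cidr.base;
}

// Admin-UI gate. Order matters: loopback is exempted before the allowlist is
// consulted, so an internal renderer calling from 127.0.0.1 is never blocked.
// An empty allowlist disables the feature. clientIp must be the socket peer
// address (or a header set by a trusted reverse proxy), never a raw
// X-Forwarded-For value the client controls.
export function isAdminAccessAllowed(clientIp: string, allowlist: string[]): boolean {
  if (isLoopbackIp(clientIp)) return true;
  if (allowlist.length === 0) return true;
  return allowlist.some((entry) => ipInCidr(clientIp, entry));
}

// Settings-page check: would saving this list lock the current admin out?
export function wouldLockOutSelf(ownIp: string, allowlist: string[]): boolean {
  return !isAdminAccessAllowed(ownIp, allowlist);
}

// Constructed client addresses against a constructed allowlist, for stand-alone runs.
export function demo(): Record<string, boolean> {
  const allowlist = ["203.0.113.0/24", "198.51.100.7"];
  const clients = ["127.0.0.1", "::ffff:127.0.0.1", "203.0.113.42", "198.51.100.7", "198.51.100.8", "10.0.0.5"];
  const result: Record<string, boolean> = {};
  for (const ip of clients) result[ip] = isAdminAccessAllowed(ip, allowlist);
  return result;
}

console.log(demo());
```

Two caveats follow from the ordering. Exempting loopback means any code that can make a request from the host itself (a co-located process, or an SSRF through the application) is trusted by the admin gate, so that exemption should be paired with the normal login and role checks rather than replace them. And the check is only as good as the address it sees: behind a reverse proxy the server must read the proxy's trusted header and ignore client-supplied forwarding headers, or the allowlist is bypassed with one spoofed header.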
Hendrik
a34fa9bfa8 v0.1.29 — auth: self-heal username column on first login if migration didn't run 2026-05-01 23:47:12 +02:00
Hendrik
25644e0ea2 v0.1.28 — security: nodemailer 8.0.7 (SMTP CRLF injection fixes), enforce uuid 11.1.1 override 2026-05-01 23:41:30 +02:00
Hendrik
f06e6e7df0 v0.1.27 — fix: blocklist self-creates table; settings UI redesign with overview cards + edit popups 2026-05-01 22:16:52 +02:00
Hendrik
ef9c598f71 update.sh: SHA256-verification of prebuilt tarball 2026-05-01 22:07:17 +02:00
Hendrik
c60a38091b v0.1.26 — SMTP + forgot-password, username login, SHA256 verification of update tarballs 2026-05-01 22:06:55 +02:00
Hendrik
19d16bd0c5 Bump to 0.1.25 2026-05-01 22:00:05 +02:00
Hendrik
4803fe5afa v0.1.25 — security: password confirmation, HIBP leak check, role enforcement on all mutations, API rate limits 2026-05-01 21:59:52 +02:00
Hendrik
a4efe3bee2 v0.1.24 — Sign-out: client-side signOut() instead of default NextAuth page (matches UI) 2026-05-01 21:46:35 +02:00
Hendrik
18157d0a2f v0.1.23 — UI: remove 'CoreX' from visibility (login, setup, sidebar, report, page title) 2026-05-01 21:45:51 +02:00
Hendrik
c81114f44c v0.1.22 — fix Internal Server Error on redirect: static hashIp import + resilient blocklist (no-op on schema miss) 2026-05-01 21:44:44 +02:00
Hendrik
a359e0852c Remove docs/ folder — content is in GitHub Wiki, link from README 2026-05-01 21:40:20 +02:00
Hendrik
9fce2e9db6 Bump to 0.1.21 2026-05-01 21:38:46 +02:00
Hendrik
ad44a7b8b2 v0.1.21 — Multi-user with roles (admin/user), user CRUD UI, role enforcement on domain mutations 2026-05-01 21:38:33 +02:00
Hendrik
91b7b2494e Bump to 0.1.20 2026-05-01 21:36:37 +02:00
Hendrik
eb283f487c v0.1.20 — jobs (hits-retention, dns-health), login rate-limit, IP-blocklist, security headers, search/sort/csv-import on domains, test-call + per-domain PDF, webhooks, extended health 2026-05-01 21:36:24 +02:00
Hendrik
3b209db090 Add wiki content (12 pages) — to be published once GitHub Wiki is enabled 2026-05-01 21:10:00 +02:00
Hendrik
91bb41ed05 v0.1.19 — browser-signal heuristic: require Sec-Fetch + Accept-Language + Accept html (2 of 3) 2026-05-01 21:01:44 +02:00
Hendrik
47690ff96d v0.1.18 — aggressive bot filter: scanner path patterns, short-UA skip, per-IP scan detector 2026-05-01 20:56:10 +02:00
Hendrik
79108b0693 v0.1.17 — sunset continue: link back to source domain (server resolves to target), not directly to the target 2026-05-01 20:45:33 +02:00
Hendrik
12f16e078b v0.1.16 — DNS records overview, domain edit form, bulk delete, group edit, CSV export, audit log 2026-05-01 20:41:26 +02:00
Hendrik
63df0fe8d6 v0.1.15 — self-healing sunset_config migration: check schema each boot, not just setting flag 2026-05-01 19:36:08 +02:00
Hendrik
4bd76c9eda v0.1.14 — direct PDF download via puppeteer + chromium, fix logo on cover 2026-05-01 19:34:08 +02:00
Hendrik
cb70fbacf5 v0.1.13 — PDF report redesign: A4 portrait, brand layout, clean page-break behaviour 2026-05-01 19:27:06 +02:00
Hendrik
cfb35034e9 Bump to 0.1.12 2026-05-01 19:22:20 +02:00
Hendrik
aeba290d16 v0.1.12 — bot filter, unique visitors, sunset notice page (per-domain + bulk) 2026-05-01 19:22:04 +02:00
Hendrik
fd118b40bf v0.1.11 — PDF report export with preset selection + Recharts tooltip fix 2026-05-01 19:16:05 +02:00
Hendrik
807911d026 v0.1.10 — caddy reload via 'caddy reload' CLI (avoids admin API Origin 403) 2026-05-01 19:09:45 +02:00
Hendrik
ab47513dd9 v0.1.9 — fix Caddy auto-HTTPS: chown Caddyfile to service user so app can regenerate per-domain blocks 2026-05-01 19:06:38 +02:00
Hendrik
96c541f8f6 v0.1.8 — security: bump next 15.5.15, postcss override, uuid 11 override 2026-05-01 19:00:17 +02:00
Hendrik
22d4e283b0 Bump to 0.1.7 2026-05-01 18:56:55 +02:00
Hendrik
c75fa5aa18 v0.1.7 — auto-migrate 301→302 on startup, auto-install sqlite3, ensure_sqlite helper 2026-05-01 18:56:42 +02:00
Hendrik
d695d4c8c9 v0.1.6 — fix hit tracking: default 302, no-cache headers, 301-warning in UI 2026-05-01 18:53:46 +02:00
Hendrik
8fe9f13c56 Bump to 0.1.5 2026-05-01 18:48:01 +02:00
Hendrik
cf8e01c384 v0.1.5 — skip update if current, robust UI fallback reload, force flag 2026-05-01 18:47:50 +02:00
Hendrik
e371da26a3 Bump to 0.1.4 2026-05-01 18:41:48 +02:00
Hendrik
2e412b61a7 v0.1.4 — MaxMind Basic Auth + Account-ID Field, detailed download errors 2026-05-01 18:41:38 +02:00
Hendrik
c710d874b1 v0.1.3 — update flow: detached restart, version-aware status, auto-reload UI, banner polling 2026-05-01 18:34:15 +02:00