Releases: chicohaager/TravelMind

v1.2.2 - Security Fixes

@chicohaager chicohaager released this 07 Dec 16:20

Security Fixes

Critical

  • IDOR Vulnerabilities - Fixed in diary and budget routes
    • Added shared access_control.py utility
    • Now checks trip owner OR accepted participant
  • Path Traversal - Fixed in photo deletion
    • Validates filename and resolves path within upload directory
  • CSRF Middleware Bug - Fixed undefined variable
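
The path traversal fix above describes two steps: validate the filename, then resolve the path and confirm it stays inside the upload directory. The sketch below is an added example, not TravelMind's own code; `resolve_upload`, `UnsafePath` and the flat upload directory layout are assumptions made for illustration, and the filenames in `demo()` are constructed samples.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a client-supplied filename would leave the upload directory."""


def resolve_upload(upload_dir: Path, filename: str) -> Path:
    """Return the real path of `filename` inside `upload_dir`, or raise UnsafePath."""
    # Step 1: validate the filename itself. It must be a single path component.
    if not filename or "\x00" in filename or filename in (".", ".."):
        raise UnsafePath("empty or reserved filename")
    if "/" in filename or "\\" in filename:
        raise UnsafePath("filename contains a path separator")
    # Step 2: resolve symlinks on both sides and check containment on real paths.
    # Comparing path components (not string prefixes) avoids accepting a sibling
    # directory such as "uploads_old" when the base is "uploads".
    base = upload_dir.resolve()
    target = (base / filename).resolve()
    if base not in target.parents:
        raise UnsafePath("path resolves outside the upload directory")
    return target


def demo() -> dict:
    """Run constructed sample filenames against a throwaway upload directory."""
    samples = ["beach.jpg", "../secret.txt", "/etc/passwd",
               "..\\secret.txt", "link.jpg", ".."]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "beach.jpg").write_bytes(b"constructed sample")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("outside the upload directory")
        os.symlink(secret, uploads / "link.jpg")  # passes step 1, fails step 2
        for name in samples:
            try:
                resolve_upload(uploads, name)
                results[name] = "allowed"
            except UnsafePath as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:20} {verdict}")
```

The `link.jpg` case shows why the resolve step is needed in addition to filename validation: the name is a clean single component, but its real path lies outside the directory.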

High Priority

  • Password Reset Token Reuse - Tokens now invalidated after use
    • New password_changed_at field tracks when password was changed
    • Tokens issued before password change are rejected

Rate Limiting

  • Photo upload: 60/min → 15/min (prevents storage DoS)
  • Audio transcription: New 10/hour limit (prevents API cost abuse)

Files Changed

  • backend/middleware/security.py
  • backend/models/user.py
  • backend/routes/budget.py
  • backend/routes/diary.py
  • backend/routes/password_reset.py
  • backend/utils/access_control.py (new)
  • backend/utils/rate_limits.py

v1.2.1 - bcrypt fix

@chicohaager chicohaager released this 07 Dec 14:47

Fixes

  • Fix bcrypt version compatibility with passlib (4.1.2 → 4.0.1)
  • Fix hardcoded German text in TripDetail - now uses i18n translations
  • Add missing translation keys for: description, period, destination, travelDiary, statistics, visited, diaryEntries, photos, interactiveMapAndRoutes

Languages

All 4 languages updated: English, German, French, Spanish

v1.2.0 - Security & Bug Fixes

@chicohaager chicohaager released this 07 Dec 14:18

Security Fixes (HIGH severity)

  • Fix missing authentication in diary photo deletion
  • Fix export endpoints auth bypass in diary routes
  • Add trip ownership verification to all timeline endpoints
  • Fix timezone issues with datetime.now(timezone.utc)

Frontend Bug Fixes

  • Fix React rules violation (setState during render) in TimelineView
  • Fix Blob URL memory leak in DiaryModal
  • Fix DOM manipulation error handling in TripDetail export
  • Replace hardcoded German text with translation keys

Database Migration

  • Remove SQLite support - PostgreSQL only
  • Simplify database.py for single database engine

Translation Improvements

  • Add missing keys across all 4 languages (en, de, es, fr)
  • Complete ES and FR translations

New Feature

  • Add ShareButton component

Docker Images

docker pull chicohaager/travelmind-backend:latest
docker pull chicohaager/travelmind-frontend:latest

v1.1.0 - Multi-language Support

@chicohaager chicohaager released this 06 Dec 18:02

What's New

Multi-Language Support

  • 4 Languages: English, German, French, Spanish
  • Automatic browser language detection
  • Easy language switching in the app
  • Namespace-based i18n architecture (25 namespaces per language)

New Features

  • Lightbox: Full-screen image viewing in diary entries with keyboard navigation
  • Expandable Diary Entries: "Read more" functionality for long entries
  • IndexedDB Fallback: Graceful offline support
  • Request ID Middleware: Better request tracing
  • Health Check Endpoint: Detailed system monitoring
  • GDPR Data Export: Compliant user data export
  • Password Reset Flow: JWT-based email verification
  • Database Backups: Automated backup scripts

Improvements

  • Production Docker optimization with multi-stage builds
  • Enhanced rate limiting configuration
  • Improved OpenAPI documentation

Bug Fixes

  • Fixed Settings page "t is not defined" error
  • Fixed Diary "Weiterlesen" button not working
  • Fixed IndexedDB availability check

Security

  • Audit logging for sensitive operations
  • Improved rate limiting per endpoint

Docker Images

docker pull chicohaager/travelmind-frontend:1.1.0
docker pull chicohaager/travelmind-backend:1.1.0

Quick Start

curl -O https://raw.githubusercontent.com/chicohaager/TravelMind/main/docker-compose.hub.yml
docker-compose -f docker-compose.hub.yml up -d