v2.0.0

@DefinetlyNotAI DefinetlyNotAI released this 18 May 10:07
· 18 commits to main since this release
aa45980

Flask Bank v2.0.0 Release Notes

Major Updates & Fixes

  • Server health endpoint restriction: Server health status is now hidden from non-admin users to prevent unauthorized access (the related 403 error is fixed).
  • Admin wallet syncing: The admin wallet amount now automatically syncs with the currency setting; manual currency changes are supported, after which the admin wallet is reset accordingly.
  • Setup endpoint security: Fixed a critical security vulnerability that allowed unsafe setup calls via app.test_client().post('/api/setup', json={}).
  • Improved Flask security: Hardened the Flask app defaults and integrated Flask-Talisman for better security headers.
  • Content Security Policy (CSP): Migrated all inline JavaScript to external files across 4 key HTML templates to comply with a stricter CSP.
  • Login form validation: Introduced stronger and more robust login form validation rules.
  • Request wallet form validation: Prevented injection of dangerous characters (| and others) into the reason field using a regex check on both the backend and the frontend; the backend check is the one that matters, since the frontend check can be bypassed.
  • Database UI enhancements: Added buttons in the SQL DB settings section to rename the bank or currency names easily.
  • CSRF protection: Enforced CSRF tokens and required name attributes on all forms.
  • API docs and access removal: Removed all references to API_ACCESS and the related documentation to reduce the attack surface.
  • Unified error handling: All JSON and error responses now pass through a centralized error.html template for a consistent user experience.
  • Code formatting and logging: Cleaned and standardized code formatting; replaced all print statements in app.py with enhanced, color-coded logging.
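
The backend side of two of the items above, the regex check on the request-wallet reason field and the CSRF token enforced on every form, as an added example written for this page; it is not Flask Bank's own code, and how the project itself implements either check is not shown here. The allow-list character set, the 200-character cap, the token lifetime, the session id and the handle_wallet_request function are assumptions. It also shows the edge case a strict check must close: a pattern anchored with ^...$ and re.match() still accepts a trailing newline, while re.fullmatch() does not.

```python
import hashlib
import hmac
import re
import secrets
import time

# --- Request-wallet "reason" field ------------------------------------------
# Allow-list: letters, digits, space and a little punctuation. The pipe the
# release notes single out is excluded, as are ; < > " ' & / and newlines.
# The exact character set and the 200-character cap are assumptions.
REASON_CHARS = r"[A-Za-z0-9 .,()?!-]{1,200}"
REASON_RE = re.compile(REASON_CHARS)
# Same allow-list as a JavaScript RegExp source for the frontend check. The
# frontend check is a usability aid; the backend check below is the control.
REASON_JS_PATTERN = "^" + REASON_CHARS + "$"


def naive_validate_reason(reason: str) -> bool:
    """Weak form: '^...$' with re.match(). In Python '$' also matches just
    before a trailing newline, so 'Lunch\\n' passes although '\\n' is not
    in the allow-list."""
    return re.match("^" + REASON_CHARS + "$", reason) is not None


def validate_reason(reason: str) -> bool:
    """Strict form: the entire string must match, nothing before or after."""
    return REASON_RE.fullmatch(reason) is not None


# --- CSRF token (synchronizer pattern, hypothetical implementation) ----------
SECRET_KEY = secrets.token_bytes(32)   # app.secret_key in a real Flask app
TOKEN_TTL_SECONDS = 3600               # assumed token lifetime


def _sign(session_id: str, issued_at: int) -> str:
    """HMAC over session id and issue time: a token minted for one session
    cannot be replayed in another."""
    return hmac.new(SECRET_KEY, f"{session_id}:{issued_at}".encode(),
                    hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now=None) -> str:
    """Value for the hidden <input name="csrf_token"> on every form."""
    issued_at = int(time.time()) if now is None else int(now)
    return f"{issued_at}.{_sign(session_id, issued_at)}"


def verify_csrf_token(session_id: str, token: str, now=None) -> bool:
    """False for missing, malformed, expired, future-dated, foreign-session or
    tampered tokens. compare_digest keeps the comparison constant-time."""
    if not token or "." not in token:
        return False
    ts, sig = token.split(".", 1)
    if not ts.isdigit():
        return False
    issued_at = int(ts)
    current = int(time.time()) if now is None else int(now)
    if issued_at > current or current - issued_at > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(sig, _sign(session_id, issued_at))


# --- A hypothetical request-wallet handler ----------------------------------
def handle_wallet_request(session_id: str, form: dict, now=None):
    """Stand-in for a state-changing Flask view. Returns (status, message).
    Order matters: reject the request before touching any field if the CSRF
    token is bad, then enforce required fields by name, then validate content."""
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), now):
        return 400, "CSRF token missing or invalid"
    missing = [f for f in ("amount", "reason") if not form.get(f)]
    if missing:
        return 400, "missing form fields: " + ", ".join(missing)
    if not form["amount"].isdigit():
        return 400, "amount must be a whole number"
    if not validate_reason(form["reason"]):
        return 400, "reason contains disallowed characters"
    return 200, f"wallet request for {form['amount']} accepted"


if __name__ == "__main__":
    sid = "session-abc"                       # constructed session id
    tok = issue_csrf_token(sid, now=1_700_000_000)
    cases = [                                 # constructed sample submissions
        (sid, {"csrf_token": tok, "amount": "10", "reason": "Lunch with client"}),
        (sid, {"amount": "10", "reason": "Lunch with client"}),
        ("other-session", {"csrf_token": tok, "amount": "10", "reason": "Lunch"}),
        (sid, {"csrf_token": tok, "amount": "10", "reason": "refund | cat /etc/passwd"}),
        (sid, {"csrf_token": tok, "amount": "10", "reason": "Lunch\n"}),
    ]
    for who, form in cases:
        print(handle_wallet_request(who, form, now=1_700_000_010))
    print("naive check accepts 'Lunch\\n':", naive_validate_reason("Lunch\n"))
```

Only the first constructed submission is accepted; the others fail on the missing token, the foreign session, the pipe character and the trailing newline respectively. The newline case is the reason to prefer re.fullmatch() over an anchored re.match() on the backend, and the same allow-list string is reused for the frontend RegExp so the two checks cannot drift apart.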

Breaking Changes

  • The admin_password column in the settings table has been removed to improve security.
  • If upgrading from an older version, run the following SQL (PostgreSQL syntax) to prevent schema conflicts. Back up the settings table first, since dropping the column is irreversible; the statement checks information_schema before dropping, so it is safe to run more than once:
DO $$
BEGIN
    IF EXISTS (
        SELECT 1
        FROM information_schema.columns
        WHERE table_name='settings'
          AND column_name='admin_password'
    ) THEN
        ALTER TABLE settings
        DROP COLUMN admin_password;
    END IF;
END$$;

Thank you for upgrading to Flask Bank v2.0.0. This release significantly improves security, stability, and user experience. For detailed usage and migration instructions, please consult the updated documentation.


Full Changelog: v1.1.2...v2.0.0