v1.0.4

Latest

@karl-cta karl-cta released this 02 May 20:42

What's New

Page Lock

  • New per-page read-only mode. Toggle from the tab context menu or the options menu.
  • Lock icon in the tab and "Page is read-only" banner above the editor.
  • Server-enforced (HTTP 423 on locked writes), survives reload and applies to all collaborators.

Page Tabs

  • Reliable drag and drop reordering on desktop and mobile (migrated from framer-motion to dnd-kit, long-press on touch).
  • Optimistic order update: tabs snap into place instantly, with no more reverting to their old positions.
  • Auto-select the page title text when renaming.
  • Fix double-tab flash when switching between notes that both have pages.

Editor UX

  • Single click on a link opens the URL in a new tab (was a no-op before).
  • Tighter font-size scale: XS=12, S=14 (default), M=16, L=18, XL=22, XXL=28.
  • "Modified X ago" refreshes within 500 ms, so checkbox toggles and atomic edits feel instant.
  • Note info chips hidden on mobile, only the "modified" timestamp remains.

Collaboration

  • Collaborator avatars in the presence pill now show uploaded profile pictures (was always falling back to the initial).
  • Presence indicator clears properly when switching from a shared note to a personal one.

Sidebar

  • Larger text in the shared-with-me section (notes 12 to 13 px, owner 11 to 12 px, badge 9 to 10 px).
  • Bigger owner avatars (4×4 to 5×5).

Security

Shannon agentic pentest, 8 vulnerabilities patched:

  • IDOR on uploads: note_uploads pivot table synced on every note/page write, authorization scoped to the referenced note.
  • 2FA bypass: signed pending-2fa token (5 min TTL) now required on /2fa/send-login-code and /2fa/verify.
  • OTP hashing: HMAC-SHA256 with JWT_SECRET instead of raw SHA-256 (blocks local crack of 6-digit code if DB leaks).
  • Access token revocation: jti plus revoked_access_tokens table; logout invalidates immediately, closing the former 15-minute replay window.
  • Rate limit on /password-reset/request (5 per 15 min per IP).
  • Cache-Control: no-store on all /auth/* routes.
  • XSS in search preview: decode HTML entities before strip-tags (double-encoding bypass).
  • TOCTOU on first admin creation: atomic SQLite transaction.
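The search-preview fix above hinges on operation order. The following is an added example (not this project's code) with constructed function names and a constructed note body; it shows why stripping tags before decoding entities lets entity-encoded markup through, and what the decode-then-strip-then-escape order produces instead.

```javascript
// Added example, not the project's code. A plain-text search preview built
// from stored note HTML must decode entities BEFORE stripping tags: in the
// strip-then-decode order, "&lt;b&gt;" passes the stripper untouched (it has
// no '<') and the decoder then revives it as a live "<b>" tag.
// Function names and SAMPLE_NOTE are constructed for this demo.

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode named and numeric (decimal or hex) character references in one pass.
// Unknown names are left as written.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const name = ref.toLowerCase();
    return name in NAMED ? NAMED[name] : whole;
  });
}

// Remove anything shaped like a tag. A letter or '/' must follow '<', so a
// bare comparison such as "1 < 2" in the text is left alone.
function stripTags(s) {
  return s.replace(/<\/?[a-z][^>]*>/gi, '');
}

// Re-escape the final plain text before it is inserted into HTML.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ESCAPES[c]);
}

// Vulnerable order: strip first, decode second. Encoded tags survive the strip
// and come out of the decoder as real markup.
function previewVulnerable(noteHtml) {
  return decodeEntities(stripTags(noteHtml));
}

// Fixed order: decode first so encoded tags become real tags, strip them, then
// escape whatever text remains for output.
function previewFixed(noteHtml) {
  return escapeHtml(stripTags(decodeEntities(noteHtml)));
}

// Constructed note body: the editor saved a paragraph in which the user typed
// the literal text "<b>hi</b>", so it was stored entity-encoded.
const SAMPLE_NOTE = '<p>&lt;b&gt;hi&lt;/b&gt;</p>';
```

With SAMPLE_NOTE, previewVulnerable returns the string `<b>hi</b>` (markup reaching the renderer) while previewFixed returns `hi`.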