Releases: nullata/webui-manager

0.7.5

05 Apr 00:11

New Features

  • ⚠️ Breaking changes ⚠️ DB MIGRATION - Users of v0.6.4 will need to reinitialize their database or run the migration SQL for schema updates.

  • Admin password change - Settings page now includes a dedicated form to update the admin password. Requires the current password, new password, and confirmation. Username remains fixed after initial setup.

  • Login rate limiting - After 5 consecutive failed login attempts from the same IP, the account is locked out for 5 minutes. The lockout is in-memory and resets on app restart.

Security

  • CSRF protection - All POST forms and AJAX requests are now protected with CSRF tokens via Flask-WTF. A csrf_token hidden input was added to every form; JS fetch calls include an X-CSRFToken header read from a <meta> tag.

  • Credential password removed from DOM - The decrypted service password is no longer written to dataset.value on the dashboard card. It is held in a JS closure variable only, preventing DOM inspection attacks.

  • Background image upload hardening - File uploads now enforce a 10 MB size limit and validate magic bytes (JPEG, PNG, GIF, WebP, AVIF) in addition to the extension check. A file claiming to be an image but failing the byte signature check is rejected.

  • Consistent password trimming - All password fields (credential password, SMTP password, admin login, admin setup, admin password change) now call .strip() before use. Prevents silent storage of passwords with leading/trailing spaces.
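
The background image upload check described above can be sketched as follows. This is an added example, not webui-manager's own code: the function names, the extension-to-format mapping, and the rule that the extension must agree with the detected format are assumptions.

```python
import struct

MAX_BYTES = 10 * 1024 * 1024  # 10 MB limit from the release notes
# Extension -> expected format; the mapping itself is an assumption.
EXT_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
              "gif": "gif", "webp": "webp", "avif": "avif"}


def sniff_format(data: bytes):
    """Return the image format named by the leading bytes, or None."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    # WebP: RIFF container, 4-byte length, then the form type "WEBP".
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    # AVIF: ISO-BMFF 'ftyp' box listing brand 'avif' or 'avis'.
    if len(data) >= 16 and data[4:8] == b"ftyp":
        box_len = struct.unpack(">I", data[:4])[0]
        if 16 <= box_len <= 4096:
            body = data[8:box_len]  # major brand, minor version, compatible brands
            brands = [body[:4]] + [body[i:i + 4] for i in range(8, len(body), 4)]
            if b"avif" in brands or b"avis" in brands:
                return "avif"
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an uploaded background image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_FORMAT:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file larger than 10 MB"
    detected = sniff_format(data)
    if detected is None:
        return False, "no known image signature"
    if detected != EXT_FORMAT[ext]:
        return False, "extension does not match content"
    return True, detected

# Constructed sample inputs (headers only, not complete images).
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
AVIF_HEAD = b"\x00\x00\x00\x1cftypmif1\x00\x00\x00\x00mif1avifmiaf"
HTML_AS_PNG = b"<html><script>1</script></html>"
```

A signature check only confirms the leading bytes; it does not prove the rest of the file is a well-formed image.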

Bug Fixes

  • Healthcheck reset on new WebUI - Creating a new WebUI with a blank healthcheck URL would always trigger a healthcheck data reset because '' != None evaluated to True. The comparison now normalises both sides with or '' before comparing.

  • Credential username change without password - Editing a WebUI's stored credential username while leaving the password field blank silently created a mismatched username/password pair (new username, old encrypted password). This is now blocked with an error message directing the user to provide a new password or clear credentials first.

Other

  • Minimize original opinionated UI styling and introduce custom background usage.
  • Code quality changes

Full Changelog: https://github.com/nullata/webui-manager/commits/0.7.5