feat: release v3.6.1 - security hardening

Security improvements:
- Enhanced CSP headers with frame-ancestors, form-action, base-uri, object-src
- Added rate limiting to all bills, payments, shares, and user search endpoints
- iOS Keychain backup exclusion for JWT tokens (WHEN_UNLOCKED_THIS_DEVICE_ONLY)
- Timing-safe token comparison in models.py
- SQL wildcard escaping for user search to prevent injection
- Mobile app: wrapped sensitive logging in __DEV__ guards

Other changes:
- Structured logging with environment-based configuration
- Fixed N+1 query issues with database indexes
- Mobile app UI improvements for payment history and stats screens

Author: brdweb

README.md

@@ -6,7 +6,7 @@ A **secure multi-user** web application for tracking recurring expenses and inco
 
 ---
 
-## 🎉 What's New in v3.6.0
+## 🎉 What's New in v3.6.1
 
 **Shared Bills & Split Expenses** - The biggest feature release yet! Now you can share bills with other users and track split payments seamlessly.
 

apps/mobile/assets/adaptive-icon.png

@@ -31,6 +31,8 @@
     "react-native": "0.81.5",
     "react-native-chart-kit": "^6.12.0",
     "react-native-gesture-handler": "^2.30.0",
+    "react-native-gifted-charts": "^1.4.70",
+    "react-native-linear-gradient": "^2.8.3",
     "react-native-reanimated": "~4.1.1",
     "react-native-safe-area-context": "~5.6.0",
     "react-native-screens": "~4.16.0",

apps/mobile/assets/icon.png

@@ -8,6 +8,13 @@ const REFRESH_TOKEN_KEY = 'billmanager_refresh_token';
 const CURRENT_DATABASE_KEY = 'billmanager_current_database';
 const LAST_SYNC_KEY = 'billmanager_last_sync';
 
+// Secure storage options for sensitive data (tokens)
+// WHEN_UNLOCKED_THIS_DEVICE_ONLY: Data is only accessible when device is unlocked
+// AND is NOT backed up to iCloud or migrated to a new device
+const SECURE_STORE_OPTIONS: SecureStore.SecureStoreOptions = {
+  keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+};
+
 // API Configuration
 // For local development, use your machine's IP (not localhost)
 // Physical device (Expo Go): use your computer's local IP
@@ -115,8 +122,8 @@ class BillManagerApi {
         this.accessToken = access_token;
         this.refreshToken = refresh_token;
 
-        await SecureStore.setItemAsync(ACCESS_TOKEN_KEY, access_token);
-        await SecureStore.setItemAsync(REFRESH_TOKEN_KEY, refresh_token);
+        await SecureStore.setItemAsync(ACCESS_TOKEN_KEY, access_token, SECURE_STORE_OPTIONS);
+        await SecureStore.setItemAsync(REFRESH_TOKEN_KEY, refresh_token, SECURE_STORE_OPTIONS);
 
         // Set first database as default if available
         if (response.data.data.databases?.length > 0) {
@@ -153,7 +160,7 @@ class BillManagerApi {
 
       if (response.data.success && response.data.data) {
         this.accessToken = response.data.data.access_token;
-        await SecureStore.setItemAsync(ACCESS_TOKEN_KEY, this.accessToken);
+        await SecureStore.setItemAsync(ACCESS_TOKEN_KEY, this.accessToken, SECURE_STORE_OPTIONS);
         return true;
       }
       return false;

apps/mobile/package-lock.json

@@ -58,12 +58,13 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
         loadServerType(),
       ]);
 
-      console.log('[AuthContext] initializeAuth - hasToken:', hasToken, 'serverType:', serverType);
+      if (__DEV__) {
+        console.log('[AuthContext] initializeAuth - hasToken:', hasToken, 'serverType:', serverType);
+      }
 
       if (hasToken) {
         // Verify token is still valid by fetching user info
         const response = await api.getUserInfo();
-        console.log('[AuthContext] initializeAuth - getUserInfo response:', JSON.stringify(response, null, 2));
 
         let userData: User | null = null;
         let databases: DatabaseInfo[] = [];
@@ -98,7 +99,9 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
         }
 
         if (userData) {
-          console.log('[AuthContext] initializeAuth - Setting user:', userData);
+          if (__DEV__) {
+            console.log('[AuthContext] initializeAuth - User authenticated:', userData.username);
+          }
           setState({
             isLoading: false,
             isAuthenticated: true,
@@ -109,7 +112,9 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
           });
           return;
         } else {
-          console.log('[AuthContext] initializeAuth - No user in response, clearing auth');
+          if (__DEV__) {
+            console.log('[AuthContext] initializeAuth - No user in response, clearing auth');
+          }
         }
       }
 
@@ -122,7 +127,9 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
         serverType,
       });
     } catch (error) {
-      console.error('Auth initialization error:', error);
+      if (__DEV__) {
+        console.error('Auth initialization error:', error);
+      }
       const serverType = await loadServerType();
       setState({
         isLoading: false,
@@ -153,7 +160,9 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
     try {
       // First, login to get tokens
       const loginResponse = await api.login(username, password);
-      console.log('[AuthContext] Login response:', JSON.stringify(loginResponse, null, 2));
+      if (__DEV__) {
+        console.log('[AuthContext] Login response success:', loginResponse.success);
+      }
 
       if (!loginResponse.success) {
         return { success: false, error: loginResponse.error || 'Login failed' };
@@ -163,9 +172,7 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
       const serverType = await loadServerType();
 
       // Fetch user info from /me endpoint after login
-      console.log('[AuthContext] Fetching user info from /me');
       const userInfoResponse = await api.getUserInfo();
-      console.log('[AuthContext] getUserInfo response:', JSON.stringify(userInfoResponse, null, 2));
 
       let userData: User | null = null;
       let databases: DatabaseInfo[] = [];
@@ -208,10 +215,14 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
         return { success: true };
       }
 
-      console.error('[AuthContext] Failed to get user info from /me');
+      if (__DEV__) {
+        console.error('[AuthContext] Failed to get user info from /me');
+      }
       return { success: false, error: 'Failed to get user info' };
     } catch (error) {
-      console.error('[AuthContext] Login error:', error);
+      if (__DEV__) {
+        console.error('[AuthContext] Login error:', error);
+      }
       return { success: false, error: 'An unexpected error occurred' };
     }
   }, []);