v4.0.0

BillManager v4.0.0\n\n- Social login with Google and Apple\n- Two-factor authentication with email OTP and passkeys\n- Linked accounts management and security enhancements\n- Release hardening and CI/security fixes

v3.8.0 - Dashboard & Analytics Overhaul

What's New in v3.8.0

New Features

• Dashboard Page - At-a-glance stat cards showing total bills, due this week, overdue count, and monthly total with paid/remaining breakdown
• Upcoming Bills - 7-day lookahead table on Dashboard with pay and edit actions
• Overdue Alerts - Overdue bills highlighted with quick "Pay Now" action
• Analytics Page - Spending trends line chart, account breakdown pie chart, year-over-year comparison bar chart, and yearly summary
• Calendar Improvements - Color-coded days (green=paid, red=overdue, yellow=upcoming), multi-month view (1/3/6), day detail modal
• Filter Indicators - Visual filter banners on Bills and All Payments pages showing active filters with result count and clear button

Improvements

• Sidebar navigation simplified with dedicated page links (Dashboard, Bills, Calendar, Analytics)
• Sidebar footer with version number, license info, and "Need Help?" link
• All Payments page defaults to last 30 days with pre-filled date range
• Dark mode improvements across Analytics yearly summary and filter banners
• Monthly Total stat card shows paid vs remaining breakdown

Security Hardening

• All single-resource API endpoints now handle all-buckets mode correctly (prevents 500 errors)
• Rate limiting (60 req/min) added to new analytics endpoints
• Defensive JSON parsing for bill frequency config (prevents page crashes from malformed data)

Bug Fixes

• Fixed calendar day coloring to accurately reflect bill payment status
• Fixed sidebar month navigation arrows for calendar integration
• Fixed delete/edit payment functionality on All Payments page
• Fixed dark mode rendering for yearly summary table in Analytics

Testing

• 74 Playwright E2E tests across 11 test suites (68 passing, 6 conditional skips)
• New test specs for Dashboard, Calendar, Analytics, and Sidebar navigation
• Expanded test-e2e.sh with analytics API tests and improved reporting

v3.6.1 - Security Hardening

Security Improvements

• Enhanced CSP Headers - Added frame-ancestors, form-action, base-uri, object-src directives to prevent clickjacking, form hijacking, and plugin-based attacks
• Rate Limiting - Added rate limiting to all bills, payments, shares, and user search endpoints (60/min for reads, 30/min for writes, 20/min for sensitive operations)
• iOS Keychain Security - JWT tokens now use WHEN_UNLOCKED_THIS_DEVICE_ONLY to prevent backup/migration to new devices
• Timing-Safe Token Comparison - Email verification tokens now use secrets.compare_digest() to prevent timing attacks
• SQL Injection Prevention - User search endpoints now escape SQL wildcards (%, _, \)
• Mobile Logging Security - Sensitive data logging wrapped in __DEV__ guards to prevent token exposure in production

Other Changes

• Structured Logging - New environment-based logging configuration with JSON format support for production
• Database Performance - Fixed N+1 query issues with additional indexes
• Mobile UI - Improved payment history and stats screens

Upgrade Notes

This is a security-focused release. No database migrations required. Simply update to the latest version to benefit from the security improvements.

Full Changelog: v3.6.0...v3.6.1

v3.6.0 - Shared Bills & Split Expenses

🎉 The biggest feature release yet!

Now you can share bills with other BillManager users and track split payments seamlessly.

✨ Highlights

• Share Bills with Anyone - Share any bill with other BillManager users by username
• Flexible Split Options - Configure splits by percentage (50/50), fixed amount ($500), or equal division
• Real-Time Payment Tracking - See when sharees mark their portion as paid
• Automatic Income Recording - Payments from sharees automatically appear as deposits in your payment history and trends
• Protected Transactions - Sharee payments are view-only for owners; only the person who made the payment can edit or delete it
• Visual Indicators - Shared bills display with a users icon; payment history shows Income vs Expense badges

For Bill Owners

• Create a bill, click "Share Bill", enter the sharee's username
• Configure how the bill is split (percentage, fixed, or equal)
• Track when your sharee marks their portion as paid
• See their payments as income in your monthly trends

For Sharees

• Accept or decline bill share invitations
• View the full bill details and your calculated portion
• Mark your portion as paid with one click
• Your payment appears in your expense history

Technical Changes

• Added share_id column to payments table for tracking shared bill payments
• Updated monthly stats endpoint to properly categorize owner vs sharee payments
• Protected sharee payments from owner edits via API (403 responses)
• Share button text changes to "Edit Bill Sharing" when shares exist
• Shared bills display with users icon indicator inline with bill name
• Confirmation modal for marking shared bill portions as paid

Full Changelog

See the README for complete details.

v3.4.5 - Security fixes

Security Fixes

• Stack trace exposure: Fixed information leakage in Stripe service error responses and webhook handler. Generic error messages are now returned to users instead of internal exception details.
• Password hashing: Added suppression for legacy SHA-256 password migration code (intentional migration path that auto-upgrades passwords to secure hashing on login).

Changes since v3.4.4

• Sanitized error messages in billing endpoints
• Improved webhook error handling

v3.4.4

Bug Fix

• Fix date timezone bug in bill editing - When editing a bill, the due date picker now correctly displays the saved date instead of showing the previous day. This was caused by timezone conversion when loading dates into the date picker.

Technical Details

• Applied parseLocalDate when loading bill data for editing to prevent timezone shift
• Completes the date timezone fixes started in v3.4.3

v3.4.1

What's Changed

Bug Fixes

• Fix initial admin login for self-hosted installations - Users logging in with the initial generated password now properly receive admin rights and access to the default bill group
• Add missing /change-password endpoint to v1 API - The web frontend can now complete the forced password change flow
• Fix logger ordering bug - Logger was being used before it was defined

Technical Details

• Added /change-password endpoint that validates the change token, updates the password, and properly establishes the session
• After password change, users now correctly see their role as admin and have access to the Personal database
• Added comprehensive test for the password change flow

Full Changelog: v3.4.0...v3.4.1

v3.3.6

Fixes

• Fresh install credentials now visible in Docker logs - Initial admin password is printed to stderr so docker logs captures it
• Skip migrations on fresh install - Since db.create_all() creates tables with the current schema, migrations are now marked as applied rather than executed on fresh installs

Docker

docker pull ghcr.io/brdweb/billmanager:3.3.6

On first run, check logs for admin credentials:

docker logs <container_name>

v3.3.5

Changes

• Add ARM64 Docker image support for Raspberry Pi
• Consolidate CI/CD workflows into single build.yml
• Add QEMU emulation for cross-platform builds

Docker

Pull the image:

docker pull ghcr.io/brdweb/billmanager:3.3.5

ARM64 (Raspberry Pi 4/5) and AMD64 architectures are now both supported.

v3.3.4

Bug Fixes

• Fixed admin panel bill groups caching (deleted groups no longer appear, new groups now visible when editing users)
• Fixed biweekly bill frequency advancing by month instead of 2 weeks

UI Improvements

• Redesigned dashboard layout for better responsiveness at various zoom levels
• Added floating back-to-top button
• Added mobile drawer for sidebar on small screens