Implement comprehensive webhook system supporting 40+ event types with automatic retries, HMAC signatures, delivery tracking, REST API, and admin UI. Integrates with Activity logging for automatic event triggering.
- Database: Add webhooks and webhook_deliveries tables (migration 046)
- API: Full CRUD endpoints with read:webhooks/write:webhooks scopes
- UI: Admin interface for webhook management and testing
- Service: Automatic retry with exponential backoff every 5 minutes
- Security: HMAC-SHA256 signature verification
- Tests: Model and service tests included
- Docs: Complete integration guide with examples
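The HMAC-SHA256 signing and verification the first commit lists, as an added example that is not the project's own webhook service. The header name, the `t=...,v1=...` signature layout and the replay tolerance are assumptions; signing the timestamp together with the body is what lets a receiver reject a captured delivery that is replayed later.

```python
"""Webhook delivery signing and receiver-side verification (HMAC-SHA256).

Added example; not code from the TimeTracker repository. Header name,
signature format and tolerance window are assumptions for illustration.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
DEFAULT_TOLERANCE_SECONDS = 300            # assumed replay window


def canonical_body(event):
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(secret, body, timestamp):
    """MAC over '<timestamp>.<body>' so the timestamp cannot be swapped out."""
    message = f"{timestamp}.".encode("utf-8") + body
    digest = hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def build_delivery(secret, event, timestamp=None):
    """Sender side: headers and raw body for one delivery attempt."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = canonical_body(event)
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign(secret, body, ts),
    }
    return headers, body


def parse_signature(header):
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    return int(parts["t"]), parts["v1"]


def verify(secret, body, header, now=None, tolerance=DEFAULT_TOLERANCE_SECONDS):
    """Receiver side: reject malformed, stale, tampered or wrongly-keyed deliveries.

    The MAC is recomputed over the raw request bytes, never over a re-parsed
    object, and compared with compare_digest to avoid a timing side channel.
    """
    try:
        ts, provided = parse_signature(header)
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(
        secret.encode("utf-8"), f"{ts}.".encode("utf-8") + body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample delivery.
    secret = "whsec_constructed_example_secret"
    headers, body = build_delivery(secret, {"event": "task.created", "id": 42})
    print(headers[SIGNATURE_HEADER], verify(secret, body, headers[SIGNATURE_HEADER]))
```

A receiver that stores the signing secret per webhook should look the secret up by the webhook id carried in the request, not trust a secret id supplied in the body; the timestamp check is only useful if the receiver's clock is roughly in sync with the sender's.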
Implement a complete audit logging system to track all changes made to
tracked entities, providing full compliance and accountability capabilities.
Features:
- Automatic tracking of create, update, and delete operations on 25+ models
- Detailed field-level change tracking with old/new value comparison
- User attribution with IP address, user agent, and request path logging
- Web UI for viewing and filtering audit logs with pagination
- REST API endpoints for programmatic access
- Entity-specific history views
- Comprehensive test coverage (unit, model, route, and smoke tests)
Core Components:
- AuditLog model with JSON-encoded value storage and decoding helpers
- SQLAlchemy event listeners for automatic change detection
- Audit utility module with defensive programming for table existence checks
- Blueprint routes for audit log viewing and API access
- Jinja2 templates for audit log list, detail, and entity history views
- Database migration (044) creating audit_logs table with proper indexes
Technical Implementation:
- Uses SQLAlchemy 'after_flush' event listener to capture changes
- Tracks 25+ models including Projects, Tasks, TimeEntries, Invoices, Clients, Users, etc.
- Excludes sensitive fields (passwords) and system fields (id, timestamps)
- Implements lazy import pattern to avoid circular dependencies
- Graceful error handling to prevent audit logging from breaking core functionality
- Transaction-safe logging that integrates with main application transactions
Fixes:
- Resolved login errors caused by premature transaction commits
- Fixed circular import issues with lazy model loading
- Added table existence checks to prevent errors before migrations
- Improved error handling with debug-level logging for non-critical failures
UI/UX:
- Added "Audit Logs" link to admin dropdown menu
- Organized admin menu into logical sections for better usability
- Filterable audit log views by entity type, user, action, and date range
- Color-coded action badges and side-by-side old/new value display
- Pagination support for large audit log datasets
Documentation:
- Added comprehensive feature documentation
- Included troubleshooting guide and data examples
- Created diagnostic scripts for verifying audit log setup
Testing:
- Unit tests for AuditLog model and value encoding/decoding
- Route tests for all audit log endpoints
- Integration tests for audit logging functionality
- Smoke tests for end-to-end audit trail verification
This implementation provides a robust foundation for compliance tracking
and change accountability without impacting application performance or
requiring code changes in existing routes/models.
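Field-level change tracking with old/new comparison and sensitive-field exclusion, as an added example that is not the project's AuditLog model or its SQLAlchemy listener. The field sets, the entry layout and the request-context keys are assumptions; the JSON encode/decode pair mirrors the JSON-encoded value storage the commit describes, and the sample rows are constructed.

```python
"""Field-level audit diff with system/sensitive field exclusion.

Added example; not the project's AuditLog model or after_flush listener.
Field sets, entry layout and context keys are assumptions.
"""
import json
from datetime import date, datetime
from decimal import Decimal

SYSTEM_FIELDS = {"id", "created_at", "updated_at"}                          # assumed
SENSITIVE_FIELDS = {"password", "password_hash", "api_key", "totp_secret"}  # assumed


def _encode_value(value):
    """Coerce ORM column types that json cannot serialise into strings."""
    if isinstance(value, Decimal):
        return str(value)
    if isinstance(value, (datetime, date)):
        return value.isoformat()
    return value


def diff_fields(before, after):
    """Return {field: {"old": ..., "new": ...}} for every changed field,
    skipping system columns and never recording sensitive values at all."""
    changes = {}
    for field in sorted(set(before) | set(after)):
        if field in SYSTEM_FIELDS or field in SENSITIVE_FIELDS:
            continue
        old, new = before.get(field), after.get(field)
        if old != new:
            changes[field] = {"old": _encode_value(old), "new": _encode_value(new)}
    return changes


def build_audit_entry(entity_type, entity_id, action, before, after, ctx):
    """Shape one audit row. An update that changed nothing recordable yields
    None so no-op flushes do not pollute the trail."""
    changes = diff_fields(before, after)
    if action == "update" and not changes:
        return None
    return {
        "entity_type": entity_type,
        "entity_id": entity_id,
        "action": action,
        "changes": json.dumps(changes, sort_keys=True),  # JSON-encoded storage
        "user_id": ctx.get("user_id"),
        "ip_address": ctx.get("ip"),
        "user_agent": ctx.get("user_agent"),
        "request_path": ctx.get("path"),
    }


def decode_changes(entry):
    """Decoding helper paired with the encoder above."""
    return json.loads(entry["changes"])


# Constructed sample rows (not real data).
SAMPLE_BEFORE = {
    "id": 1, "name": "Alpha", "budget": Decimal("100.50"),
    "password_hash": "h1", "updated_at": datetime(2024, 1, 1, 9, 0),
}
SAMPLE_AFTER = dict(
    SAMPLE_BEFORE, name="Beta", budget=Decimal("120.00"),
    password_hash="h2", updated_at=datetime(2024, 1, 2, 9, 0),
)
SAMPLE_CTX = {"user_id": 7, "ip": "203.0.113.5",
              "user_agent": "constructed-agent/1.0", "path": "/projects/1/edit"}

if __name__ == "__main__":
    print(build_audit_entry("Project", 1, "update", SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_CTX))
```

Excluding a field entirely (as above) means a password rotation leaves no audit trace at all; if that matters for compliance, the alternative is to record the field name with masked values rather than skip it.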
Add complete internationalization (i18n) infrastructure supporting 9 languages
including full Right-to-Left (RTL) support for Arabic and Hebrew.
Languages supported:
- English, German, French, Spanish, Dutch, Italian, Finnish (LTR)
- Arabic, Hebrew (RTL with complete layout support)
Core features:
* Flask-Babel configuration with locale selector
* Translation files for all 9 languages (480+ strings each)
* Language selector UI component in header with globe icon
* User language preference storage in database
* RTL CSS support with automatic layout reversal
* Session and user-based language persistence
Model field translation system:
* Created comprehensive i18n helper utilities (app/utils/i18n_helpers.py)
* 17 new Jinja2 template filters for automatic translation
* Support for task statuses, priorities, project statuses, invoice statuses,
payment methods, expense categories, and all model enum fields
* Status badge CSS classes for consistent styling
Technical implementation:
* Language switching via API endpoint (POST /api/language)
* Direct language switching route (GET /set-language/<lang>)
* RTL detection and automatic dir="rtl" attribute
* Context processors for language information in all templates
* Template filters registered globally
Testing and quality:
* 50+ unit tests covering all i18n functionality
* Tests for locale selection, language switching, RTL detection
* Comprehensive test coverage for all translation features
Files added:
- translations/es/LC_MESSAGES/messages.po (Spanish)
- translations/ar/LC_MESSAGES/messages.po (Arabic)
- translations/he/LC_MESSAGES/messages.po (Hebrew)
- app/utils/i18n_helpers.py (translation helper functions)
- app/static/css/rtl-support.css (RTL layout support)
- tests/test_i18n.py (comprehensive test suite)
- scripts/audit_i18n.py (translation audit tool)
Files modified:
- app/config.py: Added 3 languages + RTL configuration
- app/routes/user.py: Language switching endpoints
- app/templates/base.html: Language selector + RTL support
- app/utils/context_processors.py: Language context injection
- app/__init__.py: Registered i18n template filters
- scripts/extract_translations.py: Updated language list
- translations/*/messages.po: Added 70+ model field translations
The infrastructure is production-ready. Model enum fields now automatically
translate in templates using the new filters. Flash messages and some template
strings remain in English until wrapped with translation markers (tracked
separately for incremental implementation).
Implement comprehensive budget monitoring and forecasting feature with:
Database & Models:
- Add BudgetAlert model for tracking project budget alerts
- Create migration 039_add_budget_alerts_table with proper indexes
- Support alert types: 80_percent, 100_percent, over_budget
- Add acknowledgment tracking with user and timestamp
Budget Forecasting Utilities:
- Implement burn rate calculation (daily/weekly/monthly)
- Add completion date estimation based on burn rate
- Create resource allocation analysis per team member
- Build cost trend analysis with configurable granularity
- Add automatic budget alert detection with deduplication
Routes & API:
- Create budget_alerts blueprint with dashboard and detail views
- Add API endpoints for burn rate, completion estimates, and trends
- Implement resource allocation and cost trend API endpoints
- Add alert acknowledgment and manual budget check endpoints
- Fix log_event() calls to use keyword arguments
UI Templates:
- Design modern budget dashboard with Tailwind CSS
- Create detailed project budget analysis page with charts
- Add gradient stat cards with color-coded status indicators
- Implement responsive layouts with full dark mode support
- Add smooth animations and toast notifications
- Integrate Chart.js for cost trend visualization
Project Integration:
- Add Budget Alerts link to Finance navigation menu
- Enhance project view page with budget overview card
- Show budget progress bars with status indicators
- Add Budget Analysis button to project header and dashboard
- Display real-time budget status with color-coded badges
Visual Enhancements:
- Use gradient backgrounds for stat cards (blue/green/yellow/red)
- Add status badges with icons (healthy/warning/critical/over)
- Implement smooth progress bars with embedded percentages
- Support responsive grid layouts for all screen sizes
- Ensure proper type conversion (Decimal to float) in templates
Scheduled Tasks:
- Register budget alert checking job (runs every 6 hours)
- Integrate with existing APScheduler tasks
- Add logging for alert creation and monitoring
This feature provides project managers with real-time budget insights,
predictive analytics, and proactive alerts to prevent budget overruns.
## Payment Analytics Integration
- Add 5 new API endpoints for payment metrics:
  - /api/analytics/payments-over-time - trend visualization
  - /api/analytics/payments-by-status - status distribution
  - /api/analytics/payments-by-method - method breakdown
  - /api/analytics/payment-summary - statistics with period comparison
  - /api/analytics/revenue-vs-payments - collection rate tracking
- Integrate payment data into analytics dashboard with 4 new charts
- Add payment metrics to reports page (total, count, fees, net received)
- Update summary endpoint to include payment statistics
## UI/UX Improvements
- Standardize form styling across all payment templates
- Replace inconsistent Tailwind classes with form-input utility
- Update card backgrounds to use card-light/card-dark
- Fix label spacing to match application patterns
- Ensure consistent border colors and backgrounds
- Replace browser confirm() with system-wide modal for payment deletion
  - Consistent danger variant with warning icon
  - Keyboard support (Enter/Escape)
  - Dark mode compatible
  - Clear messaging about impact on invoice status
## Technical Changes
- Import Payment and Invoice models in analytics and reports routes
- Add proper admin/user scoping for payment queries
- Maintain responsive design across all new components
Closes payment tracking phase 2 (analytics & polish)
Refactored the existing calendar API endpoint to properly display calendar
events, tasks, and time entries with distinct visual representations.
Changes:
- Updated /api/calendar/events endpoint in api.py to use new
CalendarEvent.get_events_in_range() method that fetches all three item types
- Fixed user_id bug where it was defaulting to None instead of current_user.id
- Modified API response format to include all items in unified 'events' array
with item_type field ('event', 'task', 'time_entry') for differentiation
- Updated calendar.js to parse unified response format and filter items by type
- Added visual distinctions:
* Tasks: 📋 emoji, orange (#f59e0b) color, clickable
* Time entries: ⏱ emoji, project-based colors, non-clickable
* Calendar events: 📅 emoji, custom colors, clickable
- Fixed task detail route from /tasks/view/{id} to /tasks/{id}
- Updated all calendar view renderers (month, week, day) to use correct
data structure with extendedProps
- Added cache-busting to calendar.js (v7) and calendar.css (v2)
- Preserved backward compatibility with existing calendar filtering
(project_id, task_id, tags)
The calendar now correctly displays all time tracking data in a unified view
with proper visual hierarchy and interaction patterns.
Fixes: Calendar not showing tasks and time entries
Related: Calendar/Agenda Support feature implementation
Major improvements to the backup restore system with a complete UI overhaul
and enhanced functionality:
UI/UX Improvements:
- Complete redesign of restore page with modern Tailwind CSS
- Added prominent warning banners and danger badges to prevent accidental data loss
- Implemented drag-and-drop file upload with visual feedback
- Added real-time progress tracking with auto-refresh every 2 seconds
- Added comprehensive safety information sidebar with checklists
- Full dark mode support throughout restore interface
- Enhanced confirmation flows with checkbox and modal confirmations
Functionality Enhancements:
- Added dual restore methods: upload new backup or restore from existing server backups
- Enhanced restore route to accept optional filename parameter for existing backups
- Added "Restore" button to each backup in the backups management page
- Implemented restore confirmation modal with critical warnings
- Added loading states and button disabling during restore operations
- Improved error handling and user feedback
Backend Changes:
- Enhanced admin.restore() to support both file upload and existing backup restore
- Added dual route support: /admin/restore and /admin/restore/<filename>
- Added shutil import for file copy operations during restore
- Improved security with secure_filename validation and file type checking
- Maintained existing rate limiting (3 requests per minute)
Frontend Improvements:
- Added interactive JavaScript for file selection, drag-and-drop, and modal management
- Implemented auto-refresh during restore process to show live progress
- Added escape key support for closing modals
- Enhanced user feedback with file name display and button states
Safety Features:
- Pre-restore checklist with 5 verification steps
- Multiple warning levels throughout the flow
- Confirmation checkbox required before upload restore
- Modal confirmation required before existing backup restore
- Clear documentation of what gets restored and post-restore steps
Dependencies:
- Updated flask-swagger-ui from 4.11.1 to 5.21.0
Files modified:
- app/templates/admin/restore.html (complete rewrite)
- app/templates/admin/backups.html (added restore functionality)
- app/routes/admin.py (enhanced restore route)
- requirements.txt (updated flask-swagger-ui version)
- RESTORE_BACKUP_IMPROVEMENTS.md (documentation)
This provides a significantly improved user experience for the restore process
while maintaining security and adding powerful new restore capabilities.
BREAKING CHANGE: Permission system now actively enforced across all routes
## Summary
Complete implementation of advanced role-based access control (RBAC) system
with full route protection, UI conditionals, and enhanced management interface.
## Route Protection
- Updated all admin routes to use @admin_or_permission_required decorator
- Replaced inline admin checks with granular permission checks in:
* Admin routes: user management, settings, backups, telemetry, OIDC
* Project routes: create, edit, delete, archive, bulk operations
* Client routes: create, edit, delete, archive, bulk operations
- Maintained backward compatibility with existing @admin_required decorator
## UI Permission Integration
- Added template helpers (has_permission, has_any_permission) to all templates
- Navigation conditionally shows admin/OIDC links based on permissions
- Action buttons (Edit, Delete, Archive) conditional on user permissions
- Project and client pages respect permission requirements
- Create buttons visible only with appropriate permissions
## Enhanced Roles & Permissions UI
- Added statistics dashboard showing:
* Total roles, system roles, custom roles, assigned users
- Implemented expandable permission details in roles list
* Click to view all permissions grouped by category
* Visual checkmarks for assigned permissions
- Enhanced user list with role visibility:
* Shows all assigned roles as color-coded badges
* Blue badges for system roles, gray for custom roles
* Yellow badges for legacy roles with migration prompt
* Merged legacy role column into unified "Roles & Permissions"
- User count per role now clickable and accurate
## Security Improvements
- Added CSRF tokens to all new permission system forms:
* Role creation/edit form
* Role deletion form
* User role assignment form
- All POST requests now protected against CSRF attacks
## Technical Details
- Fixed SQLAlchemy relationship query issues (AppenderQuery)
- Proper use of .count() for relationship aggregation
- Jinja2 namespace for accumulating counts in templates
- Responsive grid layouts for statistics and permission cards
## Documentation
- Created comprehensive implementation guides
- Added permission enforcement documentation
- Documented UI enhancements and features
- Included CSRF protection review
## Impact
- Permissions are now actively enforced, not just defined
- Admins can easily see who has what access
- Clear visual indicators of permission assignments
- Secure forms with CSRF protection
- Production-ready permission system
Implement a complete expense tracking feature that allows users to record,
manage, approve, and track business expenses with full integration into
existing project management and invoicing systems.
Features:
- Create and manage expenses with detailed information (amount, category,
vendor, receipts, tax tracking)
- Multi-currency support (EUR, USD, GBP, CHF)
- Approval workflow with admin oversight (pending → approved → rejected)
- Reimbursement tracking and status management
- Billable expense flagging for client invoicing
- Receipt file upload and attachment
- Project and client association with auto-client selection
- Tag-based organization and advanced filtering
- CSV export functionality
- Analytics dashboard with category breakdowns
- API endpoints for programmatic access
Database Changes:
- Add expenses table with comprehensive schema
- Create Alembic migration (029_add_expenses_table.py)
- Add composite indexes for query performance
- Implement proper foreign key constraints and cascading
Routes & Templates:
- Add expenses blueprint with 14 endpoints (CRUD, approval, export, API)
- Create 4 responsive templates (list, form, view, dashboard)
- Implement advanced filtering (status, category, project, client, date range)
- Add permission-based access control (user vs admin)
- Integrate receipt file upload handling
User Experience:
- Add "Expenses" to Insights navigation menu
- Auto-populate client when project is selected
- Provide visual feedback for auto-selections
- Display summary statistics and analytics
- Implement pagination and search functionality
Testing & Documentation:
- Add 40+ comprehensive tests covering models, methods, and workflows
- Create complete user documentation (docs/EXPENSE_TRACKING.md)
- Add API documentation and examples
- Include troubleshooting guide and best practices
Integration:
- Link expenses to projects for cost tracking
- Associate with clients for billing purposes
- Connect billable expenses to invoicing system
- Add PostHog event tracking for analytics
- Implement structured logging for audit trail
Security:
- Role-based access control (users see only their expenses)
- Admin-only approval and reimbursement actions
- CSRF protection and file upload validation
- Proper permission checks on all operations
This implementation follows existing codebase patterns and includes full
test coverage, documentation, and database migrations per project standards.
Implemented a comprehensive Weekly Time Goals system that allows users to set
and track weekly hour targets with real-time progress monitoring.
Features:
- WeeklyTimeGoal model with status tracking (active, completed, failed, cancelled)
- Full CRUD interface for managing weekly goals
- Real-time progress calculation based on logged time entries
- Dashboard widget showing current week's goal progress
- Daily breakdown view with detailed statistics
- Automatic status updates based on goal completion and week end
- API endpoints for goal data and progress tracking
Technical changes:
- Added app/models/weekly_time_goal.py with local timezone support
- Created migration 027_add_weekly_time_goals.py for database schema
- Added app/routes/weekly_goals.py blueprint with all CRUD routes
- Created templates: index.html, create.html, edit.html, view.html
- Integrated weekly goal widget into main dashboard
- Added "Weekly Goals" navigation item to sidebar
- Implemented comprehensive test suite in tests/test_weekly_goals.py
- Added feature documentation in docs/WEEKLY_TIME_GOALS.md
Bug fixes:
- Fixed timezone handling to use TZ environment variable instead of Config.TIMEZONE
- Corrected log_event() calls to use proper signature (event name as first positional argument)
- Manually created database table via SQL when Alembic migration didn't execute
Database schema:
- weekly_time_goals table with user_id, target_hours, week_start_date, week_end_date, status, notes
- Indexes on user_id, week_start_date, status, and composite (user_id, week_start_date)
- Foreign key constraint to users table with CASCADE delete
The feature supports flexible week start days per user, calculates remaining hours,
provides daily average targets, and automatically updates goal status based on progress.
Implement comprehensive client notes system allowing users to add
internal notes about clients that are never visible to clients
themselves. Notes support importance flagging, full CRUD operations,
and proper access controls.
Key Changes:
- Add ClientNote model with user/client relationships
- Create Alembic migration (025) for client_notes table
- Implement full REST API with 9 endpoints
- Add client_notes blueprint with CRUD routes
- Create UI templates (edit page + notes section on client view)
- Add importance toggle with AJAX functionality
- Implement permission system (users edit own, admins edit all)
Features:
- Internal-only notes with rich text support
- Mark notes as important for quick identification
- Author tracking with timestamps
- Cascade delete when client is removed
- Mobile-responsive design
- i18n support for all user-facing text
Testing:
- 24 comprehensive model tests
- 23 route/integration tests
- Full coverage of CRUD operations and permissions
Documentation:
- Complete feature guide in docs/CLIENT_NOTES_FEATURE.md
- API documentation with examples
- Troubleshooting section
- Updated main docs index
Database:
- Migration revision 025 (depends on 024)
- Fixed PostgreSQL boolean default value issue
- 4 indexes for query performance
- CASCADE delete constraint on client_id
This feature addresses the need for teams to track important
information about clients internally without exposing sensitive
notes to client-facing interfaces or documents.
Improved the Release Build workflow to clearly show that PostHog and Sentry
credentials are being injected from the GitHub Secret Store, providing better
transparency and auditability.
Changes:
- Enhanced workflow step name to explicitly mention "GitHub Secrets"
- Added comprehensive logging with visual separators and clear sections
- Added before/after file content display showing placeholder replacement
- Added secret availability verification with format validation
- Added detailed error messages with step-by-step fix instructions
- Enhanced release summary to highlight successful credential injection
- Updated build configuration documentation with cross-references
Benefits:
- Developers can immediately see credentials come from GitHub Secret Store
- Security teams have clear audit trail of credential injection process
- Better troubleshooting with detailed error messages
- Secrets remain protected with proper redaction (first 8 + last 4 chars)
- Multiple validation steps ensure correct injection
The workflow now outputs 50+ lines of structured logging showing:
- Secret store location (Settings → Secrets and variables → Actions)
- Target file being modified (app/config/analytics_defaults.py)
- Verification that secrets are available
- Format validation (phc_* pattern for PostHog)
- Confirmation of successful placeholder replacement
- Summary with redacted credential previews
Workflow: .github/workflows/cd-release.yml
Documentation: docs/cicd/README_BUILD_CONFIGURATION.md
Fully backward compatible - no breaking changes.
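The redacted preview, the phc_ format check and the placeholder-replacement verification the release workflow commit describes, as an added example in Python rather than the workflow's own shell steps. The placeholder token, the regex length bound and the report shape are assumptions. It also handles the case the commit's "first 8 + last 4" rule does not cover: a secret short enough that such a preview would reveal it entirely.

```python
"""Log-safe checks for credentials injected from a CI secret store.

Added example; not the cd-release.yml steps. Placeholder token, regex
length bound and report keys are assumptions.
"""
import re

POSTHOG_KEY_PATTERN = re.compile(r"^phc_[A-Za-z0-9]{20,}$")   # assumed length bound
PLACEHOLDER = "__POSTHOG_API_KEY_PLACEHOLDER__"               # assumed marker


def redact(secret, head=8, tail=4):
    """Preview first 8 and last 4 characters. A secret no longer than
    head+tail would be fully exposed by that split, so it is masked whole."""
    if not secret:
        return "<empty>"
    if len(secret) <= head + tail:
        return "*" * len(secret)
    return f"{secret[:head]}...{secret[-tail:]}"


def posthog_key_format_ok(value):
    return bool(value) and POSTHOG_KEY_PATTERN.match(value) is not None


def inject_placeholder(content, placeholder, value):
    """Replace the marker and report how many occurrences changed, so the
    job can fail loudly if the target file no longer contains it."""
    count = content.count(placeholder)
    return content.replace(placeholder, value), count


def injection_report(content, secret_value):
    """Summary suitable for job logs: the secret itself is never echoed."""
    checks = {
        "secret_present": bool(secret_value),
        "format_ok": posthog_key_format_ok(secret_value),
        "preview": redact(secret_value),
    }
    new_content, replaced = inject_placeholder(content, PLACEHOLDER, secret_value or "")
    checks["placeholder_replaced"] = replaced > 0
    checks["leftover_placeholder"] = PLACEHOLDER in new_content
    checks["ok"] = (checks["secret_present"] and checks["format_ok"]
                    and checks["placeholder_replaced"])
    return checks, new_content


# Constructed sample inputs (not a real key or the project's file).
SAMPLE_FILE = 'POSTHOG_API_KEY = "__POSTHOG_API_KEY_PLACEHOLDER__"\n'
SAMPLE_KEY = "phc_" + "A1b2C3d4" * 4

if __name__ == "__main__":
    report, _ = injection_report(SAMPLE_FILE, SAMPLE_KEY)
    print(report)
```

Printing the before/after file content, as the workflow does, is only safe because the "after" line is printed through a redacted preview; a raw diff of the modified file would put the credential into the job log.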
This commit introduces several high-impact features to improve user experience
and productivity:
New Features:
- Activity Logging: Comprehensive audit trail tracking user actions across the
system with Activity model, including IP address and user agent tracking
- Time Entry Templates: Reusable templates for frequently logged activities with
usage tracking and quick-start functionality
- Saved Filters: Save and reuse common search/filter combinations across
different views (projects, tasks, reports)
- User Preferences: Enhanced user settings including email notifications,
timezone, date/time formats, week start day, and theme preferences
- Excel Export: Generate formatted Excel exports for time entries and reports
with styling and proper formatting
- Email Notifications: Complete email system for task assignments, overdue
invoices, comments, and weekly summaries with HTML templates
- Scheduled Tasks: Background task scheduler for periodic operations
Models Added:
- Activity: Tracks all user actions with detailed context and metadata
- TimeEntryTemplate: Stores reusable time entry configurations
- SavedFilter: Manages user-saved filter configurations
Routes Added:
- user.py: User profile and settings management
- saved_filters.py: CRUD operations for saved filters
- time_entry_templates.py: Template management endpoints
UI Enhancements:
- Bulk actions widget component
- Keyboard shortcuts help modal with advanced shortcuts
- Save filter widget component
- Email notification templates
- User profile and settings pages
- Saved filters management interface
- Time entry templates interface
Database Changes:
- Migration 022: Creates activities and time_entry_templates tables
- Adds user preference columns (notifications, timezone, date/time formats)
- Proper indexes for query optimization
Backend Updates:
- Enhanced keyboard shortcuts system (commands.js, keyboard-shortcuts-advanced.js)
- Updated projects, reports, and tasks routes with activity logging
- Safe database commit utilities integration
- Event tracking for analytics
Dependencies:
- Added openpyxl for Excel generation
- Added Flask-Mail dependencies
- Updated requirements.txt
All new features include proper error handling, activity logging integration,
and maintain existing functionality while adding new capabilities.
Improve task workflows and overall UX, and align backend routes with the
new UI flows. Update docs and development setup accordingly.
- UI: refine task list/view/edit templates, project views, and Kanban
partial (`_kanban_tailwind.html`)
- CSS: polish `app/static/enhanced-ui.css` for spacing, layout, and
responsiveness
- Routes: update `app/routes/tasks.py` and `app/routes/clients.py` to
support new edit/delete/filter behaviors and validations
- Templates: align clients/projects pages for consistency and navigation
- Docs: refresh `docs/GETTING_STARTED.md` and
`docs/TASK_MANAGEMENT_README.md`
- Dev: adjust `docker-compose.yml` and `setup.py` to match the latest
runtime/build expectations
- Tests: add coverage for delete actions, task project editing, and task
filters UI (`tests/test_delete_actions.py`,
`tests/test_task_edit_project.py`,
`tests/test_tasks_filters_ui.py`); update existing tests
Why:
- Streamlines common task operations and improves discoverability
- Ensures backend and UI are consistent and well-tested
- Simplify docker-compose setup and align environment defaults
- Update README and Quick Start to reflect the new compose flow
- Refine app initialization and configuration for clearer env handling
- Minor consistency and cleanup in config modules
No breaking changes expected.
Implement comprehensive analytics and monitoring system with PostHog integration,
complete observability stack (Prometheus, Grafana, Loki, Promtail), and CI/CD
workflows for automated builds.
Features:
- Add PostHog telemetry integration with privacy-focused event tracking
- Implement installation flow for opt-in telemetry configuration
- Add telemetry management UI in admin panel with detailed transparency
- Track key user events across all major features (projects, tasks, timer, etc.)
Infrastructure:
- Set up Prometheus for metrics collection
- Configure Grafana for visualization dashboards
- Integrate Loki and Promtail for log aggregation
- Add separate analytics docker-compose configuration
CI/CD:
- Add GitHub Actions workflows for building and publishing Docker images
- Implement separate dev and production build pipelines
- Configure automated image publishing to registry
Documentation:
- Restructure documentation into organized docs/ directory
- Add comprehensive guides for telemetry, analytics, and local development
- Create transparency documentation for tracked events
- Add CI/CD and build configuration guides
Code improvements:
- Integrate telemetry hooks across all route handlers
- Add feature flags and configuration management
- Refactor test suite for analytics functionality
- Clean up root directory by moving docs and removing test artifacts
Breaking changes:
- Requires new environment variables for PostHog configuration
- Docker compose setup now supports analytics stack
Changes: 73 files changed, 955 insertions(+), 14126 deletions(-)
Add comprehensive HTTPS support with two deployment options:
- mkcert for local development with trusted certificates
- Automatic SSL with Let's Encrypt for production
HTTPS Implementation:
- Add docker-compose.https-mkcert.yml for local HTTPS development
- Add docker-compose.https-auto.yml for automatic SSL certificates
- Create Dockerfile.mkcert for certificate generation
- Add setup scripts (setup-https-mkcert.sh/bat)
- Add startup scripts (start-https.sh/bat)
- Add certificate generation script (generate-mkcert-certs.sh)
CSRF and IP Access Fixes:
- Fix CSRF token validation for IP-based access
- Add CSRF troubleshooting documentation
- Update configuration to handle various access patterns
Documentation:
- Add HTTPS_MKCERT_GUIDE.md with setup instructions
- Add README_HTTPS.md with general HTTPS documentation
- Add README_HTTPS_AUTO.md for automatic SSL setup
- Add AUTOMATIC_HTTPS_SUMMARY.md
- Add CSRF_IP_ACCESS_FIX.md and CSRF_IP_FIX_SUMMARY.md
- Add docs/CSRF_IP_ACCESS_GUIDE.md
- Update main README.md with HTTPS information
Configuration:
- Update .gitignore for SSL certificates and nginx configs
- Update env.example with new HTTPS-related variables
- Update docker-compose.yml with SSL configuration options
This enables secure HTTPS access in both development and production
environments while maintaining compatibility with existing deployments.
Implement comprehensive CSRF token management with cookie-based
double-submit pattern to improve security and SPA compatibility.
Changes:
- Add CSRF cookie configuration in app/config.py
* WTF_CSRF_SSL_STRICT for strict SSL validation in production
* CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility
* CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default
* CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings
- Implement CSRF cookie handler in app/__init__.py
* Set CSRF token in cookie after each request
* Configure cookie with secure flags based on environment settings
* Support for double-submit pattern and SPA frameworks
- Add client-side CSRF token management in base.html
* JavaScript utilities for token retrieval and validation
* Cookie synchronization for frameworks that read XSRF-TOKEN
* Auto-refresh mechanism for stale tokens (>15 minutes)
* Pre-submit token validation and refresh
* User notification for missing cookies/tokens
- Clean up docker-compose.yml environment variables
* Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings
* These are now managed through .env files and config.py
This enhancement provides better CSRF protection while maintaining
compatibility with modern JavaScript frameworks and SPA architectures.
- CSRF error handler:
- Treat classic form POSTs as HTML (flash + safe redirect) regardless of
Accept header quirks; return JSON only for XHR/JSON requests
- Add contextual logging (path, method, referrer, user, reason) for diagnostics
- Security/config:
- Enforce strong SECRET_KEY in production (no placeholders, min length);
refuse startup if invalid
- Make SESSION_COOKIE_SAMESITE and REMEMBER_COOKIE_SAMESITE env-driven
while keeping Secure/HttpOnly flags configurable
- Client resilience:
- Refresh CSRF token on window focus in addition to periodic refresh
- Pre-submit refresh if token is stale (>15 minutes)
- Auto-inject/refresh tokens for dynamically added forms via MutationObserver
- UX correctness:
- Ensure tasks.edit_task re-renders with projects/users on validation errors
Fixes #77 (csrf_token_missing_or_invalid)
See: https://github.com/DRYTRIX/TimeTracker/issues/77
Files:
- app/__init__.py
- app/config.py
- app/templates/base.html
- app/routes/tasks.py
Note: In production, a single, persistent SECRET_KEY is required across all instances.
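The cookie-based double-submit pattern of the previous commit and the SECRET_KEY start-up check of this one, as one added example that is not the project's `app/__init__.py` or `app/config.py`. The config keys mirror the commit messages (CSRF_COOKIE_NAME defaulting to XSRF-TOKEN, CSRF_COOKIE_SECURE inheriting from SESSION_COOKIE_SECURE, and so on); the signed-token layout, the placeholder list and the minimum key length are assumptions.

```python
"""Signed double-submit CSRF cookie and SECRET_KEY start-up validation.

Added example; not code from the TimeTracker repository. Token layout,
placeholder list and minimum key length are assumptions.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

MIN_SECRET_KEY_LENGTH = 32                                        # assumed
PLACEHOLDER_SECRET_KEYS = {"changeme", "change-me", "secret",
                           "your-secret-key", "dev", "password"}  # assumed


def secret_key_problem(secret_key, production=True):
    """Return why the key is unacceptable, or None if it is fine."""
    if not production:
        return None
    if not secret_key:
        return "SECRET_KEY is not set"
    if secret_key.strip().lower() in PLACEHOLDER_SECRET_KEYS:
        return "SECRET_KEY is a placeholder value"
    if len(secret_key) < MIN_SECRET_KEY_LENGTH:
        return f"SECRET_KEY shorter than {MIN_SECRET_KEY_LENGTH} characters"
    return None


def validate_secret_key(secret_key, production=True):
    """Refuse start-up (raise) rather than run with a weak signing key."""
    problem = secret_key_problem(secret_key, production)
    if problem:
        raise RuntimeError(problem)
    return secret_key


def csrf_cookie_settings(config):
    """Resolve cookie flags; Secure inherits from SESSION_COOKIE_SECURE."""
    session_secure = bool(config.get("SESSION_COOKIE_SECURE", False))
    return {
        "name": config.get("CSRF_COOKIE_NAME", "XSRF-TOKEN"),
        "secure": bool(config.get("CSRF_COOKIE_SECURE", session_secure)),
        # Not HttpOnly by default: page JavaScript has to read it back.
        "httponly": bool(config.get("CSRF_COOKIE_HTTPONLY", False)),
        "samesite": config.get("CSRF_COOKIE_SAMESITE", "Lax"),
        "domain": config.get("CSRF_COOKIE_DOMAIN"),
    }


def issue_token(secret_key):
    """'nonce.mac': the MAC keeps an attacker who can plant cookies (for
    example from a sibling subdomain) from minting a matching pair."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret_key.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_authentic(secret_key, token):
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(secret_key.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def set_cookie_header(settings, token):
    """Build the Set-Cookie value an after-request hook would emit."""
    jar = SimpleCookie()
    name = settings["name"]
    jar[name] = token
    jar[name]["path"] = "/"
    jar[name]["samesite"] = settings["samesite"]
    if settings["secure"]:
        jar[name]["secure"] = True
    if settings["httponly"]:
        jar[name]["httponly"] = True
    if settings["domain"]:
        jar[name]["domain"] = settings["domain"]
    return jar.output(header="").strip()


def verify_double_submit(secret_key, cookie_token, header_token):
    """Check for a state-changing request: the token echoed in the request
    header must equal the cookie value and carry a valid MAC."""
    if not cookie_token or not header_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False
    return token_is_authentic(secret_key, cookie_token)
```

Because the MAC is keyed with SECRET_KEY, every instance behind a load balancer must share the same key or tokens issued by one instance will fail verification on another, which is the single-persistent-key requirement the note above states.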
This commit introduces a comprehensive Kanban board customization system and
improves CSRF token configuration for Docker deployments.
## Major Features
### 1. Customizable Kanban Board Columns
Add complete kanban column customization system allowing users to define
custom workflow states beyond the default columns.
**New Components:**
- Add KanbanColumn model with full CRUD operations (app/models/kanban_column.py)
- Add kanban routes blueprint with admin endpoints (app/routes/kanban.py)
- Add kanban column management templates (app/templates/kanban/)
- Add migration 019 for kanban_columns table (migrations/)
**Features:**
- Create unlimited custom columns with unique keys, labels, icons, and colors
- Drag-and-drop column reordering with position persistence
- Toggle column visibility without deletion
- Protected system columns (todo, in_progress, done) prevent accidental deletion
- Complete state marking for columns that should mark tasks as done
- Real-time updates via SocketIO broadcasts when columns change
- Font Awesome icon support (5000+ icons)
- Bootstrap color scheme integration
- Comprehensive validation and error handling
**Integration:**
- Update Task model to work with dynamic column statuses (app/models/task.py)
- Update task routes to use kanban column API (app/routes/tasks.py)
- Update project routes to fetch active columns (app/routes/projects.py)
- Add kanban column management links to base template (app/templates/base.html)
- Update kanban board templates to render dynamic columns (app/templates/tasks/)
- Add cache prevention headers to force fresh column data
**API Endpoints:**
- GET /api/kanban/columns - Fetch all active columns
- POST /api/kanban/columns/reorder - Reorder columns
- GET /kanban/columns - Column management interface (admin only)
- POST /kanban/columns/create - Create new column (admin only)
- POST /kanban/columns/<id>/edit - Edit column (admin only)
- POST /kanban/columns/<id>/delete - Delete column (admin only)
- POST /kanban/columns/<id>/toggle - Toggle column visibility (admin only)
### 2. Enhanced CSRF Configuration
Improve CSRF token configuration and documentation for Docker deployments.
**Configuration Updates:**
- Add WTF_CSRF_ENABLED environment variable to all docker-compose files
- Add WTF_CSRF_TIME_LIMIT environment variable with 1-hour default
- Update app/config.py to read CSRF settings from environment
- Add SECRET_KEY validation in app/__init__.py to prevent production deployment
with default keys
**Docker Compose Updates:**
- docker-compose.yml: CSRF enabled by default for security testing
- docker-compose.remote.yml: CSRF always enabled in production
- docker-compose.remote-dev.yml: CSRF enabled with production-like settings
- docker-compose.local-test.yml: CSRF can be disabled for local testing
- Add helpful comments explaining each CSRF-related environment variable
- Update env.example with CSRF configuration examples
**Verification Scripts:**
- Add scripts/verify_csrf_config.sh for Unix systems
- Add scripts/verify_csrf_config.bat for Windows systems
- Scripts check SECRET_KEY, CSRF_ENABLED, and CSRF_TIME_LIMIT settings
### 3. Database Initialization Improvements
- Update app/__init__.py to run pending migrations on startup
- Add automatic kanban column initialization after migrations
- Improve error handling and logging during database setup
### 4. Configuration Management
- Update app/config.py with new CSRF and kanban-related settings
- Add environment variable parsing with sensible defaults
- Improve configuration validation and error messages
## Documentation
### New Documentation Files
- CUSTOM_KANBAN_README.md: Quick start guide for kanban customization
- KANBAN_CUSTOMIZATION.md: Detailed technical documentation
- IMPLEMENTATION_SUMMARY.md: Implementation details and architecture
- KANBAN_AUTO_REFRESH_COMPLETE.md: Real-time update system documentation
- KANBAN_REFRESH_FINAL_FIX.md: Cache and refresh troubleshooting
- KANBAN_REFRESH_SOLUTION.md: Technical solution for data freshness
- docs/CSRF_CONFIGURATION.md: Comprehensive CSRF setup guide
- CSRF_DOCKER_CONFIGURATION_SUMMARY.md: Docker-specific CSRF setup
- CSRF_TROUBLESHOOTING.md: Common CSRF issues and solutions
- APPLY_KANBAN_MIGRATION.md: Migration application guide
- APPLY_FIXES_NOW.md: Quick fix reference
- DEBUG_KANBAN_COLUMNS.md: Debugging guide
- DIAGNOSIS_STEPS.md: System diagnosis procedures
- BROWSER_CACHE_FIX.md: Browser cache troubleshooting
- FORCE_NO_CACHE_FIX.md: Cache prevention solutions
- SESSION_CLOSE_ERROR_FIX.md: Session handling fixes
- QUICK_FIX.md: Quick reference for common fixes
### Updated Documentation
- README.md: Add kanban customization feature description
- Update project documentation with new features
## Testing
### New Test Files
- test_kanban_refresh.py: Test kanban column refresh functionality
## Technical Details
**Database Changes:**
- New table: kanban_columns with 11 columns
- Indexes on: key, position
- Default data: 4 system columns (todo, in_progress, review, done)
- Support for both SQLite (development) and PostgreSQL (production)
**Real-Time Updates:**
- SocketIO events: 'kanban_columns_updated' with action type
- Automatic page refresh when columns are created/updated/deleted/reordered
- Prevents stale data by expiring SQLAlchemy caches after changes
**Security:**
- Admin-only access to column management
- CSRF protection on all column mutation endpoints
- API endpoints exempt from CSRF (use JSON and other auth mechanisms)
- System column protection prevents data integrity issues
- Validation prevents deletion of columns with active tasks
**Performance:**
- Efficient querying with position-based ordering
- Cached column data with cache invalidation on changes
- No-cache headers on API responses to prevent stale data
- Optimized database indexes for fast lookups
## Breaking Changes
None. This is a fully backward-compatible addition.
Existing workflows continue to work with the default columns.
Custom columns are opt-in via the admin interface.
## Migration Notes
1. Run migration 019 to create kanban_columns table
2. Default columns are initialized automatically on first run
3. No data migration needed for existing tasks
4. Existing task statuses map to new column keys
## Environment Variables
New environment variables (all optional with defaults):
- WTF_CSRF_ENABLED: Enable/disable CSRF protection (default: true)
- WTF_CSRF_TIME_LIMIT: CSRF token expiration in seconds (default: 3600)
- SECRET_KEY: Required in production, must be cryptographically secure
See env.example for complete configuration reference.
## Deployment Notes
BREAKING CHANGE: Removed legacy license server in favor of Stripe billing
Major changes:
- Remove license server system (563 lines removed from license_server.py)
- Add multi-tenant support with organizations and memberships
- Integrate Stripe billing and subscription management
- Enhance authentication with 2FA, password reset, and JWT tokens
- Add provisioning and onboarding flows for new customers
- Implement row-level security (RLS) for data isolation
- Add GDPR compliance features and data retention policies
- Enhance admin dashboard with billing reconciliation and customer management
- Add security scanning tools (Bandit, Gitleaks, GitHub Actions workflow)
- Implement rate limiting and enhanced password policies
- Update all routes to support organization context
- Enhance user model with billing and security fields
- Add promo code system for marketing campaigns
- Update Docker initialization for better database setup
Modified files:
- Core: app.py, app/__init__.py, app/config.py
- Models: Enhanced user model (+175 lines), updated all models for multi-tenancy
- Routes: Enhanced admin routes (+479 lines), updated all routes for org context
- Templates: Updated login, admin dashboard, and settings
- Docker: Enhanced database initialization scripts
- Dependencies: Added stripe, pyotp, pyjwt, and security packages
Deleted files:
- app/utils/license_server.py
- docs/LICENSE_SERVER_*.md (3 files)
- templates/admin/license_status.html
- test_license_server.py
New features:
- Organizations and membership management
- Stripe billing integration with webhook handling
- Enhanced authentication (2FA, password reset, refresh tokens)
- GDPR compliance and data export/deletion
- Onboarding checklist for new customers
- Promo code system
- Security enhancements (rate limiting, password policies)
- Admin tools for customer and billing management
Net change: 46 files changed, 1490 insertions(+), 1968 deletions(-)
- Add Comment model with threaded replies and user attribution
- Create Alembic migration (013_add_comments_table.py) for database schema
- Implement complete CRUD operations via comments routes
- Add responsive UI with inline editing and real-time interactions
- Include permission system (users edit own, admins manage all)
- Support soft delete for comments with replies to preserve structure
- Add comprehensive CSS styling with dark theme support
- Integrate comments sections into project and task detail views
- Fix modal z-index and context issues for delete confirmations
- Update README with detailed feature documentation
Technical details:
- Threaded comment structure with parent-child relationships
- API endpoints for comment operations and retrieval
- Mobile-responsive design with touch-friendly interactions
- Internationalization support via Flask-Babel
- Bootstrap 5 modal integration with proper event handling
- Integrate Flask-Babel and i18n utilities; initialize in app factory
- Add `preferred_language` to `User` with Alembic migration (011_add_user_preferred_language)
- Add `babel.cfg` and `scripts/extract_translations.py`
- Add `translations/` for en, de, fr, it, nl, fi
- Update templates to use `_()` and add language picker in navbar/profile
- Respect locale in routes and context processors; persist user preference
- Update requirements and Docker/Docker entrypoint for Babel/gettext support
- Minor copy and style adjustments across pages
Migration: run `alembic upgrade head`
- Improve web interface layout for better user-friendliness and mobile responsiveness
* Update CSS variables for consistent spacing and component sizing
* Enhance card layouts with improved padding, borders, and shadows
* Optimize button and form element dimensions for better touch targets
* Add hover effects and animations for improved user interaction
* Implement responsive grid system with mobile-first approach
- Refactor mobile JavaScript to prevent duplicate initialization
* Consolidate mobile enhancements into dedicated utility classes
* Add initialization guards to prevent double loading
* Implement MobileUtils and MobileNavigation classes
* Remove duplicate event listeners and mobile enhancements
- Fix circular import issue in logo handling
* Replace problematic 'from app import app' with Flask's current_app
* Add error handling for cases where current_app is unavailable
* Improve logo path resolution with fallback mechanisms
* Fix settings model to use proper Flask context
- Clean up template code and remove duplication
* Remove duplicate mobile enhancements from base template
* Clean up dashboard template JavaScript
* Centralize all mobile functionality in mobile.js
* Add proper error handling and debugging
- Update CSS variables and spacing system
* Introduce --section-spacing and --card-spacing variables
* Add mobile-specific spacing variables
* Improve border-radius and shadow consistency
* Enhance typography and visual hierarchy
This commit resolves the double loading issue and logo import errors while
significantly improving the overall user experience and mobile responsiveness
of the web interface.
- Add Task model with full CRUD operations, status tracking, and priority management
- Integrate tasks with existing projects and time entries via foreign key relationships
- Create new Flask routes (/tasks) with admin and user role-based access control
- Implement task status transitions (pending → in_progress → completed → cancelled)
- Add task filtering by status, priority, assignee, and project
- Create responsive Jinja2 templates for task listing, creation, editing, and viewing
- Integrate task selection in timer and manual time entry forms
- Add task management to project dashboards and navigation menus
- Implement automatic database migration system for seamless deployment
- Create migration scripts to add missing tables and columns
- Update startup script to detect and run migrations automatically
- Add comprehensive error handling and validation
- Include full documentation (TASK_MANAGEMENT_README.md)
- Update project structure and main README with new feature details
Database Changes:
- New 'tasks' table with indexes for performance
- Add 'task_id' column to 'time_entries' table
- Automatic migration detection and execution
Technical Implementation:
- SQLAlchemy relationships with proper backrefs and cascading
- Flask-Login integration for role-based access
- Bootstrap 5 responsive UI components
- Font Awesome icons for visual enhancement
- Comprehensive test coverage and error handling
This feature enables users to break down projects into manageable tasks,
track progress, assign work, and maintain better project organization.
- Change analytics dashboard template from `{% block scripts %}` to `{% block extra_js %}`
- Fixes block name mismatch between base.html and analytics dashboard template
- Resolves issue where AnalyticsDashboard JavaScript class was not loading
- Charts now properly initialize and display data from API endpoints
- Maintains all existing functionality while fixing the rendering issue