- Enhanced invoice creation form with auto-fill client data from project selection
- Redesigned invoice edit page with improved layout and quick actions sidebar
- Added new generate-from-time template for adding unbilled time entries and costs
- Improved form styling and added responsive design enhancements
- Added internationalization (i18n) support throughout invoice templates
- Added notes and terms fields to invoice forms
- Implemented item removal functionality in invoice editor
- Added comprehensive tests for new invoice features
- Updated .gitignore to exclude logs directory
- Bumped version from 3.0.0 to 3.2.0
The invoice UI now provides:
- Quick actions panel with export, duplicate, and payment recording links
- Invoice summary sidebar showing totals and status
- Tips and guidance sidebars for better UX
- Client data auto-population when selecting projects
- Improved visual hierarchy and mobile responsiveness
Implement comprehensive CSRF token management with cookie-based
double-submit pattern to improve security and SPA compatibility.
Changes:
- Add CSRF cookie configuration in app/config.py
* WTF_CSRF_SSL_STRICT for strict SSL validation in production
* CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility
* CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default
* CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings
- Implement CSRF cookie handler in app/__init__.py
* Set CSRF token in cookie after each request
* Configure cookie with secure flags based on environment settings
* Support for double-submit pattern and SPA frameworks
- Add client-side CSRF token management in base.html
* JavaScript utilities for token retrieval and validation
* Cookie synchronization for frameworks that read XSRF-TOKEN
* Auto-refresh mechanism for stale tokens (>15 minutes)
* Pre-submit token validation and refresh
* User notification for missing cookies/tokens
- Clean up docker-compose.yml environment variables
* Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings
* These are now managed through .env files and config.py
This enhancement provides better CSRF protection while maintaining
compatibility with modern JavaScript frameworks and SPA architectures.
