M1
36a7d309fa
feat: /dashboard/checkout/:id route so invoices survive refresh
2026-03-18 23:37:20 +04:00
nate
c9130243e8
feat: crypto payment system with HD wallets, Freedom.st integration, and checkout UI
2026-03-18 23:04:17 +04:00
nate
c89b63bd97
feat: implement free/pro plan system with monitor and interval limits
2026-03-18 22:40:45 +04:00
nate
5295fcfe79
chore: move TOS to /terms, remove from header, remove pricing from footer
2026-03-18 20:59:23 +04:00
nate
13beacbc5a
chore: remove us-east and ap-southeast regions from UI
2026-03-18 20:20:25 +04:00
nate
2d46491dee
chore: remove us-east region from UI, charts, and region selectors
2026-03-18 20:13:11 +04:00
nate
425bfbfc39
perf: optimize monitor runner, fix SSE leak, deduplicate shared utils
2026-03-18 18:44:08 +04:00
M1
07648672ad
feat: per-region chart lines and lowest-avg sparkline
2026-03-18 16:25:47 +04:00
M1
eeb0318c4d
fix: hide login key and sub-keys from sub-key sessions
2026-03-18 11:48:51 +04:00
M1
1a7bc4dfa5
fix: sameSite=none for cross-origin cookie (pingql.com → api.pingql.com)
2026-03-18 11:41:00 +04:00
nate
5a0cf5033b
fix: harden auth, SSRF, query engine, and cookie security
2026-03-18 11:37:33 +04:00
M1
641af86779
fix: separate jsHash for app.js cache busting
2026-03-18 09:43:11 +04:00
M1
841a852491
feat: split web and api into separate apps
2026-03-18 09:33:46 +04:00
M1
7db2889960
feat: add Terms of Service page
2026-03-18 03:52:58 +04:00
M1
ce4411b13b
feat: add 1-20s interval options, lower API minimum to 1s
2026-03-18 03:20:33 +04:00
M1
3df7f4b702
fix: logout properly expires cookie with matching domain/path attributes
2026-03-18 03:08:00 +04:00
M1
bd3c33dda4
fix: jitter = actual check start minus ideal scheduled time, not wall clock at dispatch
2026-03-17 10:54:36 +04:00
M1
27be1fa8bf
fix: jitter_ms now measured in Rust at check start, excludes latency and return trip
2026-03-17 10:52:08 +04:00
M1
f71388a51a
feat: jitter_ms tracking — scheduled_at stamped at dispatch, jitter computed on ingest
2026-03-17 10:44:35 +04:00
M1
5c91cbc522
refactor: convert all static HTML to EJS with cssHash cache-busting, remove stale html files
2026-03-17 09:54:44 +04:00
M1
ac693e55e0
fix: immutable cache-control headers for versioned static assets
2026-03-17 09:45:24 +04:00
M1
41bfe52f10
feat: cache-bust static assets with CSS content hash on startup
2026-03-17 09:44:18 +04:00
M1
a995fe3c94
feat: replace Tailwind CDN with self-hosted pre-built CSS
2026-03-17 09:32:34 +04:00
M1
62b67aaa7c
feat: privacy page at /privacy, drop query language nav link
2026-03-17 08:22:17 +04:00
M1
1495da41fa
chore: remove limits during testing
2026-03-17 07:57:42 +04:00
M1
34fd66f784
feat: pricing page — 10 monitors/30s free, unlimited/5s pro coming soon; enforce 30s min interval
2026-03-17 07:55:07 +04:00
M1
0874583a4f
Revert "fix: static HTML label spans outside swap zone, chart only returns SVG + label update script"
This reverts commit e8bfaa42d7.
2026-03-17 07:34:02 +04:00
M1
e8bfaa42d7
fix: static HTML label spans outside swap zone, chart only returns SVG + label update script
2026-03-17 07:32:39 +04:00
M1
1e90b5f3c2
fix: move min/max labels out of SVG into HTML overlays, no more text stretch
2026-03-17 07:30:28 +04:00
M1
5eb463a03a
fix: SVG h-full so it fills container exactly, no overflow or clipping
2026-03-17 07:28:57 +04:00
M1
66b368453d
refactor: single account-level SSE stream instead of per-monitor connections
2026-03-17 07:06:09 +04:00
M1
749c6f391e
fix: SSE stream 500 — replace error() with plain Response in stream handler
2026-03-17 06:59:43 +04:00
M1
15227b9c6e
fix: key_plain -> key in dashboard query
2026-03-17 06:51:27 +04:00
M1
e461d73ce3
refactor: drop all hashing, store keys plaintext
2026-03-17 06:47:22 +04:00
M1
54c89a5a11
fix: store key_plain on sub-keys, display always in settings with copy button
2026-03-17 06:40:33 +04:00
M1
c684d96d90
fix: rename API Keys -> Sub-Keys, show key inline on creation, no reload
2026-03-17 06:37:29 +04:00
M1
0c65b5e3fa
fix: just show the login key on settings page
2026-03-17 06:33:13 +04:00
M1
b80f4673b2
fix: use standard UUID v4 for keys instead of custom 256-bit hex format
2026-03-17 06:26:52 +04:00
M1
bbd5df8c46
fix: 8 groups of 8 chars, not 16 groups of 4
2026-03-17 06:26:14 +04:00
M1
43a1abc2ed
fix: format keys as XXXX-XXXX-...-XXXX (8 groups), normalize before hashing
Keys are now human-readable grouped hex instead of raw 64-char blobs.
resolveKey() strips dashes before sha256/bcrypt so both formats work.
All key creation paths (register, reset-key, sub-keys) hash the
normalized form. Login placeholder and maxlength updated to match.
2026-03-17 06:25:19 +04:00
M1
b8ac4e7b1f
fix: redirect loop on stale cookie, login broken for 64-char keys, stale docs
- /dashboard now validates key before redirecting to /home — bad/old keys
clear the cookie and show login instead of looping
- Login form: remove old 4-group auto-formatter, fix maxlength 19→64,
fix min length validation 19→10, update placeholder
- New key display: break-all so 64-char hex wraps properly
- docs.html: update example key format and description
2026-03-17 06:22:16 +04:00
M1
6bdd76b4f0
security: auth redesign, SSRF protection, CORS lockdown, and 13 other fixes
- Auth (#2/#3): UUID PK, 256-bit keys, SHA-256 lookup + bcrypt hash
- SSRF (#1): validate URLs, block private IPs, cloud metadata endpoints
- CORS (#4): lock to pingql.com origins, not wildcard
- SSE limit (#6): 10 connections per monitor max
- ReDoS (#7): cap $regex patterns at 200 chars
- Monitor limit (#8): 100 per account default
- Cookie env config (#9): secure/domain from env vars
- Bearer parsing (#10): case-insensitive RFC 6750
- Pings retention (#11): 90-day pruner, hourly interval
- monitors.enabled index (#12): partial index for /internal/due
- Runner locking (#14): locked_until for horizontal scale safety
- COALESCE nullable bug (#17): dynamic PATCH with explicit undefined checks
- MONITOR_TOKEN null guard (#18): startup validation + middleware hardening
- reset-key cookie fix (#16): sets new cookie in response
2026-03-17 06:10:10 +04:00
M1
5071e340c7
fix: SSE-driven chart/sparkline refresh, debounced server-side partials
2026-03-16 21:21:56 +04:00
M1
2f7273604b
refactor: full SSR dashboard, minimal SSE DOM patches, poll-based refresh
2026-03-16 21:14:45 +04:00
M1
0597c7f6e7
fix: set cookie domain to .pingql.com so it works on both subdomains
2026-03-16 17:26:56 +04:00
M1
ef56b47b09
feat: cookie-based auth, SSR dashboard, JS-optional login
2026-03-16 17:25:59 +04:00
M1
31d1fa7b04
fix: SSE via fetch for auth headers, remove query param auth, add heartbeat every 10s
2026-03-16 16:17:33 +04:00
M1
6d48a83560
feat: SSE live ping stream for monitors
2026-03-16 16:14:23 +04:00
M1
0b69fbfc72
fix: requireAuth uses onBeforeHandle instead of error() in derive
2026-03-16 15:56:33 +04:00
M1
3368dbdd7f
feat: custom method, headers, body, timeout on monitors
2026-03-16 15:30:35 +04:00