Security:
- rooms: rate-limit /invite-email (SMTP spam relay), validate share
target user exists, guard timingSafeEqual against length mismatch
in the presentation route (500 -> 403)
- analytics: verify callback token before parsing the 5mb body so
unauthenticated callers cannot buffer large payloads
- caldav: rate-limit failed Basic-Auth attempts (token brute force),
lowercase email lookup, case-insensitive principal check
- auth: fall back to the in-memory rate-limit store when Redis is
unavailable; previously every rate-limited endpoint (incl. login)
returned 500 when the Redis connection was down
UI/copy:
- Home: factual hero copy and feature cards (6 instead of 9), fix
double-rendered feature icon, remove fake stats row and pill badge;
keep the background gradient and card layout
- i18n: consistent informal tone, drop trailing exclamation marks
from status toasts, remove emoji from transactional emails
- new favicon (logo.svg), restore theme-based default brand logo
Chore:
- gitignore SQLite WAL/SHM files
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bug fixes:
- bbb.js: replace undefined t('defaultWelcome') call that threw a
ReferenceError when a room had an empty welcome message, breaking
meeting creation. Default welcome and the guest-invite hint are now
localised via the i18n system (new "bbb" namespace in de/en).
- auth.js: app name was read from the never-written 'branding' settings
key, so custom names never appeared in verification emails or the TOTP
issuer. Now resolved through a shared getAppName() helper.
- auth.js: lowercase the email in the registration duplicate check so
case-variant duplicates return a clean 409 instead of a 500 (UNIQUE
violation).
- federation.js: select the user's "language" column so federation
invite emails respect the recipient's language instead of always
defaulting to English.
- calendar.js: a set reminder could not be cleared. COALESCE treated an
explicit reminder_minutes: null as "keep existing"; use a direct
assignment that distinguishes "omitted" (keep) from "null" (clear).
- index.js / analytics.js: exclude the BBB learning-analytics callback
from the global 100kb body limit and give it its own 5mb limit, since
analytics payloads for large meetings can be several MB.
Cleanup:
- Add server/config/appName.js as the single source of truth for the
app name (admin setting -> APP_NAME env -> 'Redlight') and use it in
auth, admin, rooms, calendar and federation, replacing the previous
mix of wrong DB key, direct app_name reads and bare process.env reads.
- Localise the BBB default welcome message in the room owner's language.
- Remove two unused safeAppName variables in mailer.js.
Michelle