- Trust the Forge reverse proxy and force https URLs in production so
generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
loopback / private (RFC1918) addresses to close an SSRF vector in
FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
create/edit components: explicit mimes whitelist (jpeg, png, webp),
max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
the whitelisted keys (top, left, state) with strict type coercion to
prevent storing arbitrary attacker-controlled JSON.
- Add 60 req/min throttle to the public API group and a stricter 10 req/min
throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
Course, Lecturer, and SelfHostedService. created_by stays out of the
whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
and course landing pages.
- Remove unauthenticated /test route that dispatched FetchNostrProfileJob
for a hardcoded user (routes/web.php).
- Enforce created_by ownership check in meetup and lecturer Livewire edit
components; mirror the existing services/edit pattern.
- Replace blind-trust nostrLoggedIn handler with NIP-42-style signed event
verification: server-issued challenge stored in session, client signs a
kind:22242 event, server verifies signature via swentel/nostr-php and
derives npub. Challenge is single-use with 5-minute TTL.
- Validate the ?my[] parameter on the calendar download endpoint as an
array of integers and intersect with the authenticated user's meetups.
- **Added:** Endpoints for submitting highscores (`highscores.store`) and retrieving the leaderboard (`highscores.index`).
- **Implemented:** Validation rules via `StoreHighscoreRequest` to ensure highscore integrity.
- **Included:** `Highscore` model, migration, and factory for data handling and seeding.
- **Enhanced:** Comprehensive feature tests covering submission, updating, retrieval, and payload validation.
- Added `LnurlAuthController` to handle LNURL authentication flow with signature verification, user creation, and session expiry checks.
- Integrated authentication error polling in `nostrLogin.js`.
- Added `LoginKeyFactory` for testing and database seed purposes.
- Created feature tests (`LnurlAuthTest`) to validate LNURL callback, error responses, and session handling.
- Extended `login.blade.php` with dynamic error handling and reset logic for expired sessions.
- Introduce `portal.einundzwanzig.space` with locale settings in `DomainMiddleware`.
- Replace verbose if‑chain in `NostrTrait::getUrl()` with a concise match expression.
- Add `DOMAIN_MAP` constant to `PublishUnpublishedItems` and force URL generation to use the correct domain per country.
- Update command flow: set domain before configuring timezone/locale.
- Added a new `lang/pl.json` file with comprehensive Polish translations.
- Enhanced `lang/es.json` with additional Spanish keys and phrases for better coverage.
- Introduced a new route `meetup/ical` in `api.php` to handle iCal data export.
- Added `ical` method to `MeetupController` returning a 404 response for now.
- Replaced inline language selection logic in `profile.blade.php` with `<x-einundzwanzig.language-selector>`.
- Introduced Hungarian (`hu.json`) translations for improved multilingual support.
- Updated `DomainMiddleware` to include settings for Hungarian locale and portal branding.
- Added `DomainMiddleware` to dynamically set locale, language-country session, and app name based on domain.
- Updated views and components to leverage `lang_country` session for language and region-specific content.
- Enhanced country parameter retrieval with `config('app.domain_country')` as fallback.
- Refined language filtering by scanning available language files dynamically.
- Added language-specific assets and translations (`nl.json`, `es.json`) with improved language-region associations.
- Updated `app-logo-icon` to display region-specific images or default SVGs.
- Improved views with cleaner, dynamic rendering and session-aware functionalities.
- Introduced a `SetTimezone` middleware to dynamically apply user-specific timezones.
- Added a `timezone chooser` component for users to select their timezone.
- Enhanced date and time display in views with `asDate`, `asTime`, and `asDateTime` methods.
- Updated `AppServiceProvider` to leverage `preventLazyLoading` in local environments and set custom `Carbon` instance for dates.
- Expanded configuration with `user-timezone`.
- Integrated timezone support into meetups and events for consistent scheduling.
- Added `publicDisk` configuration to `filesystems.php`.
- Expanded locale translations in `es.json` and `de.json`.
- Implemented RSS, Atom, and JSON feed views.
- Added `feed.php` configuration for feed generation.
- Introduced `ImageController` for image handling.
- Updated application routing to include `api.php`.
Claude