- Trust the Forge reverse proxy and force https URLs in production so
generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
loopback / private (RFC1918) addresses to close an SSRF vector in
FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
create/edit components: explicit mimes whitelist (jpeg, png, webp),
max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
the whitelisted keys (top, left, state) with strict type coercion to
prevent storing arbitrary attacker-controlled JSON.
- Add 60 req/min throttle to the public API group and a stricter 10 req/min
throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
Course, Lecturer, and SelfHostedService. created_by stays out of the
whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
and course landing pages.
- Remove unauthenticated /test route that dispatched FetchNostrProfileJob
for a hardcoded user (routes/web.php).
- Enforce created_by ownership check in meetup and lecturer Livewire edit
components; mirror the existing services/edit pattern.
- Replace blind-trust nostrLoggedIn handler with NIP-42-style signed event
verification: server-issued challenge stored in session, client signs a
kind:22242 event, server verifies signature via swentel/nostr-php and
derives npub. Challenge is single-use with 5-minute TTL.
- Validate the ?my[] parameter on the calendar download endpoint as an
array of integers and intersect with the authenticated user's meetups.
- **Removed:** `docker-compose.yml`, Sail-specific Dockerfiles, and related scripts for PHP 8.3 setup.
- **Updated:** Documentation to reflect a shift from Docker to a direct PHP-based local development workflow.
- **Removed:** `laravel/sail` dependency from `composer.lock`.
- **Implemented:** `#[Locked]` Livewire attribute across components for read-only properties.
- **Added:** Feature tests to ensure locked properties cannot be tampered with.
- **Removed:** Unused feature and component tests to clean up the codebase.
- **Added:** `RecurrenceType` enum for handling event recurrence modes.
- **Introduced:** City, Country, and Meetup factories for test data generation.
- **Implemented:** Migration to support recurring event fields in `meetup_events` table.
- **Enhanced:** Livewire meetup events creation with recurrence validation and preview logic.
- **Updated:** PHPUnit test suite configuration and composer dependencies for `pestphp/pest@v4.3`.
- **Refined:** SEO configuration (`favicon`) to standardize icon format.
- Replaced `state` and `computed` with `Livewire\Component` implementations in `language/selector.blade.php` for enhanced maintainability.
- Adjusted `login.blade.php` syntax for dynamic href generation and removed commented-out sign-up link.
- Added unique `wire:key` attributes to iterable elements for enhanced performance and reactivity.
- Simplified controller routing and corrected indentation in `web.php`, improving clarity.
- Added `LnurlAuthController` to handle LNURL authentication flow with signature verification, user creation, and session expiry checks.
- Integrated authentication error polling in `nostrLogin.js`.
- Added `LoginKeyFactory` for testing and database seed purposes.
- Created feature tests (`LnurlAuthTest`) to validate LNURL callback, error responses, and session handling.
- Extended `login.blade.php` with dynamic error handling and reset logic for expired sessions.
- Introduced `livewire/livewire` v4 dependency.
- Added `config/livewire.php` for Livewire customization.
- Adjusted `login.blade.php` language fallback logic for session handling.
- Created new Blade layouts (`error.blade.php`, `auth.blade.php`, `app.blade.php`) for unified component architecture.
- Update select options with localized names (`Einundzwanzig Community`, `Allgemeine Bitcoin Community`).
- Wrap the heading text on the landing page with `__()` for proper translation.
🛠️ Add “Keine” placeholder option to community select
✏️ Translate community values (“bitcoin”, “einundzwanzig”) on landing page
🌍 Update German locale strings for community names
- Added a new `lang/pl.json` file with comprehensive Polish translations.
- Enhanced `lang/es.json` with additional Spanish keys and phrases for better coverage.
- Updated HTML indentation and alignment across `top-countries`, `activities`, and `top-meetups` components.
- Applied consistent formatting to dynamic content (e.g., map links, charts).
- Corrected key usage in `NostrTrait` for route parameters related to `meetups`.
- Introduced three new Livewire components for the dashboard:
- Top Countries: Displays countries with the most users.
- Top Meetups: Highlights meetups with the largest user counts.
- Activities: Showcases recent meetups and events.
- Updated `dashboard.blade.php` to lazy-load these components.
- Expanded multilingual support for relevant labels across all languages.
- Introduced `all-meetups` route (`meetups.index-all`) for accessing meetups globally.
- Updated sidebar with a new navigation item for global meetups, including icon and dynamic badge count.
- Enhanced backend logic to handle country-specific and global meetup filtering based on the current route.
- Introduced `FetchNostrProfileJob` for retrieving and updating user Nostr profiles.
- Added Hungarian translations (`auth.php`, `passwords.php`, `validation.php`, and others) for improved localization.
- Integrated Laravel Horizon for enhanced queue management (`HorizonServiceProvider` added, `composer.json` updated).
- Updated German and Spanish language files to fix duplicate keys.
- Minor route addition for testing Nostr profile job dispatch.
- Implemented automatic creation of fallback users with default properties during login if no existing user is found.
- Standardized the redirect logic for the dashboard route with consistent parameter handling.
- Improved readability of route definitions by formatting parameters across multiple lines.
Claude