94 Box Youth Boxing Foundation

Changelog

Recent updates to the kiosk app. Contact us if you notice any issues.

2025-10-04 — Admin Registration Toggle & Security Updates
  • NEW: Admin can now enable/disable member registration from Settings page.
  • Registration toggle takes effect immediately across entire application.
  • When disabled: Sign Up links hidden, /signup blocked with friendly message, existing members can still check in.
  • Settings page shows current status, last updated timestamp, and confirmation dialog.
  • SECURITY FIX: Set the HttpOnly, Secure and SameSite=Lax flags on the session cookie.
  • Session cookies are now protected against theft via XSS (HttpOnly), interception by a man-in-the-middle over plain HTTP (Secure), and cross-site request forgery (SameSite=Lax).
  • Admin sessions auto-expire after 30 minutes of inactivity with auto-refresh on activity.
  • Custom session cookie name 'gym_session' to reduce fingerprinting.
  • Comprehensive code review completed: 4/5 stars with detailed security analysis.
  • CORS policy updated from wildcard (*) to whitelist of specific allowed origins.
  • Allowed origins: localhost (ports 53407, 54883), members.waipahuboxingclub.org, 135.148.146.142.
  • Added Access-Control-Allow-Credentials support for authenticated cross-origin requests.
  • Added X-Content-Type-Options: nosniff security header.
  • Added X-CSRFToken to allowed CORS headers (preparation for CSRF protection).
  • Identified a critical open issue: missing CSRF protection (the session security fixes above are complete; CSRF token enforcement remains to be implemented).
  • Created comprehensive documentation: APP_REVIEW.md, CRITICAL_FINDINGS.md, ARCHITECTURE_OVERVIEW.md, CORS_CONFIGURATION.md, SIGNUP_TOGGLE_FEATURE.md, SESSION_SECURITY.md.
  • Documented 20+ recommendations prioritized into immediate, short-term, medium-term, and long-term actions.
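The following is an added, stdlib-only example of the header and cookie rules this entry describes; it is not the kiosk app's own code. It shows why a CORS allowlist with credentials must echo the exact allowed origin rather than a wildcard, adds the nosniff header, renders the 'gym_session' cookie with the three flags, and includes an audit helper that reports which protective attributes a Set-Cookie header lacks. The origin schemes, the function names and the idle-timeout helper are assumptions; only the host list, the cookie name and the 30-minute limit come from the entry.

```python
"""Response hardening for the kiosk app: CORS allowlist, nosniff, session cookie flags.

Added example (stdlib only), not the project's own code. Hosts, cookie name and
the 30-minute idle limit come from the changelog; schemes and names are assumed.
"""
from http.cookies import SimpleCookie

# Schemes are an assumption; the changelog lists hosts and ports only.
ALLOWED_ORIGINS = frozenset({
    "http://localhost:53407",
    "http://localhost:54883",
    "https://members.waipahuboxingclub.org",
    "https://135.148.146.142",
})
SESSION_COOKIE_NAME = "gym_session"
IDLE_LIMIT_SECONDS = 30 * 60


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """CORS headers for one request; {} (no CORS grant) when the Origin is not allowed.

    Browsers refuse 'Access-Control-Allow-Origin: *' alongside
    'Access-Control-Allow-Credentials: true', so the exact allowed origin is
    echoed back, and 'Vary: Origin' keeps caches from serving it to other origins.
    """
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "Content-Type, X-CSRFToken",
        "Vary": "Origin",
    }


def baseline_headers():
    """Headers every response carries regardless of origin."""
    return {"X-Content-Type-Options": "nosniff"}


def session_set_cookie(value, name=SESSION_COOKIE_NAME):
    """Render a Set-Cookie header: HttpOnly (no script access), Secure (HTTPS only), SameSite=Lax."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return jar.output(header="").strip()


def audit_set_cookie(header):
    """Return the protective attributes missing from a Set-Cookie header (empty list = OK)."""
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")
    return missing


def session_is_active(last_seen_ts, now_ts, idle_limit=IDLE_LIMIT_SECONDS):
    """Inactivity rule (epoch seconds): the caller stores now_ts as last_seen on every
    request that passes, so activity refreshes the window and an idle admin expires
    after 30 minutes."""
    return now_ts - last_seen_ts < idle_limit


if __name__ == "__main__":
    print(cors_headers("https://members.waipahuboxingclub.org"))
    print(session_set_cookie("opaque-session-id"))
    print(audit_set_cookie("session=abc; Path=/"))
```

In a Flask app the cookie part of this is configuration rather than code: SESSION_COOKIE_NAME, SESSION_COOKIE_HTTPONLY, SESSION_COOKIE_SECURE, SESSION_COOKIE_SAMESITE, PERMANENT_SESSION_LIFETIME and SESSION_REFRESH_EACH_REQUEST cover the cookie name, the three flags, the 30-minute lifetime and the refresh-on-activity behaviour. The audit helper is the useful part for a deploy check: run it against the Set-Cookie header the live site actually returns.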
2025-09-24 — Admin Features & Code Quality
  • Added admin member delete functionality with cascade handling (removes associated check-ins).
  • Added 'Danger Zone' UI section in member edit page with JavaScript confirmation dialog.
  • Code refactoring: consolidated scattered imports to top of file, removed duplicate admin_required decorator.
  • UI cleanup: removed 'Open Signup (capture)' button from admin member edit page.
  • Flash messages for delete operations show member name for clarity.
  • Proper transaction rollback on delete errors ensures data integrity.
2025-09-24 — Infrastructure & Backups
  • CI deploy now creates a gzip-compressed SQLite backup of gym.db before Alembic migrations and retains the last 10 backups.
  • Database backups are non-fatal (a failed backup does not abort the deploy) and use the SQLite online backup API with a timeout.
  • CI deploy ensures proper ownership (www-data) and permissions before migrations.
  • Nginx/systemd/AppArmor update jobs are idempotent (reload only when config changes).
  • Migrations run as service user to avoid permission issues on gym.db and .venv.
  • Support for duplicate email addresses in signups (unique constraint removed).
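An added example of the backup step described above, written in Python rather than taken from the project's CI script: the database is copied with SQLite's online backup API under a busy timeout, the copy is gzip-compressed and stamped with the UTC time, only the newest 10 copies are kept, and a failure is logged instead of aborting. The function names, the 'members' table and the rows that run_demo() creates are constructed for this example.

```python
"""Online SQLite backup with gzip and retention, as the CI deploy step does it.

Added example, not the project's own CI script. Names and the sample rows
used by run_demo() are constructed for this example.
"""
import gzip
import logging
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

log = logging.getLogger("backup")


def backup_sqlite(db_path, backup_dir, keep=10, timeout=10.0, now=None):
    """Snapshot a live database to <backup_dir>/<stem>-<UTC stamp>.db.gz and prune."""
    db_path, backup_dir = Path(db_path), Path(backup_dir)
    if not db_path.is_file():          # connect() would silently create an empty db
        raise FileNotFoundError(db_path)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    raw = backup_dir / f"{db_path.stem}-{stamp}.db"
    final = backup_dir / f"{db_path.stem}-{stamp}.db.gz"

    # The backup API copies page by page while readers/writers keep working;
    # `timeout` bounds how long we wait if a writer currently holds the lock.
    src = sqlite3.connect(db_path, timeout=timeout)
    try:
        dst = sqlite3.connect(raw)
        try:
            src.backup(dst)
        finally:
            dst.close()
    finally:
        src.close()

    with open(raw, "rb") as f_in, gzip.open(final, "wb") as f_out:
        shutil.copyfileobj(f_in, f_out)
    raw.unlink()
    prune_backups(backup_dir, db_path.stem, keep)
    return final


def prune_backups(backup_dir, stem, keep):
    """Delete all but the newest `keep` backups; names sort by their UTC stamp."""
    backups = sorted(Path(backup_dir).glob(f"{stem}-*.db.gz"))
    excess = max(len(backups) - keep, 0)
    for old in backups[:excess]:
        old.unlink()
    return backups[excess:]


def verify_backup(gz_path):
    """Decompress a backup to a temp file and run PRAGMA integrity_check on it."""
    with tempfile.NamedTemporaryFile(suffix=".db", delete=False) as tmp:
        with gzip.open(gz_path, "rb") as f_in:
            shutil.copyfileobj(f_in, tmp)
        tmp_path = Path(tmp.name)
    try:
        conn = sqlite3.connect(tmp_path)
        try:
            (status,) = conn.execute("PRAGMA integrity_check").fetchone()
        finally:
            conn.close()
    finally:
        tmp_path.unlink()
    return status == "ok"


def backup_or_warn(db_path, backup_dir, **kwargs):
    """Non-fatal wrapper for CI: a failed backup is logged and the deploy continues."""
    try:
        return backup_sqlite(db_path, backup_dir, **kwargs)
    except (sqlite3.Error, OSError) as exc:
        log.warning("database backup skipped: %s", exc)
        return None


def run_demo():
    """Constructed scenario: 12 backups a minute apart; expect 10 retained, all valid."""
    work = Path(tempfile.mkdtemp())
    try:
        db = work / "gym.db"
        conn = sqlite3.connect(db)
        conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)")
        conn.executemany("INSERT INTO members (name) VALUES (?)", [("Ana",), ("Ben",), ("Cy",)])
        conn.commit()
        conn.close()
        t0 = datetime(2025, 9, 24, 3, 0, tzinfo=timezone.utc)
        created = [backup_sqlite(db, work / "backups", now=t0 + timedelta(minutes=i))
                   for i in range(12)]
        kept = sorted((work / "backups").glob("gym-*.db.gz"))
        return {
            "created": len(created),
            "retained": len(kept),
            "oldest_kept": kept[0].name,
            "all_valid": all(verify_backup(p) for p in kept),
            "missing_db_is_nonfatal": backup_or_warn(work / "absent.db", work / "backups") is None,
        }
    finally:
        shutil.rmtree(work)
```

Copying gym.db with cp while gunicorn is writing can capture a torn page set; the backup API avoids that, which is why verify_backup() is worth running on the result before the Alembic migration proceeds. Ownership of the backup directory (www-data in the changelog) is left to the surrounding deploy job.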
2025-09-21 — CI/CD & Deploy Fixes
  • Preserved virtualenv executables (.venv/bin) at 0755 to prevent 'Permission denied' errors when running pip/python/gunicorn.
  • Applied targeted permissions: directories 0750; non-executable files 0640; keep any existing exec bit; uploads 0770; gym.db 0660.
  • Build order: create venv and install dependencies before chown/chmod to avoid permission issues.
  • CI writes systemd env file (/etc/default/boxing_gym) and auto-generates SECRET_KEY when missing; ADMIN_PIN defaults to 9400.
2025-09-21 — Admin & Templates
  • Treat empty SECRET_KEY as unset to avoid Flask session RuntimeError.
  • Enable ADMIN_PIN fallback (default 9400) when no stored hash is set.
  • Add fmt_dt Jinja filter and use it across admin templates to avoid 500s on null/invalid dates.
  • Resolved admin PIN issue; verified login and reset workflow; persistent across reboots.
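An added example covering two entries above, not the project's own CI script: the targeted permission policy from the 2025-09-21 CI/CD entry (directories 0750, non-executable files 0640, executable files keep their bit, uploads 0770, gym.db 0660, .venv/bin 0755) and the systemd env-file generation with SECRET_KEY created when missing, where an empty SECRET_KEY is treated as unset as the Admin & Templates entry describes. The chown to www-data is left out, "keep any existing exec bit" is interpreted as 0750 for executable files, and the function names and the demo tree are constructed for this example.

```python
"""Deploy-time file permissions and systemd env file, as the CI pipeline applies them.

Added example, not the project's own CI script. Mode policy and the
SECRET_KEY/ADMIN_PIN rules come from the changelog; names and the demo tree
are constructed. chown to www-data is left to the surrounding job.
"""
import os
import secrets
import shutil
import stat
import tempfile
from pathlib import Path

DEFAULT_ADMIN_PIN = "9400"


def planned_mode(rel_path, is_dir, current_mode):
    """Decide the mode for one path relative to the app root.

    'Keep any existing exec bit' is read here as: an executable file becomes
    0750 instead of 0640 (world bits are dropped either way).
    """
    parts = Path(rel_path).parts
    if parts[:2] == (".venv", "bin") and not is_dir:
        return 0o755                       # interpreters and gunicorn must stay runnable
    if is_dir:
        return 0o770 if parts[0] == "uploads" else 0o750
    if parts == ("gym.db",):
        return 0o660                       # service user and group both write the SQLite file
    return 0o750 if current_mode & 0o111 else 0o640


def apply_permissions(root):
    """Walk `root`, chmod every entry per planned_mode(); return {rel_path: 'NNNN'}."""
    root = Path(root)
    applied = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            path = Path(dirpath) / name
            if path.is_symlink():          # never follow links out of the tree
                continue
            rel = path.relative_to(root).as_posix()
            mode = planned_mode(rel, is_dir, stat.S_IMODE(path.stat().st_mode))
            os.chmod(path, mode)
            applied[rel] = format(mode, "04o")
    return applied


def render_env_file(existing):
    """Render the content of the systemd EnvironmentFile (/etc/default/boxing_gym).

    SECRET_KEY is generated when missing; an empty value counts as missing because
    Flask raises RuntimeError when the session secret is empty. ADMIN_PIN defaults to 9400.
    """
    secret = existing.get("SECRET_KEY", "").strip() or secrets.token_hex(32)
    pin = existing.get("ADMIN_PIN", "").strip() or DEFAULT_ADMIN_PIN
    return f"SECRET_KEY={secret}\nADMIN_PIN={pin}\n"


def parse_env_file(text):
    """Parse KEY=VALUE lines (comments and blank lines ignored)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def run_demo():
    """Constructed app tree: apply the policy and return the resulting modes."""
    root = Path(tempfile.mkdtemp())
    try:
        for d in (".venv/bin", "uploads", "app/templates"):
            (root / d).mkdir(parents=True)
        for f in (".venv/bin/python", ".venv/bin/gunicorn", "gym.db", "app/wsgi.py",
                  "app/templates/base.html", "deploy.sh"):
            (root / f).write_text("")
        os.chmod(root / "deploy.sh", 0o755)           # a script that should stay executable
        os.chmod(root / ".venv/bin/python", 0o700)    # the stripped mode that broke pip/gunicorn
        return apply_permissions(root)
    finally:
        shutil.rmtree(root)
```

The order matters in the same way the changelog notes: create the venv and install dependencies first, then run apply_permissions(), otherwise pip runs against a tree it cannot write to. Re-running render_env_file() with the parsed existing file as input keeps a previously generated SECRET_KEY stable across deploys, so sessions are not invalidated on every push.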
2025-09-20 — Security & Anti-bot
  • Added an in-memory lockout on admin login: 5 wrong attempts lock the client out for 60 s; the client address is taken from X-Forwarded-For when running behind Nginx.
  • robots.txt now disallows all crawlers (User-agent: *; Disallow: /).
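An added example of the lockout above, not the kiosk app's own code. The thresholds (5 failures, 60 s) come from the entry; the trusted-proxy list, the rule that the failure window equals the lockout length, and the class and function names are assumptions. The address resolution trusts X-Forwarded-For only when the TCP peer is the local Nginx and then takes the last hop the proxy appended, because any earlier values are supplied by the client, and a limiter keyed on them would be trivially bypassed. The clock is injected so the behaviour can be tested without waiting.

```python
"""In-memory lockout for the admin login, keyed on the client address resolved
through X-Forwarded-For only when the request came via the trusted Nginx proxy.

Added example, not the kiosk app's own code. Thresholds come from the changelog;
the trusted-proxy list and names are assumptions; the clock is injectable.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5
LOCKOUT_SECONDS = 60
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})   # assumption: Nginx runs on the same host


def client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Resolve the address to rate-limit on.

    X-Forwarded-For is honoured only when the TCP peer is our own proxy, and then
    the last hop is used (Nginx appends the real client address); earlier hops are
    client-supplied and would let a caller choose which address gets locked.
    """
    if remote_addr in trusted and x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


class LoginLimiter:
    """Track failed admin logins per address; lock after MAX_FAILURES within the window."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> clock value at which the lock expires

    def _expire(self, ip, now):
        window = self._failures[ip]
        while window and now - window[0] > self.lockout_seconds:
            window.popleft()

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]        # lock expired; start with a clean slate
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Call on a wrong PIN; returns True when this failure triggered the lockout."""
        now = self.clock()
        self._expire(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)
        self._locked_until.pop(ip, None)


def run_demo():
    """Constructed scenario with a fake clock: 5 failures lock, the lock lifts after 60 s."""
    now = [1000.0]
    limiter = LoginLimiter(clock=lambda: now[0])
    ip = client_ip("127.0.0.1", "203.0.113.9, 198.51.100.7")   # proxy appended the real client
    events = [limiter.record_failure(ip) for _ in range(5)]
    locked_at_once = limiter.is_locked(ip)
    now[0] += 30
    locked_after_30 = limiter.is_locked(ip)
    now[0] += 31
    locked_after_61 = limiter.is_locked(ip)
    return {"ip": ip, "triggered_on": events.index(True) + 1,
            "locked_at_once": locked_at_once, "locked_after_30": locked_after_30,
            "locked_after_61": locked_after_61}


if __name__ == "__main__":
    print(run_demo())
```

Because the state lives in one process, each gunicorn worker keeps its own counters, so with N workers an attacker effectively gets N times the budget before every worker has locked the address; that is an acceptable trade-off for a kiosk with a handful of admins, and the fix if it ever matters is to move the counters to a shared store.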
2025-09-19 — Bug fixes
  • Resolved HTTPS redirect loop by adding proper 443 server block in Nginx template and forwarding X-Forwarded-Proto.
  • Switched deprecated 'listen ... http2' to 'http2 on;' and added bootstrap snakeoil certs so nginx -t passes before certbot injects LE certs.
  • Signature pads now work reliably on touch devices and kiosk browsers (touch-action:none, passive:false, accurate coords).
2025-09-19 — Platform & TLS
  • Enabled HTTPS via Let's Encrypt (certbot --nginx); valid certificate live.
  • Forced HTTP→HTTPS redirects (except /.well-known/acme-challenge and /healthz).
  • HSTS intentionally not enabled per policy.
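An added example tying together the redirect-loop fix in the Bug fixes entry and the redirect exemptions in the Platform & TLS entry; it is application-side logic in Python, not the project's Nginx template or its code. Behind Nginx the app always sees a plain-HTTP socket, so unless it honours X-Forwarded-Proto every request looks insecure and gets redirected to HTTPS again, which is the loop the entry describes. The exempt paths come from the changelog; the trusted-proxy check and the function names are assumptions.

```python
"""HTTP→HTTPS redirect decision for an app behind Nginx: exempts the ACME challenge
path and /healthz, and trusts X-Forwarded-Proto only from the proxy so that
requests that already arrived over HTTPS are not redirected in a loop.

Added example, not the kiosk app's code or its Nginx template. Exempt paths come
from the changelog; the trusted-proxy list and names are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

EXEMPT_PREFIXES = ("/.well-known/acme-challenge",)
EXEMPT_PATHS = frozenset({"/healthz"})
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})   # assumption: Nginx on the same host


def effective_scheme(url_scheme, remote_addr, x_forwarded_proto=None, trusted=TRUSTED_PROXIES):
    """Scheme the client actually used.

    Only the proxy's own X-Forwarded-Proto is believed; a direct client claiming
    'https' on a plain connection is still redirected.
    """
    if remote_addr in trusted and x_forwarded_proto:
        return x_forwarded_proto.split(",")[0].strip().lower()   # first value: outermost hop
    return url_scheme.lower()


def is_exempt(path):
    """Paths that must stay reachable over HTTP: certbot's challenge and the health check."""
    if path in EXEMPT_PATHS:
        return True
    return any(path == p or path.startswith(p + "/") for p in EXEMPT_PREFIXES)


def https_redirect_target(url, remote_addr, x_forwarded_proto=None):
    """Return the https:// URL to redirect to, or None when no redirect is needed."""
    parts = urlsplit(url)
    if is_exempt(parts.path):
        return None
    if effective_scheme(parts.scheme, remote_addr, x_forwarded_proto) == "https":
        return None
    return urlunsplit(("https",) + tuple(parts[1:]))


if __name__ == "__main__":
    base = "http://members.waipahuboxingclub.org"
    print(https_redirect_target(base + "/checkin?kiosk=1", "127.0.0.1", "http"))
    print(https_redirect_target(base + "/checkin?kiosk=1", "127.0.0.1", "https"))
    print(https_redirect_target(base + "/healthz", "127.0.0.1", "http"))
```

Consistent with the entry's policy, nothing here emits a Strict-Transport-Security header; the redirect alone is what moves clients to HTTPS. Nginx must set X-Forwarded-Proto on the 443 server block for the second case above to return None, which is exactly the change that resolved the loop.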
2025-09-19 — UI
  • Footer aligned to site theme; styles moved to main.css.
  • Footer now shows EIN and optional email (ORG_EMAIL in config).
  • QR code vendored locally and rendering reliability improved.
  • Footer pinned to bottom on short pages.
2025-09-19 — Platform & CI
  • Added global footer with org contact info and vCard QR.
  • Centralized organization settings via app config + context injection.
  • Cleaned up .gitlab-ci.yml and validated with CI linter.
  • Updated .gitignore for temporary artifacts (*.bak, *.new).
2025-09-19 — CI/CD & Ops
  • Replaced runner_perms_check_apparmor with automated apparmor_update as part of deploy.
  • Removed legacy jobs: reload-only, runner_perms_check, runner_perms_check_systemd, backup-db.
  • Deploy pipeline order: systemd_update → apparmor_update → nginx_update → deploy:selfhosted.
  • Auto-deploy now runs on push to main.