b6fb43cba1
Fix remaining issues: pagination, throttle, i18n, config defaults, indexes
...
- Add pagination to ShopController (50 per page)
- Add throttle:3,10 to radio application store route
- Replace mixed Dutch/English labels in RadioWizardController (English only)
- Replace Dutch error messages in RadioController and RadioSetupController
- Add config('habbo.defaults.avatar_look') for SocialAuthController
- Remove hardcoded default stream URL from RadioSetupController
- Add database indexes for radio_listener_points.earned_at and bans.ip
2026-06-08 19:03:39 +02:00
4d8d22f40a
Security: admin radio routes now require auth+admin.security, CORS default no longer wildcard, README security section
2026-06-04 20:46:07 +02:00
36887244e6
Fix config/app.php missing semicolon (caused 500)
2026-06-04 20:22:51 +02:00
9b5c655c68
High priority fixes: PayPal env(), RadioApiKey Bearer-only, User restrict, SettingsService TTL, PHPStan config, + fix 7 broke points (forceFill)
2026-06-04 20:17:45 +02:00
b2bb1811d0
Medium priority fixes: CORS from env, shared HasRadioSettings trait, lazy RconService, validated() fixes, LogoGenerator hardening, DB indexes, user profile consistency, radio rank N+1 fix
2026-06-04 20:05:36 +02:00
4b6872e5e0
Low priority fixes: debug comments, Fortify cleanup, badge cost setting, profile query merge, User model fixes, VPN constructor cleanup, PayPal POST, PII removal, Dutch→English translations, duplicate rank check, CHANGELOG
2026-06-04 19:57:01 +02:00
1f04979ffe
Remove all auto-update functionality (commands, services, widgets, blades, translations)
2026-06-03 22:54:39 +02:00
e34300a8a1
Add /client/* to CORS paths
2026-05-26 19:15:50 +02:00
e754858c84
Remove nonexistent PHP 8.5 constraint, restrict CORS allowed_headers
2026-05-26 17:08:31 +02:00
769abddeca
Disable Boost browser_logs_watcher by default, remove old browser.log
2026-05-26 17:05:17 +02:00
c0077a6039
Fix session same_site to use env, fix Article model import, remove unused traits
2026-05-26 16:59:49 +02:00
55b5aab458
Security fixes: remove dangerous public scripts, add .htaccess hardening, disable log-viewer by default, remove root index.php
2026-05-26 16:52:09 +02:00
93e6f6a273
Add (bool) type casts to all boolean env() calls across config files
2026-05-26 16:40:52 +02:00
f5c21e36f1
Add (bool) type casts to all boolean env() calls in config/habbo.php
2026-05-26 16:37:29 +02:00
bf3b474ee1
feat: complete configuration and database upgrade to native mariadb driver
2026-05-24 18:43:57 +02:00
81839c7202
chore: update doctrine/dbal to v4, activitylog to v5, sluggable to v4, roadrunner-http to v4
2026-05-23 17:20:57 +02:00
a07d216635
fix: update axios, move env() to config, cache config/routes/events/filament
2026-05-21 16:23:56 +02:00
7f59024bef
fix(security): patch critical security vulnerabilities
...
- Remove User::$guarded = [] to prevent mass assignment attacks
- Enable SQL strict mode and disable emulated prepares (SQL injection prevention)
- Switch password hashing from bcrypt to argon2id (stronger algorithm)
- Enable session encryption to protect session data at rest
- Restrict TrustProxies to localhost only (prevent IP spoofing)
- Restrict CORS allowed_methods via env variable instead of wildcard
- Add PayPal amount mismatch detection to prevent payment manipulation
- Add double-capture prevention (idempotency check)
- Add expected_amount column to transactions table for verification
2026-05-19 19:37:15 +02:00
9d73f82529
Initial commit
2026-05-09 17:32:17 +02:00
root