v0.3.0
Cross-context login between extension and web, GDPR account deletion, branded error pages, and a hardening pass across auth + payments.
- Cross-context login — sign in once on the extension, the web app picks up the same session automatically.
- Forgot-password flow at /auth/password/forgot and /auth/password/reset.
- Account deletion (GDPR Art. 17) at DELETE /auth/me.
- Branded 404, error, loading, and maintenance pages — replaces the raw framework defaults.
- PWA install support — add to home screen on iOS / Android.
- /community/[id] URLs now in the sitemap.
- Refund Policy page and a non-tracking cookie-consent banner.
- This Changelog page.
- Refresh-token rotation — every /auth/refresh mints a new token and revokes the old one.
- Login lockout after 10 failed logins per username or 30 per IP.
- Password policy: ≥8 chars with at least one letter and one digit.
- Razorpay verify is now idempotent — webhook retries no longer double-credit.
- Production bundles ship without console.log; console.error / warn survive.
- Mannequin feed cached server-side for 30s; pricing-config for 1h.
- Removed the legacy /auth/token endpoint (its 'client_secret' shipped inside the client bundle, so it was effectively public and gave no real client authentication).
- Per-resource ownership checks on tryon, mannequin rate, mannequin tryon, and lineage walks.
- Brute-force protection on /auth/login.
- Request body size cap (15 MiB) and per-request timeout (60s) middleware.
- File upload magic-byte verification — the client-supplied Content-Type header alone is no longer trusted; the leading bytes of the file must match an allowed type.
- CORS allow-list now defaults to empty (was wildcard '*') — a deploy that forgets to configure origins fails closed instead of open.
- Pre-commit + ruff configured for the backend.
- CI on GitHub Actions — backend lint + tests, web + extension build, every PR.
- Composite (user_id, created_at DESC) index speeds up the /history list query.
- Test suite expanded to 132 tests; 87% coverage on net-new services.
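The refresh-token rotation entry above ("every /auth/refresh mints a new token and revokes the old one") in working form. This is an added example, not the project's own auth code: it uses an in-memory store keyed on a hash of the token (a real service would back it with a database) and goes one step beyond the changelog by treating a replay of an already-revoked token as theft and revoking every token in that login's family.

```python
"""Refresh-token rotation: single-use tokens with replay (reuse) detection.

Added example, not the project's code. Store, TTL and family handling are
assumptions for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _fingerprint(token: str) -> str:
    # Persist only a hash so a leaked store does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class _Record:
    user_id: str
    family: str          # every token descended from one login shares a family
    expires_at: float
    revoked: bool = False


class RefreshTokenStore:
    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._records: Dict[str, _Record] = {}

    def issue(self, user_id: str, family: Optional[str] = None) -> str:
        """Mint a fresh refresh token (new family unless continuing one)."""
        token = secrets.token_urlsafe(32)
        self._records[_fingerprint(token)] = _Record(
            user_id=user_id,
            family=family or secrets.token_hex(8),
            expires_at=time.time() + self.ttl,
        )
        return token

    def _revoke_family(self, family: str) -> None:
        for rec in self._records.values():
            if rec.family == family:
                rec.revoked = True

    def refresh(self, presented: str) -> Optional[Tuple[str, str]]:
        """Exchange a valid token for a new one and revoke the old one.

        Returns (user_id, new_token), or None if the token is unknown, expired
        or already used. Reuse of a revoked token is treated as theft: the whole
        family is revoked (assumption beyond the changelog, which only states
        that the old token is revoked).
        """
        rec = self._records.get(_fingerprint(presented))
        if rec is None or rec.expires_at < time.time():
            return None
        if rec.revoked:
            self._revoke_family(rec.family)
            return None
        rec.revoked = True                      # old token is now single-use spent
        new_token = self.issue(rec.user_id, family=rec.family)
        return rec.user_id, new_token


def demo() -> dict:
    """Walk through rotation, a replayed token, and the resulting family kill."""
    store = RefreshTokenStore()
    t1 = store.issue("user-42")
    user, t2 = store.refresh(t1)          # normal rotation: t1 spent, t2 live
    replay = store.refresh(t1)            # attacker replays t1 -> rejected
    current = store.refresh(t2)           # legitimate t2 is dead too: family revoked
    return {
        "rotated": user == "user-42" and t2 != t1,
        "replay_rejected": replay is None,
        "family_revoked": current is None,
    }
```

The reason the family is revoked on replay: at that point the server cannot tell whether the attacker or the real client holds the newer token, so forcing both to log in again is the only safe outcome.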

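The upload magic-byte check described in the list above, as an added example (not the project's upload handler). It sniffs the leading bytes of the file, requires the sniffed type to be on an allow-list, and requires it to agree with the client's declared Content-Type. The allow-list (PNG, JPEG, GIF, WebP) and the sample payloads are assumptions constructed for illustration.

```python
"""Magic-byte verification for uploads: trust the bytes, not the header.

Added example, not the project's code. Allowed types and samples are
constructed assumptions.
"""
from typing import Optional


def sniff_mime(head: bytes) -> Optional[str]:
    """Identify a file from its first bytes; None if no known signature."""
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if head.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":   # RIFF <size> WEBP
        return "image/webp"
    return None


ALLOWED = {"image/png", "image/jpeg", "image/gif", "image/webp"}


class UploadRejected(ValueError):
    pass


def validate_upload(data: bytes, declared_type: str) -> str:
    """Return the verified MIME type or raise UploadRejected.

    Both checks must pass: the sniffed type is allowed, and it equals the
    declared Content-Type (media-type parameters such as charset are ignored).
    """
    declared = declared_type.split(";")[0].strip().lower()
    sniffed = sniff_mime(data[:16])
    if sniffed is None or sniffed not in ALLOWED:
        raise UploadRejected("unrecognised or disallowed file content")
    if declared != sniffed:
        raise UploadRejected(f"declared {declared!r} but content is {sniffed}")
    return sniffed


# Constructed sample payloads (headers only, enough to sniff), not real uploads.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
SAMPLE_WEBP = b"RIFF\x00\x00\x00\x00WEBPVP8 " + b"\x00" * 8
SAMPLE_HTML = b"<html><script>alert(1)</script></html>"


def demo() -> dict:
    """A genuine PNG passes; HTML labelled as PNG and a mislabelled JPEG fail."""
    results = {"png_ok": validate_upload(SAMPLE_PNG, "image/png")}
    cases = [
        ("html_as_png", SAMPLE_HTML, "image/png"),     # stored-XSS attempt
        ("jpeg_declared_png", SAMPLE_JPEG, "image/png"),
    ]
    for name, data, declared in cases:
        try:
            validate_upload(data, declared)
            results[name] = "accepted"
        except UploadRejected:
            results[name] = "rejected"
    return results
```

Magic bytes defeat the simple "HTML with an image Content-Type" trick, but not polyglots that are a valid image and a valid script or archive at once; serve user uploads from a separate origin with `X-Content-Type-Options: nosniff` and a fixed Content-Type so a surviving polyglot cannot run in the app's origin.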