asa.news - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	fix: P2 security hardening and tier limit parity	Fuwn	2026-02-10	2	-51/+19
\| \| \| \| \| \|	Webhook routes switched from admin client to server client (RLS). Added DNS-resolution SSRF protection for webhook URLs with private IP blocking. Added tier limit parity check script.
*	fix: P0 correctness and security fixes	Fuwn	2026-02-09	2	-2/+2
\| \| \| \| \| \|	- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1) - Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS) - Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
*	security: harden API routes	Fuwn	2026-02-08	1	-6/+44
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	- Add rate limiting to /api/share (30/min), /api/export (5/hr), /api/account/data (3/day) - Add client-side 30s throttle to forgot-password form - Remove immediate tier upgrade on plan change; let invoice.paid webhook handle tier promotion to prevent free upgrades on payment failure - Add SSRF validation to webhook URLs: block localhost, private IPs, link-local, and metadata endpoints - Log Stripe webhook signature verification errors instead of swallowing silently - Mask webhook secret in GET response (show first/last 4 chars only) - Add error logging to API key last_used_at update - Remove internal error message leaking from checkout session route
*	feat: add Vercel BotID protection and fix billing origin fallback	Fuwn	2026-02-08	2	-0/+12
\| \| \| \| \| \| \| \| \|	Set up BotID bot detection on sensitive API routes (share, billing, account, webhook-config). Adds client instrumentation, server-side checkBotId() guards, and withBotId next config wrapper. Also fix checkout/portal session routes to fall back to request origin when NEXT_PUBLIC_APP_URL is not set, and center SVG icon properly.
*	fix: api key prefix rename, revoke fix, and webhook validation	Fuwn	2026-02-07	1	-1/+20
\| \| \| \| \| \|	Rename API key prefix from asn_ to asa_, fix key revoke by aligning response property names with frontend interface, and add server/client validation to prevent enabling webhooks without a URL.
*	style: lowercase all user-facing strings and add custom eslint rule	Fuwn	2026-02-07	2	-13/+13
\| \| \| \| \| \| \| \|	Comprehensive sweep of all user-facing text to enforce lowercase convention, including acronyms (api, rest, http, opml, json, totp, mfa, qr, hmac). Added asa-lowercase/lowercase-strings eslint rule that reports uppercase in notify() calls, error messages, jsx text, and checked attributes (placeholder, alt, title).
*	feat: asa.news RSS reader with developer tier, REST API, and webhooks	Fuwn	2026-02-07	2	-0/+218
	Full-stack RSS reader SaaS: Supabase + Next.js + Go worker. Includes three subscription tiers (free/pro/developer), API key auth, read-only REST API, webhook push notifications, Stripe billing with proration, and PWA support.