
Releases: flutter-news-app-full-source-code/flutter-news-app-api-server-full-source-code

13-07-2025

13 Jul 17:12
46bba64
13-07-2025 Pre-release

🛡️ Authentication System Hardening

This release delivers a focused set of critical security and stability enhancements to the API's authentication system, specifically targeting the dashboard login flow. We have refactored the authorization logic and implemented new security checks to create a more robust and secure login process.

Key Authentication Enhancements

  • Critical Security Fix: Email Verification Check
    A new security check has been added to dashboard login code verification. After the user record is looked up, the email supplied in the request is explicitly compared with the email stored on that record, closing a potential account access loophole in which a valid code could be presented with a different email.

  • Enhanced Dashboard Authorization Logic
    Dashboard login access is now determined by a specific dashboard.login permission instead of a direct role check. The flow also includes a critical re-verification step during code validation to ensure permissions are checked at the exact moment of login.

  • More Resilient API Request Parsing
    The /request-code endpoint has been improved to robustly handle the isDashboardLogin flag whether it is sent as a boolean (true) or a string ("true"), preventing potential client-side errors and improving API resilience.

  • Improved Error Handling & Logging
    The authentication service now captures and logs full stack traces for unexpected exceptions, providing more comprehensive information for debugging. The internal validation logic has also been refactored for better clarity and maintainability.
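The three checks above, worked through on a simplified in-memory model. This is an added example, not code from the project; it is written in Dart on the assumption that the server is a Dart code base. AppUser, PendingCode, AuthError, parseDashboardFlag and verifyLoginCode are names chosen for this illustration, and the one-time codes and users are constructed sample data. The pending-code table is keyed by code, so the user is found through the code, which is exactly why the request email must be compared against the found record rather than trusted.

```dart
// Added example, not the project's code. Names and data are assumptions.

class AppUser {
  AppUser({required this.id, required this.email, required this.permissions});
  final String id;
  final String email;
  final Set<String> permissions; // e.g. {'dashboard.login'}
}

/// A one-time code issued by /request-code, tied to the user it was issued for.
class PendingCode {
  PendingCode({required this.userId, required this.code, required this.expiresAt});
  final String userId;
  final String code;
  final DateTime expiresAt;
}

class AuthError implements Exception {
  AuthError(this.code, this.message);
  final String code; // camelCase error code, matching the API's convention
  final String message;
  @override
  String toString() => '$code: $message';
}

/// Accepts the boolean true and the string "true" (trimmed, case-insensitive);
/// anything else, including a missing value, means a regular app login.
bool parseDashboardFlag(Object? raw) {
  if (raw is bool) return raw;
  if (raw is String) return raw.trim().toLowerCase() == 'true';
  return false;
}

/// Code verification for the login flow.
AppUser verifyLoginCode({
  required Map<String, Object?> body,
  required Map<String, PendingCode> pending,
  required Map<String, AppUser> usersById,
  required DateTime now,
}) {
  final email = (body['email'] as String?)?.trim().toLowerCase();
  final code = body['code'] as String?;
  if (email == null || code == null) {
    throw AuthError('badRequest', 'email and code are required');
  }
  final isDashboardLogin = parseDashboardFlag(body['isDashboardLogin']);

  // Codes are single-use: the entry is removed before any further check, so a
  // failed attempt also consumes it.
  final entry = pending.remove(code);
  if (entry == null || now.isAfter(entry.expiresAt)) {
    throw AuthError('unauthorized', 'invalid or expired code');
  }
  final user = usersById[entry.userId];
  if (user == null) {
    throw AuthError('unauthorized', 'invalid or expired code');
  }
  // Check 1: the email in the request must be the email of the user the code
  // was issued for.
  if (user.email.toLowerCase() != email) {
    throw AuthError('unauthorized', 'email does not match the pending login');
  }
  // Check 2: dashboard.login is re-verified at the moment of login, not only
  // when the code was requested.
  if (isDashboardLogin && !user.permissions.contains('dashboard.login')) {
    throw AuthError('forbidden', 'dashboard login is not permitted');
  }
  return user;
}

void main() {
  final admin = AppUser(id: 'u1', email: 'admin@example.com', permissions: {'dashboard.login'});
  final reader = AppUser(id: 'u2', email: 'reader@example.com', permissions: {});
  final users = {admin.id: admin, reader.id: reader};
  final now = DateTime.utc(2025, 7, 13, 17, 0);
  final ttl = const Duration(minutes: 10);
  final pending = <String, PendingCode>{
    '111111': PendingCode(userId: 'u1', code: '111111', expiresAt: now.add(ttl)),
    '222222': PendingCode(userId: 'u2', code: '222222', expiresAt: now.add(ttl)),
    '333333': PendingCode(userId: 'u1', code: '333333', expiresAt: now.add(ttl)),
  };

  print(parseDashboardFlag(true));   // true
  print(parseDashboardFlag('true')); // true
  print(parseDashboardFlag('yes'));  // false

  final cases = <Map<String, Object?>>[
    {'email': 'admin@example.com', 'code': '111111', 'isDashboardLogin': 'true'},
    {'email': 'reader@example.com', 'code': '222222', 'isDashboardLogin': true},
    {'email': 'reader@example.com', 'code': '333333', 'isDashboardLogin': true},
  ];
  for (final body in cases) {
    try {
      final u = verifyLoginCode(body: body, pending: pending, usersById: users, now: now);
      print('ok: ${u.id}');
    } on AuthError catch (e) {
      print('refused: $e'); // case 2: forbidden; case 3: email does not match
    }
  }
}
```

The third case is the one the email check is for: a code issued to one account is presented together with another account's email, and the request is refused before any session is created. Refusals for a missing user and for a bad code share one message so the endpoint does not reveal which emails are registered.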

12-07-2025

12 Jul 16:53
3283ed3
12-07-2025 Pre-release

🚀 Architectural Revolution: Migration to MongoDB & Enhanced RBAC

This release represents a landmark architectural overhaul of the API. We have completed a full data store migration from PostgreSQL to MongoDB, embracing a more flexible document-oriented model to pave the way for future feature development.

In parallel, we have fundamentally refactored our core data models and rebuilt the user role system from the ground up. The new dual-role RBAC system (appRole and dashboardRole) provides more granular and secure access control, while model renames (Category -> Topic) align the API with our evolving domain language. These changes are supported by significant improvements in logging, configuration, and security enforcement.

✨ Key Architectural Changes

  • Database Migration to MongoDB: The application's primary data store has been completely migrated from PostgreSQL to MongoDB. This involved a comprehensive update of the entire data access layer, repository implementations, and data seeding logic.
  • Enhanced Dual-Role RBAC: The user role system has been overhauled. A user now has distinct appRole (for application features) and dashboardRole (for administrative functions), allowing for more precise and secure permission management across the entire platform.
  • Core Model Refactoring: The Category model has been replaced by Topic, and AppConfig has been replaced by RemoteConfig. These changes are reflected across the database schema, repositories, and all related API endpoints.

🛡️ Security & API Enhancements

  • Ownership Enforcement Middleware: A new middleware has been introduced to enforce data ownership on user-specific records (User, UserAppSettings, etc.). This ensures users can only access or modify their own data, unless they possess administrative privileges.
  • Simplified API Querying: Collection endpoints (/api/v1/data) now accept a generic, JSON-encoded filter parameter for powerful, MongoDB-style queries. This replaces model-specific query parameters.
  • Standardized Error Codes: The error code identifiers returned in API error responses are now standardized to camelCase for better consistency.
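The two controls above, ownership enforcement and a client-supplied JSON filter, interact: a filter that reaches the database unchecked could widen a query beyond the caller's own records or smuggle in operators such as `$where`. The following added example (not the project's code, written in Dart on the assumption that the server is a Dart code base) shows one way to keep both properties: validate the filter against an allow list of fields and operators, then pin it to the caller's ownerId unless the caller is an admin. Principal, OwnedRecord, guardOwnership, scopeFilter and matches are names chosen here, the allow lists are illustrative, and the records are constructed sample data.

```dart
// Added example, not the project's code. Names, allow lists and data are assumptions.

class Principal {
  Principal({required this.id, required this.isAdmin});
  final String id;
  final bool isAdmin;
}

class OwnedRecord {
  OwnedRecord(this.id, this.ownerId, this.fields);
  final String id;
  final String ownerId;
  final Map<String, Object?> fields;
}

/// Single-record rule: the caller may access a record only as its owner or as
/// an admin. A non-owner gets the same null as a missing record, so the
/// response does not reveal whether the id exists.
OwnedRecord? guardOwnership(Principal who, OwnedRecord? record) {
  if (record == null) return null;
  return (who.isAdmin || record.ownerId == who.id) ? record : null;
}

/// Operators a client may use in the JSON filter. Everything else, notably
/// $where, $expr and $regex, is rejected before the filter reaches the database.
const allowedOperators = {r'$eq', r'$ne', r'$in', r'$gt', r'$gte', r'$lt', r'$lte'};

/// Fields a client may filter on for this collection.
const allowedFields = {'status', 'topicId', 'createdAt'};

/// Validates the client filter and, for non-admins, pins it to the caller's own
/// records. ownerId is not a client-filterable field and is written last, so a
/// client cannot widen the query.
Map<String, Object?> scopeFilter(Principal who, Map<String, Object?> clientFilter) {
  final scoped = <String, Object?>{};
  for (final entry in clientFilter.entries) {
    if (!allowedFields.contains(entry.key)) {
      throw FormatException('filtering on "${entry.key}" is not allowed');
    }
    final cond = entry.value;
    if (cond is Map) {
      for (final op in cond.keys) {
        if (!allowedOperators.contains(op)) {
          throw FormatException('operator "$op" is not allowed');
        }
      }
    }
    scoped[entry.key] = cond;
  }
  if (!who.isAdmin) scoped['ownerId'] = who.id;
  return scoped;
}

/// Minimal in-memory evaluator for the allowed operators, so the scoped filter
/// can be exercised here without a database.
bool matches(OwnedRecord record, Map<String, Object?> filter) {
  for (final entry in filter.entries) {
    final actual = entry.key == 'ownerId' ? record.ownerId : record.fields[entry.key];
    final cond = entry.value;
    if (cond is! Map) {
      if (actual != cond) return false;
      continue;
    }
    for (final op in cond.entries) {
      final v = op.value;
      final bool ok;
      if (op.key == r'$eq') {
        ok = actual == v;
      } else if (op.key == r'$ne') {
        ok = actual != v;
      } else if (op.key == r'$in') {
        ok = v is List && v.contains(actual);
      } else if (actual is Comparable && v is Comparable) {
        final c = actual.compareTo(v);
        ok = (op.key == r'$gt' && c > 0) || (op.key == r'$gte' && c >= 0) ||
            (op.key == r'$lt' && c < 0) || (op.key == r'$lte' && c <= 0);
      } else {
        ok = false;
      }
      if (!ok) return false;
    }
  }
  return true;
}

void main() {
  final alice = Principal(id: 'alice', isAdmin: false);
  final admin = Principal(id: 'root', isAdmin: true);
  final records = [
    OwnedRecord('r1', 'alice', {'status': 'active', 'topicId': 't1'}),
    OwnedRecord('r2', 'bob', {'status': 'active', 'topicId': 't1'}),
    OwnedRecord('r3', 'alice', {'status': 'archived', 'topicId': 't2'}),
  ];
  final clientFilter = <String, Object?>{'status': {r'$in': ['active', 'archived']}};

  final mine = scopeFilter(alice, clientFilter);
  print(records.where((r) => matches(r, mine)).map((r) => r.id).toList()); // [r1, r3]
  final all = scopeFilter(admin, clientFilter);
  print(records.where((r) => matches(r, all)).map((r) => r.id).toList()); // [r1, r2, r3]
  print(guardOwnership(alice, records[1])?.id); // null: bob's record
  print(guardOwnership(admin, records[1])?.id); // r2

  try {
    scopeFilter(alice, {'status': {r'$where': 'this.ownerId != null'}});
  } on FormatException catch (e) {
    print('rejected: ${e.message}');
  }
}
```

The same filter yields two result sets depending on who sends it, and the ownership restriction is applied server-side after validation, never derived from anything the client supplied.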

🔧 Technical Refinements & Performance

  • Structured Logging: All print() statements have been replaced with a structured Logger, significantly improving system observability and making debugging more efficient.
  • Optimized Dashboard Summary: The dashboard summary endpoint has been optimized to retrieve only document counts, drastically reducing data transfer and improving performance.
  • Centralized Timestamp Handling: A new utility function now centralizes the conversion of DateTime objects to ISO 8601 strings, ensuring data consistency for all model deserialization.
  • Robust Environment Loading: The .env file loading mechanism has been improved to be more resilient, making local development setup more reliable.

06-07-2025

06 Jul 22:45
bf23c06
06-07-2025 Pre-release

🚀 Major Architectural Upgrade: PostgreSQL Database Integration

This release marks a fundamental shift in the application's architecture, migrating the entire data persistence layer from an in-memory solution to a robust PostgreSQL database. This crucial upgrade ensures data durability, provides scalability, and establishes a production-grade foundation for the API.

Alongside this migration, this release also includes a suite of critical fixes and refinements that stabilize the new data layer, improve dependency management, and harden the overall application configuration, ensuring the new system is reliable and robust from day one.

✨ Key Features & Architectural Changes

  • PostgreSQL Data Persistence: The API no longer uses a temporary, in-memory store. All data is now persisted in a PostgreSQL database, configured via the DATABASE_URL environment variable. This is a foundational step towards a production-ready environment.
  • Automated Database Setup & Seeding: A new DatabaseSeedingService has been introduced to automatically and idempotently create all necessary database tables and seed initial data on server startup. This drastically simplifies first-time setup and ensures database consistency across all environments.
  • Centralized Dependency Management: The application's bootstrapping logic has been centralized. Core services and repositories are now managed and provided through a new AppDependencies singleton, ensuring consistent, efficient resource utilization and a cleaner middleware chain.

🔧 Stability Fixes & Core Refinements

  • Robust Data Type Handling: Resolved critical data integrity issues by implementing explicit serialization and deserialization logic for complex data types like DateTime and JSONB when interacting with the PostgreSQL database.
  • Enhanced Environment Configuration: Migrated to the dotenv package for loading environment variables, providing more robust configuration management and better error handling for missing variables.
  • Refined CORS Behavior: The CORS middleware has been improved to dynamically handle localhost origins for development while enforcing a strict CORS_ALLOWED_ORIGIN for production, with added logging for easier debugging.
  • Updated Database Schema: The database schemas and seeding logic for core entities have been updated to support richer data models and ensure correct data population.

05-07-2025

05 Jul 18:15
671691f
05-07-2025 Pre-release

🛡️ Major Authentication & Role Management Overhaul

This release introduces a fundamental refactor of our API's security and user management model. We have transitioned from a single-role assignment to a flexible, multi-role architecture, enabling more granular and powerful access control.

Building on this, we've implemented a context-aware authentication flow that hardens security for the administrative dashboard. Instead of a sign-up process, dashboard access is now strictly limited to pre-existing users with privileged roles, preventing unauthorized access attempts at the earliest stage.

✨ Key Features & Enhancements

Enhanced Role-Based Access Control (RBAC)

  • Multi-Role Architecture: The core system has been re-engineered to support multiple roles per user. A user can now simultaneously be a standardUser, a publisher, and more, allowing for precise permission management.
  • Granular Permission Checks: The PermissionService now leverages the new multi-role system, checking a user's entire list of roles to determine access rights. A new publisher role with content creation permissions has also been introduced.
  • JWT Claims Update: JSON Web Tokens (JWTs) issued by the API now include a complete list of a user's roles, providing client applications with all the necessary information for authorization.

Secure, Context-Aware Authentication

  • Hardened Dashboard Login: The authentication flow is now context-aware. Login attempts to the dashboard (using an is_dashboard_login: true flag) now trigger a strict pre-validation check. This ensures the user's email is already registered and that they possess the required admin or publisher role before an authentication code is sent. This prevents unauthorized users from even initiating a login to the dashboard.
  • Streamlined User Creation: Legacy logic for migrating anonymous guest accounts has been removed from the user creation process, simplifying the overall authentication service and making it more robust.
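The multi-role permission check, the pre-validation of a dashboard login request, and a JWT whose claims carry the full roles list, as an added example that is not the project's code. It is written in Dart on the assumption that the server is a Dart code base, and HS256 signing uses package:crypto (a dependency assumed here; add it to pubspec.yaml). rolePermissions, permissionsFor, hasPermission, canStartDashboardLogin, issueToken and verifyToken are names chosen for this illustration, the role-to-permission table is illustrative, and the user, secret and timestamps are constructed sample data.

```dart
// Added example, not the project's code. Names, table and data are assumptions.
import 'dart:convert';
import 'package:crypto/crypto.dart';

class AppUser {
  AppUser({required this.id, required this.email, required this.roles});
  final String id;
  final String email;
  final List<String> roles; // several at once, e.g. [standardUser, publisher]
}

const rolePermissions = <String, Set<String>>{
  'standardUser': {'headline.read', 'settings.write'},
  'publisher': {'headline.read', 'headline.create'},
  'admin': {'headline.read', 'headline.create', 'headline.delete', 'user.manage'},
};

/// A user's permissions are the union over all of their roles.
Set<String> permissionsFor(List<String> roles) =>
    roles.expand((r) => rolePermissions[r] ?? const <String>{}).toSet();

bool hasPermission(AppUser user, String permission) =>
    permissionsFor(user.roles).contains(permission);

/// Dashboard pre-validation: the email must already belong to a user holding
/// admin or publisher. An unknown email returns false, so no code is sent and
/// no account is created.
const dashboardRoles = {'admin', 'publisher'};
bool canStartDashboardLogin(AppUser? existing) =>
    existing != null && existing.roles.any(dashboardRoles.contains);

String _b64(List<int> bytes) => base64Url.encode(bytes).replaceAll('=', '');
List<int> _hmac(String secret, String input) =>
    Hmac(sha256, utf8.encode(secret)).convert(utf8.encode(input)).bytes;

/// Compact HS256 JWT whose claims carry the complete roles list.
String issueToken(AppUser user, String secret, DateTime now) {
  final header = {'alg': 'HS256', 'typ': 'JWT'};
  final claims = {
    'sub': user.id,
    'email': user.email,
    'roles': user.roles,
    'iat': now.millisecondsSinceEpoch ~/ 1000,
    'exp': now.add(const Duration(hours: 1)).millisecondsSinceEpoch ~/ 1000,
  };
  final signingInput =
      '${_b64(utf8.encode(jsonEncode(header)))}.${_b64(utf8.encode(jsonEncode(claims)))}';
  return '$signingInput.${_b64(_hmac(secret, signingInput))}';
}

/// Recomputes the signature with the server's own algorithm (the token's alg
/// is checked but never used to choose one), compares in constant time, then
/// checks exp. Returns the claims, or null to reject.
Map<String, Object?>? verifyToken(String token, String secret, DateTime now) {
  final parts = token.split('.');
  if (parts.length != 3) return null;
  final expected = _b64(_hmac(secret, '${parts[0]}.${parts[1]}'));
  if (expected.length != parts[2].length) return null;
  var diff = 0;
  for (var i = 0; i < expected.length; i++) {
    diff |= expected.codeUnitAt(i) ^ parts[2].codeUnitAt(i);
  }
  if (diff != 0) return null;
  Map decode(String s) => jsonDecode(utf8.decode(base64Url.decode(base64Url.normalize(s)))) as Map;
  if (decode(parts[0])['alg'] != 'HS256') return null;
  final claims = decode(parts[1]).cast<String, Object?>();
  final exp = claims['exp'];
  if (exp is! int || now.millisecondsSinceEpoch ~/ 1000 >= exp) return null;
  return claims;
}

void main() {
  final editor = AppUser(id: 'u7', email: 'editor@example.com', roles: ['standardUser', 'publisher']);
  print(hasPermission(editor, 'headline.create')); // true, via publisher
  print(hasPermission(editor, 'user.manage'));     // false, no admin role
  print(canStartDashboardLogin(editor));           // true
  print(canStartDashboardLogin(null));             // false: unknown email

  const secret = 'dev-only-secret-change-me'; // sample value; load from config in practice
  final now = DateTime.utc(2025, 7, 5, 18, 0);
  final token = issueToken(editor, secret, now);
  print(verifyToken(token, secret, now)?['roles']);                            // [standardUser, publisher]
  print(verifyToken(token, 'wrong-secret', now) == null);                      // true
  print(verifyToken(token, secret, now.add(const Duration(hours: 2))) == null); // true: expired
}
```

Permissions are computed from the whole roles list, so a user who is both standardUser and publisher gets the union of both sets, and the token's roles claim is what a client would use to decide which parts of the UI to show; the server still re-derives permissions from its own table on every request rather than trusting the claim.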

🔧 Developer Experience & Code Quality

  • Admin User Seeding: To simplify local development and testing, the API now automatically seeds the user repository with a default admin@example.com user on application startup.
  • Refactored Auth Service: The AuthService has been refactored to centralize and de-duplicate user retrieval logic, improving code maintainability and reusability.
  • Documentation Updates: The README.md has been updated to detail the new "Flexible Role-Based Access Control (RBAC)" and "Secure Authentication" features.

04-07-2025

04 Jul 18:08
25c873a
04-07-2025 Pre-release

🚀 API Enhancements: Dashboard Summary & Flexible Sorting

This release significantly enhances our API, introducing a new dedicated endpoint to power the dashboard and implementing a powerful, flexible sorting mechanism across all major data endpoints. These changes provide richer data for monitoring and give clients greater control over how data is presented.

✨ New Features & Enhancements

  • New Dashboard Summary API: A dedicated endpoint provides real-time, aggregated counts of key entities such as headlines, categories, and sources, designed to power the new dashboard overview page in the front-end application.

  • Flexible Data Sorting: List endpoints now support dynamic sorting. Clients can use the sortBy and sortOrder (asc or desc) query parameters to control the order of returned data. This feature has been implemented across all major data models (headlines, categories, sources, users, etc.) for consistent and powerful data control.

🔧 Under the Hood

  • Dashboard Summary Service: A new DashboardSummaryService has been implemented to handle the logic for calculating and providing dashboard metrics efficiently.
  • Robust Sorting Implementation: The new sorting capability includes validation to ensure only valid sort orders are accepted, returning a BadRequestException for invalid inputs.
  • Dependency Injection & Model Registration: The new service has been integrated into the application's dependency injection system, and the DashboardSummary model has been registered with read-only permissions for administrators.
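The sort parameter handling above, as an added example that is not the project's code, written in Dart on the assumption that the server is a Dart code base. The release states that sortOrder is validated and rejected with a BadRequestException; this example does that and additionally restricts sortBy to a per-model allow list of fields, a precaution chosen for this illustration so that only fields meant to be sortable can be used as a sort key. BadRequestException, SortSpec, sortableFields, parseSort and applySort are names chosen here, the allow lists are illustrative, and the documents are constructed sample data.

```dart
// Added example, not the project's code. Names, allow lists and data are assumptions.

class BadRequestException implements Exception {
  BadRequestException(this.message);
  final String message;
  @override
  String toString() => 'badRequest: $message';
}

class SortSpec {
  SortSpec(this.field, this.descending);
  final String field;
  final bool descending;
}

/// Fields each model may be sorted by.
const sortableFields = <String, Set<String>>{
  'headlines': {'createdAt', 'updatedAt', 'title'},
  'sources': {'name', 'createdAt'},
  'users': {'email', 'createdAt'},
};

/// Parses ?sortBy=...&sortOrder=asc|desc. Defaults to createdAt, descending.
/// Anything outside the allow lists is a 400 and is never passed through.
SortSpec parseSort(String model, Map<String, String> query) {
  final allowed = sortableFields[model];
  if (allowed == null) throw BadRequestException('unknown model "$model"');
  final field = query['sortBy'] ?? 'createdAt';
  if (!allowed.contains(field)) {
    throw BadRequestException('sortBy must be one of ${allowed.join(', ')}');
  }
  final order = (query['sortOrder'] ?? 'desc').toLowerCase();
  if (order != 'asc' && order != 'desc') {
    throw BadRequestException('sortOrder must be "asc" or "desc"');
  }
  return SortSpec(field, order == 'desc');
}

/// Applies the spec to a list of documents. ISO 8601 timestamps in one format
/// sort correctly as strings, which is why createdAt works as a sort key here.
List<Map<String, Object?>> applySort(List<Map<String, Object?>> docs, SortSpec spec) {
  final sorted = List<Map<String, Object?>>.from(docs);
  sorted.sort((a, b) {
    final x = a[spec.field];
    final y = b[spec.field];
    final c = (x is Comparable && y is Comparable) ? x.compareTo(y) : 0;
    return spec.descending ? -c : c;
  });
  return sorted;
}

void main() {
  final headlines = <Map<String, Object?>>[
    {'title': 'B', 'createdAt': '2025-07-02T10:00:00Z'},
    {'title': 'A', 'createdAt': '2025-07-01T10:00:00Z'},
    {'title': 'C', 'createdAt': '2025-07-04T10:00:00Z'},
  ];
  final byTitle = parseSort('headlines', {'sortBy': 'title', 'sortOrder': 'asc'});
  print(applySort(headlines, byTitle).map((d) => d['title']).toList()); // [A, B, C]
  final newest = parseSort('headlines', {});
  print(applySort(headlines, newest).map((d) => d['title']).toList()); // [C, B, A]

  for (final bad in [{'sortOrder': 'sideways'}, {'sortBy': 'notAField'}]) {
    try {
      parseSort('users', bad);
    } on BadRequestException catch (e) {
      print(e);
    }
  }
}
```

Both rejections happen at parse time, before any query is built, which is the point of validating client-controlled sort input: the database layer only ever sees a field name and direction the server has already approved.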