- Add .dockerignore: a local .env, the live SQLite database in data/, .git,
and node_modules were previously copied into the published image by COPY
- Run the app as the unprivileged node user; pre-create /app/data with
matching ownership so named volumes inherit it
- Set NODE_ENV=production in the image
- Document the one-time volume chown needed when upgrading existing
deployments
- Fix session store expiry: cookie.maxAge is already in milliseconds, so
stored sessions outlived the cookie by 1000x
- Regenerate the session ID on login, first-run setup, and OIDC login to
prevent session fixation
- Mark session cookies Secure on TLS connections (secure: 'auto') and add
TRUST_PROXY support for reverse-proxy deployments
- Build password reset links from APP_BASE_URL instead of the Host header
to prevent reset-link poisoning
- Rate-limit forgot-password requests (5 per IP per 15 minutes)
- Strip OIDC debug logging that leaked authorization codes, subject IDs,
and emails to logs
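
Added example, not code from this project: the reset-link change above, shown as a Host-derived link beside one built only from the configured base URL. The function names, the `reset-password` path, the `token` parameter and the hostnames are assumptions made for illustration.

```javascript
// Added illustration. Function names, route path, query parameter and sample
// values are assumptions; only the APP_BASE_URL setting is named on the page.

// Validate the operator-configured base URL once, at startup
// (in an app the raw value would come from process.env.APP_BASE_URL).
function parseBaseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('APP_BASE_URL is not a valid absolute URL');
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('APP_BASE_URL must use http or https');
  }
  if (url.username || url.password || url.search || url.hash) {
    throw new Error('APP_BASE_URL must not carry credentials, query or fragment');
  }
  // Keep a path prefix (sub-path deployments) and make it a directory so
  // relative resolution appends to it instead of replacing the last segment.
  if (!url.pathname.endsWith('/')) url.pathname += '/';
  return url;
}

// Before: the origin is taken from request data that the client controls.
function resetLinkFromHost(req, token) {
  return `${req.protocol}://${req.headers.host}/reset-password?token=${encodeURIComponent(token)}`;
}

// After: the origin comes only from configuration; the request is not consulted.
function resetLinkFromConfig(baseUrl, token) {
  const link = new URL('reset-password', baseUrl);
  link.searchParams.set('token', token);
  return link.href;
}

// Constructed request with a Host header that does not match the deployment.
const forgedReq = { protocol: 'https', headers: { host: 'attacker.example' } };
const base = parseBaseUrl('https://checks.example.org/app');

console.log(resetLinkFromHost(forgedReq, '3f9c0a'));
console.log(resetLinkFromConfig(base, '3f9c0a'));
```
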

Update to reflect multi-account support, OIDC/SSO login, deposit
slips, QBO import, visual layout editor, SMTP password reset, and
env var configuration including all OIDC variables.

Viewers can no longer see New Check, New Deposit, Import .mdb, or
Import QBO buttons. Deposit row Edit/Delete buttons are also hidden
for viewers, matching the existing behavior on check rows.

- New Deposits tab with ledger: date, checks total, cash, deposit total, item count, status
- Slide-in deposit panel: date, currency, coin, cash back, dynamic check entry rows, live totals
- Save deposit, then generate Deposit Slip or Deposit Report PDF
- Deposit slip: 3.375" x 8.5" portrait with Style A background drawn server-side,
digit-column amounts, GnuMICR routing/account line rotated 90 deg, rotated
deposit total and check count in left margin
- Deposit report: plain Courier ledger with depositor/bank info, check grid, totals
- deposits and deposit_items tables in schema; ON DELETE CASCADE for items
- Routes: GET/POST/PUT/DELETE /api/deposits, POST /api/deposit-pdf
- Generating a slip marks deposit as printed; date range and status filters
- README updated to describe deposit slip feature
- Hardcode GnuMICR.otf path in pdfService.js; remove MICR_FONT_PATH env var
- Fix normalizeDate to handle MM/DD/YY (2-digit year) and return null on no match
- Fix generatePdf button DOM bug: update span directly instead of overwriting textContent
- Remove .env.example and NTFY_URL from docker-compose (app has no required config)
- Remove redundant fonts volume mount from docker-compose (fonts bundled in image)
- Mark MVP TODO items complete; add // TODO comments in source for post-MVP features
- Update README: correct slot height, remove stale env var docs