38 Commits

Author SHA1 Message Date
Nirodan ac31290a87 Reject tokens missing required fields to prevent KeyError crashes
Tokens issued before 'id' was added to the JWT payload pass signature
verification but cause a KeyError when endpoints access user['id'].
verify_token() now returns None for any token missing id/username/role,
triggering a 401 → the frontend interceptor clears localStorage and
redirects to /login so a fresh token is issued automatically.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 10:33:11 +02:00
Nirodan 9db922703b Add versioned DB migration system with automatic backup
migrations.py
- schema_migrations table tracks applied versions (version, description, applied_at)
- MIGRATIONS list is append-only; each entry is (version, description, sql)
- backup() dumps all user-data tables to a timestamped JSON file in backups/
  before any schema changes so data can be recovered if something goes wrong
- run_migrations() is idempotent: already-applied versions are skipped

Integration
- app.py calls _run_startup_migrations() at module load so every restart
  applies any pending migrations (no-op if schema is current)
- setup_routes.py calls run_migrations() after the initial setup form is
  submitted so all tables exist before the user hits the main page for the
  first time
- notes.py and admin.py: removed all per-request CREATE TABLE DDL; schema is
  now owned entirely by the migration system

Docker
- docker-compose.dev.yml: add backups-data volume so JSON backups survive
  container restarts and rebuilds
- Dockerfile: pre-create /app/backend/logs and /app/backend/backups so the
  directories exist even before volumes are mounted

Adding future schema changes
- Append a new (version, description, sql) tuple to MIGRATIONS in migrations.py
- The next restart will detect it as pending, back up first, then apply it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 10:27:11 +02:00
Nirodan 7827cda224 Add targeted comments for non-obvious constraints and invariants
- logger.py: note why log path uses abspath(__file__) instead of a relative path
- token.py: note why [7:] slice is safe (startswith already verified)
- ipcalc.py: explain /32 single-host and /31 RFC-3021 point-to-point special
  cases; explain why (~netmask) must be masked with 0xFFFFFFFF (Python ~int
  returns a negative arbitrary-precision value, not a 32-bit unsigned integer)
- notes.py: document the module-level _table_ready flag lifetime; explain why
  tzinfo is stripped before passing datetime to mysql-connector
- admin.py: document the module-level _tables_initialized flag lifetime

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 10:08:55 +02:00
Nirodan 98bb34f094 Fix bugs, add log rotation, and optimize hot paths
- Fix AttributeError crash on empty request body in md5, hasher, textdiff,
  jwtdecoder, timestamp, passwordgen (get_json without silent=True / or {})
- Fix memory exhaustion in ipcalc: replace list(network.hosts()) with direct
  arithmetic — safe for /8 and larger networks
- Fix O(1M) loop in cronexplainer.get_next_runs: rewrite to skip by
  month/day/hour instead of iterating every minute
- Fix connection leak in notes.ensure_table: add try/finally around conn.close
- Fix admin._ensure_tables / notes._ensure_table running DDL on every request:
  guard with module-level flags (_tables_initialized, _table_ready)
- Fix update_website returning 200 when no row matched; delete_website returning
  success when nothing was deleted; add rowcount checks for both
- Add role validation in admin create_user / update_user (_VALID_ROLES guard)
- Add delimiter length guard in csvviewer (csv.reader requires single char)
- Fix loremipsum: wrap int(count) in try/except ValueError → 400 response
- Fix auth/token: use auth_header[7:] instead of fragile .replace()
- Fix app.py: remove duplicate import sys; cache DB liveness check with 30s TTL
  to avoid a new TCP connection on every frontend page load; move api/setup
  path guard before DB check
- Replace FileHandler with RotatingFileHandler (5 MB / 3 backups) in logger;
  fix relative log paths to absolute paths anchored to __file__
- Wrap all DB connections in try/finally conn.close() throughout admin and notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 10:06:29 +02:00
Nirodan 31494c9dab Fix login: include user id in JWT payload for notes tool
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 09:51:59 +02:00
Nirodan dedde400e1 Add entrypoint.sh: wait for MariaDB before starting Flask
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 09:37:01 +02:00
Nirodan 75062dbf5e Add 8 new tools: Hash Verifier, URL Tool, String Utils, Cron Explainer, IP Calc, Lorem Ipsum, CSV Viewer, Notes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-06 09:10:25 +02:00
Nirodan ef03e76950 Fix requirements.txt: add trailing newline
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 18:27:51 +02:00
Nirodan 34c82f3dca Add 5 new tools: QR-Code, Markdown, Color Converter, JSON Formatter, Regex Tester
- backend/tools/qrcode_gen.py: POST /api/qrcode/generate, returns base64 PNG (qrcode[pil])
- backend/tools/markdown_tool.py: POST /api/markdown/render, extensions: tables/fenced_code/nl2br
- backend/tools/colorconverter.py: POST /api/color/convert, HEX/RGB/HSL via colorsys (no deps)
- backend/tools/jsonformatter.py: POST /api/json/format, returns formatted JSON with line/col errors
- backend/tools/regextester.py: POST /api/regex/test, flags i/m/s, returns matches with positions
- QrCodeTool.jsx: generate + download PNG button
- MarkdownTool.jsx: split editor/preview, debounce 500ms, white preview bg
- ColorConverterTool.jsx: color swatch preview, per-format copy buttons
- JsonFormatterTool.jsx: indent toggle 2/4, pre result box with copy
- RegexTesterTool.jsx: debounce 400ms, yellow match highlighting, flag checkboxes
- All blueprints registered in app.py; qrcode[pil] + markdown added to requirements.txt

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 18:19:34 +02:00
Nirodan 955bc9a7bf Fix 8 bugs found in code review
- auth/login.py: guard against missing JSON body (get_json silent=True, empty-string check)
- app.py: replace infinite redirect with 404 for unknown /api/* and /setup/* paths
- tools/jwtdecoder.py: add algorithms list to jwt.decode() for PyJWT 2.x compatibility
- util/setup_routes.py: call reset_pool() after save_config() so pool re-initialises with new DB credentials
- util/logger.py: set ERROR level on error.log handler so it no longer receives INFO/WARNING messages
- LoginForm.jsx: remove dead navigate() call that was immediately overridden by window.location.href
- main.jsx: remove base.css, dark.css, light.css that were already imported in App.jsx (duplicate imports)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 17:38:51 +02:00
Nirodan 7f9c5c874a Add 6 new tools: Hasher, Base64, JWT Decoder, Password Gen, Timestamp, Text Diff
- backend/tools/hasher.py: POST /api/hash/sha256 and /api/hash/bcrypt (bcrypt added to requirements)
- backend/tools/base64tool.py: POST /api/base64/encode and /api/base64/decode
- backend/tools/jwtdecoder.py: POST /api/jwt/decode (signature verification disabled)
- backend/tools/passwordgen.py: POST /api/password/generate with charset and length options
- backend/tools/timestamp.py: POST /api/timestamp/convert (unix<->date, ISO 8601 + German format)
- backend/tools/textdiff.py: POST /api/text/diff returning structured added/removed/unchanged lines
- All blueprints registered in app.py and tools/__init__.py
- React components with copy button, dark/light mode support via CSS variables
- ToolOverview rebuilt as card grid; App.jsx routes added for all tools

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 14:28:18 +02:00
Nirodan 80ec5eca7b Security, code quality and frontend improvements
- Move SECRET_KEY out of docker-compose into .env (env_file), add .env.example
- Add flask-limiter with 10 req/min on login route; introduce util/limiter.py
- Replace direct mysql.connector.connect() calls with MySQLConnectionPool via util/db_pool.py
- Fix deprecated datetime.utcnow() -> datetime.now(timezone.utc) in auth/login.py
- Remove dead /api/scripts 410 route from admin.py
- Add MD5 security warning in Md5Tool.jsx
- Add ErrorBoundary component and wrap App.jsx
- Expand README with setup guide, screenshot and project structure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 13:52:53 +02:00
Nirodan 450e184cf3 Clean admin layout, drop scripts, keep admin out of tools list 2026-01-22 12:31:19 +01:00
Nirodan e3b34bfc47 Extend admin for websites/scripts and surface links 2026-01-22 12:26:21 +01:00
Nirodan 0699158486 Add admin dashboard and tool icons 2026-01-22 12:18:27 +01:00
Nirodan c0aaa86546 Fix config path, env secrets, and align API calls 2026-01-22 07:56:27 +01:00
Nirodan 73d487255a Add a setup.css, not yet runnable, design is not displayed 2025-07-07 12:24:57 +02:00
Nirodan 263ac52454 setup_routes back in util 2025-06-17 14:22:32 +02:00
Nirodan e680776bc4 Bug fixing: corrected missing or faulty modules 2025-06-17 14:18:14 +02:00
Nirodan 4c6872a866 Rewrite app.py after refactoring 2025-06-17 11:36:12 +02:00
Nirodan e0b77c890e Function relocations 1.1 2025-06-17 11:33:47 +02:00
Nirodan 8ca650cf11 Function separation 1.0 2025-06-17 11:28:06 +02:00
Nirodan 97acda1d2b Restructure, separate the logger into its own file 2025-06-17 11:20:00 +02:00
Nirodan e15f6a4ccf Separate error logs from normal logs 2025-06-17 11:09:20 +02:00
Nirodan 6ca9cf77ac Logging in App.py 2025-06-17 11:05:55 +02:00
Nirodan ce36859cf0 Logger in login + token verify 2025-06-17 11:01:33 +02:00
Nirodan bbb1a70b9c MD5 hasher Bug Fix + Logger 2025-06-17 11:00:26 +02:00
Nirodan b6399f8b52 Docker compose.dev.yml created 2025-06-17 10:43:22 +02:00
Nirodan 2961081c06 Converted to Docker, albeit with errors in the frontend, but yeah 2025-06-16 12:15:13 +02:00
Nirodan f395740522 Hash Fix 2025-06-16 11:16:44 +02:00
Nirodan 84684d0a08 Token validation 2025-06-16 11:13:00 +02:00
Nirodan 77b95762f7 Delete token for complete logout 2025-06-16 10:28:51 +02:00
Nirodan 492bc31393 Hash password 2025-06-16 10:24:54 +02:00
Nirodan 02ea855483 Remove accidentally tracked files that are now ignored by .gitignore 2025-06-14 19:03:36 +02:00
Nirodan 86308925ea Login with Admin Admin, login through to the dashboard
successful
2025-06-14 18:57:43 +02:00
Nirodan a3e521e458 Database connection + user Admin created 2025-06-14 18:45:33 +02:00
Nirodan ec58e3ba79 Database configuration 2025-06-14 14:08:13 +02:00
Nirodan 5424351cea Rename frontend to frontend 2025-06-14 14:01:20 +02:00