# Changelog ## v4.8.10 — User-configurable STUN/TURN servers Adds optional, advanced control over WebRTC connectivity for power and privacy-focused users. Public servers remain the zero-config default. ### Added - "Advanced network settings" panel (header gear icon and the connection-creation screen) where users can supply their own STUN/TURN servers instead of the bundled public defaults. - Allowlist-based validation of user input: only `stun:`/`stuns:`/`turn:`/`turns:` URLs with valid hosts are accepted; `javascript:`, `data:`, `http(s):`, `ws(s):`, control characters, and oversized input are rejected before anything reaches `RTCPeerConnection`. - Optional on-device persistence, encrypted at rest with a non-extractable AES-GCM device key in IndexedDB, with an explicit save prompt and a "Forget saved" action. - "Test servers" button that gathers ICE candidates against the entered configuration and reports STUN/TURN reachability. - Privacy guidance in the panel: a TURN relay sees peer IPs and traffic timing (never message contents), so only a trusted/self-hosted relay improves privacy. ### Changed - Relay-only privacy mode now lives in the advanced settings panel. The standalone relay-only toggle on the start screen was removed to declutter the initial view. - Server selection priority: user custom servers > operator override (`config/ice-servers.js`) > built-in public defaults. ## v4.8.9 — Security hardening patch This release closes a vulnerable dependency, removes committed TURN credentials, and tightens production logging. ### Security - Upgraded DOMPurify from 3.4.4 to a patched release, resolving a high-severity XSS advisory (GHSA-87xg-pxx2-7hvx) in the incoming-message sanitizer. - Upgraded the `esbuild` build dependency to clear a high-severity advisory in the toolchain. `npm audit` now reports zero vulnerabilities. - Stopped tracking `config/ice-servers.js` (operator TURN credentials) in Git and added `config/ice-servers.example.js` as a template. Operators must rotate any previously committed credentials. - Removed temporary debug branches from the production logger so it no longer prints error context or info/debug payloads — only an opaque error code. ### Documentation - Updated the supported-release table in `SECURITY.md` to the v4.8.x line. - Synchronized the version string across the header, manifest, README, and in-app initialization message. ## v4.8.8 — File transfer consent fix This patch completes the mandatory receiver-consent gate for incoming file transfers and resolves a callback ownership conflict that caused every incoming file request to be silently auto-rejected. ### Fixed - Wired up the missing fourth `onIncomingFileRequest` callback in the main `setFileTransferCallbacks` call. Without it, `handleFileTransferStart` always saw `null` for the consent handler and auto-rejected every incoming file silently. - Removed independent callback registration from `FileTransferComponent`. The component was overwriting the application-level callbacks on mount and nulling all four on unmount, which destroyed the progress, received, and error handlers whenever the panel was hidden. - Centralized incoming-consent state (`pendingIncomingFiles`) in the root application component so consent prompts appear regardless of whether the file-transfer panel is currently visible. - Auto-opens the file-transfer panel when an incoming request arrives so the user sees the Accept / Reject prompt immediately. - Added `getReceivedFileObjectURL` / `revokeReceivedFileObjectURL` helpers to `EnhancedSecureWebRTCManager` so the panel can offer a download button for completed transfers without relying on captured callback closures. - Updated `file-transfer-ui-cleanup` regression test to match the new single-owner callback architecture. ### Security No change to the cryptographic or transport-level security model. Sender chunks are still gated behind an explicit `file_transfer_response` from the receiver before any data is transmitted. ### Verification - `npm test` — all 14 tests pass. - `npm run build` — clean production build. ## v4.8.7 — WebRTC manual join reliability patch This patch improves manual WebRTC setup across separate devices and restrictive local networks. ### Fixed - Stabilized the manual offer/answer join flow so verification waits for real transport readiness. - Preserved generated response data during manual exchange instead of resetting the joiner screen prematurely. - Preserved pending creator-side offer context so responses can be applied after transient ICE failures without false session-salt hijacking errors. - Added operator ICE override support through `config/ice-servers.js`. - Added ExpressTURN TURN/STUN configuration for relay fallback in environments where mDNS host candidates cannot connect. - Added user-visible warning when a remote peer provides only mDNS host candidates and no `srflx` or `relay` route. - Added safer ICE diagnostics that report candidate classes without exposing full IP addresses or TURN credentials. ### Verification - `npm test` - `npm run build` ## v4.8.7 — Security hardening patch release This patch release strengthens SecureBit.chat across verification, sanitization, privacy, transport abuse resistance, cache safety, and repository hygiene. ### Security hardening - Bound SAS verification to the actual DTLS fingerprint strings of both peers. - Replaced regex-based chat sanitization with DOMPurify-backed sanitization. - Made WebRTC privacy mode explicit and kept relay-only state synchronized at runtime. - Removed production exposure of internal debug/control hooks. - Added receiver-side rate limiting for inbound chat messages. - Added receiver-side throttling for inbound file chunks. ### Runtime and privacy safety - Hardened service-worker caching so only explicitly allowlisted safe assets are cached. - Removed an untracked disconnect timer so teardown no longer leaves delayed callbacks behind. - Preserved relay-only TURN behavior while making privacy implications clearer when relay-only mode is disabled or TURN is unavailable. ### Repository hygiene - Stopped tracking `node_modules` in Git so platform-specific dependency binaries no longer pollute the repository or break cross-platform builds. ### Validation - Full regression suite passes. - Clean install succeeds with `npm ci`. - Production build succeeds with `npm run build`. ## v4.8.7 — Security hardening release This release consolidates several months of security, privacy, and lifecycle hardening work by the SecureBit.chat team. ### Security - Added mandatory interactive SAS verification; passive click-through confirmation is no longer sufficient. - Made SAS computation deterministic across peers using shared session material. - Enforced protocol version `4.1` mismatch handling for incompatible clients. - Added TURN relay-only privacy mode and explicit warnings when TURN is unavailable. - Encrypted sensitive IndexedDB metadata and added safe lazy migration for legacy plaintext records. - Added mandatory consent gating for every incoming file transfer. - Replaced broad file acceptance with an explicit file-type allowlist and spoofing checks. - Sanitized every incoming decrypted chat message before UI delivery. ### Reliability and resource lifecycle - Consolidated disconnect behavior into one canonical cleanup path. - Added cleanup for tracked timers, deferred retries, peer-disconnect scheduling, and fake/decoy traffic. - Rejected pending sender consent promises immediately during cleanup. - Bounded retained received-file buffers and added graceful handling for expired download handles. - Cleared React file-transfer UI state and detached live callbacks on unmount. - Improved reconnect hygiene and stale-session cleanup behavior. ### Maintenance - Pinned dependency versions. - Applied safe transitive patch/minor updates. - Verified a clean `npm audit` result. - Expanded regression coverage for SAS, file consent, sanitization, privacy mode, metadata encryption, cleanup, and callback lifecycle behavior.