Release History
Changelog
Features, improvements, and fixes shipped to the BulkSMSRates platform.
v1.6.0
June 2026: Major hardening release covering security, correctness, and platform reliability across the full stack.
- [Security] Fixed silent logout loop caused by malformed token-refresh response handling.
- [Security] Google OAuth now uses CSRF state verification and one-time code exchange — tokens are never exposed in URLs.
- [Security] Upgraded to Next.js 14.2.28 (addresses CVE-2025-29927); weak default secrets removed from production configuration.
- [Security] SMPP: per-tenant session limits enforced, webhook HMAC now uses constant-time comparison, tenant SMPP passwords are hashed.
- [Fix] SQL rate-limit and role-promotion queries corrected; request body size limit added to prevent oversized payloads.
- [Improved] Backend models aligned to production schema (column renames, type widths, migration ordering).
- [Improved] SMS send and bulk-send API responses now include paginated message lists and a costMicros field.
- [Improved] Dashboard: MFA UI fully wired, FX rates labelled as approximate, toast/dialog notifications replace native browser alerts.
- [Platform] Blocked send and routing to China and Russia at the application layer; entries removed from marketing and dashboard data.
- [Platform] Marketing sitemap is now generated as a build artifact; broken footer links and dial codes corrected.
- [Platform] Infrastructure: Docker healthchecks hardened, base images pinned, Prometheus 3 and Grafana 11 adopted.
v1.5.0
May 2026: Resolved activation blockers that prevented new signups from verifying email and sending messages.
- [Fix] Critical fix: SMS sends were returning 500 errors due to a type mismatch between the wallets.currency column and the Rust Currency enum. A migration converts the column to the correct enum type.
- [Fix] Verify-email page (the link destination in signup emails) now exists — the route and page were previously missing.
- [Fix] Generic 500 on send is replaced with an actionable 402 WALLET_ERROR response when the wallet balance is insufficient.
- [Improved] Registration no longer issues JWT tokens; new users land on a 'check your inbox' screen and must verify email before logging in.
- [Fix] Super-admin users can now view message detail — a role check previously excluded them.
- [Fix] Admin 'Total Revenue' now shows the all-time figure instead of month-only.
- [Fix] Drip campaign summary cards no longer show NaN for counts.
- [Improved] Send SMS: cost preview shown only when recipient and message are filled; disabled send button explains the first unmet condition.
v1.4.1
March 2026: Crypto payment reliability improvements — dead code removed and a silent error path fixed.
- [Fix] Idempotency check in crypto webhook no longer swallows database errors — a DB failure now propagates as a proper error instead of silently skipping the duplicate check.
- [Improved] Removed dead payment-status polling functions that were never called; IPN-based webhook flow is the sole payment confirmation path.
v1.4.0
March 2026: Google OAuth is now fully implemented — users can sign up and log in with their Google account.
- [New] Google OAuth callback handler exchanges the auth code, upserts the user, and redirects to the dashboard.
- [New] New users created via Google have their email marked as verified automatically.
- [New] Existing accounts found by email are linked to their Google ID on first OAuth sign-in.
- [Improved] Google sign-in buttons on Login and Register pages are now active (previously shown as 'Coming soon').
- [Security] OAuth error redirects go to /login?error=<reason> — no tokens are exposed on the failure path.
Older releases are available in the repository history. For questions or issues, contact [email protected].