Release History

Changelog

Features, improvements, and fixes shipped to the BulkSMSRates platform.

v1.6.0

June 2026

Major hardening release covering security, correctness, and platform reliability across the full stack.

  • [Security] Fixed silent logout loop caused by malformed token-refresh response handling.
  • [Security] Google OAuth now uses CSRF state verification and one-time code exchange — tokens are never exposed in URLs.
  • [Security] Upgraded to Next.js 14.2.28 (addresses CVE-2025-29927); weak default secrets removed from production configuration.
  • [Security] SMPP: per-tenant session limits enforced, webhook HMAC now uses constant-time comparison, tenant SMPP passwords are hashed.
  • [Fix] SQL rate-limit and role-promotion queries corrected; request body size limit added to prevent oversized payloads.
  • [Improved] Backend models aligned to production schema (column renames, type widths, migration ordering).
  • [Improved] SMS send and bulk-send API responses now include paginated message lists and a costMicros field.
  • [Improved] Dashboard: MFA UI fully wired, FX rates labelled as approximate, toast/dialog notifications replace native browser alerts.
  • [Platform] Blocked send and routing to China and Russia at the application layer; entries removed from marketing and dashboard data.
  • [Platform] Marketing sitemap is now generated as a build artifact; broken footer links and dial codes corrected.
  • [Platform] Infrastructure: Docker healthchecks hardened, base images pinned, Prometheus 3 and Grafana 11 adopted.

v1.5.0

May 2026

Resolved activation blockers that prevented new signups from verifying email and sending messages.

  • [Fix] Critical fix: SMS sends were returning 500 errors due to a type mismatch between the wallets.currency column and the Rust Currency enum. A migration converts the column to the correct enum type.
  • [Fix] Verify-email page (the link destination in signup emails) now exists — the route and page were previously missing.
  • [Fix] Generic 500 on send is replaced with an actionable 402 WALLET_ERROR response when the wallet balance is insufficient.
  • [Improved] Registration no longer issues JWT tokens; new users land on a 'check your inbox' screen and must verify email before logging in.
  • [Fix] Super-admin users can now view message detail — a role check previously excluded them.
  • [Fix] Admin 'Total Revenue' now shows the all-time figure instead of month-only.
  • [Fix] Drip campaign summary cards no longer show NaN for counts.
  • [Improved] Send SMS: cost preview shown only when recipient and message are filled; disabled send button explains the first unmet condition.

v1.4.1

March 2026

Crypto payment reliability improvements — dead code removed and a silent error path fixed.

  • [Fix] Idempotency check in crypto webhook no longer swallows database errors — a DB failure now propagates as a proper error instead of silently skipping the duplicate check.
  • [Improved] Removed dead payment-status polling functions that were never called; IPN-based webhook flow is the sole payment confirmation path.

v1.4.0

March 2026

Google OAuth is now fully implemented — users can sign up and log in with their Google account.

  • [New] Google OAuth callback handler exchanges the auth code, upserts the user, and redirects to the dashboard.
  • [New] New users created via Google have their email marked as verified automatically.
  • [New] Existing accounts found by email are linked to their Google ID on first OAuth sign-in.
  • [Improved] Google sign-in buttons on Login and Register pages are now active (previously shown as 'Coming soon').
  • [Security] OAuth error redirects go to /login?error=<reason> — no tokens are exposed on the failure path.

Older releases are available in the repository history. For questions or issues, contact [email protected].