Lionel Ringenbach 6d0938be64 🔒 refactor: Set ALLOW_SHARED_LINKS_PUBLIC to false by Default (#12100) ... * fix: default ALLOW_SHARED_LINKS_PUBLIC to false for security Shared links were publicly accessible by default when ALLOW_SHARED_LINKS_PUBLIC was not explicitly set, which could lead to unintentional data exposure. Users may assume their authentication settings protect shared links when they do not. This changes the default behavior so shared links require JWT authentication unless ALLOW_SHARED_LINKS_PUBLIC is explicitly set to true. * Document ALLOW_SHARED_LINKS_PUBLIC in .env.example Add comment explaining ALLOW_SHARED_LINKS_PUBLIC setting. --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Danny Avila <danacordially@gmail.com>		2026-03-06 19:05:56 -05:00
..
controllers	🚪 fix: Complete OIDC RP-Initiated Logout With id_token_hint and Redirect Race Fix (#12024)	2026-03-02 21:34:13 -05:00
middleware	🧮 refactor: Bulk Transactions & Balance Updates for Token Spending (#11996)	2026-03-01 12:26:36 -05:00
routes	🔒 refactor: Set ALLOW_SHARED_LINKS_PUBLIC to false by Default (#12100)	2026-03-06 19:05:56 -05:00
services	🗝️ feat: Credential Variables for DB-Sourced MCP Servers (#12044)	2026-03-03 18:02:37 -05:00
utils	🧮 refactor: Bulk Transactions & Balance Updates for Token Spending (#11996)	2026-03-01 12:26:36 -05:00
cleanup.js	🪣 fix: Prevent Memory Retention from AsyncLocalStorage Context Propagation (#11942)	2026-02-25 17:41:23 -05:00
experimental.js	🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976)	2026-02-27 22:49:54 -05:00
index.js	🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976)	2026-02-27 22:49:54 -05:00
index.spec.js	🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976)	2026-02-27 22:49:54 -05:00
socialLogins.js	🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782)	2026-02-13 10:35:51 -05:00