v0.5.0 - passkey auth and stellar linking

Hoops Finance Dashboard v0.5.0 — Release Notes

Release date: 2025-10-18
Target range: v0.4.0 → v0.5.0

Highlights

• WebAuthn passkeys: login, link, 2FA, and removal + profile passkey manager UI.
• SRP-6a zero-knowledge auth with Argon2id WASM (PBKDF2 fallback) and Next.js proxy routes.
• Stellar SEP-10 wallet linking and wallet context extended for transaction signing.
• Developer API keys (list/create).
• Build-time token logo mirroring → public/token-logos/ + public/token-logos.json with next/image circular logos & fallbacks.
• Auth/session hardening: centralized 401 JSON, safer auth() handling, OAuth callback/state checks, CSRF fix.
• Email verification flow.
• Data API: ?period= support, standardized candles / tokeninfo, no-store for freshness.
• Routing/UX: daily ISR revalidate for pools/protocol pages, route cap via MAX_ROUTES, direct-entry pool back-nav fix.
• UI/Perf: removed framer-motion → CSS animations; Suspense wrapper for ClientLayout.
• Client fingerprint primitives: stable device id + snapshot (canvas/WebGL/audio) + SHA-256 hash (for risk signals).

---

Unified-Auth Service — Summary (for integrators)

Applies when pairing this UI with the unified-auth backend (v1.1.0).

Authentication

• SRP-6a: Zero-knowledge password auth (RFC-5054 2048-bit); Argon2id (SIMD WASM) with PBKDF2 fallback.

  • Immediate migration path purges legacy password hashes and rotates refresh tokens on first SRP login.
  • HTTP endpoints surfaced in unified-auth and proxied here via:
    POST /api/auth/srp/register, POST /api/auth/srp/login/start, POST /api/auth/srp/login/finish.

• Passkeys (WebAuthn): register/link, login, 2FA, remove; metadata stored correctly; robust test harness.

  • UI includes a Profile → Passkey Manager.

• Stellar SEP-10: Challenge builder/verify routes; wallet linking integrated with profile; wallet context supports signing.

Hardening & Middleware

• Email normalization (case-insensitive dedupe), encoding utilities, improved OAuth error handling.
• verifyJWT middleware and safer JWE decode with kid verification; condensed refresh-token flows.
• Logging refinements (no double-logging; explicit color mapping; safe numeric formatting).

Testing & Tooling

• E2E coverage for SRP, WebAuthn, and SEP-10; native HTTP test runner with stronger isolation.
• “Test mode” support; modernized imports/build config; environment example updated.

Integration Notes

• Configure SRP proxy in the UI (AUTH_API_URL, AUTH_API_KEY).
• Expect token rotation on first SRP login after migration.
• Ensure RPID/origin align with your domain for passkeys; confirm HTTPS and proper rpId/origin values.

---

Breaking & Potentially Breaking Changes

• Animations: framer-motion removed. Motion components replaced by CSS helpers (e.g., anim-fadeSlideInUp-*, hover/tap scale).
• Token logos: mirrored to /public/token-logos/ with manifest public/token-logos.json; update any hardcoded remote URLs.
• Types: GlobalMetrics period now accepts string values.
• Build/runtime: ISR daily revalidate and MAX_ROUTES cap may change SSG/ISR assumptions.

New Features

Authentication & Identity

• Passkeys (WebAuthn): register/link, login, 2FA, removal; Profile → passkey manager UI.
• SRP-6a: full client implementation (mutual proofs); Argon2id (SIMD) with PBKDF2 fallback.
  Proxy routes:
  POST /api/auth/srp/register · POST /api/auth/srp/login/start · POST /api/auth/srp/login/finish
• Email verification flow.

Wallet & On-Chain

• Stellar SEP-10 wallet linking in profile.
• Wallet context extended for signing.

Developer & Platform

• Developer API keys: list/create.

Token Logos & Visuals

• Build-time mirroring with concurrent workers, MIME detection, and incremental updates.
• Circular next/image logos with robust fallbacks (incl. native XLM).

Risk & Integrity Signals

• Fingerprint primitives (client-only): stable device id, lightweight canvas/WebGL/audio snapshot, SHA-256 hash.

Improvements

Security & Auth Hardening

• Central noAuthResponse for consistent 401 JSON.
• Safer auth() usage with try/catch across API routes; verified session shape.
• OAuth callback/state checks and CSRF parity with NextAuth v5 cookie format.
• Provider avatars: Google/Discord CDN preferred with strict type guards; next/image domains updated.

Data & API

• getmetrics / getstatistics accept ?period=; no-store where freshness matters.
• Standardized candles/tokeninfo; improved URL handling; graceful abort/error fallbacks.

Routing & UX

• Pools/protocol pages revalidate daily.
• Back-nav from deep pool routes returns to /pools.
• Top Pools pinned to 30d; require ≥ $10k liquidity.

UI/Performance

• Motion → CSS animations; smaller bundle, better SSR reliability.
• Suspense around ClientLayout.
• Token page build stability + caching refactors.

Build/Config/Tooling

• Typed env wrapper; Next config updates; .nvmrc added.
• Image remotePatterns expanded for provider avatars.
• Misc. lint/type/formatting fixes.

Fixes

• OAuth callback CSRF token mismatch resolved.
• Direct-entry pool back button.
• OpenGraph image path/presence fixes.
• Numerous lint/type fixes; safer error handling in API/data services.

Environment & Configuration

• SRP proxy backend config:
  • AUTH_API_URL (upstream auth service)
  • AUTH_API_KEY (proxy auth)
• reCAPTCHA: ensure RECAPTCHA_SECRET.
• Images: cdn.discordapp.com allowed; permissive remote patterns.
• Runtime port: prod default 3000.

New auth features (SRP, passkeys) require backend support; without it, standard OAuth continues to function.

Migration Notes (0.4.x → 0.5.0)

1. Use Node version from .nvmrc; fresh install.
2. Configure SRP proxy (AUTH_API_URL, AUTH_API_KEY) if enabling SRP.
3. Ensure build can write public/token-logos/ and public/token-logos.json.
4. Verify next.config.mjs image domains if adding providers.
5. Replace any custom framer-motion usage with provided CSS helpers.

Notable 0.4.5 → 0.5.0 Items

• Share to X, Facebook, LinkedIn, email.
• Tailwind upgrade + dark mode/config fixes; removed autoprefixer.
• Animation enhancements; tokens page improvements.
• “Fixcoolify” streamlining; prod port standardization; GTM.
• Route/candles cache updates; ISR fixes; server-data cache bypass switch.

Contributors

• Timothy Baker / Silence (@silence48)
• Bastian Koh (@alexanderkoh)
• Iver Romero (@iverlandth)

Credits & Special Thanks

• @alexanderkoh — The patience of a saint or maybe of the virgin mother or Christ himself. Thank you, your support is invaluable.
• @orbitlens — help with various data structure types, XDR, and meta parsing.
• @kalepail — technical support and guidance on passkeys and custom authorization.

Full Changelog

• See the repository’s changelog.md (main branch):
  https://github.com/Hoops-Finance/dashboard-ui/raw/refs/heads/main/changelog.md

Security note: This UI is beta and open-sourced for transparency; please report vulnerabilities privately via the repo’s Security → Report a vulnerability flow.

v0.4.0

What's Changed

• fix: #9 add extra user data by @iverlandth in #47
• feature/background-update-profile by @iverlandth in #49
• Bugfix/authfix by @silence48 in #50
• social media, ISR, PPR, next canary by @silence48 in #53
• version 4.0, Opengraph Image Generation, Incremental Static Regeneration (ISR), and nextjs Canary: by @silence48 in #54

Github Changelog: 0.3.4...v0.4.0
Written Changelog: https://github.com/Hoops-Finance/dashboard-ui/blob/04c016f7bd085c6f309ca28236504828953b6f64/changelog.md

0.3.4

What's Changed

• fix: #12 mobile view does not display profile menu by @iverlandth in #32
• Bugfix/mix desktop changes by @iverlandth in #31
• Merge staging to main by @silence48 in #43
• feature/update-profile-data-and-show-linked-accounts by @iverlandth in #33
• Resolve Merge Conflicts for Profile by @silence48 in #44
• Merge pull request #44 from Hoops-Finance/staging by @silence48 in #45
• Release 0.3.4 by @silence48 in #46

Full Changelog: 0.3.3...0.3.4

0.3.3

What's Changed

• bump to v0.3.3 by @silence48 in #42
• Fix profile view.
  Full Changelog: 0.3.2...0.3.3

0.3.2

What's Changed

• Auth Integration, Swap and Portfolio templates, UserProfile, Bugfixes. by @silence48 in #41

Full Changelog: v0.3.1...0.3.2

Associated pr 4 on auth... Hoops-Finance/auth#4

v0.3.1

What's Changed

• add nixpack by @silence48 in #37
• Resolve a variety of linting and other issues. add nixpacks by @silence48 in #38

Full Changelog: 0.3.0...v0.3.1

v0.3.0

What's Changed

Much and more has changed. This is basically a new site now. We have unified auth working with our backend auth provider, as well as oauth, and dataapi integrations. thanks for all the work.

• navbar and user pages by @alexanderkoh in #5
• Feature/protocols by @alexanderkoh in #6
• Feature/auth register login by @iverlandth in #7
• Bugfix/feature/auth register login by @silence48 in #13
• add TOS and privacy drafts by @silence48 in #14
• Update Authentication, add api keys (for data api) by @silence48 in #15
• add suspense boundry for auth routes by @silence48 in #16
• fix: #17 login & signup alignment and fix color discord icon by @iverlandth in #18
• Fix Build Problems by @silence48 in #22
• fix: #19 apply same layout for pool and token page by @iverlandth in #21
• fix: #20 mix mobile view changes by @iverlandth in #25
• bugfix/mix-desktop-changes by @iverlandth in #27
• Production/0.0.1 by @silence48 in #30
• Production/0.0.1 by @silence48 in #35
• Merge pull request #35 from Hoops-Finance/production/0.0.1 by @silence48 in #36

New Contributors

• @alexanderkoh made their first contribution in #5
• @iverlandth made their first contribution in #7

Full Changelog: v0.1.0-old-site...0.3.0

The old proof of concept site.

v0.1.0-old-site

fix build errors

v0.1.0-alpha

Update README.md