Commit Graph

184 Commits

Author SHA1 Message Date
myron 76726dc47c feat: #41-#47 admin root controls — enhanced pages + new APIs
#41 phpMyAdmin: quick-access links in database manager
#43 PostgreSQL: Adminer at /adminer.php (MySQL + PostgreSQL)
#44 Mail server: virtual domains list, mail log tail, better service controls
#45 FTP server: full account list from DB, better service controls
#47 Web server: stats cards, PHP defaults, log viewer

New APIs: system/read-log, email/domains
Fix: PHP-FPM pm.max_children increased to 20 (was 5, causing exhaustion)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-22 12:20:53 +00:00
github-actions[bot] 8405772e01 chore: bump version to 1.0.54 [skip ci] 2026-06-22 05:11:11 +00:00
myron 6b59730bec fix: user account settings page — use stats/account instead of forbidden accounts/usage+me 2026-06-22 05:11:00 +00:00
github-actions[bot] 9157307ae1 chore: bump version to 1.0.53 [skip ci] 2026-06-22 05:02:31 +00:00
myron e0447bc5f5 sync: admin/index.php sidebar cleanup (subdomains/parked nav onclick attrs removed) 2026-06-22 05:02:20 +00:00
github-actions[bot] b278effdfb chore: bump version to 1.0.52 [skip ci] 2026-06-22 04:52:20 +00:00
myron 697763f333 fix: wrap server_stats INSERT in try/catch — SQLite lock was killing stats API
Concurrent cron writes (collect-stats.php every 5min) caused DB lock errors
that aborted the entire stats response, leaving web/mail/FTP pages empty.
History insert is now non-fatal.
2026-06-22 04:52:08 +00:00
github-actions[bot] fcde84d2ad chore: bump version to 1.0.51 [skip ci] 2026-06-22 04:33:42 +00:00
myron 9caaa65b31 fix: broken adminSubdomains/adminParked JS from bad patch; CORS PORT_* constants 2026-06-22 04:33:32 +00:00
github-actions[bot] fe41a97e74 chore: bump version to 1.0.50 [skip ci] 2026-06-22 04:29:23 +00:00
myron 2ecf93a344 fix: hardcode panel ports in CORS check — PORT_USER etc undefined before Core.php loads
Using PORT_USER ?? 8880 threw Error in PHP 8 since the constant isn't defined
until Core.php is require_once'd later in the file. Every API request was
hitting the exception handler and returning 'An internal error occurred.',
breaking all logins and API calls.
2026-06-22 04:29:15 +00:00
github-actions[bot] a5bb5dfddd chore: bump version to 1.0.49 [skip ci] 2026-06-22 04:22:08 +00:00
myron 6f494e96fd feat: #38 account settings page (user panel); #39 better default index template
#38 — User panel Account > Settings page: account info, resource usage
gauges, PHP config (version/memory/upload/exec), quick links to SSL/2FA/password.

#39 — AccountManager: dark-themed modern default index.html on account
creation; supports custom HTML template from admin Server Options
(saved as default_index_template setting, {domain}/{username} placeholders).
Admin Server Options: new card to set/reset the custom template.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-22 04:21:58 +00:00
github-actions[bot] 5a2e81e754 chore: bump version to 1.0.48 [skip ci] 2026-06-22 04:12:49 +00:00
myron 5d1d47a007 feat: #36 subdomains + #37 parked domains sections in all 3 panels
Admin: global view of all subdomains/parked across accounts; nav items added
Reseller: filtered view scoped to their customers' accounts
User: create/remove subdomains and parked domains for own account

Backend already existed in api/endpoints/domains.php (add-subdomain,
add-alias, list, remove actions).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-22 04:12:41 +00:00
github-actions[bot] 6b945bb0fa chore: bump version to 1.0.47 [skip ci] 2026-06-22 04:07:11 +00:00
myron 7b11439f9c feat: #48 collapsible nav in all 3 panels; #50 post-restore automation script
- nova.js: _initCollapsibleNav() exposed as window._initCollapsibleNav
- user.js + reseller.js: call _initCollapsibleNav after renderNav()
- deploy/novacpx-post-restore.sh: fixes config.ini, pools, vhost, dashboard

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-22 04:07:00 +00:00
github-actions[bot] 3684f7c6c2 chore: bump version to 1.0.46 [skip ci] 2026-06-21 16:03:35 +00:00
myron 956defc34b fix: all code review security findings
- CORS: replace open regex with explicit hostname allowlist + port whitelist
- Exception handler: only expose RuntimeException/InvalidArgumentException
  messages; PDOException and others return generic 'internal error'
- Auth::portalUrl(): allowlist-validate HTTP_HOST before using it in
  redirect URL — prevents open redirect via Host header injection
- _branding.php custom_css: strip HTML tags, js: URLs, @import, expression()
  instead of just </style> which was trivially bypassable
- accounts create: check accounts table as well as users for username
  uniqueness (TOCTOU fix); wrap user INSERT + provisioning in single
  transaction so rollback is atomic on failure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-21 16:03:26 +00:00
github-actions[bot] 21dd846508 chore: bump version to 1.0.45 [skip ci] 2026-06-21 03:44:46 +00:00
myron 60004a29d6 fix: default web server to nginx, add php-fpm pool cron, sudoers for pool rm, disable apache on install (#49)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-21 03:44:37 +00:00
github-actions[bot] b281768685 chore: bump version to 1.0.44 [skip ci] 2026-06-20 21:17:16 +00:00
myron 1a907d18b0 feat: collapsible sidebar nav with localStorage state (#48)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 21:17:08 +00:00
github-actions[bot] c0cc88ac3b chore: bump version to 1.0.43 [skip ci] 2026-06-20 21:04:27 +00:00
myron 65a8690750 fix: use /bin/rm explicitly in removePool so sudoers path matches
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 21:04:17 +00:00
github-actions[bot] 29e2744609 chore: bump version to 1.0.42 [skip ci] 2026-06-20 17:07:01 +00:00
myron 91d0e625c4 fix: decouple php-fpm reload from HTTP request using flag file + cron
Reload during account creation was causing 502 by killing the fpm worker
before nginx finished reading the response. Flag file picked up by cron
within 60s instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 17:06:52 +00:00
github-actions[bot] 99829f628d chore: bump version to 1.0.41 [skip ci] 2026-06-20 16:44:17 +00:00
myron e12f569460 fix: replace global email UNIQUE with partial index scoped to role=user
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 16:44:09 +00:00
github-actions[bot] def6edf4d5 chore: bump version to 1.0.40 [skip ci] 2026-06-20 16:42:24 +00:00
myron 9aa67f7efd fix: email uniqueness check only applies to hosting accounts, not admin/reseller users
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 16:42:16 +00:00
github-actions[bot] a8a80bff5e chore: bump version to 1.0.39 [skip ci] 2026-06-20 16:39:57 +00:00
myron eb84504689 fix: remove php-fpm pool on account creation rollback to prevent fpm crash
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 16:39:48 +00:00
github-actions[bot] 2d074ea25e chore: bump version to 1.0.38 [skip ci] 2026-06-20 16:35:08 +00:00
myron 8e623427e3 fix: reload php-fpm async to prevent killing the account-creation request
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 16:34:59 +00:00
github-actions[bot] 79857a750a chore: bump version to 1.0.37 [skip ci] 2026-06-20 16:09:42 +00:00
myron 3ad7ee44c2 fix: nova.js 401 handler in correct panel/public path
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 16:09:33 +00:00
github-actions[bot] 15bbe955fa chore: bump version to 1.0.36 [skip ci] 2026-06-20 15:59:42 +00:00
myron 3dab4ffe0f fix: show real error message on login 401, not misleading 'Session expired'
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 15:59:34 +00:00
github-actions[bot] ee7e488f3d chore: bump version to 1.0.35 [skip ci] 2026-06-20 05:46:41 +00:00
myron b534e7e306 fix: nested transaction crash and favicon 404
- accounts.php: remove outer beginTransaction() — AccountManager already wraps in its own transaction; nested transactions fail in SQLite with 'already an active transaction'
- accounts.php: on AccountManager failure, manually delete the inserted user row instead
- admin/reseller/user index.php: fix favicon href from /assets/img/favicon.svg to nova-favicon.svg

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 05:46:32 +00:00
github-actions[bot] 0b6850673a chore: bump version to 1.0.34 [skip ci] 2026-06-20 05:40:09 +00:00
myron 6dd2e3a08d fix: add all server-only assets and panel files missing from repo
Previously missing from git (rsync --delete was wiping them on every deploy):
- assets/css/nova.css
- assets/js/nova.js, features.js, reseller.js, user.js
- assets/img/*.svg (favicon, icons, logo, mark)
- index.php, _branding.php, errors/404.php, errors/500.php
- reseller/index.php, user/index.php

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 05:40:00 +00:00
github-actions[bot] 89c1deea5c chore: bump version to 1.0.33 [skip ci] 2026-06-20 05:33:45 +00:00
myron b077226581 fix: recover full admin.js from server, fix port redirects and account create validation
- admin.js: 1292 lines of features were on server but not in repo — recovered and committed
- admin.js: impersonation redirect now uses location.origin instead of hardcoded :8880 port
- accounts.php: pre-validate email uniqueness and username before INSERT to prevent SQLSTATE 23000
- accounts.php: wrap user INSERT + AccountManager::create() in single transaction for full rollback

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 05:33:35 +00:00
github-actions[bot] 7185fcca5f chore: bump version to 1.0.32 [skip ci] 2026-06-20 05:27:44 +00:00
myron 91bf8d965f fix: portalUrl stays on proxy host when accessed via reverse proxy on port 443
When HTTP_HOST has no port (NPM on 443), return URL without appending panel port.
Direct access (HTTP_HOST includes :8882 etc.) still redirects to correct port.
Prevents browser being sent to :8882 directly after login via novacpx.orbishosting.com.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 05:27:34 +00:00
github-actions[bot] ab7c69d086 chore: bump version to 1.0.31 [skip ci] 2026-06-20 05:23:50 +00:00
myron 39942929a7 fix: global exception handler (prevents 502), transaction rollback on account create, CORS for reverse proxy
- set_exception_handler in api/index.php prevents uncaught exceptions from crashing PHP-FPM
- AccountManager::create() wrapped in DB transaction with rollback + Linux user cleanup on failure
- CORS origin regex updated to allow requests from port 443 (NPM reverse proxy)
- index.html written via sudo tee instead of file_put_contents (www-data permission fix)
- chpasswd now called with sudo prefix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LP9Q4kfCAYAjJnsbHBrViZ
2026-06-20 05:23:42 +00:00
github-actions[bot] cbd20c5390 chore: bump version to 1.0.30 [skip ci] 2026-06-20 04:36:37 +00:00