Merged
teelur (Owner) commented Feb 21, 2026
- Email updates
- CVE fix
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.9.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.9)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* I should have broken up these commits
* only send email once
* some tweaks
* Don't show email confirmation message when disabled
* update deps
* disconnect session afterwards
* Update server/BudgetBoard.WebAPI/Utils/Helpers.cs
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update server/BudgetBoard.WebAPI/BudgetBoard.WebAPI.csproj
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Only run when enabled

---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot (Contributor)
Pull request overview
This pull request is a cherry-pick of a patch containing email updates and a CVE fix related to X-Forwarded-Proto header handling. The changes improve security, enhance the email notification system, and upgrade dependencies.
Changes:
- Fixed CVE vulnerability in X-Forwarded-Proto header parsing to prevent header injection attacks
- Migrated email sender from System.Net.Mail to MailKit for better SMTP support and security
- Enhanced login flow with account lockout email notifications and better error differentiation (wrong password vs unverified email)
- Added RegisterResponse to indicate whether email confirmation is required
- Updated frontend dependencies and improved registration/login UI with resend verification email functionality
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| server/BudgetBoard.WebAPI/Utils/Helpers.cs | Fixed CVE by properly parsing comma-separated X-Forwarded-Proto headers and using request.Scheme as fallback instead of request.Protocol |
| server/BudgetBoard.WebAPI/Utils/EmailSender.cs | Migrated from System.Net.Mail to MailKit with proper connection management and better error handling |
| server/BudgetBoard.WebAPI/Resources/ApiResponseStrings.resx | Added localized error messages and account lockout email content |
| server/BudgetBoard.WebAPI/Overrides/RegisterResponse.cs | New model to communicate email confirmation requirements to client |
| server/BudgetBoard.WebAPI/Overrides/IdentityApiEndpointRouteBuilderExtensions.cs | Enhanced login flow with lockout detection, email notifications, and better error messages; updated register endpoint to return RegisterResponse |
| server/BudgetBoard.WebAPI/BudgetBoard.WebAPI.csproj | Updated Microsoft packages to 10.0.3, added MailKit 4.15.0 dependency |
| server/BudgetBoard.Tests/BudgetBoard.IntegrationTests.csproj | Updated test dependencies to match main project versions |
| server/BudgetBoard.Service/Resources/LogStrings.resx | Removed unused log string entry |
| server/BudgetBoard.Service/BudgetBoard.Service.csproj | Updated Microsoft.Extensions packages to 10.0.3 |
| server/BudgetBoard.Database/BudgetBoard.Database.csproj | Updated Microsoft packages to 10.0.3 |
| client/yarn.lock | Updated client-side dependencies including Babel, Mantine, React, ESLint, TypeScript, and Vite |
| client/src/models/auth.ts | New TypeScript interface for RegisterResponse |
| client/src/app/Unauthorized/Register/Register.tsx | Updated to handle conditional email verification message based on server response |
| client/src/app/Unauthorized/Login/Login.tsx | Added resend verification email functionality with better error handling for unverified accounts |
| client/public/locales/fr/translation.json | Reformatted with 2-space indentation and added partial translations for new features |
| client/public/locales/en-us/translation.json | Added translations for account lockout, verification email resend, and split account_created messages |
| client/public/locales/de/translation.json | Reformatted with 2-space indentation |
| client/package.json | Updated all dependencies to latest versions |
Inline review comment on server/BudgetBoard.WebAPI/Overrides/IdentityApiEndpointRouteBuilderExtensions.cs (resolved)
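The review summary above names two properties of the X-Forwarded-Proto fix: only the first comma-separated entry is honoured, and the fallback is request.Scheme rather than request.Protocol. The helper below is an added illustration of that parsing rule, not the project's Helpers.cs; `SchemeResolver`, `Resolve` and the sample inputs are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not BudgetBoard's own code): resolves the scheme a
// client used when the app sits behind a reverse proxy. A value taken from
// this header typically ends up in absolute URLs such as email confirmation
// links, so it must be allow-listed, never copied through verbatim.
public static class SchemeResolver
{
    private static readonly HashSet<string> AllowedSchemes =
        new(StringComparer.OrdinalIgnoreCase) { "http", "https" };

    // forwardedProto: raw X-Forwarded-Proto header value, or null when absent.
    // requestScheme:  what the server itself observed (HttpRequest.Scheme).
    //                 HttpRequest.Protocol would be "HTTP/1.1", not a scheme.
    public static string Resolve(string? forwardedProto, string requestScheme)
    {
        if (!string.IsNullOrWhiteSpace(forwardedProto))
        {
            // Each proxy appends its own entry, so "https, http" means the
            // client reached the outermost proxy over https. Only the first
            // entry describes the client-facing hop; the rest is ignored.
            var first = forwardedProto.Split(',', 2)[0].Trim();

            if (AllowedSchemes.Contains(first))
                return first.ToLowerInvariant();
            // Anything else (empty, "HTTPS\r\n...", a URL, injected text)
            // is rejected and we fall through to the observed scheme.
        }

        return requestScheme.ToLowerInvariant();
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(SchemeResolver.Resolve("https, http", "http"));   // https
        Console.WriteLine(SchemeResolver.Resolve(" HTTPS ", "http"));       // https
        Console.WriteLine(SchemeResolver.Resolve("https://evil", "http"));  // http
        Console.WriteLine(SchemeResolver.Resolve(null, "https"));           // https
        Console.WriteLine(SchemeResolver.Resolve("", "http"));              // http
    }
}
```

In ASP.NET Core the same normalisation is done by the forwarded-headers middleware (`UseForwardedHeaders` with `KnownProxies`/`KnownNetworks` configured), which also restricts trust to named proxies; the helper shows only the parsing rule the review describes.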