Changelog

You're currently on v0.2.0.

v0.2.0 · First real release — light rebrand, PWA, reservations

26 April 2026

Big consolidation release. Pivot away from the dark-slate noobventure-default to a warm cream-and-pink theme with a Fraunces display serif, gift-themed side decorations, and confetti backgrounds — wishlist now reads as celebratory, not productivity. Adds the gift-giver killer feature (anonymous reservations on shared wishlists), drag-to-reorder + inline edit on items, password reset, a toast notification system that replaces every browser confirm() and silent action, and a fully installable PWA. Plus the legal pages and this changelog.

Added
  • Reservations on shared wishlists — anonymous gift-givers click "I'll get this", type a name, and the item shows as reserved to other viewers (with the same browser able to undo via cookie). Owner doesn't see who reserved what by default to preserve the surprise; opt-in toggle per wishlist for registries.
  • Inline item edit — pencil icon flips a card into a full edit form. PATCH /api/wishlists/[id]/items/[itemId] with the same Auto-fill button as the create form.
  • Drag-to-reorder items — HTML5 native drag with optimistic local reorder and bulk position persist via POST /api/wishlists/[id]/items/reorder.
  • Password reset flow — /forgot-password and /reset-password/[token] backed by Mailjet REST + bcrypt-hashed token + 1h expiry. Branded HTML email with the wishlist mark.
  • PWA — installable on Android (one-tap banner) and iOS (Share → Add to Home Screen instructions). Service worker with stale-while-revalidate navigation, cache-first for /_next/static, never caches /api. Dynamic apple-touch-icon and Android maskable icon generated by Next/og.
  • Toast notification system — global ToastProvider with success / error / info / warn variants, plus a styled confirm modal that replaces every browser confirm(). Hooked up across dashboard, wishlist detail, item card, and share page.
  • Legal pages — Privacy, Terms, Cookies under a shared (legal) route group with cross-links between them.
  • This changelog page (/changelog) backed by a typed lib/changelog.ts data file. Footer version badge pulses pink until you open the page.
  • Side decor — nine floating gift-themed SVG illustrations (gift boxes, balloons, ribbons, sparkles, hearts) in the wide-screen margins, each on a staggered float animation. Hidden below lg.
  • Landing page rebuild — Fraunces display serif, mock browser-chrome wishlist preview, "For every moment" occasion grid (8 cards: birthday/wedding/baby/holiday/housewarming/etc), 3-step "How it works" strip, testimonial-style quote block, FAQ accordion, vivid CTA card.
  • Auth split layout — login / register / forgot / reset all share an AuthShell with a bold pink/rose marketing column on the right (mock browser preview + feature checklist + animated logo).
  • Hero gradient panels on /wishlists/[id] and /share/[token] — vibrant gradient picked stably from the wishlist id, with stats row (items / must-have / estimated total) and confetti.
  • Dashboard greeting + stats row (lists / items / shared) with stable per-id gradient backdrops on each wishlist card.
Changed
  • Visual identity — switched from dark slate (#07040d) to warm cream (#fff7f4) with peach/blush/lavender ambient gradients. Pink/coral accents replace indigo. Fraunces serif paired with Geist sans for headlines.
  • Footer — added Privacy / Cookies / Terms / Changelog links and replaced the plain version text with a VersionBadge that pulses for unseen versions.
  • Cookie names prefixed with `wishlist.` so dev sessions don't collide with sibling stacklog cookies on localhost.
Fixed
  • serialize() type signature now correctly maps Mongoose ObjectId/Date to string in the output type. Caught at production build time only — Turbopack dev mode skipped strict type-check.
  • Dashboard item-count aggregation no longer matches every WishlistItem when the user has zero wishlists.
Security
  • OG preview endpoint (/api/og) is auth-gated with an SSRF guard rejecting private hosts, byte-cap, and per-IP rate limit so it can't be abused as an open server-side fetch proxy.
  • Reservation endpoint rate-limited per IP. Reserver tokens are SHA-256 hashed before storage so a leaked database wouldn't expose the cookie value.
  • Password reset always returns the same response regardless of whether the email exists — prevents email enumeration.
  • Password reset tokens are stored as SHA-256 hashes (not plaintext) with a 1-hour expiry.
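
The "SSRF guard rejecting private hosts" item above can be sketched as follows. This is an added example, not the wishlist project's code: the function names are hypothetical, and the caller is assumed to pass in the addresses its own DNS lookup returned. It covers only the host check, not the byte cap or rate limit.

```javascript
// Added example, not the wishlist project's code; all names are hypothetical.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Expand hex-group IPv6 text (the form URL.hostname emits) to 8 numbers.
function parseIPv6(text) {
  const parts = text.split("::");
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts[1] ? parts[1].split(":") : [];
  const fill = parts.length === 2 ? Math.max(0, 8 - head.length - tail.length) : 0;
  const groups = [...head, ...Array(fill).fill("0"), ...tail];
  const ok = groups.length === 8 && groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g));
  return ok ? groups.map((g) => parseInt(g, 16)) : null;
}

function isPrivateV4([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||   // this-net, 10/8, loopback, multicast+
    (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) || // CGNAT, link-local/metadata
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);    // rest of RFC 1918
}

function isPrivateAddress(ip) {
  const v4 = parseIPv4(ip);
  if (v4) return isPrivateV4(v4);
  const g = parseIPv6(ip);
  if (!g) return true;                                   // unparseable: fail closed
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff)
    return isPrivateV4([g[6] >> 8, g[6] & 0xff]);        // IPv4-mapped ::ffff:a.b.c.d
  if (g.slice(0, 7).every((x) => x === 0)) return true;  // covers :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}

// `resolved` = addresses the caller's DNS lookup returned (assumed input).
function checkPreviewTarget(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return "invalid-url"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "bad-scheme";
  if (url.username || url.password) return "credentials";
  const host = url.hostname.replace(/^\[|\]$/g, "");     // IPv6 literals arrive bracketed
  const literal = parseIPv4(host) !== null || host.includes(":");
  const addrs = literal ? [host] : resolved;
  if (addrs.length === 0) return "unresolved";
  return addrs.some(isPrivateAddress) ? "private-address" : "ok";
}
```

A check like this has to be repeated for every redirect hop, and the outbound request has to connect to the address that was vetted; otherwise a second DNS lookup can return a different answer than the one checked.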

v0.1.0 · Initial scaffold

22 April 2026

First working version. Email/password auth (with optional Google OAuth), private/link wishlist visibility with stable share tokens, items with title/url/image/price/notes/priority, OG-preview helper that auto-fills new items from any product URL, owner dashboard, public /share/[token] viewer, multi-stage Dockerfile + docker-compose. Built on the noobventure stack (Next.js 16, React 19, Tailwind 4, Mongoose, next-auth v5).

Added
  • Email/password registration and login with bcrypt + per-account login rate limiting.
  • Optional Google OAuth — auto-enables when AUTH_GOOGLE_ID and AUTH_GOOGLE_SECRET env vars are set.
  • Wishlist + WishlistItem MongoDB models with private vs link visibility and stable share tokens.
  • Owner dashboard listing all your wishlists, with create / delete.
  • Wishlist detail page — add items, set priority, view all items.
  • Public /share/[token] viewer — anyone with the link can view a link-visibility wishlist without an account.
  • /api/og URL preview helper that scrapes OpenGraph + Twitter card meta and product:price for auto-fill.
  • Multi-stage Dockerfile (Node 20 alpine, standalone output) + docker-compose with external wishlist-network on Unraid.
  • Footer with version number sourced from package.json.

Format inspired by Keep a Changelog and semver.