remnawave-bedolaga-telegram-bot/CHANGELOG.md

Changelog

3.17.1 (2026-02-23)

Bug Fixes

• add diagnostic logging for device_limit sync to RemnaWave (97b3f89)
• add int32 overflow guards and strengthen auth validation (50a931e)
• add missing broadcast_history columns and harden subscription logic (d4c4a8a)
• allow tariff switch when less than 1 day remains (67f3547)
• cap expected_monthly_referrals to prevent int32 overflow (2ef6185)
• cross-validate Telegram identity on every authenticated request (973b3d3)
• handle RemnaWave API errors in traffic aggregation (ed4624c)
• migrate all remaining naive timestamp columns to timestamptz (708bb9e)
• prevent partner self-referral via own campaign link (115c0c8)
• protect active paid subscriptions from being disabled in RemnaWave (1b6bbc7)
• repair missing DB columns and make backup resilient to schema mismatches (c20355b)
• show negative amounts for withdrawals in admin transaction list (5ee45f9)
• suppress web page preview when logo mode is disabled (1f4430f)
• uploaded backup restore button not triggering handler (ebe5083)
• use aiogram 3.x bot.download() instead of document.download() (205c8d9)

3.17.0 (2026-02-18)

New Features

• add referral code tracking to all cabinet auth methods + email_templates migration (18c2477)

Bug Fixes

• prevent 'caption is too long' error in logo mode (6e28a1a)
• skip blocked users in trial notifications and broadcasts without DB status change (493f315)

3.16.3 (2026-02-18)

Bug Fixes

• 3 user deletion bugs — type cast, inner savepoint, lazy load (af31c55)
• auth middleware catches all commit errors, not just connection errors (6409b0c)
• connected_squads stores UUIDs, not int IDs — use get_server_ids_by_uuids (d7039d7)
• deadlock on user deletion + robust migration 0002 (b7b83ab)
• eliminate deadlock by matching lock order with webhook (d651a6c)
• make migration 0002 robust with table existence checks (f076269)
• wrap user deletion steps in savepoints to prevent transaction cascade abort (a38dfcb)

3.16.2 (2026-02-18)

Bug Fixes

• auto-convert naive datetimes to UTC-aware on model load (f7d33a7)
• extend naive datetime guard to all model properties (bd11801)
• handle naive datetime in raw SQL row comparison (payment/common) (38f3a9a)
• handle naive datetimes in Subscription properties (e512e5f)
• use AwareDateTime TypeDecorator for all datetime columns (a7f3d65)

3.16.1 (2026-02-18)

Bug Fixes

• add migration for partner system tables and columns (4645be5)
• add migration for partner system tables and columns (79ea398)

3.16.0 (2026-02-18)

New Features

• add admin notifications for partner applications and withdrawals (cf7cc5a)
• add admin partner settings API (withdrawal toggle, requisites text, partner visibility) (6881d97)
• add campaign_id to ReferralEarning for campaign attribution (0c07812)
• add partner system and withdrawal management to cabinet (58bfaea)
• attribute campaign registrations to partner for referral earnings (767e965)
• blocked user detection during broadcasts, filter blocked from all notifications (10e231e)
• enforce 1-to-1 partner-campaign binding with partner info in campaigns (366df18)
• expose traffic_reset_mode in subscription response (59383bd)
• expose traffic_reset_mode in tariff API response (5d4a94b)
• include partner campaigns in /partner/status response (ea5d932)
• link campaign registrations to partner for referral earnings (c4dc43e)
• notify users on partner/withdrawal approve/reject (327d4f4)

Bug Fixes

• add blocked_count column migration to universal_migration.py (b4b10c9)
• add missing payment providers to payment_utils and fix {total_amount} formatting (bdb6161)
• add selectinload for subscription in campaign user list (eb9dba3)
• campaign web link uses ?campaign= param, not ?start= (28f524b)
• correct subscription_service import in broadcast cleanup (6c4e035)
• critical security and data integrity fixes for partner system (8899749)
• handle YooKassa NotFoundError gracefully in get_payment_info (df5b1a0)
• medium-priority fixes for partner system (7c20fde)
• move PartnerStatus enum before User class to fix NameError (acc1323)
• prevent fileConfig from destroying structlog handlers (e78b104)
• reorder button_click_logs migration to nullify before ALTER TYPE (df5415f)
• resolve HIGH-priority performance and security issues in partner system (fcf3a2c)
• return zeroed stats dict when withdrawal is disabled (7883efc)
• unassign all campaigns when revoking partner status (d39063b)

Refactoring

• replace universal_migration.py with Alembic (b6c7f91)
• replace universal_migration.py with Alembic (784616b)

3.15.1 (2026-02-17)

Bug Fixes

• add naive datetime guards to fromisoformat() in Redis cache readers (1b3e6f2)
• add naive datetime guards to fromisoformat() in Redis cache readers (6fa4948)

3.15.0 (2026-02-17)

New Features

• add LOG_COLORS env setting to toggle console ANSI colors (27309f5)
• add web campaign links with bonus processing in auth flow (d955279)

Bug Fixes

• AttributeError in withdrawal admin notification (send_to_admins → send_admin_notification) (c75ec0b)
• remove local UTC re-imports shadowing module-level import in purchase.py (e68760c)

3.14.1 (2026-02-17)

Bug Fixes

• add naive datetime guards to parsers and fix test datetime literals (0946090)
• address remaining abs() issues from review (ff21b27)
• complete datetime.utcnow() → datetime.now(UTC) migration (eb18994)
• normalize transaction amount signs across all aggregations (4247981)
• prevent negative amounts in spent display and balance history (c30972f)

3.14.0 (2026-02-16)

New Features

• show all active webhook endpoints in startup log (9d71005)

Bug Fixes

• force basicConfig to replace pre-existing handlers (7eb8d4e)
• NameError in set_user_devices_button — undefined action_text (1b8ef69)
• remove unused PaymentService from MonitoringService init (491a7e1)
• resolve MissingGreenlet error when accessing subscription.tariff (a93a32f)
• sync support mode from cabinet admin to SupportSettingsService (516be6e)
• sync SUPPORT_SYSTEM_MODE between SystemSettings and SupportSettings (0807a9f)

Refactoring

• improve log formatting — logger name prefix and table alignment (f637204)

3.13.0 (2026-02-16)

New Features

• colored console logs via structlog + rich + FORCE_COLOR (bf64611)

Bug Fixes

• limit Rich traceback output to prevent console flood (11ef714)
• resolve exc_info for admin notifications, clean log formatting (11f8af0)
• suppress startup log noise (~350 lines → ~30) (8a6650e)
• traceback in Telegram notifications + reduce log padding (909a403)
• use sync context manager for structlog bound_contextvars (25e8c9f)

Refactoring

• complete structlog migration with contextvars, kwargs, and logging hardening (1f0fef1)

3.12.1 (2026-02-16)

Bug Fixes

• add /start burst rate-limit to prevent spam abuse (61a9722)
• add promo code anti-abuse protections (97ec39a)
• handle TelegramBadRequest in ticket edit_message_text calls (8e61fe4)
• replace deprecated Query(regex=) with pattern= (871ceb8)

3.12.0 (2026-02-15)

New Features

• add 'default' (no color) option for button styles (10538e7)
• add button style and emoji support for cabinet mode (Bot API 9.4) (bf2b2f1)
• add per-button enable/disable toggle and custom labels per locale (68773b7)
• add per-section button style and emoji customization via admin API (a968791)
• add web admin button for admins in cabinet mode (9ac6da4)
• rename MAIN_MENU_MODE=text to cabinet with deep-linking to frontend sections (ad87c5f)

Bug Fixes

• daily tariff subscriptions stuck in expired/disabled with no resume path (80914c1)
• filter out traffic packages with zero price from purchase options (64a684c)
• handle photo message in ticket creation flow (e182280)
• handle tariff_extend callback without period (back button crash) (ba0a5e9)
• pre-validate CABINET_BUTTON_STYLE to prevent invalid values from suppressing per-section defaults (46c1a69)
• remove redundant trial inactivity monitoring checks (d712ab8)
• webhook notification 'My Subscription' button uses unregistered callback_data (1e2a7e3)

3.11.0 (2026-02-12)

New Features

• add cabinet admin API for pinned messages management (1a476c4)
• add startup warnings for missing HAPP_CRYPTOLINK_REDIRECT_TEMPLATE and MINIAPP_CUSTOM_URL (476b89f)

Bug Fixes

• add passive_deletes to Subscription relationships to prevent NOT NULL violation on cascade delete (bfd66c4)
• add startup warning for missing HAPP_CRYPTOLINK_REDIRECT_TEMPLATE in guide mode (1d43ae5)
• flood control handling in pinned messages and XSS hardening in HTML sanitizer (454b831)
• suppress expired callback query error in AuthMiddleware (2de4384)
• ticket creation crash and webhook PendingRollbackError (760c833)

3.10.3 (2026-02-12)

Bug Fixes

• handle unique constraint conflicts during backup restore without clear_existing (5893874)
• harden backup create/restore against serialization and constraint errors (fc42916)
• resolve deadlock on server_squads counter updates and add webhook notification toggles (57dc1ff)

3.10.2 (2026-02-12)

Bug Fixes

• allow email change for unverified emails (93bb8e0)
• clean stale squad UUIDs from tariffs during server sync (fcaa9df)
• delete subscription_servers before subscription to prevent FK violation (7d9ced8)
• handle StaleDataError in webhook user.deleted server counter decrement (c30c2fe)
• handle time/date types in backup JSON serialization (27365b3)
• HTML parse fallback, email change race condition, username length limit (d05ff67)
• payment race conditions, balance atomicity, renewal rollback safety (c5124b9)
• remove DisplayNameRestrictionMiddleware (640da34)
• suppress bot-blocked-by-user error in AuthMiddleware (fda9f3b)
• UnboundLocalError for get_logo_media in required_sub_channel_check (d3c14ac)
• use traffic topup config and add WATA 429 retry (b5998ea)

Refactoring

• remove modem functionality from classic subscriptions (ee2e79d)

3.10.1 (2026-02-11)

Bug Fixes

• address review issues in backup, updates, and webhook handlers (2094886)
• allow purchase when recalculated price is lower than cached (19dabf3)
• change CryptoBot URL priority to bot_invoice_url for Telegram opening (3193ffb)
• clear subscription data when user deleted from Remnawave panel (b0fd38d)
• downgrade Telegram timeout errors to warning in monitoring service (e43a8d6)
• expand backup coverage to all 68 models and harden restore (02e40bd)
• handle nullable traffic_limit_gb and end_date in subscription model (e94b93d)
• handle StaleDataError in webhook when user already deleted (d58a80f)
• ignore 'message is not modified' on privacy policy decline (be1da97)
• preserve purchased traffic when extending same tariff (b167ed3)
• prevent cascading greenlet errors after sync rollback (a1ffd5b)
• protect server counter callers and fix tariff change detection (bee4aa4)
• suppress 'message is not modified' error in updates panel (3a680b4)
• use callback fallback when MINIAPP_CUSTOM_URL is not set (eaf3a07)
• use flush instead of commit in server counter functions (6cec024)

3.10.0 (2026-02-10)

New Features

• add all remaining RemnaWave webhook events (node, service, crm, device) (1e37fd9)
• add close button to all webhook notifications (d9de15a)
• add MULENPAY_WEBSITE_URL setting for post-payment redirect (fe5f5de)
• add RemnaWave incoming webhooks for real-time subscription events (6d67cad)
• handle errors.bandwidth_usage_threshold_reached_max_notifications webhook (8e85e24)
• handle service.subpage_config_changed webhook event (43a326a)
• unified notification delivery for webhook events (email + WS support) (26637f0)
• webhook protection — prevent sync/monitoring from overwriting webhook data (184c52d)

Bug Fixes

• add action buttons to webhook notifications and fix empty device names (7091eb9)
• add missing placeholders to Arabic SUBSCRIPTION_INFO template (fe54640)
• allow non-HTTP deep links in crypto link webhook updates (f779225)
• build composite device name from platform + hwid short suffix (17ce640)
• downgrade transient API errors (502/503/504) to warning level (ec8eaf5)
• extract device name from nested hwidUserDevice object (79793c4)
• preserve payment initiation time in transaction created_at (90d9df8)
• security and architecture fixes for webhook handlers (dc1e96b)
• stop CryptoBot webhook retry loop and save cabinet payments to DB (2cb6d73)
• sync subscription status from panel in user.modified webhook (5156d63)
• use event field directly as event_name (already includes scope prefix) (9aa22af)
• webhook:close button not working due to channel check timeout (019fbc1)

3.9.1 (2026-02-10)

Bug Fixes

• don't delete Heleket invoice message on status check (9943253)
• safe HTML preview truncation and lazy-load subscription fallback (40d8a6d)
• use actual DB columns for subscription fallback query (f0e7f8e)

3.9.0 (2026-02-09)

New Features

• add lite mode functionality with endpoints for retrieval and update (7b0403a)
• add Persian (fa) locale with complete translations (29a3b39)
• allow tariff deletion with active subscriptions (ebd6bee)
• localization: add Persian (fa) locale support and wire it across app flows (cc54a7a)

Bug Fixes

• nullify payment FK references before deleting transactions in user restoration (0b86f37)
• prevent sync from overwriting end_date for non-ACTIVE panel users (49871f8)
• promo code max_uses=0 conversion and trial UX after promo activation (1cae713)
• skip users with active subscriptions in admin inactive cleanup (e79f598)
• use selection.period.days instead of selection.period_days (4541016)

Performance

• cache logo file_id to avoid re-uploading on every message (142ff14)

Refactoring

• remove "both" mode from BOT_RUN_MODE, keep only polling and webhook (efa3a5d)
• remove Flask, use FastAPI exclusively for all webhooks (119f463)
• remove smart auto-activation & activation prompt, fix production bugs (a3903a2)

3.8.0 (2026-02-08)

New Features

• add admin device management endpoints (c57de10)
• add admin traffic packages and device limit management (2f90f91)
• add admin updates endpoint for bot and cabinet releases (11b8ab1)
• add endpoint for updating user referral commission percent (da6f746)
• add enrichment data to CSV export (f2dbab6)
• add server-side sorting for enrichment columns (15c7cc2)
• add system info endpoint for admin dashboard (02c30f8)
• add traffic usage enrichment endpoint with devices, spending, dates, last node (5cf3f2f)
• admin panel enhancements & bug fixes (e6ebf81)

Bug Fixes

• add debug logging for bulk device response structure (46da31d)
• add email field to traffic table for OAuth/email users (94fcf20)
• add email/UUID fallback for OAuth user panel sync (165965d)
• add enrichment device mapping debug logs (5be82f2)
• include additional devices in tariff renewal price and display (17e9259)
• paginate bulk device endpoint to fetch all HWID devices (4648a82)
• read bot version from pyproject.toml when VERSION env is not set (9828ff0)
• revert device pagination, add raw user data field discovery (8f7fa76)
• use bulk device endpoint instead of per-user calls (5f219c3)
• use correct pagination params (start/size) for bulk HWID devices (17af51c)
• use per-user panel endpoints for reliable device counts and last node data (9d39901)

3.7.2 (2026-02-08)

Bug Fixes

• handle FK violation in create_yookassa_payment when user is deleted (55d281b)
• remove dots from Remnawave username sanitization (d6fa86b)

3.7.1 (2026-02-08)

Bug Fixes

• release-please config — remove blocked workflow files (d88ca98)
• remove workflow files and pyproject.toml from release-please extra-files (5070bb3)
• resolve HWID reset and webhook FK violation (5f3e426)
• resolve HWID reset context manager bug and webhook FK violation (a9eee19)
• resolve merge conflict in release-please config (0ef4f55)
• resolve multiple production errors and performance issues (071c23d)

3.7.0 (2026-02-07)

Features

• add admin traffic usage API (aa1cd38)
• add admin traffic usage API with per-node statistics (6c2c25d)
• add node/status filters and custom date range to traffic page (ad260d9)
• add node/status filters, custom date range, connected devices to traffic page (9ea533a)
• add node/status filters, date range, devices to traffic page (ad6522f)
• add risk columns to traffic CSV export (7c1a142)
• add tariff filter, fix traffic data aggregation (fa01819)
• node/status filters + custom date range for traffic page (a161e2f)
• tariff filter + fix traffic data aggregation (1021c2c)
• traffic filters, date range & risk columns in CSV export (4c40b5b)

Bug Fixes

• close unclosed HTML tags in version notification (0b61c7f)
• close unclosed HTML tags when truncating version notification (b674550)
• correct response parsing for non-legacy node-users endpoint (a076dfb)
• correct response parsing for non-legacy node-users endpoint (91ac90c)
• handle mixed types in traffic sort (eeed2d6)
• handle mixed types in traffic sort for string fields (a194be0)
• resolve 429 rate limiting on traffic page (b12544d)
• resolve 429 rate limiting on traffic page (924d6bc)
• use legacy per-node endpoint for traffic aggregation (cc1c8ba)
• use legacy per-node endpoint with correct response format (b707b79)
• use PaymentService for cabinet YooKassa payments (61bb8fc)
• use PaymentService for cabinet YooKassa payments to save local DB record (ff5bba3)

3.6.0 (2026-02-07)

Features

• add OAuth 2.0 authorization (Google, Yandex, Discord, VK) (97be4af)
• add panel info, node usage endpoints and campaign to user detail (287a43b)
• add panel info, node usage endpoints and campaign to user detail (0703212)
• add TRIAL_DISABLED_FOR setting to disable trial by user type (c4794db)
• add user_id filter to admin tickets endpoint (8886d0d)
• add user_id filter to admin tickets endpoint (d3819c4)
• block registration with disposable email addresses (9ca24ef)
• block registration with disposable email addresses (116c845)
• disable trial by user type (email/telegram/all) (4e7438b)
• migrate OAuth state storage from in-memory to Redis (e9b98b8)
• OAuth 2.0 authorization (Google, Yandex, Discord, VK) (3cbb9ef)
• return 30-day daily breakdown for node usage (7102c50)
• return 30-day daily breakdown for node usage (e4c65ca)

Bug Fixes

• increase OAuth HTTP timeout to 30s (333a3c5)
• parse bandwidth stats series format for node usage (557dbf3)
• parse bandwidth stats series format for node usage (462f7a9)
• pass tariff object instead of tariff_id to set_tariff_promo_groups (1ffb8a5)
• query per-node legacy endpoint for user traffic breakdown (b94e3ed)
• query per-node legacy endpoint for user traffic breakdown (51ca3e4)
• reduce node usage to 2 API calls to avoid 429 rate limit (c68c4e5)
• reduce node usage to 2 API calls to avoid 429 rate limit (f00a051)
• use accessible nodes API and fix date format for node usage (943e9a8)
• use accessible nodes API and fix date format for node usage (c4da591)

3.5.0 (2026-02-06)

Features

• add tariff reorder API endpoint (4c2e11e)
• pass platform-level fields from RemnaWave config to frontend (095bc00)
• serve original RemnaWave config from app-config endpoint (43762ce)
• tariff reorder API endpoint (085a617)

Bug Fixes

• enforce blacklist via middleware (561708b)
• enforce blacklist via middleware instead of per-handler checks (966a599)
• exclude signature field from Telegram initData HMAC validation (5b64046)
• improve button URL resolution and pass uiConfig to frontend (0ed98c3)
• restore unquote for user data parsing in telegram auth (c2cabbe)

Reverts

• remove signature pop from HMAC validation (4234769)