Skip to main content

V1.0.x

V1.0.1 | 03/06/2026

Security Patch – JWT Token Storage Hardened

🔐 Security Fix: JWT Tokens Moved to HttpOnly Cookies

Vulnerability addressed: JWT access tokens were previously stored in localStorage, making them accessible to any JavaScript running on the page (including third-party scripts), which exposed users to XSS-based token theft.

What changed:

  • Backend – Login (POST /users/login, POST /admin/login): Server now sets accessToken and refreshToken (user) / adminToken (super admin) as HttpOnly; Secure; SameSite cookies. Token values are no longer returned in the response body.
  • Backend – Logout (POST /users/logout, POST /admin/logout): Server clears auth cookies via res.clearCookie(). Client-side cookie removal is no longer required.
  • Backend – Refresh Token (POST /users/refresh-token, POST /admin/refresh-token): Server reads the refresh token from the HttpOnly cookie directly. New access token is rotated back as a cookie — no token in the request or response body.
  • Backend – Auth Middleware: Now accepts token from Authorization: Bearer header or from req.cookies.accessToken / req.cookies.adminToken as a fallback, maintaining full backward compatibility with mobile/API clients.
  • Frontend – Axios / Fetch clients (axiosInstance.ts, lib/api.ts, services/api.client.ts, store/api/api.client.ts): Added withCredentials: true so the browser automatically sends the HttpOnly cookie on every request. Removed all manual Authorization header injection from localStorage.
  • Frontend – Auth Service (services/auth.service.ts): Removed all localStorage.setItem("accessToken"), localStorage.removeItem("accessToken"), and document.cookie writes. Auth state is now fully managed by the browser cookie.
  • Frontend – Image Upload (lib/uploadBuilderImage.ts): Replaced headers: { Authorization: token } with credentials: "include" on the native fetch() call.
  • Frontend – Login page (Login.tsx, PhoneOtpLogin.tsx, EmailpasswordLogin.tsx): Removed localStorage.clear() calls on submit. Removed Cookies.set("whoxa_business_token") / Cookies.set("whoxa_business_refresh_token") — tokens are now set exclusively by the backend.
  • Frontend – Logout / Delete Account modals: Removed localStorage.clear() and JS removal of whoxa_business_token / whoxa_business_refresh_token cookies — server handles cleanup.
  • Frontend – Next.js Middleware (middleware.ts): Updated route-guard to read the adminToken HttpOnly cookie instead of the old accessToken cookie name.
AttributeValue
HttpOnlytrue — not readable by JavaScript
Securetrue in production — HTTPS only
SameSiteStrict in production / Lax in development
Path/
Max-AgeaccessToken: 15 min · refreshToken: 30 days · adminToken: 7 days

Files Modified

Backend (whoxa-whatsapp-business-api)

  • src/controller/admin_controller/login_admin.controller.js
  • src/controller/admin_controller/logout_admin.controller.js
  • src/controller/admin_controller/refresh_token_admin.controller.js
  • src/controller/user_controller/login.controller.js
  • src/controller/user_controller/logout.controller.js
  • src/controller/user_controller/refresh_token.controller.js
  • src/middleware/authMiddleware.js

Super Admin (whoxa_super_admin)

  • src/lib/api.ts
  • src/services/api.client.ts
  • src/services/auth.service.ts
  • src/store/api/api.client.ts
  • src/lib/uploadBuilderImage.ts
  • src/middleware.ts

Business Web (whoxa_business_web)

  • src/store/api/axiosInstance.ts
  • src/pages/Register/Login.tsx
  • src/pages/Register/PhoneOtpLogin.tsx
  • src/pages/Register/EmailpasswordLogin.tsx
  • src/pages/Home/Settings/LogOutModal.tsx
  • src/pages/Home/Settings/DeleteAccountModal.tsx
  • src/store/api/useUserProfile.ts

V1.0.0 | 05/05/2026

Whoxa CRM - WhatsApp Business API Launch

Core CRM Features

  • Customer Relationship Management: Complete CRM system for managing customer interactions
  • Contact Management: Organize and manage customer contacts efficiently
  • Chat Labels: Categorize and organize conversations with custom labels
  • Dashboard Analytics: Real-time insights and reporting for business metrics

WhatsApp Business Integration

  • WhatsApp Business API: Full integration with WhatsApp Business Cloud API
  • Meta Catalog Management: Product catalog management for WhatsApp business
  • Template Management: WhatsApp message templates for business communication
  • Automated Responses: Smart chat automation and default messages

Advanced CRM Capabilities

  • AI-Powered Insights: Intelligent customer behavior analysis and predictions
  • Advanced Analytics: Enhanced dashboard with real-time business metrics
  • Custom Workflows: Automated business process workflows
  • Multi-channel Integration: Unified communication across all channels

Enhanced WhatsApp Business Features

  • Advanced Template Management: Dynamic template variables and personalization
  • Chatbot Integration: AI-powered chatbots for customer support
  • Campaign Management: Bulk messaging campaigns with analytics
  • Conversation Analytics: Detailed conversation tracking and insights

Technical Improvements

  • Performance Optimization: 50% faster response times
  • Enhanced Security: Advanced encryption and security protocols
  • Scalability Improvements: Support for higher concurrent users
  • API Enhancements: Extended API capabilities and endpoints

User Experience

  • Improved Dashboard: More intuitive and responsive admin interface
  • Mobile Optimization: Better mobile experience across all devices
  • Real-time Updates: Instant synchronization across all platforms
  • Enhanced Reporting: More comprehensive and customizable reports

Technical Infrastructure

  • Real-time Communication: Socket.io based real-time messaging
  • Redis Caching: High-performance caching with Redis
  • PostgreSQL Database: Robust database management with Sequelize ORM
  • File Upload System: Comprehensive media and file handling

Admin Panel Features

  • User Management: Complete user administration and permissions
  • API Key Management: Secure API key generation and management
  • System Configuration: Flexible system settings and configurations
  • Report Management: Comprehensive reporting and analytics

Security & Performance

  • JWT Authentication: Secure token-based authentication
  • Webhook Security: Secure webhook handling with signature verification
  • Rate Limiting: API rate limiting and abuse prevention
  • Data Encryption: Secure data handling and encryption

Communication Channels

  • WhatsApp Business: Primary communication channel
  • Email Integration: SMTP email configuration and templates
  • SMS Integration: Twilio and MSG91 SMS services
  • Push Notifications: OneSignal push notification support