V1.0.x
V1.0.1 | 03/06/2026
Security Patch – JWT Token Storage Hardened
🔐 Security Fix: JWT Tokens Moved to HttpOnly Cookies
Vulnerability addressed: JWT access tokens were previously stored in localStorage, making them accessible to any JavaScript running on the page (including third-party scripts), which exposed users to XSS-based token theft.
What changed:
- Backend – Login (
POST /users/login,POST /admin/login): Server now setsaccessTokenandrefreshToken(user) /adminToken(super admin) asHttpOnly; Secure; SameSitecookies. Token values are no longer returned in the response body. - Backend – Logout (
POST /users/logout,POST /admin/logout): Server clears auth cookies viares.clearCookie(). Client-side cookie removal is no longer required. - Backend – Refresh Token (
POST /users/refresh-token,POST /admin/refresh-token): Server reads the refresh token from theHttpOnlycookie directly. New access token is rotated back as a cookie — no token in the request or response body. - Backend – Auth Middleware: Now accepts token from
Authorization: Bearerheader or fromreq.cookies.accessToken/req.cookies.adminTokenas a fallback, maintaining full backward compatibility with mobile/API clients. - Frontend – Axios / Fetch clients (
axiosInstance.ts,lib/api.ts,services/api.client.ts,store/api/api.client.ts): AddedwithCredentials: trueso the browser automatically sends the HttpOnly cookie on every request. Removed all manualAuthorizationheader injection fromlocalStorage. - Frontend – Auth Service (
services/auth.service.ts): Removed alllocalStorage.setItem("accessToken"),localStorage.removeItem("accessToken"), anddocument.cookiewrites. Auth state is now fully managed by the browser cookie. - Frontend – Image Upload (
lib/uploadBuilderImage.ts): Replacedheaders: { Authorization: token }withcredentials: "include"on the nativefetch()call. - Frontend – Login page (
Login.tsx,PhoneOtpLogin.tsx,EmailpasswordLogin.tsx): RemovedlocalStorage.clear()calls on submit. RemovedCookies.set("whoxa_business_token")/Cookies.set("whoxa_business_refresh_token")— tokens are now set exclusively by the backend. - Frontend – Logout / Delete Account modals: Removed
localStorage.clear()and JS removal ofwhoxa_business_token/whoxa_business_refresh_tokencookies — server handles cleanup. - Frontend – Next.js Middleware (
middleware.ts): Updated route-guard to read theadminTokenHttpOnly cookie instead of the oldaccessTokencookie name.
Cookie Security Attributes Applied
| Attribute | Value |
|---|---|
HttpOnly | true — not readable by JavaScript |
Secure | true in production — HTTPS only |
SameSite | Strict in production / Lax in development |
Path | / |
Max-Age | accessToken: 15 min · refreshToken: 30 days · adminToken: 7 days |
Files Modified
Backend (whoxa-whatsapp-business-api)
src/controller/admin_controller/login_admin.controller.jssrc/controller/admin_controller/logout_admin.controller.jssrc/controller/admin_controller/refresh_token_admin.controller.jssrc/controller/user_controller/login.controller.jssrc/controller/user_controller/logout.controller.jssrc/controller/user_controller/refresh_token.controller.jssrc/middleware/authMiddleware.js
Super Admin (whoxa_super_admin)
src/lib/api.tssrc/services/api.client.tssrc/services/auth.service.tssrc/store/api/api.client.tssrc/lib/uploadBuilderImage.tssrc/middleware.ts
Business Web (whoxa_business_web)
src/store/api/axiosInstance.tssrc/pages/Register/Login.tsxsrc/pages/Register/PhoneOtpLogin.tsxsrc/pages/Register/EmailpasswordLogin.tsxsrc/pages/Home/Settings/LogOutModal.tsxsrc/pages/Home/Settings/DeleteAccountModal.tsxsrc/store/api/useUserProfile.ts
V1.0.0 | 05/05/2026
Whoxa CRM - WhatsApp Business API Launch
Core CRM Features
- Customer Relationship Management: Complete CRM system for managing customer interactions
- Contact Management: Organize and manage customer contacts efficiently
- Chat Labels: Categorize and organize conversations with custom labels
- Dashboard Analytics: Real-time insights and reporting for business metrics
WhatsApp Business Integration
- WhatsApp Business API: Full integration with WhatsApp Business Cloud API
- Meta Catalog Management: Product catalog management for WhatsApp business
- Template Management: WhatsApp message templates for business communication
- Automated Responses: Smart chat automation and default messages
Advanced CRM Capabilities
- AI-Powered Insights: Intelligent customer behavior analysis and predictions
- Advanced Analytics: Enhanced dashboard with real-time business metrics
- Custom Workflows: Automated business process workflows
- Multi-channel Integration: Unified communication across all channels
Enhanced WhatsApp Business Features
- Advanced Template Management: Dynamic template variables and personalization
- Chatbot Integration: AI-powered chatbots for customer support
- Campaign Management: Bulk messaging campaigns with analytics
- Conversation Analytics: Detailed conversation tracking and insights
Technical Improvements
- Performance Optimization: 50% faster response times
- Enhanced Security: Advanced encryption and security protocols
- Scalability Improvements: Support for higher concurrent users
- API Enhancements: Extended API capabilities and endpoints
User Experience
- Improved Dashboard: More intuitive and responsive admin interface
- Mobile Optimization: Better mobile experience across all devices
- Real-time Updates: Instant synchronization across all platforms
- Enhanced Reporting: More comprehensive and customizable reports
Technical Infrastructure
- Real-time Communication: Socket.io based real-time messaging
- Redis Caching: High-performance caching with Redis
- PostgreSQL Database: Robust database management with Sequelize ORM
- File Upload System: Comprehensive media and file handling
Admin Panel Features
- User Management: Complete user administration and permissions
- API Key Management: Secure API key generation and management
- System Configuration: Flexible system settings and configurations
- Report Management: Comprehensive reporting and analytics
Security & Performance
- JWT Authentication: Secure token-based authentication
- Webhook Security: Secure webhook handling with signature verification
- Rate Limiting: API rate limiting and abuse prevention
- Data Encryption: Secure data handling and encryption
Communication Channels
- WhatsApp Business: Primary communication channel
- Email Integration: SMTP email configuration and templates
- SMS Integration: Twilio and MSG91 SMS services
- Push Notifications: OneSignal push notification support