domnitor/CHANGELOG.md
Hosteroid 0c759cdd1d Update CHANGELOG for v1.1.2 release
Add v1.1.2 release notes to CHANGELOG.md. Documents new features (Google Chat webhook payloads, domain status change notifications, failed-login and expiration bell alerts, admin user profile, dashboard widgets, quick actions, WHOIS rate-limit/backoff, TLD registry editing, redemption/pending-delete detection, configurable status triggers, sidebar branding, 404 logging and copy error report), UI/UX changes, bug fixes, security hardening (CSRF & POST enforcement), and the migration script 024_add_status_notifications_v1.1.2.sql. Also updates task checklist entries to mark Google Chat notifications, domain grouping/tagging, 2FA, advanced filtering, and bulk operations completed.
2026-02-09 08:26:02 +02:00

Changelog

All notable changes to Domain Monitor will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[1.1.2] - 2026-02-09

Added

  • Google Chat Webhook Support - Selectable payload formats: Generic (n8n/Zapier/Make), Google Chat (rich card), and Simple Text
  • Domain Status Change Notifications - Configurable alerts for domain lifecycle events: available, registered, expired, redemption_period, pending_delete
  • Failed Login Notifications - In-app alerts for failed login attempts with geolocation, device info, and reason
  • Domain Expiration Bell Notifications - In-app notifications for expiring domains, respects user isolation mode
  • Admin User Profile Page (/users/{id}) - Detailed view with Overview, Domains, Tags, and Notification Groups tabs
  • Dashboard Insights Widgets - Registrar distribution, tag usage, and notification coverage for logged-in users
  • Quick Actions Dropdown - Top-nav + button with Add Domain, Create Group, Create Tag, and WHOIS Lookup
  • WHOIS Rate Limit Handling - Exponential backoff with retry logic, grouped by TLD to avoid repeated throttling
  • Admin TLD Registry Editing - Edit WHOIS and RDAP servers directly from the TLD registry UI
  • Redemption Period & Pending Delete Detection - New domain statuses parsed from EPP status codes (redemptionPeriod, pendingDelete)
  • Configurable Status Triggers - Settings UI to choose which domain status changes trigger notifications
  • Sidebar Branding - SVG logo with clickable "Domain Monitor" title and "Track your domains" subtitle
  • 404 Error Logging - Router logs 404 errors with request method, IP, user-agent, and referer details
  • Copy Error Report - Clipboard copy with toast feedback in admin error detail view

Changed

  • Dashboard Redesigned - Compact admin system status bar, balanced widget grid, removed Quick Actions widget
  • Mobile UI Overhauled - Sidebar overlay with swipe-to-close, body scroll lock, responsive layout tweaks
  • Error Log Deduplication Improved - Matches on type + file + line + message; resolution operates on all matching errors
  • Webhook Logging Enhanced - Masked URLs, response body truncation, payload previews, structured error handling
  • Notification Dropdown Enriched - Country flags, device icons for login alerts, clickable domain links
  • User Create Form Redesigned - Centered card layout, responsive grid, password show/hide toggles, live validation
  • WHOIS Date Parsing - Added DD/MM/YYYY format support for European registries (.pt, .es, .fr)
  • Domain Status ENUM Expanded - Added redemption_period and pending_delete values
  • Status Detection Improved - Better handling for .nl and .eu domains missing expiration dates
  • Login Success Messages - Now include the user's full name
  • Centralized Logging - Logger service replaces all remaining error_log() calls

Fixed

  • Notification Group Delete - Changed from GET to POST with CSRF token (was vulnerable to CSRF)
  • Bulk Domain Create - Wrapped in try/catch to handle duplicate domain conflicts gracefully
  • User Edit Form Action - Fixed route mismatch (/users/update/users/{id}/update)
  • Tag Isolation Access - Enforced permission checks in TagController for isolated mode
  • RDAP Server Route - Fixed route name mismatch between definition and controller method
  • Top-Nav Dropdowns - Fixed broken dropdown toggle logic after Quick Actions addition
  • PHP 8.x Compatibility - Fixed null parameter warnings in date functions
  • Sidebar Quick Stats - Fixed variable collision when viewing user profiles

Security

  • CSRF Protection - Added to profile delete, notification delete/clear-all, user delete, user toggle-status
  • POST Method Enforced - All destructive actions changed from GET to POST (profile, notifications, users, groups)
  • Failed Login Alerts - Target user notified with IP address and user-agent details
  • Tag Access Control - Isolated mode users blocked from viewing other users' tags via direct URL

Migrations

  • 024_add_status_notifications_v1.1.2.sql - Expands domain status ENUM, adds notification status triggers setting, updates app version

[1.1.1] - 2025-11-18

Added

  • Pushover Notification Channel - Send domain expiration alerts via Pushover (iOS, Android, Desktop)
    • Priority-based notifications (Emergency, High, Normal, Low) based on days until expiration
    • Emergency alerts (expired or expiring in ≤1 day) with auto-retry every 5 minutes for 1 hour
    • 23 custom notification sounds to choose from
    • Device targeting - send to specific devices or all devices
    • Rich notifications with title, message, and clickable URL to domain details
    • Optional custom sound and device configuration
    • Database migration 022_add_pushover_channel_type.sql to add Pushover support

Fixed

  • Security: PHP 8.x URI Injection Vulnerability - Fixed deprecated strpos() null parameter warning
    • Added early request validation in public/index.php to block malformed URIs
    • Enhanced core/Auth.php to handle null values from parse_url() gracefully
    • Malformed requests are now logged and return 400 Bad Request
    • Prevents attackers from causing PHP warnings via malformed URI probes
  • PHP 8.x Compatibility: strtotime() Null Parameter - Fixed deprecated warnings for null expiration dates
    • Added null checks before calling strtotime() in all domain view templates
    • Displays "Unknown" for domains without expiration dates (e.g., .nl domains)
    • Updated 9 view files: groups/edit, domains/index, domains/view, domains/edit, dashboard/index, tags/view, search/results
    • Also fixed NotificationService::formatExpirationMessage() to handle null dates
  • Domain Status Detection for .nl Domains - Fixed incorrect "available" status for registered .nl domains
    • .nl WHOIS/RDAP doesn't always provide expiration dates or explicit status flags
    • Improved WhoisService::getDomainStatus() to detect registered domains via nameservers and valid registrar
    • Cron job now preserves existing expiration dates when WHOIS doesn't return one
    • Prevents false positives for domain availability
  • Domain Status Detection for .eu Domains - Fixed incorrect status and registrar parsing for .eu domains
    • Added specific .eu registrar format parsing (Name: Registrar Name)
    • Fixed RDAP vCard parsing to strip "Name:" prefix from registrar field
    • Fixed WHOIS parsing to handle "Name: Company" format in registrar sections
    • Enhanced status detection logic to recognize registered domains without explicit status flags
    • Consistent behavior between manual refresh and automated cron checks
  • Logging Consistency - Replaced all remaining error_log() calls with custom Logger service
    • Updated WhoisService.php, NotificationService.php, AuthController.php, UserController.php
    • Centralized structured logging throughout the application
    • Better debugging and audit trail capabilities

Changed

  • Status Detection - Unified DomainHelper::determineStatus() to use WhoisService::getDomainStatus() for consistency
  • Documentation - Updated README.md to reflect all available notification channels including Pushover

[1.1.0] - 2025-10-09

Added

  • User Notifications System - In-app notification center with filtering and pagination
  • Welcome Notifications - Automatically sent to new users on registration or fresh install
  • System Upgrade Notifications - Admins notified when system is upgraded with migration details
  • Notification Types:
    • System: Welcome, Upgrade notifications
    • Domain: Expiring, Expired, Updated
    • Security: New login detection
    • WHOIS: Lookup failures
  • Notification Features:
    • Unread notification count in top navigation
    • Dropdown preview of recent notifications
    • Full notification page with filtering (status, type, date range)
    • Pagination and sorting
    • Mark as read / Mark all as read
    • Delete individual / Clear all notifications
  • Database-Backed Sessions - Full session management stored in database
  • Active Session Management - View, monitor, and control all logged-in devices
  • Geolocation Tracking - IP-based location detection (country, city, region, ISP)
  • Session Details Display:
    • Country flags with flag-icons library
    • City and country name
    • ISP/Network provider
    • Device type detection (Desktop/Mobile/Tablet)
    • Browser detection (Chrome/Firefox/Safari/Edge/Opera)
    • Session age and last activity timestamps
    • Remember me indicator (cookie badge)
  • Remote Session Control:
    • Terminate individual sessions with delete button
    • Logout all other sessions with one click
    • Immediate logout validation (deleted sessions can't access anything)
  • Enhanced Profile Page:
    • Sidebar navigation layout
    • Four sections: Profile Information, Security, Active Sessions, Danger Zone
    • URL hash navigation (#profile, #security, #sessions, #danger)
    • Clean design matching application theme
  • Remember Token Security:
    • Remember tokens linked to specific sessions
    • Deleting session also invalidates remember token
    • Prevents auto-login after remote logout
  • Session Validator Middleware - Validates sessions on every request
  • Auto-Detected Cron Paths - Settings page shows actual installation paths (thanks @jadeops)
  • Automatic Session Cleanup - Multiple cleanup triggers (no cron job needed)
  • User registration with email verification
  • Password reset via email
  • Remember me functionality (30-day cookies)
  • User profile management
  • Change password
  • Email verification with token expiry (24h)
  • Password reset tokens (1h expiry)
  • Registration enable/disable toggle
  • User CRUD management (admin-only)
  • Role-based access control (admin/user)
  • Centralized app version in database
  • Web-based installer (replaces CLI migrate.php)
  • Web-based updater for new migrations
  • Auto-detection of installation status
  • Migration tracking system
  • Consolidated database schema for v1.1.0 fresh installs
  • Smart migration system (consolidated for new, incremental for upgrades)
  • Two-Factor Authentication (2FA) System:
    • TOTP (Time-based One-Time Password) implementation
    • Email backup codes for 2FA recovery
    • 2FA verification attempts tracking with rate limiting
    • 2FA policy settings (optional/required/disabled)
    • Complete 2FA setup, verification, and management flow
    • Backup codes generation and verification system
  • CAPTCHA Security System:
    • Support for reCAPTCHA v2, reCAPTCHA v3, and Cloudflare Turnstile
    • Configurable CAPTCHA settings in admin panel
    • Score-based verification for reCAPTCHA v3
    • Integration with login and registration forms
    • CAPTCHA provider selection and configuration
  • Domain Tags System:
    • Domain tagging for organization and categorization
    • Comma-separated tags field in domains table
    • Tag-based domain filtering and organization
    • Indexed tag searches for performance
  • Advanced Error Logging System:
    • Database-backed error logging and tracking
    • Error deduplication and occurrence counting
    • Request context capture (method, URI, data)
    • User context (IP, user agent, session data)
    • System context (PHP version, memory usage)
    • Error resolution tracking and management
    • Admin error log interface for debugging
  • Enhanced Logger Service:
    • Structured logging with context arrays
    • Multiple log levels (debug, info, warning, error, critical)
    • Date-based log file rotation
    • Context-aware logging throughout the application
    • JSON-formatted log entries with timestamps
  • User Avatar System:
    • Avatar upload and deletion functionality
    • Gravatar integration with fallback to user initials
    • Dynamic web root detection for file uploads
    • Avatar display in profile, navigation, and user listings
    • File validation and security measures
  • WHOIS Parsing Improvements:
    • Enhanced WHOIS data parsing and processing
    • Better referral server handling and following
    • Improved domain availability detection
    • Status parsing cleanup and consistency
    • WHOIS server display improvements

Changed

  • Profile page completely redesigned with sidebar layout
  • Session system migrated from file-based to database-backed
  • Top navigation dropdown links updated with hash navigation
  • Settings → System tab now shows auto-detected cron paths
  • Help & Support menu links to GitHub repository
  • Auth views refactored with base layout
  • System section (Settings/Users) restricted to admins
  • TLD Registry read-only for regular users
  • Sidebar shows role-based links
  • Profile integrated with dashboard layout
  • Installation now via web UI instead of CLI
  • Auto-redirect to installer on first run
  • Domain management enhanced with tagging system
  • Error handling improved with comprehensive logging
  • WHOIS parsing enhanced with better data extraction
  • User interface updated with avatar display throughout

Security

  • Database Session Storage - True session control with remote termination
  • Session Validation - Every request validates session exists in database
  • Geolocation Logging - Track suspicious login locations
  • Remember Token Linking - Tokens tied to sessions, deleted together
  • Immediate Logout - Deleted sessions invalidated within seconds
  • Bcrypt password hashing
  • Secure 32-byte tokens
  • Time-limited tokens
  • One-time use reset tokens
  • HttpOnly secure cookies
  • Email enumeration protection
  • Session-based verification resend
  • Admin-only route protection
  • Two-Factor Authentication - TOTP and email backup codes for enhanced security
  • CAPTCHA Protection - Anti-bot protection for login and registration
  • Advanced Error Logging - Comprehensive error tracking and debugging
  • File Upload Security - Avatar upload validation and secure file handling

Technical

  • MVC Architecture Refactoring - Complete separation of concerns
    • LayoutHelper - Global layout data (notifications, stats, settings)
    • DomainHelper - Domain formatting and business logic
    • SessionHelper - Session display formatting
    • NotificationService - Notification creation and management
    • All business logic removed from views (~265 lines cleaned)
  • Database session handler implementing SessionHandlerInterface
  • IP geolocation via ip-api.com (free, 45 req/min)
  • Session validator middleware for real-time validation
  • Automatic session cleanup (no cron needed for sessions)
  • Flag-icons library integration for country flags
  • User-agent parsing for device and browser detection
  • Remember token cascade deletion on session termination
  • Notification system with 7 notification types
  • Welcome notifications on user creation and fresh install
  • Upgrade notifications for admins with version tracking
  • TwoFactorService - Complete 2FA implementation with TOTP and backup codes
  • CaptchaService - Multi-provider CAPTCHA verification system
  • ErrorHandler - Centralized error handling with database logging
  • Logger - Enhanced logging service with structured context
  • AvatarHelper - User avatar management with Gravatar integration
  • Tag Model - Domain tagging system with user isolation
  • ErrorLog Model - Error tracking and deduplication system

Contributors

  • Special thanks to @jadeops for auto-detected cron path improvement & XSS protection enhancement (PR #1)

[1.0.0] - 2024-10-08

Added

  • Initial release of Domain Monitor
  • Modern PHP 8.1+ MVC architecture
  • Domain management system with CRUD operations
  • Automatic WHOIS lookup for domain information
  • Multi-channel notification system:
    • Email notifications via PHPMailer
    • Telegram bot integration
    • Discord webhook support
    • Slack webhook support
  • Notification groups feature
  • Assign domains to notification groups
  • Dashboard with real-time statistics
  • Domain status tracking (active, expiring_soon, expired, error)
  • Notification logging system
  • Customizable notification intervals
  • Cron job for automated domain checks
  • Test notification script
  • Responsive, modern UI design
  • Database migration system
  • Comprehensive documentation
  • Installation guide
  • Basic login/logout authentication
  • Security features (prepared statements, session management)
  • TLD Registry System with IANA integration
    • Import and manage TLD data (RDAP servers, WHOIS servers, registry URLs)
    • Progressive import workflow with real-time progress tracking
    • Support for 1,400+ TLDs with automatic updates
    • Import logs and history tracking
  • Advanced domain verification using TLD registry data
  • RDAP protocol support for modern domain queries
  • Automatic WHOIS server discovery per TLD
  • Monitoring status change notifications (activated/deactivated alerts)
  • Notification group assignment change alerts
  • Enhanced domain detail view with channel status indicators
  • Comprehensive notification threshold configuration
  • Debug logging for notification thresholds

Changed

  • Unified design system across all views
    • Consistent header styles (bordered instead of gradients)
    • Standardized button sizes and padding
    • Consistent form input styling
    • Unified empty state designs
    • Removed emojis from UI elements
  • Improved navigation flow (edit page returns to detail view)
  • Enhanced cron job logging with threshold display
  • Streamlined installation process
    • Encryption key auto-generation during migration
    • No separate script needed for encryption key setup

Fixed

  • Notification channel type display error in domain view
  • Navigation redirect after domain update
  • Cancel button redirect in domain edit page
  • Design inconsistencies in notification group views

Security

  • Random secure password generation on installation
  • One-time password display during migration
  • Removed hardcoded default credentials
  • 16-character cryptographically secure admin passwords

Features

  • Add, edit, delete, and view domains
  • Automatic expiration date detection via WHOIS
  • Support for multiple notification channels per group
  • Flexible notification scheduling (60, 30, 21, 14, 7, 5, 3, 2, 1 days before)
  • Email notifications with HTML templates
  • Rich Discord embeds with color coding
  • Telegram messages with formatting
  • Slack blocks for structured messages
  • Notification deduplication (prevent spam)
  • Manual domain refresh
  • Active/inactive domain toggle
  • Comprehensive logging
  • Statistics dashboard
  • Recent notifications view
  • Domain details with WHOIS data
  • Nameserver display
  • Notification history per domain

Technical

  • PHP 8.1+ with modern features (match expressions, typed properties)
  • MySQL/MariaDB database
  • PSR-4 autoloading
  • Environment-based configuration
  • MVC pattern implementation
  • Service layer architecture
  • Repository pattern for data access
  • Interface-based notification channels
  • JSON configuration storage
  • Prepared statements for SQL injection prevention
  • CSRF token support ready
  • Responsive CSS with CSS variables
  • No JavaScript framework dependencies (vanilla JS where needed)

Documentation

  • README.md with comprehensive guide
  • Inline code documentation
  • Configuration examples
  • Troubleshooting guide

Roadmap - Future Enhancements

  • User authentication system (completed - v1.1.0)
  • Session management with geolocation (completed - v1.1.0)
  • TLD Registry System (completed - v1.0.0)
  • Remote session termination (completed - v1.1.0)
  • In-app user notifications (completed - v1.1.0)
  • Multi-user support with advanced permissions and roles
  • API for external integrations
  • Domain grouping/tagging (completed - v1.1.0)
  • Custom notification templates
  • SMS notifications (Twilio)
  • Google Chat notifications (completed - v1.1.2)
  • WhatsApp notifications
  • Export functionality (CSV, PDF)
  • Import domains from CSV
  • Domain transfer tracking
  • DNS record monitoring
  • SSL certificate monitoring
  • Downtime monitoring
  • 2FA for login (completed - v1.1.0)
  • Mobile app
  • Docker support
  • Redis caching
  • Rate limiting
  • Webhook support for third-party integrations
  • Dark mode UI toggle
  • Multi-language support
  • Advanced filtering and search (completed - v1.1.0)
  • Bulk operations (completed - v1.1.0)
  • Scheduled reports
  • Integration with domain registrars

Version History

1.1.2 (2026-02-09)

  • Google Chat Webhook Support - Selectable payload formats (Generic, Google Chat, Simple Text)
  • Domain Status Change Notifications - Configurable alerts for available, registered, expired, redemption_period, pending_delete
  • Failed Login Notifications - In-app alerts with geolocation, device info, and failure reason
  • Domain Expiration Bell Notifications - In-app alerts respecting user isolation mode
  • Admin User Profile Page - /users/{id} with Overview, Domains, Tags, Notification Groups tabs
  • Dashboard Insights - Registrar distribution, tag usage, notification coverage widgets
  • Quick Actions Dropdown - Top-nav shortcut for Add Domain, Create Group, Create Tag, WHOIS Lookup
  • WHOIS Rate Limit Handling - Exponential backoff with TLD-grouped retry logic
  • Admin TLD Registry Editing - Edit WHOIS/RDAP servers from UI
  • Redemption Period & Pending Delete - New domain lifecycle statuses from EPP codes
  • Sidebar Branding - Logo, title, and subtitle in sidebar navigation
  • Mobile UI Overhaul - Sidebar overlay, swipe-to-close, responsive layout improvements
  • CSRF Protection - POST method enforced on all destructive actions
  • Error Log Deduplication - Improved matching on type + file + line + message
  • WHOIS Date Parsing - DD/MM/YYYY format support for European registries
  • 404 Error Logging - Router logs with full request context
  • Migration: 024_add_status_notifications_v1.1.2.sql

1.1.0 (2025-10-09)

  • User Notifications System - In-app notification center with 7 notification types, filtering, pagination
  • Advanced Session Management - Database-backed sessions with geolocation (country, city, ISP)
  • Remote Session Control - Terminate any device instantly with immediate logout validation
  • Enhanced Profile Page - Sidebar navigation with 4 tabs, hash-based routing (#profile, #security, #sessions)
  • Two-Factor Authentication - Complete TOTP implementation with email backup codes and rate limiting
  • CAPTCHA Security System - Support for reCAPTCHA v2/v3 and Cloudflare Turnstile with admin configuration
  • Domain Tags System - Organize domains with custom tags for better categorization and filtering
  • Advanced Error Logging - Database-backed error tracking with deduplication, context capture, and admin interface
  • User Avatar System - Avatar upload with Gravatar integration and fallback to user initials
  • Enhanced Logger Service - Structured logging with context arrays and multiple log levels
  • WHOIS Parsing Improvements - Enhanced domain data parsing, referral handling, and availability detection
  • MVC Architecture Refactoring - 3 new Helpers (Layout, Domain, Session), ~265 lines cleaned from views
  • Geolocation Tracking - IP-based location detection using ip-api.com, country flags with flag-icons
  • Device Detection - Browser & device type parsing (Chrome/Firefox/Safari, Desktop/Mobile/Tablet)
  • Auto-Detected Cron Paths - Settings show actual installation paths (thanks @jadeops)
  • Welcome Notifications - Sent to new users on registration or fresh install
  • Upgrade Notifications - Admins notified on system updates with version & migration count
  • Web-Based Installer - Replaces CLI, auto-generates encryption key, one-time password display
  • Web-Based Updater - /install/update for running new migrations with smart detection
  • User Registration - Full signup flow with email verification, password reset, resend verification
  • User Management - CRUD for users with filtering, sorting, pagination (admin-only)
  • Remember Me - 30-day secure tokens linked to sessions, cascade deletion on logout
  • Session Validator - Middleware validates sessions on every request for instant remote logout
  • Consistent UI/UX - Unified filtering, sorting, pagination across Domains, Users, Notifications, TLD Registry
  • Smart Migrations - Consolidated schema for fresh installs, incremental for upgrades
  • XSS Protection - htmlspecialchars() applied across all user-facing data (thanks @jadeops)

1.0.0 (2024-10-08)

  • Initial public release
  • Created by Hosteroid - Premium Hosting Solutions

🙏 Special Thanks

Contributors

  • @jadeops - Auto-detected cron path improvement & XSS protection enhancement (PR #1)