Releases: onamfc/cheesebox

v1.8.11

16 Mar 18:12

Bug Fixes

  • Fix CSRF validation failures on video recording uploads: VideoRecorder was using plain fetch() instead of fetchWithCsrf() for upload-url, complete-upload, and share POST requests, causing middleware to reject every request with 403
  • Add CSRF token cache TTL — Cached tokens now expire after 30 minutes to prevent stale token mismatches when cookies rotate
  • Auto-retry on CSRF failure: fetchWithCsrf() now automatically fetches a fresh token and retries once on CSRF 403 errors
  • Fix response body consumption — Use response.clone() before reading the body during CSRF error detection, preventing callers from getting empty responses
  • Harden CSRF error detection — Use case-insensitive match for CSRF error string detection
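
The four client-side behaviours listed for v1.8.11 (30-minute token TTL, one retry on a CSRF 403, reading a clone() of the response, case-insensitive error match) combined in one wrapper. This is an added example, not Cheesebox's own code: the token endpoint, header name, error wording and the fake server are assumptions constructed for the illustration.

```javascript
// Added example (not the project's implementation). Requires Node 18+ or a browser.
const TOKEN_URL = "/api/csrf-token";   // hypothetical token endpoint
const CSRF_HEADER = "x-csrf-token";    // hypothetical header name
const TOKEN_TTL_MS = 30 * 60 * 1000;   // 30 minutes, as stated in the release notes

function createCsrfFetch(fetchImpl, now = Date.now) {
  let cached = null; // { token, fetchedAt }

  async function getToken(forceRefresh) {
    const stale = !cached || now() - cached.fetchedAt >= TOKEN_TTL_MS;
    if (forceRefresh || stale) {
      const res = await fetchImpl(TOKEN_URL, { method: "GET" });
      const { token } = await res.json();
      cached = { token, fetchedAt: now() };
    }
    return cached.token;
  }

  async function isCsrfRejection(res) {
    if (res.status !== 403) return false;
    // Read a clone: consuming the original body here would hand the caller
    // a response whose json()/text() can no longer be read.
    const text = await res.clone().text();
    return /csrf/i.test(text); // case-insensitive, so "CSRF" and "csrf" both match
  }

  async function send(url, init, forceRefresh) {
    const token = await getToken(forceRefresh);
    // init.headers is assumed to be a plain object in this example.
    const headers = { ...(init.headers || {}), [CSRF_HEADER]: token };
    return fetchImpl(url, { ...init, headers });
  }

  return async function fetchWithCsrf(url, init = {}) {
    const first = await send(url, init, false);
    if (!(await isCsrfRejection(first))) return first;
    // Exactly one retry with a fresh token. A second 403 is returned as-is,
    // so a genuinely rejected request cannot loop.
    return send(url, init, true);
  };
}

// Constructed stand-in for the server side: it accepts only the current token,
// and `state.current` can be changed to simulate a cookie/token rotation.
function makeFakeServer() {
  const state = { current: "tok-1", tokenFetches: 0, posts: 0 };
  const json = (body, status = 200) => new Response(JSON.stringify(body), { status });
  const fetchImpl = async (url, init) => {
    if (url === TOKEN_URL) {
      state.tokenFetches++;
      return json({ token: state.current });
    }
    state.posts++;
    // A 403 unrelated to CSRF (authorization failure) must not trigger a retry.
    if (url === "/api/forbidden") return json({ error: "Not the owner" }, 403);
    if (init.headers[CSRF_HEADER] !== state.current) {
      return json({ error: "Invalid CSRF Token" }, 403);
    }
    return json({ ok: true });
  };
  return { state, fetchImpl };
}
```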

v1.8.10

28 Jan 22:20
433fa78

  • Update AWS setup guide and CloudFormation template download instructions
  • CloudFormation Template (private-video-setup.yaml)
    • Fixed typo: ExposeHeaders → ExposedHeaders
    • Removed redundant hardcoded localhost:3000 from CORS (the AppDomain parameter with localhost default already handles this)
    • The StepHeader and CodeBlock components were moved outside the main component and now receive state/callbacks as props to prevent the components from being recreated on every render
  • Synced with dev - The dev branch already had the component refactoring (including InlineCode) done properly
  • Applied URL fix - Changed the template URL from raw.githubusercontent.com to www.cheesebox.io

v1.8.9

28 Jan 19:20
3442f77

  • Add sorting functionality for video list and dashboard
  • Introduced SortOption enum to define sorting criteria.
  • Implemented sorting in VideoList component based on selected sort option.
  • Added sort option selector in DashboardPage for user preference.
  • Completed removal of sort option storage in localStorage
  • Implement persistent sorting for video list and update sorting options
  • Add type guard for sort options and improve sort option handling in dashboard
  • Refactor video visibility handling to use a centralized VideoVisibility type
  • Add URL utility functions for consistent embed URL construction
  • Converted SVG into icons
  • Implemented easy copy for public video URL
  • Add a suggested release workflow

v1.8.1

14 Jan 22:21

[1.8.1] - 2026-01-15

Fixed

TypeScript Build Errors: Fixed compilation errors in VideoList component

  • Removed unsupported title prop from Button components
  • Button component doesn't support native HTML title attribute
  • Fixed 5 TypeScript errors preventing production builds

[1.8.0] - 2026-01-14

Added

  • Pending Team Invitations: Invite users to teams before they create an account
    • Team owners and admins can now invite users by email even if they don't have a Cheesebox account yet
    • Pending invitations are displayed separately from active members on team details page
    • Invitations include role assignment (OWNER, ADMIN, or MEMBER)
    • Pending invitations show with yellow "Pending" badge and clock icon
    • Team admins can cancel pending invitations before they're accepted
    • When invited user signs up (via web, mobile, or Google OAuth), they're automatically added to the team
    • Team members see invitation count and clear status messages
    • Database schema updated to support optional userId and email fields
    • New InvitationStatus enum (PENDING, ACCEPTED) added to TeamMember model
    • Enhanced authentication flows to auto-accept pending invitations on signup
    • New API endpoint: DELETE /api/teams/[id]/invitations/[memberId] for cancelling invitations
  • Video Editing: New ability to edit video title and description after upload
    • Created EditVideoModal component for editing video details
    • Added PATCH endpoint /api/videos/[id] for updating video information
    • Title field required (max 255 characters) with character counter
    • Optional description field with multi-line text area
    • Edit button appears in video cards for video owners only
    • Form validation and error handling
    • CSRF protection on update requests
  • Beta Badge in Navigation: Added beta badge to Cheesebox branding in dashboard navigation
    • Displays "BETA" badge next to Cheesebox logo
    • Hover tooltip explains beta status and what users can expect
    • Includes information about frequent updates, UI changes, and active development
    • Encourages user feedback
  • Enhanced Onboarding API: Extended onboarding status endpoint with teams and groups data
    • GET /api/user/onboarding now returns user's teams with roles and counts
    • Includes user's groups (owned and member) with share counts
    • Added team information (members, videos, groups) to response
    • Mobile authentication endpoint returns onboardingCompleted status

Changed

  • Teams Page UI Redesign: Improved layout and visual hierarchy
    • Removed separate stats cards section
    • Moved team statistics to header subtitle (members, videos, groups)
    • Improved spacing and typography throughout
    • Enhanced view mode toggle with better visual feedback
    • More compact and cleaner member management section
    • Consistent button styling across all actions
    • Better visual separation between sections
  • Groups Page UI Redesign: Improved layout and visual hierarchy
    • Removed separate stats cards section
    • Moved group statistics to header subtitle (members, shared videos)
    • Enhanced view mode toggle matching teams page style
    • Improved spacing and section organization
    • Better visual separation of "How to Use" instructions
    • Consistent button styling across all actions
  • Onboarding Button Text: Removed arrow symbols from onboarding navigation buttons
    • Changed "← Back" to "Back"
    • Changed "Next →" style buttons to remove arrows
    • Changed "Open CloudFormation Guide →" to "Open CloudFormation Guide"
    • Changed "I've Completed AWS Setup →" to "I've Completed AWS Setup"
    • Changed "I'm Ready to Set Up AWS →" to "I'm Ready to Set Up AWS"
    • Changed "Finish Setup →" to "Finish Setup"
    • Cleaner, more modern button appearance
  • Email Setup Copy: Changed em dash to hyphen in email setup step message
    • Changed "Videos will still work perfectly—recipients" to "Videos will still work perfectly - recipients"

Fixed

  • CSRF Mobile Authentication: Fixed CSRF validation blocking legitimate mobile API requests
    • Added JWT Bearer token detection to CSRF validation logic
    • Mobile app requests with Authorization: Bearer <token> now bypass CSRF checks
    • Prevents false positive CSRF validation failures for mobile clients
    • Maintains CSRF protection for web browser sessions

Removed

  • Proxy Matcher Configuration: Removed unused middleware config export
    • Removed config.matcher export from src/proxy.ts
    • Matcher configuration is now handled at a different level
    • Cleaned up unused code

[1.7.5] - 2026-01-12

Fixed

  • Presigned URL Signature Mismatch: Fixed 413 Content Too Large errors during S3 uploads
    • Removed ContentType from presigned URL generation to prevent signature mismatch
    • Removed Content-Type header from XHR upload request
    • S3 now auto-detects content type based on file extension
    • Resolves upload failures caused by header/signature discrepancies
  • Video Action Buttons During Processing: Hidden action buttons until video transcoding completes
    • Play, Share, Embed, and Delete buttons now only appear for COMPLETED videos
    • Prevents user confusion and errors from interacting with incomplete videos
    • Status badges (PENDING, PROCESSING, FAILED) clearly indicate video state
    • Applies to both Grid and List view modes

Changed

  • Upload Error Logging: Enhanced debugging information for upload failures
    • Added file size in both MB and GB to error messages
    • Logs S3 response text and HTTP status details
    • Helps diagnose upload issues more quickly

[1.7.4] - 2026-01-12

Fixed

  • CORS Configuration for Direct S3 Uploads: Fixed CORS errors preventing video uploads
    • Added PUT method to CloudFormation template CORS configuration
    • Updated AWS setup documentation to include PUT method in CORS examples
    • Updated help page CORS section title: "Required for Uploads & Streaming"
    • Allows browser to upload directly to S3 using presigned URLs
    • Users with existing S3 buckets need to update CORS settings to include PUT method
  • CSRF Token Protection: Fixed video upload CSRF validation errors
    • Updated VideoUpload component to use fetchWithCsrf() for all API calls
    • Upload-url endpoint now includes CSRF token automatically
    • Complete-upload endpoint now includes CSRF token automatically

Added

  • Video Upload Security Tests: Comprehensive test suite for upload functionality
    • 29 tests covering direct S3 upload architecture
    • File size validation (frontend & backend)
    • CORS configuration verification
    • Error handling and user feedback
    • Authentication & authorization checks
    • Security best practices validation
    • CloudFormation template security audit
    • Progress tracking verification

[1.7.3] - 2026-01-12

Added

  • Direct S3 Uploads with Presigned URLs: Bypass Vercel serverless function limits for video uploads
    • New API endpoint: POST /api/videos/upload-url - Generate presigned S3 URL and create video record
    • New API endpoint: POST /api/videos/complete-upload - Finalize upload and start transcoding
    • 3-step upload flow:
      1. Request presigned URL from backend
      2. Upload directly to S3 (client → S3, no intermediary)
      3. Notify backend to start transcoding
    • Removes 4.5MB Vercel serverless function payload limit
    • Supports full 5GB video uploads
    • Faster uploads with direct S3 connection
    • Better progress tracking with XHR upload events

Fixed

  • Video Upload Error Handling: Comprehensive error feedback for file size limits
    • File selection validation: Shows actual file size in GB when limit exceeded
    • Form submission double-check: Prevents wasted upload attempts
    • Clear error messages at multiple validation points:
      • "File size (X.XX GB) exceeds the maximum allowed size of 5 GB"
      • Actionable guidance: "Please compress your video or select a smaller file"
    • Added helpful UI hints:
      • "Maximum file size: 5 GB. Supported formats: MP4, MOV, AVI, WebM, MKV"
    • S3 upload error handling:
      • HTTP 400/413 errors with specific file size feedback
      • Network error messages: "Please check your internet connection"
      • Upload cancellation detection
    • Automatic file input clearing when oversized file selected
    • Backend validation with detailed error messages including compression suggestions

Changed

  • Begin replacing console.log with the developer log package

[1.7.2] - 2026-01-11

Added

  • User Onboarding Flow: Interactive onboarding experience for new users
    • Database schema: Added onboardingCompleted and onboardingPath fields to User model
    • Path selection: Users choose between "uploader" or "recipient" roles
    • Uploader path: 7-step guided setup (Welcome → Path → How It Works → AWS → Email → Sharing → Completion)
    • Recipient path: 3-step quick setup (Welcome → Path → Completion)
    • Onboarding components:
      • OnboardingLayout - Wrapper with progress bar and step counter
      • WelcomeStep - Introduction and benefits overview
      • PathSelectionStep - Role selection with detailed descriptions
      • HowItWorksStep - Video upload and sharing process explanation
      • AWSSetupStep - AWS configuration guidance with CloudFormation option
      • EmailSetupStep - Email provider setup guidance
      • SharingDemoStep - Video sharing workflow demonstration
      • CompletionStep - Personalized completion message with quick reference card
    • Integration with signup flow: New users redirected to /onboarding after account creation
    • State persistence: Progress saved to localStorage for multi-session completion
    • Dashboard integration: "Setup Guide" link in navigation for easy access
    • API endpoint: `PATCH /api/user/onboar...

v1.7.0

11 Jan 22:29

  • add homepage
  • add google sso
  • add interchangeable themes
  • team and group management
  • csrf protection
    ...

v1.5.0 - Groups & Teams

03 Jan 05:12

Added - Teams Feature (Family Accounts)

  • Teams System: Share AWS and email credentials with family or team members
    • Create teams with unique names (e.g., "Smith Family")
    • Invite members by email address
    • Role-based access control (OWNER, ADMIN, MEMBER)
    • Team credentials shared across all members
    • Members choose which team to upload to on each video
  • Teams UI: Complete web interface for team management
    • /dashboard/teams - List all teams you're part of
    • /dashboard/teams/[id] - Team details, members, and credentials
    • Create team button with helpful info modal
    • Role badges (OWNER: purple, ADMIN: blue, MEMBER: gray)
    • Display AWS credentials (bucket name, region) if configured
    • Display Email credentials (provider, from email) if configured
    • Member list with email and role
  • Member Management: Full control over team membership
    • Invite members by email with role selection (OWNER only can assign ADMIN/OWNER)
    • Change member roles (OWNER only)
    • Remove members with permission checks
    • Leave team (all roles, OWNER must assign another owner first)
    • Delete team (OWNER only, cascade deletes all related data)
  • Video Upload Team Selection: Choose account on each upload
    • Dropdown shows "My Personal Account" and all teams
    • Display role badge next to each team name
    • Backend validates team membership
    • Videos tagged with teamId and use team's AWS/Email credentials
  • Teams API Endpoints:
    • POST /api/teams - Create team
    • GET /api/teams - List user's teams
    • GET /api/teams/[id] - Get team details
    • PATCH /api/teams/[id] - Update team (OWNER/ADMIN only)
    • DELETE /api/teams/[id] - Delete team (OWNER only)
    • POST /api/teams/[id]/members - Invite member
    • PATCH /api/teams/[id]/members/[userId] - Update member role (OWNER only)
    • DELETE /api/teams/[id]/members/[userId] - Remove member
    • DELETE /api/teams/[id]/leave - Leave team
    • Grid and list views on the dashboard
    • Group/Team selector on the dashboard

Changed

  • Updated video upload to support teamId parameter
  • Video upload now validates team membership before using team credentials
  • Added "Teams" and "Groups" navigation links to dashboard header
  • Removed email address display from dashboard header

Technical - Teams

  • Teams can have AWS credentials (shared bucket and region)
  • Teams can have Email credentials (shared provider and settings)
  • Videos have optional teamId field linking to team
  • Groups can be team-owned or personal
  • Cascade deletes maintain data integrity
  • Role hierarchy: OWNER > ADMIN > MEMBER

Use Cases

  • Family sharing one AWS account (parents + kids)
  • Small teams collaborating on video content
  • Anyone wanting to give others access without sharing credentials
  • Multiple users sharing storage costs

v1.4.0 - Deeplink integration

02 Jan 23:53

Added - Universal Deep Linking with LinkForty

  • Deep Link Service: Backend service for generating LinkForty universal links
    • Created DeepLinkService class in /src/lib/deep-link.ts
    • Generates video-specific deep links with fallback URLs
    • Supports custom parameters (video ID, recipient email)
    • Environment-based configuration (dev/production URLs)
    • Configurable via LINKFORTY_BASE_URL environment variable
  • Enhanced Email Templates: Video sharing emails now use universal links
    • Updated /api/videos/[id]/share endpoint to use LinkForty links
    • Generated links work for both individual and group sharing
    • Links open directly in mobile app if installed
    • Automatic web fallback if app not installed (/watch/{videoId})
    • Styled "Watch Video" button with improved visual design
    • Helper text explaining app-first behavior
  • Universal Link Flow:
    • LinkForty detects platform and routes appropriately
    • Mobile app opens directly to video player
    • Web users redirected to web video viewer
    • Supports deferred deep linking for new app installs

Changed - Video Sharing

  • Updated email HTML templates with styled button and user guidance
  • Enhanced both individual and group share emails with deep links
  • Improved email messaging to explain universal link behavior

Technical - Deep Linking

  • LinkForty handles platform detection automatically
  • Deep links include recipient tracking for analytics
  • Privacy-focused operation (no persistent device IDs)
  • Works seamlessly across iOS, Android, and web platforms

Configuration Required

  • Set up custom domain at LinkForty cloud service
  • Configure LINKFORTY_BASE_URL in environment
  • Coordinate with mobile app configuration for scheme handling

v1.2.0 - Public Video Embeds & AWS CloudFormation Setup

31 Dec 19:25

Overview

This release introduces public video embeds and one-click AWS setup via CloudFormation, making Cheesebox more accessible and versatile. Users can now share videos publicly on external websites while maintaining the security of private videos for authenticated users.

Major Features

1. Public Video Embeds

Users can now mark videos as "public" and embed them on external websites without requiring authentication.

Key Capabilities:

  • Toggle video visibility between Private and Public
  • Generate embed codes (responsive and fixed-size)
  • Live embed preview in modal
  • Public API endpoint for streaming (no auth required)
  • iframe-based embedding for maximum compatibility

Use Cases:

  • Marketing videos on company websites
  • Tutorial videos in documentation
  • Product demos on landing pages
  • Public educational content

2. One-Click AWS Setup via CloudFormation

Reduced AWS setup time from 15-20 minutes to ~2 minutes with our CloudFormation template.

What Gets Created Automatically:

  • S3 bucket with CORS configuration
  • IAM user with least-privilege permissions
  • IAM access keys (shown once during creation)
  • MediaConvert role for video transcoding
  • All required policies and permissions

Features:

  • Interactive setup guide at /help/aws-setup
  • Visual step-by-step instructions
  • Copy-to-clipboard for all commands
  • CloudFormation launch button
  • Fallback to manual setup if preferred

3. Rebranding & Analytics

  • Project renamed from "Private Video Sharing" to "Cheesebox"
  • Vercel Analytics integrated for usage tracking
  • Updated branding across all documentation

Detailed Changes

Database Schema

Added visibility field to Video model:

enum VideoVisibility {
  PRIVATE  // Only owner and shared users can view
  PUBLIC   // Anyone with the link can view (embeddable)
}

model Video {
  // ... existing fields
  visibility VideoVisibility @default(PRIVATE)
  // ... existing fields

  @@index([visibility])
}

Migration: 20251231183151_add_video_visibility

  • Adds VideoVisibility enum
  • Adds visibility column to videos table (defaults to PRIVATE)
  • Creates index on visibility for performance

New API Endpoints

| Endpoint | Method | Auth | Description |
| --- | --- | --- | --- |
| /api/embed/[videoId]/stream | GET | None | Get pre-signed stream URL for PUBLIC videos |
| /api/videos/[videoId]/visibility | PATCH | Required | Update video visibility (PRIVATE/PUBLIC) |

New UI Components

1. VisibilityToggle Component (src/components/VisibilityToggle.tsx)

  • Toggle switch for Private/Public visibility
  • Confirmation dialog when making videos public
  • Visual feedback during state changes
  • Disabled state during updates

2. EmbedCodeModal Component (src/components/EmbedCodeModal.tsx)

  • Live embed preview
  • Direct link with copy button
  • Two embed code formats:
    • Responsive (16:9 aspect ratio)
    • Fixed (640x360 pixels)
  • Syntax-highlighted code blocks
  • One-click copy functionality
  • Usage instructions
  • Security warnings

3. Updated VideoList Component

  • Visibility badge (Public/Private)
  • Purple "Embed" button for public videos
  • Integrated visibility toggle
  • Responsive layout for action buttons

New Pages

Embed Page (src/app/embed/[videoId]/page.tsx)

  • Standalone page for iframe embedding
  • Minimal UI (video only)
  • Works without authentication
  • SEO meta tags
  • Query parameter support:
    • autoplay=true - Auto-play video
    • muted=true - Mute audio

AWS Setup Guide (src/app/help/aws-setup/page.tsx)

  • Interactive step-by-step guide
  • Copy-to-clipboard for all commands
  • CloudFormation launch button
  • Prerequisites checklist
  • Troubleshooting tips

CloudFormation Template

Location: /public/cloudformation/private-video-setup.yaml

Resources Created:

  • CheeseboxBucket - S3 bucket for videos
  • CheeseboxUser - IAM user with programmatic access
  • CheeseboxUserAccessKey - Access key for API calls
  • CheeseboxUserPolicy - Least-privilege IAM policy
  • CheeseboxMediaConvertRole - Service role for MediaConvert

Parameters:

  • BucketName (Required) - Globally unique S3 bucket name
  • AppDomain (Optional) - Application domain for CORS (default: localhost:3000)

Outputs:

  • Bucket name
  • AWS region
  • Access key ID
  • Secret access key (⚠️ shown once)
  • MediaConvert role ARN

Security Considerations

Public Embeds

  • ✅ Only COMPLETED videos can be made public
  • ✅ Only video owners can change visibility
  • ✅ Confirmation dialog required when making public
  • ✅ Pre-signed URLs still expire (3 hours)
  • ✅ Public endpoint only works for explicitly PUBLIC videos
  • ⚠️ Public videos are accessible to anyone with the link

CloudFormation Template

  • ✅ Least-privilege IAM policies
  • ✅ Block Public Access enabled on S3
  • ✅ CORS configured for app domain only
  • ✅ MediaConvert role scoped to specific bucket
  • ✅ All credentials use AWS best practices

📊 Migration Guide

For Existing Installations

  1. Pull latest changes:

    git pull origin main
  2. Install dependencies:

    npm install
  3. Run database migration:

    npx prisma migrate deploy
  4. Regenerate Prisma client:

    npx prisma generate
  5. Restart application:

    npm run dev

For New Installations

  1. Use CloudFormation for AWS setup:

    • Deploy the app first
    • Visit /help/aws-setup
    • Click "Launch Stack in AWS"
    • Follow the prompts
    • Copy credentials from Outputs tab
  2. Or follow manual setup:

    • Visit /help/aws-setup
    • Scroll to "Manual Setup"
    • Follow step-by-step instructions

Documentation Updates

  • ✅ Updated README.md with CloudFormation setup
  • ✅ Added /public/cloudformation/README.md
  • ✅ Created /help/aws-setup interactive guide
  • ✅ Updated project name to "Cheesebox"
  • ✅ Added embed documentation to internal docs

Known Issues

None at this time.

Breaking Changes

None. All existing functionality remains unchanged. Default visibility for all videos is PRIVATE.

Metrics & Analytics

  • Vercel Analytics integrated (tracks page views and user interactions)
  • No PII collected
  • Respects user privacy

v1.1.0 - BYOE

30 Dec 18:51

The BYOE (Bring Your Own Email Provider) feature is now fully implemented and ready to use:

  1. 3 email providers (Resend, AWS SES, SMTP)
  2. Comprehensive documentation (docs/EMAIL_SETUP.md)
  3. Test email functionality (verify credentials work)
  4. Beautiful settings UI with provider selection
  5. No TypeScript errors
  6. Successful production build

You can now:

  • Start the dev server: npm run dev
  • Go to Settings and configure an email provider
  • Test it with the "Send Test Email" button
  • Share a video and see the notification email in action!

v1.0.0 - Initial Release

24 Dec 23:25

Initial Release

  • Initial release of Private Video platform
  • User authentication with NextAuth.js
  • AWS credentials management with AES-256-GCM encryption
  • Video upload to user-owned S3 buckets
  • Automatic HLS transcoding with AWS MediaConvert
  • Video streaming via authenticated proxy endpoint
  • Email-based video sharing (Google Docs-style)
  • Email notifications via Resend
  • Video deletion with automatic S3 cleanup
  • Dashboard with "My Videos" and "Shared with Me" sections
  • Video upload progress indicator
  • File size validation (5GB limit)
  • CORS configuration for S3 buckets
  • Comprehensive AWS setup documentation
  • Encrypted AWS credentials storage
  • JWT-based authentication
  • Pre-signed URL generation for video playback
  • Permission-based access control