Minor bug fixes release, update recommended for shared hosting.
### Bug fixes
* If `Only enable the payment method after user explicitly chooses it` is enabled for a store and a payment method is unavailable, the server could become unresponsive. @NicolasDorier
* Authorize API key page was broken when trying to select specific stores (#2858) @ubolator
* The /docs page was broken in 1.2.3 due to CSP @NicolasDorier
* Fix crashes that happened when someone migrated from the BTCPay Server altcoins edition back to Bitcoin-only @Kukks
This release fixes three XSS vulnerabilities. These vulnerabilities only impact shared BTCPay instances.
Special thanks to Ajmal "@b3ef" Aboobacker and Abdul "@b1nslashsh" Muhaimin, who found them and contacted us through @huntrdev.
See [1](https://huntr.dev/bounties/ffabdac8-7280-4806-b70c-9b0d1aafbb6e/), [2](https://www.huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613/) and [3](https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8/).
* The checkout would crash for some clients if automatic detection of language was checked and the browser was not setting the accepted language @NicolasDorier
* Various UI tweaks and improvements (#2558 #2562 #2568 #2572 #2606 #2608 #2615 #2627 #2628 #2649 #2645 #2673 #2646 #2647 #2745 #2746) @dstrukt @dennisreimann @woutersamaey @johanf85 @bolatovumar
* Notify users to use newer BTCPay Vault app if necessary @nicolasdorier
* Set lightning invoice fallback in QR code as uppercase (#2492) @bjarnemagnussen @Kukks
* Update BC-UR bundle and support decoding hex format of wallet (#2505 #2499) @Kukks
### Bug fixes:
* During refund or payout, some payments issued from BTCPay were not properly detected. (#2513 #2518) @Kukks @NicolasDorier
* Fix payment button steps and validation range (#2506 #2503) @Kukks
* The local culture of the server could break some features of BTCPay Server (#2512) @NicolasDorier
* Make sure unaccounted payments (double-spent payments, or the payjoin original transaction) are not counted by payment requests and the crowdfund app @NicolasDorier
* Add `BTCPAY_TOR_SERVICES` configuration to expose Tor services via the server settings. Useful for integration with self-hosted nodes such as Umbrel (#2388) @Kukks @junderw
* Payment methods can be toggled directly from the update store page, rather than inside the page of each payment method (#2469) @dennisreimann
* Start separation of Coinswitch feature and Shopify integration as plugins (#2384 #2390) @Kukks
* Greenfield: Ability to pass more query parameters to filter results of api/v1/invoices @SakerOmera
* Human friendly error if webhook or webhook delivery not found @NicolasDorier
* Add button to copy API key to clipboard (#2439) @ubolator
### New features:
* Support WebAuthn/FIDO2 as second factor @Kukks
* Can get a receive address in the wallet accepting Payjoin (without creating an invoice) @Kukks
* Can disable modification of SSH settings via the server settings to prevent escalation of privilege. (See #2468) @NicolasDorier
* Manual coin selection has a "confirmed utxo" filter @Kukks
* Greenfield: Can query fee rate @Kukks
* New setting for checkout: Ability to activate specific payment methods after the creation of the invoice @xpayserver @Kukks @rockstardev
### Bug fixes:
* Fix: Clicking on "Unreserve this address" was not properly reflected in the UI @Kukks
* Fix: Block explorer links for signet @kristapsk
* Fix: Typo in PoS cart view (#2428) @MaxHillebrand
* Greenfield: Fix typo of webhook type OrignalDeliveryId => OriginalDeliveryId @NicolasDorier
* If the posData property of invoice metadata was not a JObject, the invoice would crash @Kukks
* If a store was created via the Greenfield API, warning signs of unconfigured stores would not appear. (Fix #2434) @bolatovumar
* Do not crash if plugin folder mismatches plugin identifier @Kukks
* Fix notification count on mobile (#2483) @dennisreimann
* Fix: Passing invalid query parameters or route values in the Greenfield API should return HTTP 422 + validation details rather than an empty 400. @NicolasDorier
* Greenfield: Deleting a store in the server should delete only the webhooks of this store @NicolasDorier
### Miscellaneous
* Add user id in logs when somebody logs in. @NicolasDorier
* Due to a privacy leak vulnerability, users of the payment button are strongly encouraged to update as soon as possible.
### New features
* Add QR code scan/show for PSBT + Import wallet via QR [spec](https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-005-ur.md) (supported by Cobo vault / Blue wallet) (#1931)
* Checkout experience: Unified QR Code for on-chain and offchain payment (ref #2060) (@rockstardev)
* Greenfield: Clean webhook API github-like (ref #2058) (@NicolasDorier @Kukks)
* Greenfield: Can query invoice payment data (@Kukks)
* Allow users to select block explorers from a list or specify their own URL (@Kukks)
* Allow disabling live notifications globally and disabling specific notifications per user (ref #1991) (@Kukks)
* Allow custom redirect_url for PoS (ref #1924) (@mariodian)
* A new experimental plugin system (@Kukks)
### Improvements
* UI: Make store setup more intuitive (ref #2011) (@dennisreimann @dstrukt)
* UI: Improvement of the modal checkout overlay (see [this comment](https://github.com/btcpayserver/btcpayserver/pull/1930#issuecomment-701298441)) (@dennisreimann)
* BTCPay Server vault operations can now be retried without having to refresh the page (@NicolasDorier)
* UX: Warning and hint system for stores not completely set up (@dennisreimann @rockstardev)
* Greenfield (Breaking change): Invoice state renamed `Confirmed/Complete` to `Settled`. (@NicolasDorier)
* Greenfield (Breaking change): Invoice state renamed `Paid` to `Processing`. (@NicolasDorier)
* Breaking change: Remove SQLite as the default database option (@Kukks)
* UI: Make sure transaction labels display correctly when there are many (ref #2076) (@ubolator)
* UI: Properly center payment button content (@ubolator)
* UI: Improvement of the lightning node info view (ref #2066) (@dennisreimann)
* Share the link of a pay button so one can embed in a QR code (fix #635) (@Kukks)
* Checkout experience: Make QR codes with bech32 uppercase again (@rockstardev)
* Add a warning if the merchant sets invoice confirmation to zero conf (@ubolator)
* Add a warning to configure the e-mail server before the "Requires a confirmation mail for registering" checkbox can be checked, if the e-mail server is not configured. (@ubolator)
* Payment requests: Partially paid invoices are reused for future payments in payment requests. (@NicolasDorier)
* API Keys UI: Properly align form items (@dennisreimann)
* Wallets: By default, created PSBTs included previous transactions. Some hardware wallets ended up returning timeouts, so we reverted this decision. (@NicolasDorier)
### Bug fixes:
* Fix payment button page title (ref #1952) (@sgracia13)
* Do not log the database connection string (@Kukks)
* Payjoin: Use base64 instead of hex for BIP78 (fix #1984) (@Kukks)
* If a password fails to be reset by mail, show a proper error (fix #1986) (@NicolasDorier)
* Email was not included in the invoice text search (@Kukks)
* Greenfield: The create invoice route should not send back generic errors if it fails (@dennisreimann)
* Fix-up links which were ignoring custom root path (@ubolator)
* Greenfield: Opening a channel with lightning was not working properly (ref #2054) (@dennisreimann)
* Docs: Create invoice route was referencing the wrong type in the doc (@dennisreimann)
* Payment Request user input rounding issue (ref #2014) (@Kukks)
* In store settings, the create new token button was returning an error (@NicolasDorier)
* Wallet: When clicking on the app's label of a transaction, an error 404 occurred (@Kukks)
* Checkout experience: If coinswitch was activated, the altcoin tab was missing (@Kukks)
* If Email verification is turned off but you requested a forgot password form, it would ignore the request internally. (@Kukks)
* Docs: Fix swagger format for dates (@Kukks)
* Payjoin: Do not include maxadditionalfeecontribution if there is no change. (ref #2007) (@NicolasDorier)
* Checkout: If an invoice accepting lightning payments was partially paid, the payment of the new lightning invoice was buggy. (@Kukks)
* Can enable/disable any payment method based on the amount of the invoice #1871 @xpayserver
* New Invoice API in Greenfield (Still incomplete, more for next release) @Kukks @NicolasDorier
* A new light view more adapted for Point of Sale @mariodian
* Allows administrator to invite new users via link and email @Kukks
* New labels in the wallet for payment requests, apps, and improvement of the payout label @Kukks
* Allows entry in wallet send via fiat #1891 @Kukks
* Allows partial invoice refund #1882 @Kukks
* In the Request API key flow, let the user be redirected to the original website #1800 @Kukks @dennisreimann ([more info](https://docs.btcpayserver.org/API/Greenfield/v1/#tag/Authorization))
* Invoice logs now show their severity #1681 @Kukks (see https://i.imgur.com/eyMO9M3.png)
* Update PSBT and PSBT sent to Hardware wallet will include `non_witness_utxo` by default, when possible, to match Bitcoin Core 0.20.1 behavior. @NicolasDorier
* Improvement of the UX flow for requesting an API Key of a BTCPay Server user (#1898) @dennisreimann
* Don't send notification email for expired invoices @dennisreimann
* Greenfield API: Add `Roles` property to the user data. @dennisreimann
* Remove Changelly integration @Kukks
* Better wording in transaction list page #1887 @maltokyo
* Fix alerts text break. #1865 @bolatovumar
* Remove Tor link from navbar @NicolasDorier
* Improve invoices list view #1815 @dennisreimann
* Improve sync progress dialog #1929 @Kukks
* Show index of payment address for onchain payments @Kukks
### Bug fixes:
* When an invoice is partially paid on-chain and allows off-chain payment, a new lightning network invoice should be created for the remainder of the payment. @Kukks
* Changing the inventory of a PoS item was not working properly (@mariodian)
* Greenfield API: The internal lightning API was returning error 403, even when used as an administrator (@Kukks)
* Using lightning charge as lightning network invoice provider over HTTP was not working properly @bolatovumar
* Fix: If the hot wallet failed to sign a PSBT, should not show a blank page crash (@NicolasDorier)
* Fix bug: The wallet was sending only round amount of sat per byte (@NicolasDorier)
* BTCPayServer now has two different builds: Bitcoin-Only and Altcoins. See more [in our blog post](https://blog.btcpayserver.org/btcpay-server-1-0-5-4) (@xpayserver)
* Can sort apps list by store name, name or app type #1753 @bolatovumar
* Improve query performance when listing invoices @NicolasDorier
* Add margin to Delete store #1773 @bolatovumar
* Add pagination to wallet's transaction page #1772 @bolatovumar
* Improve VSCode user development experience #1769 @msafi
* Fix error message positioning in PoS #1759 @bolatovumar
* Fix swagger doc for approve payout @NicolasDorier
* Use BTCPay doc for RBF explanation tooltip @britttttk
* Allow mass archiving of invoices #1742 @bolatovumar
* Improve 2FA UI #1741 @dennisreimann
* .gitignore .DStore @Eskyee
* Allow RPC access in services when the node is synching @NicolasDorier
### Bug fixes
* Fix: In the PoS app, embedded CSS was ignored. @NicolasDorier
* Fix error when modifying user who does not have admin right. #1793 @NicolasDorier
* Fix null instance on invoice when using paymentCurrencies #1766 @Kukks
* Fix: Sluggish scrolling in pages having a rich text editor @dennisreimann
* Fix: Crash in payment request if there are several invoices in "new" state @Kukks
* Fix: The crowdfund app did not count old invoices, only invoices created after enabling the option. @Kukks
### Security fixes
These are low-risk injection vulnerabilities.
* Prevent script injection via X-Forwarded-For (reported by @benichmt1) @NicolasDorier
* Prevent script injection via the CSV invoice export (reported by @benichmt1) @NicolasDorier
### Altcoins
* The BTCPay Server build is Bitcoin Only by default. If you are a developer and want to work on the altcoins build, please read [the documentation](https://docs.btcpayserver.org/LocalDevelopment/).
* Show sync progress for Monero and show amount of Monero payment #1729 @xpayserver
* Show a warning when creating a hot wallet if you are not an admin of the server (@kukks)
* In store settings, shows "Not set" if a derivation scheme is not set. If it is set, always show the last few letters of the derivation scheme. (@kukks)
* Do not show lightning network configuration for Liquid assets. (@kukks)
* Better UTXO selection for payjoin receiver (@kukks #1470)