This feature includes a critical security patch. The vulnerability impacts owners of shared instances that share their internal lightning nodes. Credits to @yilakb for notifying us.
* Greenfield: Adds the Archive status to Invoice model @TheHazeEffect
* Greenfield: Add pagination to the get invoices operation @TheHazeEffect
### Bug fixes:
* Crowdfunding topup invoice doesn't work when there isn't a perk added (#3048 #3064) @satwo
* Crowdfund: Fix perk value display (#3060) @dennisreimann
* Lightning address payment would fail if millisatoshi is not 0 mod 1000 on LND (#3056) @NicolasDorier
* The Test Connection feature during lightning setup was hiding the cause of failure @NicolasDorier
* Creating a new invoice in payment request with LNURL activated would crash @NicolasDorier
* Improve error reporting in (#3065) @NicolasDorier
* After loading the Update PoS Settings page and selecting an item to edit, it will always show the price type selected as Fixed regardless of what the actual price type is. (#3049) @fabu21
* Fixes label on Point of Sale page (#3037) @dstrukt
### Improvements:
* If no default payment method, the fallback should be in order of preference: BTC, then Lightning (via BOLT11)
* UI Improvement of the maintenance page @dstrukt
* In the invoice's details page, show the url of webhook's deliveries (#3034) @satwo
* Improves upload button for files (#3044) @dstrukt
* Fix: The checkout page would reload when changing payment method, causing an annoying flicker @NicolasDorier
* Fix: When browsing to BTCPay with explicit paymentMethodId such as `https://btcpay.../i/{invoiceId}/{paymentMethodId}`, it was impossible to switch to any other payment method @NicolasDorier
* If `Only enable the payment method after user explicitly chooses it` is enabled for a store and a payment method is unavailable, the server could become unresponsive. @NicolasDorier
* Authorize API key page was broken when trying to select specific stores (#2858) @ubolator
* The /docs page was broken in 1.2.3 due to CSP @NicolasDorier
* Fix crashes happening when someone migrates from the BTCPay Server altcoins edition back to Bitcoin only @Kukks
This release fixes three XSS vulnerabilities. Those vulnerabilities only impact shared BTCPay instances.
Special thanks to Ajmal "@b3ef" Aboobacker and Abdul "@b1nslashsh" Muhaimin, who found them and contacted us through @huntrdev.
See [1](https://huntr.dev/bounties/ffabdac8-7280-4806-b70c-9b0d1aafbb6e/), [2](https://www.huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613/) and [3](https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8/).
* The checkout would crash for some clients if automatic detection of language was checked and the browser was not setting the accepted language @NicolasDorier
* Various UI Tweaks and improvements (#2558 #2562 #2568 #2572 #2606 #2608 #2615 #2627 #2628 #2649 #2645 #2673 #2646 #2647 #2745 #2746) @dstrukt @dennisreimann @woutersamaey @johanf85 @bolatovumar
* Notify users to use newer BTCPay Vault app if necessary @nicolasdorier
* Set lightning invoice fallback in QR code as uppercase (#2492) @bjarnemagnussen @Kukks
* Update BC-UR bundle and support decoding hex format of wallet (#2505 #2499) @Kukks
### Bug fixes:
* During refund or payout, some payments issued from BTCPay were not properly detected. (#2513 #2518) @Kukks @NicolasDorier
* Fix payment button steps and validation range (#2506 #2503) @Kukks
* The local culture of the server could break some features on BTCPay Server (#2512) @NicolasDorier
* Make sure unaccounted payments (double-spent payments, or the payjoin original transaction) are not counted by payment requests and the crowdfund app @NicolasDorier
* Add `BTCPAY_TOR_SERVICES` configuration to expose Tor services via the server settings. Useful for integration with self-hosted nodes such as Umbrel (#2388) @Kukks @junderw
* Payment methods can be toggled directly from the update store page, rather than inside the page of each payment method (#2469) @dennisreimann
* Start separation of Coinswitch feature and Shopify integration as plugins (#2384 #2390) @Kukks
* Greenfield: Ability to pass more query parameters to filter results of api/v1/invoices @SakerOmera
* Human friendly error if webhook or webhook delivery not found @NicolasDorier
* Add button to copy API key to clipboard (#2439) @ubolator
### New features:
* Support WebAuthn/FIDO2 as second factor @Kukks
* Can get a receive address in the wallet accepting Payjoin (without creating an invoice) @Kukks
* Can disable modification of SSH settings via the server settings to prevent escalation of privilege. (See #2468) @NicolasDorier
* Manual coin selection has a "confirmed utxo" filter @Kukks
* Greenfield: Can query fee rate @Kukks
* New setting for checkout: Ability to activate specific payment methods after the creation of the invoice @xpayserver @Kukks @rockstardev
### Bug fixes:
* Fix: Clicking on "Unreserve this address" was not properly reflected in the UI @Kukks
* Fix: Block explorer links for signet @kristapsk
* Fix: Typo in PoS cart view (#2428) @MaxHillebrand
* Greenfield: Fix typo of webhook type OrignalDeliveryId => OriginalDeliveryId @NicolasDorier
* If the posData property of invoice metadata was not a JObject, the invoice would crash @Kukks
* If a store was created via the Greenfield API, warning signs of unconfigured stores would not appear. (Fix #2434) @bolatovumar
* Do not crash if plugin folder mismatches plugin identifier @Kukks
* Fix notification count on mobile (#2483) @dennisreimann
* Fix: Passing invalid query parameters or route values in the Greenfield API should return HTTP 422 + validation details rather than an empty 400. @NicolasDorier
* Greenfield: Deleting a store in the server should delete only webhooks of this store @NicolasDorier
### Miscellaneous
* Add user id in logs when somebody logs in. @NicolasDorier
* Due to a privacy leak vulnerability, users of the payment button are strongly encouraged to update as soon as possible.
### New features
* Add QR code scan/show for PSBT + Import wallet via QR [spec](https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-005-ur.md) (supported by Cobo vault / Blue wallet) (#1931)
* Checkout experience: Unified QR Code for on-chain and offchain payment (ref #2060) (@rockstardev)
* Greenfield: Clean webhook API github-like (ref #2058) (@NicolasDorier @Kukks)
* Greenfield: Can query invoice payment data (@Kukks)
* Allow users to select block explorers from a list or specify their own URL (@Kukks)
* Allow disabling live notifications globally and disabling specific notifications per user (ref #1991) (@Kukks)
* Allow custom redirect_url for PoS (ref #1924) (@mariodian)
* A new experimental plugin system (@Kukks)
### Improvements
* UI: Make store setup more intuitive (ref #2011) (@dennisreimann @dstrukt)
* UI: Improvement of the modal checkout overlay (see [this comment](https://github.com/btcpayserver/btcpayserver/pull/1930#issuecomment-701298441)) (@dennisreimann)
* BTCPay Server vault operations can now be retried without having to refresh the page (@NicolasDorier)
* UX: Warning and hint system for stores not completely set up (@dennisreimann @rockstardev)
* Greenfield (Breaking change): Invoice state renamed `Confirmed/Complete` to `Settled`. (@NicolasDorier)
* Greenfield (Breaking change): Invoice state renamed `Paid` to `Processing`. (@NicolasDorier)
* Breaking change: Remove SQLite as the default database option (@Kukks)
* UI: Make sure transaction labels display correctly when there are many (ref #2076) (@ubolator)
* UI: Properly center payment button content (@ubolator)
* UI: Improvement of the lightning node info view (ref #2066) (@dennisreimann)
* Share the link of a pay button so one can embed in a QR code (fix #635) (@Kukks)
* Checkout experience: Make QR codes with bech32 uppercase again (@rockstardev)
* Add a warning if the merchant sets invoice confirmation to zero conf (@ubolator)
* Adds a warning to configure the e-mail server before "Requires a confirmation mail for registering" checkbox can be checked if e-mail server is not configured. (@ubolator)
* Payment requests: Partially paid invoices are reused for future payments in payment requests. (@NicolasDorier)
* API Keys UI: Properly align form items (@dennisreimann)
* Wallets: By default, created PSBTs included previous transactions. Some hardware wallets ended up returning timeouts, so we reverted this decision. (@NicolasDorier)
### Bug fixes:
* Fix payment button page title (ref #1952) (@sgracia13)
* Do not log the database connection string (@Kukks)
* Payjoin: Use base64 instead of hex for BIP78 (fix #1984) (@Kukks)
* If a password fails to be reset by mail, show a proper error (fix #1986) (@NicolasDorier)
* Email was not included in the invoice text search (@Kukks)
* Greenfield: The create invoice route should not send back generic errors if it fails (@dennisreimann)
* Fix-up links which were ignoring custom root path (@ubolator)
* Greenfield: Opening a channel with lightning was not working properly (ref #2054) (@dennisreimann)
* Docs: Create invoice route was referencing the wrong type in the doc (@dennisreimann)
* Payment Request user input rounding issue (ref #2014) (@Kukks)
* In store settings, the create new token button was returning an error (@NicolasDorier)
* Wallet: When clicking on the app's label of a transaction, an error 404 occurred (@Kukks)
* Checkout experience: If coinswitch was activated, the altcoin tab was missing (@Kukks)
* If Email verification is turned off but you requested a forgot password form, it would ignore the request internally. (@Kukks)
* Docs: Fix swagger format for dates (@Kukks)
* Payjoin: Do not include maxadditionalfeecontribution if there is no change. (ref #2007) (@NicolasDorier)
* Checkout: If an invoice accepting lightning payments was partially paid, the payment of the new lightning invoice was buggy. (@Kukks)
* Can enable/disable any payment method based on the amount of the invoice #1871 @xpayserver
* New Invoice API in Greenfield (Still incomplete, more for next release) @Kukks @NicolasDorier
* A new light view more adapted for Point of Sale @mariodian
* Allows administrator to invite new users via link and email @Kukks
* New labels in the wallet for payment requests, apps, and improvement of the payout label @Kukks
* Allows entry in wallet send via fiat #1891 @Kukks
* Allows partial invoice refund #1882 @Kukks
* In the Request API key flow, let the user be redirected to the original website #1800 @Kukks @dennisreimann ([more info](https://docs.btcpayserver.org/API/Greenfield/v1/#tag/Authorization))
* Invoice logs now show their severity #1681 @Kukks (see https://i.imgur.com/eyMO9M3.png)
* Update PSBT and PSBT sent to Hardware wallet will include `non_witness_utxo` by default, when possible, to match Bitcoin Core 0.20.1 behavior. @NicolasDorier
* Improvement of the UX flow for requesting an API Key of a BTCPay Server user (#1898) @dennisreimann
* Don't send notification email for expired invoices @dennisreimann
* Greenfield API: Add `Roles` property to the user data. @dennisreimann
* Remove Changelly integration @Kukks
* Better wording in transaction list page #1887 @maltokyo
* Fix alerts text break. #1865 @bolatovumar
* Remove Tor link from navbar @NicolasDorier
* Improve invoices list view #1815 @dennisreimann
* Improve sync progress dialog #1929 @Kukks
* Show index of payment address for onchain payments @Kukks
### Bug fixes:
* When an invoice is partially paid on-chain and allow off-chain, a new lightning network invoice should be created for the remainder of the payment. @Kukks
* Changing the inventory of a PoS item was not working properly (@mariodian)
* Greenfield API: The internal lightning API was returning error 403, even when used as an administrator (@Kukks)
* Using lightning charge as lightning network invoice provider over HTTP was not working properly @bolatovumar
* Fix: If the hot wallet failed to sign a PSBT, should not show a blank page crash (@NicolasDorier)
* Fix bug: The wallet was sending only round amounts of sat per byte (@NicolasDorier)
* BTCPayServer now has two different builds: Bitcoin-Only and Altcoins. See more [in our blog post](https://blog.btcpayserver.org/btcpay-server-1-0-5-4) (@xpayserver)
* Can sort apps list by store name, name or app type #1753 @bolatovumar
* Improve query performance when listing invoices @NicolasDorier
* Add margin to Delete store #1773 @bolatovumar
* Add pagination to wallet's transaction page #1772 @bolatovumar
* Improve VSCode user development experience #1769 @msafi
* Fix error message positioning in PoS #1759 @bolatovumar
* Fix swagger doc for approve payout @NicolasDorier
* Use BTCPay doc for RBF explanation tooltip @britttttk
* Allow mass archiving of invoices #1742 @bolatovumar
* Improve 2FA UI #1741 @dennisreimann
* .gitignore .DStore @Eskyee
* Allow RPC access in services when the node is synching @NicolasDorier
### Bug fixes
* Fix: In the PoS app, embedded CSS was ignored. @NicolasDorier
* Fix error when modifying a user who does not have admin rights. #1793 @NicolasDorier
* Fix null instance on invoice when using paymentCurrencies #1766 @Kukks
* Fix: Sluggish scrolling in pages having a rich text editor @dennisreimann
* Fix: Crash in payment request if there are several invoices in "new" state @Kukks
* Fix: Crowdfund app doesn't count old invoices. It was only invoices created after enabling the option. @Kukks
### Security fixes
These are low-risk injection vulnerabilities.
* Prevent script injection via X-Forwarded-For (reported by @benichmt1) @NicolasDorier
* Prevent script injection via the CSV invoice export (reported by @benichmt1) @NicolasDorier
### Altcoins
* BTCPay Server build is Bitcoin Only by default. If you are a developer and want to work on the altcoins build, please read [the documentation](https://docs.btcpayserver.org/LocalDevelopment/).
* Show sync progress for monero and show amount of monero payment #1729 @xpayserver
* Show a warning when creating a hot wallet if you are not an admin of the server (@kukks)
* In store settings, shows "Not set" if a derivation scheme is not set. If it is set, always show the last few letters of the derivation scheme. (@kukks)
* Do not show lightning network configuration for Liquid assets. (@kukks)
* Better UTXO selection for payjoin receiver (@kukks #1470)