Changelog.md
This release is the first release using .NET 10. We invite plugin developers to follow our guide for a smoother migration.
We recommend that users update their plugins after upgrading to 2.3.7.
paymentMethodId parameter (#7209 #7208) @pwnfooBTCPAY_NODEFAULTCHAIN (#7180) @NicolasDorierdeliveryTime property to webhook deliveries in the API and UI (#7140) @NicolasDorierCanModifyInvoices permission now includes viewing Lightning invoices for the store (#6867 #7138) @NicolasDorierCoinGecko's API now mandates the use of an API Key for accessing rates. Consequently, we've decided to discontinue support of CoinGecko-based rate sources. For those who relied on CoinGecko, invoice creation will now fail, and you must choose an alternative rate provider.
In some circumstances, we were using CoinGecko rate providers to calculate the exchange rate (for example, for LTC).
Disable zero amount invoices in PoS doesn't show when Keypad mode is selected (#7071) @NicolasDorierThis release fixes an important regression from 2.3.1 affecting support for payment methods other than BTC and Lightning.
It also fixes several bugs in the new subscriptions feature that have been reported since the last release.
Some plugins such as Ecwid plugin would crash BTCPay Server at startup in a loop. (See this issue)
This release fixes that issue. If you experience this issue after upgrading to 2.3.0, you ne6772ed to update through command line. You can contact us on chat.btcpayserver.org, if you need some support.
Condition field to allow more complex conditions for triggering emails. (#7016) @NicolasDorierCC and BCC fields. (#6979) @NicolasDorierSubject, To, CC, and BCC fields now support placeholders. (#7016) @NicolasDorierUser: Password Reset Requested, User: Email Confirmation, User: Invitation, User: Account Approved, Admin: Approval Request. (#6979) @NicolasDorierWe recommend updating NBXplorer to version 2.5.28 to take full advantage of the features in this release.
Breaking change: This release renames and reorders the columns of the Legacy Invoice Export, now called Invoice Export. While we encourage you to utilize the updated report, we recognize this may disrupt workflows that rely on the old format.
If you need to restore the Legacy Invoice Export, install the Legacy Invoice Export plugin.
As a server administrator, go to Manage Plugins, search for [LegacyInvoiceExport], install it, and restart your server.
Additional rates to track in store settings (#6841) @NicolasDorieramountPaid on greenfield invoices (#6747 #2525) @TChukwuletaNote: If you installed the XPub Extractor plugin, you will need to update it.
Reference Id. (#6642) @rockstardevReference Id. (#6642) @rockstardev{PaymentRequest.Amount} in email template would not be properly replaced by its value. (#6666) @rockstardevDefault Include NonWitness Utxo. (#6678) @NicolasDorierBreaking change: If you are using Monero or ZCash, you will need to install their respective plugins after this update.
Note that if you aren't using the docker deployment, you will need to remove --chains xmr or --chains zec (or corresponding BTCPAY_CHAINS) from BTCPay Server configuration.
Please read our blog post for more details.
refundBOLT11Expiration to Get/Update store endpoint (#6644) @NicolasDorierinvitationLink and disabled properties to user APIs (#6649) @dennisreimannThis release contains a security fix for merchants using refunds/pull payments On-Chain with automated payout processors. Please update as soon as possible. We could not reproduce the reported issue on our own instances, but the reporting merchant confirmed the issue was resolved.
InProgress state to AwaitingPayment. (#6564) @NicolasDorierGET v1/stores/{storeId}/payment-methods/{paymentMethod} was returning a wrong enabled property if onlyEnabled query parameter was passed. (#6570) @NicolasDorierPUT v1/stores/{storeId}/payment-methods/{paymentMethod} for on-chain payment method was not supporting the documented config payload. (#6570) @NicolasDorierBTCPAY_ROOTPATH is used (#6506) < plugin dependency implementation (#6420) @jackstar12IGlobalCheckoutModelExtension to allow a plugin to customize checkout experience regardless of the payment method (#6470) @NicolasDorierIExtendedLightningClient to allow a plugin to better validate a lightning connection string, and customize display stringss. (#6467) @NicolasDorierIf you are using Boltcards, we advise you to update to this release.
If you are using the Nostr or Blink plugin, consider this release security-critical.
Without it, an attacker with access to a pull payment could drain the Lightning wallet without limit.
BTCPay Server 2.0 contains a lot of new features, but also breaking changes. Please refer to our blog post before upgrading — here are the most noteworthy things:
BitcoinCheckoutModelExtension support other payment handlers (#6311) @jackstar12If you are using Boltcards, we advise you to update to this release.
lightning: in html hyperlinks (#6002 #6001) @dennisreimannSend Wallet screen wasn't working (#6011) @NicolasDorierbuyerEmail field in a Payment Request's form will now set the email for the payment request (#5926) @Kukksmailto: links in descriptions (#5736) @dennisreimannRecommended update for users using Boltcard with pull payments or Top-Up invoices.
Breaking change: Boltcards linked to pull payments in version 1.12.0 are not compatible with version 1.12.1.
Amount Due and Recommended Fee (#5390) @dennisreimannAn update is recommended if you share your server with many users. Your server could crash (Error HTTP 500) if you have a high number of users.
Minor update recommended for deployment stacks which were using MySQL/SQLite backend in the past such as Raspiblitz, Umbrel, Embassy OS.
We fix a migration to postgres error that has been introduced a few versions ago.
Open with wallet deep link in the checkout page wasn't working properly on some browsers.Notice: Due to the substantial disk space consumption, we are removing all data pertaining to past webhook deliveries (#5005).
This data, generally used for debugging integrations, will be regularly purged. Hereafter, any Webhook delivery data older than two months will be automatically deleted.
Owner and Guest role available for users of a store, it is now possible to create new custom roles and to adjust the permissions granted by Owner and Guest. (#4940) @KukksPayouts menu would still show only the same pull payment's payout (#4788) @KukksAs part of our effort to withdraw support for MySQL and SQLite, if you start BTCPay Server with --sqlitefile or --mysql without being in the context of a migration, your server will fail to start.
We introduce another flag, --deprecated, which allows you to start with SQLite or MySQL even if it is deprecated. We will remove this flag in version 1.10.
--sqlitefile or --mysql (#4772) @NicolasDorierPay by LNURL Withdraw button if NFC isn't supported by the browser (#4822) @dennisreimannmissing-permission error when no store on /api/v1/stores (#4735 #4748) @NicolasDorierBear markets are for building: This version brings custom checkout forms, store branding options, a redesigned Point of Sale keypad view, new notification icons and address labeling.
Read more information in v1.8.0 blog's post.
Update recommended for shared instances.
With this release, we are providing a migration path for legacy MySql and SQLite installations.
If you are a BTCPay Server integrators such as developer of Raspiblitz, Umbrel, Embassy OS or anybody running BTCPay Server on SQLite or MySql, please refer to the documentation.
While SQLite and MySQL should still be working for one year or two, we will not fix bugs related to those backend. (unless it impacts migration)
Some users experienced Error 500 after login on to BTCPay Server from the 1.7.6. If it is your case, to update on docker deployments via the UI, you need to:
https://{yourserver}/server/maintenanceThere are two vulnerabilities fixed in this release. Those are not severe, as it requires the victim to actively click on a malicious link, but we recommend to update.
We also introduce a breaking change in the Greenfield API route /api/v1/stores/{storeId}/rates/configuration/preview. (#4607)
This breaking change shouldn't impact the majority of people.
Note for integrators such as Raspiblitz or Umbrel: As part of our effort to make BTCPay Server more welcoming to plugins, we have made a change that may impact you.
Previously, when a user uninstalled or installed a new plugin, BTCPay Server would prompt them to restart the server by clicking on a button. Prior to version 1.7.4, this restart button was not functional due to being coupled to our own Docker deployment stack.
As of now, the restart button will instead terminate the BTCPay Server process. The process manager, such as systemd or docker should then automatically restart BTCPay Server. Please ensure that automatic restart capability exists.
DescriptionHashOnly to Lightning invoice creation endpoint (#4411) @NicolasDorierDescriptionHash in the Lightning invoice creation endpoint has been removed (#4411) @NicolasDorierinvoicewithdescriptionhash anymoreallow-deprecated-apis=falsemonitoringExpiration field for invoice API docs (#4348) @bolatovumarThis fix a critical issue introduced by 1.6.0. If you are using altcoins integration, you need to update urgently as some change rate may be inverted for some pairs.
In the past six months, we fixed a critical security vulnerability in one of BTCPay's versions. The security vulnerability has been disclosed responsibly, and we granted a bounty to the security researcher who discovered it. As far as we know, this particular vulnerability has not been exploited in the wild as it depends on multiple factors. For security reasons, we will not publicly disclose details yet. Timeframe for public disclosure is 6-12 months. We already have a CVE number reserved for it.
It's very likely that by updating BTCPay Server in the past six months, you've already patched this vulnerability. To be safe, update your instance if you haven't done so in a long time.
Nicolas Dorier <[email protected]> rather than just [email protected] (#3891) @NicolasDorierspeedPolicy parameter (#3877) @ndeetView action to the Name column in Payouts & Payment Requests (#3873) @dstrukt @dennisreimannBTCPay Server started in August 2017 and meanwhile has been evolving incrementally thanks to the feedback of the community.
It was finally time to cleanup the UI/UX and technical debt we accumulated over the years.
We enumerate here a lot of new features and bug fixes, but we do not enumerate the UI/UX changes, we dedicated a separate blog post for this topic.
The heavy lifting of this work has been mainly brought to you thanks to the collaboration of @dstrukt and @dennisreimann. We thank also all the testers we brought us feedback, and all of you who participated in the weekly design meetings.
The work on the UI/UX is however never over and we will keep on improving it based on your feedback.
Note: If you are using our docker deployment on a raspberry pi 4, there is a small chance your docker version does not support the new docker image. If you have any issue with raspberry pi 4, you need to update your docker version following steps on this blog post. Note that you do not need to update libseccomp2, our update process does this for you automatically.
missingPermission field to 403 errors (#3195) @NicolasDorier @woutersamaeycreated field of payment request should be a unix timestamp @woutersamaey (#3221)created field of payment request should be a unix timestamp @woutersamaey (#3221)available property of nodes returned by /api/v1/server/info wasn't actually set (ee1a034c0ab7744a2988e5da874084bc7dfa8b73) @NicolasDorierThis feature include a critical security patch. The vulnerability impacts owner of shared instances which share their internal lightning nodes. Credits to @yilakb to have noticed us.
https://btcpay.../i/{invoiceId}/{paymentMethodId}, it was impossible to switch to any other payment method @NicolasDorierMinor bug fixes release, update recommended for shared hosting. (#2851)
Only enable the payment method after user explicitly chooses it is enabled for a store and a payment method is unavailable, the server could become unresponsive. @NicolasDorierThis release fixes three XSS vulnerabilities. Those vulnerabilities only impacts shared BTCPay instances. Special thanks to Ajmal "@b3ef" Aboobacker and Abdul "@b1nslashsh" muhaimin for finding them who contacted us through @huntrdev. See 1, 2 and 3.
enabledOnly filter to enabled @kukksCanModifyInvoices permission (#2595) @kukksOnly enable the payment method after user explicitly chooses it was checked for the store @kukksBTCPAY_TOR_SERVICES configuration to expose tor services via the server settings. Useful for integration with self-hosted node such as Umbrel (#2388) @Kukks @junderwSmall release fixing bugs introduced in 1.0.7.1:
new state @KukksThis release is trying some improvement to decrease the chances of being falsy flagged by Google Safe Browsing.
DefaultPaymentMethod to the store's settings @KukkscheckoutLink of the created invoice, where you need to redirect your customer to pay in BTC @NicolasDorierMark all as seen button to the notification dropdown @bolatovumar/docs miscellaneous features of BTCPay (such as optional arguments of the checkout page) @NicolasDorierIt turns out this is not compatible with every wallets.
Confirmed/Complete to Settled. (@NicolasDorier)Paid to Processing. (@NicolasDorier)non_witness_utxo by default, when possible, to match Bitcoin Core 0.20.1 behavior. @NicolasDorierRoles property to the user data. @dennisreimannThose are low risk injection vulnerabilities.
Payjoin not working correctly for P2SH-P2WPKH merchants. @kukks
Clicking on the balance amount on send wallet, was not checking "Substract fees" automatically @kukks
Since this release is substantial, we invite your to read our blog post as well.
Paid summary by Invoice Summary in the invoice preview of the invoice list page