The bug was that the upload handler was checking request.session.get('user_id') directly instead of using the proper authenticated user_id from request.state. When API authentication was also active, the middleware would set request.state.user_id which was being ignored.

Now correctly uses:
current_user_id = getattr(request.state, 'user_id', request.session.get('user_id'))

This respects both session authentication and API authentication state while properly identifying the config admin from aisbf.json who has no user_id.

- Replaced all is_config_admin checks to properly check role == 'admin'
- Fixed 19 occurrences throughout the codebase
- Config admin file uploads now save to filesystem instead of database
- This fixes credential file uploads for aisbf.json defined admin users

- Added md5 filter to Jinja2 templates for Gravatar
- Added popup=1 parameter to OAuth2 URLs
- Added persistent oauth2_popup_mode session flag
- Both Google and GitHub OAuth flows now properly detect popup mode
- Callback now correctly sends postMessage to opener window
- Popup closes automatically and main window redirects to dashboard

OAuth2 signup/login endpoints (/auth/oauth2/google, /auth/oauth2/github) now work correctly when API authentication is enabled. API authentication should only apply to LLM proxy endpoints, not authentication/signup routes.

Fix: Model performance Type column now shows provider type (kilo, claude, qwen, etc) instead of generic 'Provider Model'

- Added fallback logic to get provider/model combinations from token_usage table
- Added context dimension recording in request success path
- Model performance now displays data even if context_dimensions table is empty
- Skip providers with zero requests in selected time range

- Simplified get_cost_overview to use tokens from provider stats (which already respect date range)
- Removed redundant get_token_usage_by_date_range call
- Cost overview now properly reflects selected time period filter

- Added from_datetime and to_datetime parameters to get_model_performance()
- Added from_datetime and to_datetime parameters to get_optimization_recommendations()
- Model performance now uses date-filtered provider stats instead of all-time stats
- All analytics sections now respect the selected time range filter
- Added optimization_savings placeholder to template context

- Fixed analytics token counting for Kilo/Kilocode ChatCompletion objects
- Fixed database migrations to add missing columns (success, latency_ms, error_type, token_id)
- Restored model retrieval with proper handle_model_list method
- Fixed response cache serialization for ChatCompletion objects
- Fixed MySQL timezone issues in all analytics queries using _format_timestamp()
- Added comprehensive cost calculation debug logging at INFO level
- Added kilo providers to DEFAULT_PRICING with $0.00 (subscription/free)
- Enhanced database tracking with full parameter trace logging
- Added 'Yesterday' time range filter to analytics page
- Improved custom date range handling
- All changes maintain 100% backwards compatibility
- Version bumped to 0.99.33

- Fixed duplicate authentication area in providers dashboard
- Restored full OAuth authentication with popup windows for all providers
- Added missing JavaScript authentication functions (authenticateClaude, authenticateQwen, authenticateCodex, authenticateKilo)
- Added missing backend endpoint /dashboard/providers/{provider_name}/auth/check
- Fixed import errors and attribute access for OAuth provider configs
- Fixed credential structure access for each OAuth provider type
- Fixed polling status responses (approved -> completed)
- Added human-readable expiration time formatting (days, hours, minutes, seconds)
- All OAuth flows now work with proper popup windows, polling, and status updates

- Restore Rate Limits and Response Cache links in analytics page for admin users
- Add detailed Optimization Savings section with token and cost breakdown
- Fix JavaScript syntax error in rate limits page
- Add response cache dashboard page with statistics and management
- Update setup.py to include new response cache template

- Add Estimated Savings card showing money saved from cache hits
- Fetch cache statistics via AJAX and calculate savings
- Display savings prominently in Cost Overview section
- Assumes average cost of $0.002 per cached request

- Add quick links navigation to Analytics, Response Cache, and Rate Limits pages
- Create response_cache.html template with cache statistics and management
- Add /dashboard/response-cache route to display cache page (not just JSON)
- Fix rate_limits URL in navigation (use /dashboard/rate-limits)
- All three pages now have consistent navigation between them

- Move updateUsers and getUrlParams functions outside DOMContentLoaded
- Add attachEventListeners function to reattach event handlers after AJAX updates
- Fixes 'updateUsers is not defined' error when performing bulk operations

- Add status_filter and role_filter query parameters with validation
- Pass filter parameters to database method
- Include filter values in template context for UI persistence

- Add back search controls with filter dropdowns (status/role) that were accidentally removed
- Add missing bulk action helper functions: updateBulkActionsVisibility, updateSelectAllState, clearSelection, performBulkAction
- Ensure bulk selection and bulk operations work correctly

- Implement POST /dashboard/users/bulk route for bulk operations
- Support enable, disable, delete, and tier change actions
- Add input validation for action and user_ids parameters
- Include error handling and appropriate JSON responses
- Log errors for debugging purposes

- Add status filter (active/inactive) and role filter (admin/user) dropdowns
- Add select all checkbox and individual user checkboxes
- Add bulk action bar with tier change, enable/disable, delete buttons
- Include selection counter and clear selection button

- Add status_filter parameter (active/inactive)
- Add role_filter parameter (admin/user)
- Combine filters with existing search functionality
- Update both main query and count query

- Advanced filtering by user status (active/inactive) and role (admin/user)
- Bulk selection with checkboxes and select all functionality
- Bulk operations: enable, disable, delete, change tier
- Confirmation dialogs for destructive actions
- Selection counter and clear selection
- Combined filtering with existing search/sorting/pagination

- Pagination works correctly across page sizes
- Search filters users by username, email, display name
- Sorting works for all columns in both directions
- URL state maintained for bookmarking
- Edge cases handled gracefully

All 30+ test cases passed successfully.

- Debounced search input with clear functionality
- Clickable sortable headers with direction indicators
- Pagination controls with previous/next buttons and page size selector
- URL state management for bookmarking
- Loading states and error handling

- Add search input field with current search value
- Make username, created_at, last_login headers sortable with indicators
- Add pagination controls with page size selector
- Include 'showing X-Y of Z' counter

- Add query parameters: page, limit, search, order_by, direction
- Use new get_users_paginated database method
- Calculate pagination metadata (total pages, current range)
- Pass filters and pagination data to template

- Support pagination with LIMIT/OFFSET
- Case-insensitive search across username, email, display_name
- Sorting by username, last_login, created_at, tier_name
- Return both users list and total count for pagination

- Database layer: get_users_paginated method with search and sorting
- API layer: /dashboard/users route with query parameters
- Frontend: Search input, sortable headers, pagination controls
- JavaScript: AJAX updates with URL state management
- Testing: Complete functionality verification

Plan structured as 5 bite-sized tasks with TDD approach.

- Pagination with customizable page sizes (10, 25, 50, 100)
- Search by username, email, display name (case-insensitive)
- Multi-column sorting (username, last login, signup date, tier)
- URL state management for bookmarking
- AJAX-based updates for smooth UX
- Comprehensive error handling and performance considerations