security: require auth for uploaded photos (GHSA-wxx3-84fc-mrx2) GHSA-pcr3-6647-jh72 (HIGH): - Add canAccessTrip check to all /trips/:tripId/photos and /trips/:tripId/album-links endpoints - Prevents authenticated users from accessing other trips' photos GHSA-wxx3-84fc-mrx2 (LOW): - /uploads/photos now requires JWT auth token or valid share token - Covers and avatars remain public (needed for login/share pages) - Files were already blocked behind auth |
||
|---|---|---|
| .. | ||
| public | ||
| src | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||