Trek_CN/server
Maurice 292e443dbe security: address silent-failure review findings on top of batch 1
Second-pass fixes caught by a self-review after the initial commit — each
one would have undermined a fix from the previous commit.

- mfaPolicy now goes through `verifyJwtAndLoadUser` too. Without this,
  a JWT stolen before a password reset still satisfied `require_mfa`
  until its natural 24h expiry, defeating the whole point of the
  password_version bump.
- Drop the `?? keys[0]` fallback in OIDC JWKS key selection. When the
  token carries a `kid` that is not in the current JWKS, refuse
  outright instead of picking an arbitrary key and letting the
  signature check produce a generic failure — the real failure mode
  deserves a specific error code.
- Tighten OAuth DCR custom-scheme rule so `javascript:`, `data:`,
  `vbscript:`, `file:`, `blob:`, `about:`, `chrome:` are all rejected.
  Previously the catch-all "not http/https" check admitted them; the
  authorize flow later 302s the browser to whatever is registered,
  which with a `javascript:` URI would execute attacker script on
  redirect. Also require the private-use scheme body to be reverse-DNS
  (contain a dot), matching RFC 8252 §7.1.
- permanentDeleteFile / emptyTrash only delete the trip_files row when
  the on-disk unlink actually succeeded. Previously Promise.all
  swallowed individual unlink failures and DELETE ran unconditionally,
  so a permission / ENOSPC failure would orphan bytes on disk.
- restoreFromZip also invalidates the permissions cache in the outer
  catch. If extraction threw before the DB swap even started, the
  cache wasn't stale, but belt-and-braces is cheap and guarantees no
  failed-restore path leaves stale cache behind.
2026-04-20 20:44:57 +02:00
..
assets refactor: move airports.json out of server/data into server/assets 2026-04-18 02:02:09 +02:00
public chore(CRLF): normalize index.html line endings to LF 2026-04-05 04:35:17 +02:00
scripts docs: add full wiki with 74 pages, assets, and CI workflow 2026-04-20 10:11:53 +02:00
src security: address silent-failure review findings on top of batch 1 2026-04-20 20:44:57 +02:00
tests security: internal audit — batch 1 2026-04-20 20:36:52 +02:00
.env.example feat(login): add language dropdown, browser auto-detection and configurable default 2026-04-12 20:03:57 -03:00
package-lock.json feat(bookings): show transport routes on map (#384, #587) 2026-04-17 14:04:40 +02:00
package.json feat(bookings): show transport routes on map (#384, #587) 2026-04-17 14:04:40 +02:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00
vitest.config.ts refactor(mcp): replace direct DB access with service layer calls 2026-04-04 18:12:53 +02:00