Trek_CN/server
jubnl 20bf9c2312
security: close SEC-H4/H6 gaps from second-pass review
- SEC-H6: remove conditional audience check in mcp/index.ts — audience is
  now always enforced against the mcpResource URL. Add migration to revoke
  pre-existing oauth_tokens with audience=NULL so dead rows don't linger.
- SEC-H4: validate doc.issuer against config.issuer inside discover() to
  prevent a MITM'd discovery doc from supplying a crafted expected issuer.
  verifyIdToken caller now passes config.issuer as ground truth, not
  doc.issuer.
- tests: cover three new OIDC callback failure paths (no_id_token,
  id_token_invalid, subject_mismatch) and two idempotency caps (key length
  >128 chars returns 400, body >256 KiB skips caching).
2026-04-20 21:35:30 +02:00
..
assets refactor: move airports.json out of server/data into server/assets 2026-04-18 02:02:09 +02:00
public chore(CRLF): normalize index.html line endings to LF 2026-04-05 04:35:17 +02:00
scripts docs: add full wiki with 74 pages, assets, and CI workflow 2026-04-20 10:11:53 +02:00
src security: close SEC-H4/H6 gaps from second-pass review 2026-04-20 21:35:30 +02:00
tests security: close SEC-H4/H6 gaps from second-pass review 2026-04-20 21:35:30 +02:00
.env.example feat(login): add language dropdown, browser auto-detection and configurable default 2026-04-12 20:03:57 -03:00
package-lock.json feat(bookings): show transport routes on map (#384, #587) 2026-04-17 14:04:40 +02:00
package.json feat(bookings): show transport routes on map (#384, #587) 2026-04-17 14:04:40 +02:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00
vitest.config.ts refactor(mcp): replace direct DB access with service layer calls 2026-04-04 18:12:53 +02:00