Trek_CN/client
jubnl 8c7567faf3
fix(pwa): fix offline session redirect and file download auth (#505 #541)
**#541 — File downloads broken in PWA standalone mode**
Replace getAuthUrl + window.open pattern with blob-based fetch using
credentials:include. The old approach minted a 60s single-use ephemeral
token then called window.open, which handed the URL to the system browser
on Android/iOS — losing the PWA cookie jar and producing "invalid or
expired token". The new approach fetches the file directly inside the
PWA WebView as a blob URL, so no auth handoff occurs.

New helper client/src/utils/fileDownload.ts with downloadFile and openFile.
Updated FileManager, ReservationsPanel, ReservationModal, PlaceInspector,
CollabNotes.

Security hardening in fileDownload.ts:
- assertRelativeUrl() guard prevents credentials being sent to external hosts
- openFile() checks blob.type against a safe-inline allowlist; HTML, SVG and
  other script-capable MIME types are forced to download instead of being
  opened inline, preventing same-origin XSS via blob URLs
- resp.ok check covers all non-2xx responses, not just 401

**#505 — PWA offline session lost on reload**
Wrap authStore with Zustand persist middleware, serializing only
{user, isAuthenticated} to localStorage key trek_auth_snapshot.
maps_api_key is intentionally excluded from the snapshot.

On cold start with no network: persist hydrates isAuthenticated:true,
App.tsx clears isLoading and calls loadUser({silent:true}), ProtectedRoute
renders the dashboard immediately. The network error from loadUser leaves
isAuthenticated intact so no login redirect occurs.

On 401 or logout: store state is cleared, persist writes
{isAuthenticated:false} — stale snapshot does not grant offline access
after session expiry.
2026-04-14 21:48:25 +02:00
..
public ui(trip): replace plane loading animation with TREK logo GIF 2026-04-05 17:28:04 +02:00
scripts Add PWA support for iOS home screen install 2026-03-21 22:21:23 +01:00
src fix(pwa): fix offline session redirect and file download auth (#505 #541) 2026-04-14 21:48:25 +02:00
tests fix(pwa): fix offline session redirect and file download auth (#505 #541) 2026-04-14 21:48:25 +02:00
index.html feat: Journey addon — travel journal with entries, photos, public sharing & PDF export 2026-04-11 19:01:34 +02:00
package-lock.json fix(collab): preserve line breaks in notes display (#608) 2026-04-13 20:24:13 +02:00
package.json fix(collab): preserve line breaks in notes display (#608) 2026-04-13 20:24:13 +02:00
postcss.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tailwind.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tsconfig.json test(front): add test suite frontend (WIP) 2026-04-07 12:31:09 +02:00
vite.config.js fix(csp): disable Vite module preload polyfill to prevent inline script violation 2026-04-10 01:10:32 +02:00
vitest.config.ts fix(tests): restore native AbortController for undici fetch compatibility 2026-04-14 15:08:55 +02:00