Trek_CN/client
jubnl 9b1baaf7b8
feat(oauth): browser-initiated dynamic client registration (DCR)
Adds an OAuth 2.1 public client registration flow so MCP clients can
self-register via a user-facing consent page instead of requiring manual
setup in Settings.

Server:
- DB migration adds `is_public` and `created_via` columns to oauth_clients
- New GET /api/oauth/register/validate — validates DCR params, returns
  requested scopes; unauthenticated callers get loginRequired flag
- New POST /api/oauth/register — creates a public client, saves consent,
  and redirects with client_id (cookie auth required)
- `authenticateClient` / `refreshTokens` skip secret check for public
  clients (PKCE provides the security guarantee)
- `createOAuthClient` accepts options for isPublic/createdVia; public
  clients store an opaque secret hash instead of a usable secret
- `rotateOAuthClientSecret` blocked on public clients
- `isValidRedirectUri` extracted as a shared helper
- Discovery metadata now advertises registration_endpoint and auth method
  `none`; token/revoke endpoints no longer require client_secret for
  public clients

Client:
- New OAuthRegisterPage (/oauth/register) — loading → optional
  login-required gate → scope selection → done states
- New ScopeGroupPicker component — collapsible groups, indeterminate
  checkboxes, select-all per group or globally
- oauthApi.register.{validate,submit} added to api/client.ts
- apiClient exported so it can be reused outside api/client.ts
- IntegrationsTab tests fixed for new collapsible section structure
- collab_notes fallback changed from undefined to [] in MCP trip tools
2026-04-10 05:20:54 +02:00
..
public ui(trip): replace plane loading animation with TREK logo GIF 2026-04-05 17:28:04 +02:00
scripts Add PWA support for iOS home screen install 2026-03-21 22:21:23 +01:00
src feat(oauth): browser-initiated dynamic client registration (DCR) 2026-04-10 05:20:54 +02:00
tests feat(oauth): browser-initiated dynamic client registration (DCR) 2026-04-10 05:20:54 +02:00
index.html fix: harden PWA caching and client-side auth security 2026-03-31 00:33:58 +00:00
package-lock.json fix(client): downgrade vitest to ^3.x to align with vite@5 2026-04-09 23:23:04 +02:00
package.json fix(client): downgrade vitest to ^3.x to align with vite@5 2026-04-09 23:23:04 +02:00
postcss.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tailwind.config.js Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
tsconfig.json test(front): add test suite frontend (WIP) 2026-04-07 12:31:09 +02:00
vite.config.js fix(csp): disable Vite module preload polyfill to prevent inline script violation 2026-04-10 01:10:32 +02:00
vitest.config.ts test(front): add test suite frontend (WIP) 2026-04-07 12:31:09 +02:00