Backend/frontend hardening & consistency cleanups (#1113)

* refactor(auth): session token validation and password-change consistency

* refactor(journey): entry field allow-list and public share-link consistency

* refactor(mcp): align tool authorization with the REST permission checks

* chore: input validation and sanitisation touch-ups (uploads, pdf, maps, backup, csp)

server/tests/unit/services/backupService.test.ts

@@ -33,6 +33,9 @@ const archiverMock = vi.hoisted(() => vi.fn());
 
 const unzipperMock = vi.hoisted(() => ({
   Extract: vi.fn(),
+  // Central-directory reader used for the pre-extract zip-bomb size check.
+  // Default to an empty archive so existing restore tests proceed to Extract.
+  Open: { file: vi.fn().mockResolvedValue({ files: [] }) },
 }));
 
 const dbMock = vi.hoisted(() => ({
@@ -532,6 +535,19 @@ describe('BACKUP-038 restoreFromZip', () => {
     expect(result.error).toMatch(/travel\.db not found/i);
     expect(result.status).toBe(400);
   });
+
+  it('BACKUP-038b — rejects a zip bomb whose declared decompressed size exceeds the cap', async () => {
+    unzipperMock.Open.file.mockResolvedValueOnce({
+      files: [{ uncompressedSize: 6 * 1024 * 1024 * 1024 }], // 6 GB > 5 GB cap
+    });
+
+    const result = await restoreFromZip('/data/tmp/bomb.zip');
+
+    expect(result.success).toBe(false);
+    expect(result.status).toBe(400);
+    expect(result.error).toMatch(/decompressed size/i);
+    expect(unzipperMock.Extract).not.toHaveBeenCalled(); // bailed before extracting
+  });
 });
 
 // ---------------------------------------------------------------------------