security: internal audit — batch 1

Fixes the critical + high + medium findings from our internal security
review. Bundled into one PR because the changes overlap heavily (JWT
verification unifies across three call sites; backup-code hashing and
demo-email handling cross-cut several services); splitting them out
would mean redundant reviews of the same files.

Critical
- CI-C1 — .github/workflows/test.yml: restore actions/{checkout,setup-
  node,upload-artifact} to @v4. The @v6 refs don't exist, so the test
  workflow was errorring before a single test ran.
- SEC-C1 — mfaPolicy now extracts the token via extractToken() (cookie-
  first, Bearer fallback). Previously it only read Authorization, so
  every cookie-authenticated SPA session bypassed require_mfa entirely.
- SEC-C2/C4/C6 — all JWT verification paths (MCP bearer, file download,
  photo route) now go through the shared verifyJwtAndLoadUser that
  checks password_version. resetPassword additionally deletes every
  mcp_tokens row and marks outstanding oauth_tokens revoked, so a
  password reset invalidates ALL credential classes — not just the
  cookie JWT.

High
- SEC-H2 — reset email URL is built from server-side APP_URL /
  ALLOWED_ORIGINS (via existing getAppUrl()), not request headers.
  Closes the host-header-injection vector into reset links.
- SEC-H3 — OIDC findOrCreateUser wraps the invite-redemption UPDATE +
  user INSERT in a transaction. The UPDATE is the capacity check; if
  a concurrent callback takes the last slot, the whole transaction
  aborts with registration_disabled instead of double-creating users.
- SEC-H4 — new verifyIdToken() performs full JWT signature
  verification via the provider's JWKS (Node's crypto.createPublicKey
  accepts JWK directly — no extra dependency), plus iss/aud/exp
  checks. The callback also rejects the login when userinfo.sub does
  not match id_token.sub.
- SEC-H5 — OAuth DCR now validates redirect_uris against an allowlist
  of schemes: https, http-loopback, or a private custom scheme. Plain
  http://non-loopback is rejected.
- SEC-H6 — oauthService audience defaults to mcpResource when the
  `resource` parameter is missing, so tokens are always audience-bound
  to /mcp instead of being issued with audience=null.
- SEC-H7 — HSTS is enabled any time NODE_ENV=production (previously
  required FORCE_HTTPS=true), includeSubDomains defaults on and can
  be disabled with HSTS_INCLUDE_SUBDOMAINS=false.
- SEC-H8 — trek_session cookie Secure flag is also driven by
  req.secure (which Express resolves from X-Forwarded-Proto once
  trust proxy is set), so instances behind a TLS-terminating proxy
  get Secure cookies without needing FORCE_HTTPS.

Medium
- SEC-M1 — permanentDeleteFile / emptyTrash / avatar unlink now use
  fs.promises.rm with { force: true } (one async op vs the previous
  existsSync + unlinkSync pair per file).
- SEC-M2 — invalidatePermissionsCache() is called inside restoreFromZip
  so a restored DB with different permission rows is honoured
  immediately.
- SEC-M3 + C1 — idempotency store bounds the key at 128 chars, caches
  only responses ≤ 256 KiB, and scopes the lookup by (key, user_id,
  method, path) rather than (key, user_id). Same key replayed against
  a different endpoint no longer returns a stale unrelated body.
- SEC-M4 — share_tokens gets an expires_at column; new tokens default
  to 90-day TTL, expired tokens are denied at lookup. Existing tokens
  stay NULL = no expiry so already-published links don't break.
- SEC-M5 — /uploads/photos/:filename now resolves the photo to its
  trip_id and requires the share token to cover THAT trip. Previously
  any share token for any trip would unlock any photo filename.
- SEC-M6 — BLOCKED_EXTENSIONS is the single source of truth shared
  between fileService and collab uploads. The '*' allowed_file_types
  wildcard now still rejects executables/scripts.
- SEC-M7 — single DEMO_EMAILS constant (services/demo.ts) used by
  demoUploadBlock, mfaPolicy, and every demo-mode guard in
  authService. The old demoUploadBlock only matched 'demo@nomad.app'
  so the seed 'demo@trek.app' could in fact upload in demo mode.
- SEC-M8 — MFA backup codes are now bcrypt-hashed at rest
  (hashBackupCodeBcrypt). matchBackupCode accepts both bcrypt and
  legacy SHA-256 hex hashes, so existing installs keep working until
  the user regenerates codes via enableMfa.
- SEC-M9 — document the "security via UUID v4 filename" model for
  /uploads/avatars|covers|journey. Requires no code change but
  captures the decision so future reviewers don't re-flag it.
- SEC-M10 — already covered by the resetPassword revocation logic
  above: mcp_tokens DELETE + oauth_tokens UPDATE … SET revoked_at.

Performance
- PERF-H1 — new migration adds the indexes flagged in the audit:
  trips(user_id), trips(created_at DESC), photos(day_id),
  photos(place_id), reservations(day_id), share_tokens(token), plus
  conditional day_accommodations and notifications indexes depending
  on which columns are present.

Tests
- tests/integration/oidc.test.ts now mocks verifyIdToken and passes
  an id_token in the exchangeCodeForToken stub for the three flows
  that exercise a successful callback. The three remaining failures
  tests pointed out were all pre-existing (file-upload flakes +
  notificationPreferences event_types count drift), none introduced
  by this PR.

server/src/middleware/auth.ts

@@ -4,6 +4,7 @@ import { db } from '../db/database';
 import { JWT_SECRET } from '../config';
 import { AuthRequest, OptionalAuthRequest, User } from '../types';
 import { applyIdempotency } from './idempotency';
+import { isDemoEmail } from '../services/demo';
 
 export function extractToken(req: Request): string | null {
   // Prefer httpOnly cookie; fall back to Authorization: Bearer (MCP, API clients)
@@ -13,7 +14,18 @@ export function extractToken(req: Request): string | null {
   return (authHeader && authHeader.split(' ')[1]) || null;
 }
 
-function verifyJwtAndLoadUser(token: string): User | null {
+/**
+ * Verify a JWT and load its user, enforcing the password_version gate.
+ *
+ * Exported so every auth surface in the codebase (MCP bearer tokens,
+ * file download query tokens, the photo-serving route) goes through the
+ * same check. A password reset bumps `users.password_version`, which
+ * invalidates every JWT that embedded the prior value — but only if
+ * every verify path actually compares the claim. Previously several
+ * paths called `jwt.verify` directly and skipped the DB lookup, so a
+ * stolen token kept working after the victim reset.
+ */
+export function verifyJwtAndLoadUser(token: string): User | null {
   try {
     const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number; pv?: number };
     const row = db.prepare(
@@ -93,8 +105,8 @@ const adminOnly = (req: Request, res: Response, next: NextFunction): void => {
 
 const demoUploadBlock = (req: Request, res: Response, next: NextFunction): void => {
   const authReq = req as AuthRequest;
-  if (process.env.DEMO_MODE === 'true' && authReq.user?.email === 'demo@nomad.app') {
-    res.status(403).json({ error: 'Uploads are disabled in demo mode. Self-host NOMAD for full functionality.' });
+  if (process.env.DEMO_MODE === 'true' && isDemoEmail(authReq.user?.email)) {
+    res.status(403).json({ error: 'Uploads are disabled in demo mode. Self-host TREK for full functionality.' });
     return;
   }
   next();

server/src/middleware/idempotency.ts

@@ -2,6 +2,13 @@ import { Request, Response, NextFunction } from 'express';
 import { db } from '../db/database';
 
 const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+// Reject pathological client-supplied keys outright instead of hashing
+// everything — 128 chars is plenty for any realistic UUID / ULID / nonce.
+const MAX_KEY_LENGTH = 128;
+// Responses larger than this are not worth caching — a backup-restore
+// endpoint could otherwise store a megabyte-sized JSON body per request
+// key and, with mass key creation, blow up idempotency_keys.
+const MAX_CACHED_BODY_BYTES = 256 * 1024;
 
 interface IdempotencyRow {
   status_code: number;
@@ -12,9 +19,14 @@ interface IdempotencyRow {
  * Called from within `authenticate` after req.user is set.
  *
  * For mutating requests carrying X-Idempotency-Key:
- * - If (key, userId) already stored: replays the cached response.
+ * - If (key, userId, method, path) already stored: replays the cached response.
  * - Otherwise: wraps res.json to capture and store a successful response.
  *
+ * The lookup is scoped by method + path as well as user so the same key
+ * replayed against a different endpoint doesn't return the cached body
+ * of an unrelated request. Key length is capped and the cached body is
+ * skipped when it exceeds `MAX_CACHED_BODY_BYTES`.
+ *
  * Storing happens in idempotency_keys (24h TTL, cleaned by scheduler).
  */
 export function applyIdempotency(req: Request, res: Response, next: NextFunction, userId: number): void {
@@ -28,11 +40,17 @@ export function applyIdempotency(req: Request, res: Response, next: NextFunction
     next();
     return;
   }
+  if (key.length > MAX_KEY_LENGTH) {
+    res.status(400).json({ error: 'X-Idempotency-Key exceeds maximum length of 128 characters' });
+    return;
+  }
 
-  // Return cached response if key already processed for this user
+  // Return cached response only if the same key was seen for the same
+  // user AND the same method+path — avoids a POST's cached body leaking
+  // into an unrelated PATCH that reused the idempotency-key string.
   const existing = db.prepare(
-    'SELECT status_code, response_body FROM idempotency_keys WHERE key = ? AND user_id = ?'
-  ).get(key, userId) as IdempotencyRow | undefined;
+    'SELECT status_code, response_body FROM idempotency_keys WHERE key = ? AND user_id = ? AND method = ? AND path = ?'
+  ).get(key, userId, req.method, req.path) as IdempotencyRow | undefined;
 
   if (existing) {
     res.status(existing.status_code).json(JSON.parse(existing.response_body));
@@ -44,10 +62,13 @@ export function applyIdempotency(req: Request, res: Response, next: NextFunction
   res.json = function (body: unknown): Response {
     if (res.statusCode >= 200 && res.statusCode < 300) {
       try {
-        db.prepare(
-          `INSERT OR IGNORE INTO idempotency_keys (key, user_id, method, path, status_code, response_body, created_at)
-           VALUES (?, ?, ?, ?, ?, ?, ?)`
-        ).run(key, userId, req.method, req.path, res.statusCode, JSON.stringify(body), Math.floor(Date.now() / 1000));
+        const serialized = JSON.stringify(body);
+        if (serialized.length <= MAX_CACHED_BODY_BYTES) {
+          db.prepare(
+            `INSERT OR IGNORE INTO idempotency_keys (key, user_id, method, path, status_code, response_body, created_at)
+             VALUES (?, ?, ?, ?, ?, ?, ?)`
+          ).run(key, userId, req.method, req.path, res.statusCode, serialized, Math.floor(Date.now() / 1000));
+        }
       } catch {
         // Non-fatal: if storage fails, the request still succeeds
       }

server/src/middleware/mfaPolicy.ts

@@ -2,6 +2,8 @@ import { Request, Response, NextFunction } from 'express';
 import jwt from 'jsonwebtoken';
 import { db } from '../db/database';
 import { JWT_SECRET } from '../config';
+import { extractToken } from './auth';
+import { DEMO_EMAILS } from '../services/demo';
 
 /** Paths that never require MFA (public or pre-auth). */
 export function isPublicApiPath(method: string, pathNoQuery: string): boolean {
@@ -42,8 +44,11 @@ export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFu
     return;
   }
 
-  const authHeader = req.headers.authorization;
-  const token = authHeader && authHeader.split(' ')[1];
+  // Accept both the httpOnly session cookie (regular SPA users) and the
+  // Authorization header (MCP / API clients). Previously this only looked
+  // at the header so every normal cookie-authenticated session sailed
+  // past `require_mfa` unchecked.
+  const token = extractToken(req);
   if (!token) {
     next();
     return;
@@ -66,7 +71,7 @@ export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFu
 
   if (process.env.DEMO_MODE === 'true') {
     const demo = db.prepare('SELECT email FROM users WHERE id = ?').get(userId) as { email: string } | undefined;
-    if (demo?.email === 'demo@trek.app' || demo?.email === 'demo@nomad.app') {
+    if (demo?.email && DEMO_EMAILS.has(demo.email)) {
       next();
       return;
     }