v3.0.22 Bug Fixes & Improvements (#1041)

Bundles the v3.0.22 bug fixes and improvements. See the release notes for the full list.
2026-06-19 21:31:46 +00:00 · 2026-05-25 01:13:20 +02:00
parent 75772445a7
commit 86ee8044da
54 changed files with 1110 additions and 234 deletions
@@ -100,6 +100,12 @@ export const COUNTRY_BOXES: Record<string, [number, number, number, number]> = {
  UG:[29.6,-1.5,35.0,4.2],UY:[-58.4,-34.9,-53.1,-30.1],UZ:[55.9,37.2,73.1,45.6],VE:[-73.4,0.7,-59.8,12.2],
  AE:[51.6,22.6,56.4,26.1],GB:[-8,49.9,2,60.9],US:[-125,24.5,-66.9,49.4],VN:[102.1,8.6,109.5,23.4],XK:[20.0,41.9,21.8,43.3],
  YE:[42.5,12.1,54.0,19.0],ZM:[21.9,-18.1,33.7,-8.2],ZW:[25.2,-22.4,33.1,-15.6],
+  // Territories with their own ISO code that sit inside a larger country's box.
+  // Listed so getCountryFromCoords()'s smallest-box match picks them over the host
+  // (e.g. Hong Kong/Macau over China, San Marino/Vatican over Italy).
+  HK:[113.83,22.15,114.43,22.56],MO:[113.53,22.10,113.60,22.21],SM:[12.40,43.89,12.52,43.99],
+  VA:[12.44,41.90,12.46,41.91],MC:[7.40,43.72,7.44,43.75],LI:[9.47,47.05,9.64,47.27],
+  GI:[-5.36,36.11,-5.33,36.16],PR:[-67.30,17.88,-65.22,18.53],
 };

 export const NAME_TO_CODE: Record<string, string> = {
@@ -144,6 +150,9 @@ export const NAME_TO_CODE: Record<string, string> = {
  'angola':'AO','namibia':'NA','botswana':'BW','zimbabwe':'ZW','zambia':'ZM','malawi':'MW',
  'mozambique':'MZ','mozambik':'MZ','madagascar':'MG','rwanda':'RW','burundi':'BI',
  'somalia':'SO','papua new guinea':'PG','brunei':'BN',
+  'hong kong':'HK','hong kong sar':'HK','macau':'MO','macao':'MO','macau sar':'MO',
+  'san marino':'SM','vatican':'VA','vatican city':'VA','holy see':'VA','monaco':'MC',
+  'liechtenstein':'LI','gibraltar':'GI','puerto rico':'PR',
 };

 export const CONTINENT_MAP: Record<string, string> = {
@@ -167,6 +176,7 @@ export const CONTINENT_MAP: Record<string, string> = {
  ZA:'Africa',SE:'Europe',CH:'Europe',TH:'Asia',TR:'Europe',UA:'Europe',UG:'Africa',UY:'South America',
  UZ:'Asia',VE:'South America',AE:'Asia',GB:'Europe',US:'North America',VN:'Asia',XK:'Europe',
  YE:'Asia',ZM:'Africa',ZW:'Africa',NG:'Africa',
+  HK:'Asia',MO:'Asia',SM:'Europe',VA:'Europe',MC:'Europe',LI:'Europe',GI:'Europe',PR:'North America',
 };

 // ── Geocoding helpers ───────────────────────────────────────────────────────
@@ -366,11 +376,17 @@ export async function getStats(userId: number) {
  for (const place of places) {
    if (place.address) {
      const parts = place.address.split(',').map((s: string) => s.trim()).filter(Boolean);
-      let raw = parts.length >= 2 ? parts[parts.length - 2] : parts[0];
-      if (raw) {
-        const city = raw.replace(/[\d\-\u2212\u3012]+/g, '').trim().toLowerCase();
-        if (city) citySet.add(city);
+      // The last part is the country; the city is usually right before it, but a
+      // full formatted address can have a postal code sitting between them
+      // (e.g. "Bucharest, 010071, Romania"). Walk back from the country and take
+      // the first part that still has letters once digits/postal noise is stripped.
+      const candidates = parts.length >= 2 ? parts.slice(0, -1) : parts;
+      let city = '';
+      for (let i = candidates.length - 1; i >= 0; i--) {
+        const cleaned = candidates[i].replace(/[\d\-\u2212\u3012]+/g, '').trim();
+        if (cleaned) { city = cleaned.toLowerCase(); break; }
      }
+      if (city) citySet.add(city);
    }
  }
  const totalCities = citySet.size;
@@ -96,6 +96,17 @@ export function createBudgetItem(
  return item;
 }

+export function linkBudgetItemToReservation(
+  tripId: string | number,
+  reservationId: number,
+  data: { name: string; category?: string; total_price: number },
+) {
+  const item = createBudgetItem(tripId, data) as BudgetItem & { reservation_id?: number | null };
+  db.prepare('UPDATE budget_items SET reservation_id = ? WHERE id = ?').run(reservationId, item.id);
+  item.reservation_id = reservationId;
+  return item;
+}
+
 export function updateBudgetItem(
  id: string | number,
  tripId: string | number,
@@ -60,6 +60,7 @@ interface OAuthClientRow {
  created_at: string;
  is_public: number;       // 0 | 1 (SQLite boolean)
  created_via: string;     // 'settings_ui' | 'browser-registration'
+  allows_client_credentials: number; // 0 | 1
 }

 interface OAuthTokenRow {
@@ -106,11 +107,12 @@ function generateRefreshToken(): string {

 export function listOAuthClients(userId: number): Record<string, unknown>[] {
  const rows = db.prepare(
-    'SELECT id, user_id, name, client_id, redirect_uris, allowed_scopes, created_at, is_public, created_via FROM oauth_clients WHERE user_id = ? ORDER BY created_at DESC'
+    'SELECT id, user_id, name, client_id, redirect_uris, allowed_scopes, created_at, is_public, created_via, allows_client_credentials FROM oauth_clients WHERE user_id = ? ORDER BY created_at DESC'
  ).all(userId) as OAuthClientRow[];
  return rows.map(r => ({
    ...r,
    is_public: Boolean(r.is_public),
+    allows_client_credentials: Boolean(r.allows_client_credentials),
    redirect_uris: JSON.parse(r.redirect_uris),
    allowed_scopes: JSON.parse(r.allowed_scopes),
  }));
@@ -132,11 +134,12 @@ export function createOAuthClient(
  redirectUris: string[],
  allowedScopes: string[],
  ip?: string | null,
-  options?: { isPublic?: boolean; createdVia?: string },
+  options?: { isPublic?: boolean; createdVia?: string; allowsClientCredentials?: boolean },
 ): { error?: string; status?: number; client?: Record<string, unknown> } {
  if (!name?.trim()) return { error: 'Name is required', status: 400 };
  if (name.trim().length > 100) return { error: 'Name must be 100 characters or less', status: 400 };
-  if (!redirectUris || redirectUris.length === 0) return { error: 'At least one redirect URI is required', status: 400 };
+  const isMachineClient = Boolean(options?.allowsClientCredentials);
+  if (!isMachineClient && (!redirectUris || redirectUris.length === 0)) return { error: 'At least one redirect URI is required', status: 400 };
  if (redirectUris.length > 10) return { error: 'Maximum 10 redirect URIs per client', status: 400 };

  for (const uri of redirectUris) {
@@ -164,7 +167,8 @@ export function createOAuthClient(
    if (count >= 500) return { error: 'server_error', status: 503 };
  }

-  const isPublic    = options?.isPublic ?? false;
+  // Machine clients (client_credentials) must always be confidential — ignore isPublic for them.
+  const isPublic    = isMachineClient ? false : (options?.isPublic ?? false);
  const createdVia  = options?.createdVia ?? 'settings_ui';
  const id          = randomUUID();
  const clientId    = randomUUID();
@@ -173,14 +177,14 @@ export function createOAuthClient(
  const secretHash  = rawSecret ? hashToken(rawSecret) : randomBytes(32).toString('hex');

  db.prepare(
-    'INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash, redirect_uris, allowed_scopes, is_public, created_via) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
-  ).run(id, userId, name.trim(), clientId, secretHash, JSON.stringify(redirectUris), JSON.stringify(allowedScopes), isPublic ? 1 : 0, createdVia);
+    'INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash, redirect_uris, allowed_scopes, is_public, created_via, allows_client_credentials) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
+  ).run(id, userId, name.trim(), clientId, secretHash, JSON.stringify(redirectUris), JSON.stringify(allowedScopes), isPublic ? 1 : 0, createdVia, isMachineClient ? 1 : 0);

  const row = db.prepare(
-    'SELECT id, user_id, name, client_id, redirect_uris, allowed_scopes, created_at, is_public, created_via FROM oauth_clients WHERE id = ?'
+    'SELECT id, user_id, name, client_id, redirect_uris, allowed_scopes, created_at, is_public, created_via, allows_client_credentials FROM oauth_clients WHERE id = ?'
  ).get(id) as OAuthClientRow;

-  writeAudit({ userId, action: 'oauth.client.create', details: { client_id: clientId, name: name.trim(), is_public: isPublic }, ip });
+  writeAudit({ userId, action: 'oauth.client.create', details: { client_id: clientId, name: name.trim(), is_public: isPublic, allows_client_credentials: isMachineClient }, ip });

  return {
    client: {
@@ -192,6 +196,7 @@ export function createOAuthClient(
      allowed_scopes: JSON.parse(row.allowed_scopes),
      created_at: row.created_at,
      is_public: Boolean(row.is_public),
+      allows_client_credentials: Boolean(row.allows_client_credentials),
      created_via: row.created_via,
      // client_secret only present for confidential clients — shown once, not stored in plain text
      ...(rawSecret ? { client_secret: rawSecret } : {}),
@@ -330,6 +335,43 @@ export function issueTokens(
  };
 }

+// Issues an access token only — no refresh token (RFC 6749 §4.4.3).
+// Used exclusively for the client_credentials grant. A random opaque hash is
+// stored in refresh_token_hash to satisfy the NOT NULL/UNIQUE constraint; it
+// can never be presented as a valid refresh token (same precedent as public
+// client secret hashes stored in client_secret_hash).
+export function issueClientCredentialsToken(
+  clientId: string,
+  userId: number,
+  scopes: string[],
+  audience: string,
+): {
+  access_token: string;
+  token_type: 'Bearer';
+  expires_in: number;
+  scope: string;
+} {
+  const rawAccess       = generateAccessToken();
+  const accessHash      = hashToken(rawAccess);
+  const placeholderHash = randomBytes(32).toString('hex');
+
+  const now         = new Date();
+  const accessExpiry = new Date(now.getTime() + ACCESS_TOKEN_TTL_S * 1000);
+
+  db.prepare(`
+    INSERT INTO oauth_tokens
+      (client_id, user_id, access_token_hash, refresh_token_hash, scopes, audience, access_token_expires_at, refresh_token_expires_at, parent_token_id)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(clientId, userId, accessHash, placeholderHash, JSON.stringify(scopes), audience, accessExpiry.toISOString(), now.toISOString(), null);
+
+  return {
+    access_token: rawAccess,
+    token_type:   'Bearer',
+    expires_in:   ACCESS_TOKEN_TTL_S,
+    scope:        scopes.join(' '),
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Token verification (used by MCP handler on every request)
 // ---------------------------------------------------------------------------
@@ -506,6 +506,11 @@ export function exportICS(tripId: string | number): { ics: string; filename: str
  // Reservations as events
  for (const r of reservations) {
    if (!r.reservation_time) continue;
+    // Skip time-only values (no calendar date — occurs on relative "Day N" trips)
+    const hasDate = r.reservation_time.includes('T')
+      ? /^\d{4}-\d{2}-\d{2}$/.test(r.reservation_time.split('T')[0])
+      : /^\d{4}-\d{2}-\d{2}$/.test(r.reservation_time);
+    if (!hasDate) continue;
    const hasTime = r.reservation_time.includes('T');
    const meta = r.metadata ? (typeof r.metadata === 'string' ? JSON.parse(r.metadata) : r.metadata) : {};