fix(pwa): fix offline session redirect and file download auth (#505 #541)

**#541 — File downloads broken in PWA standalone mode** Replace getAuthUrl + window.open pattern with blob-based fetch using credentials:include. The old approach minted a 60s single-use ephemeral token then called window.open, which handed the URL to the system browser on Android/iOS — losing the PWA cookie jar and producing "invalid or expired token". The new approach fetches the file directly inside the PWA WebView as a blob URL, so no auth handoff occurs. New helper client/src/utils/fileDownload.ts with downloadFile and openFile. Updated FileManager, ReservationsPanel, ReservationModal, PlaceInspector, CollabNotes. Security hardening in fileDownload.ts: - assertRelativeUrl() guard prevents credentials being sent to external hosts - openFile() checks blob.type against a safe-inline allowlist; HTML, SVG and other script-capable MIME types are forced to download instead of being opened inline, preventing same-origin XSS via blob URLs - resp.ok check covers all non-2xx responses, not just 401 **#505 — PWA offline session lost on reload** Wrap authStore with Zustand persist middleware, serializing only {user, isAuthenticated} to localStorage key trek_auth_snapshot. maps_api_key is intentionally excluded from the snapshot. On cold start with no network: persist hydrates isAuthenticated:true, App.tsx clears isLoading and calls loadUser({silent:true}), ProtectedRoute renders the dashboard immediately. The network error from loadUser leaves isAuthenticated intact so no login redirect occurs. On 401 or logout: store state is cleared, persist writes {isAuthenticated:false} — stale snapshot does not grant offline access after session expiry.
2026-06-19 13:21:46 +00:00 · 2026-04-14 21:48:25 +02:00
parent 1268d3e7b1
commit 8c7567faf3
10 changed files with 314 additions and 26 deletions
@@ -0,0 +1,135 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { downloadFile, openFile } from '../../../src/utils/fileDownload'
+
+function makeFetchMock(status: number, blob: Blob = new Blob(['data'], { type: 'application/pdf' })) {
+  return vi.fn().mockResolvedValue({
+    status,
+    ok: status >= 200 && status < 300,
+    blob: () => Promise.resolve(blob),
+  })
+}
+
+beforeEach(() => {
+  vi.spyOn(URL, 'createObjectURL').mockReturnValue('blob:mock-url')
+  vi.spyOn(URL, 'revokeObjectURL').mockImplementation(() => {})
+  vi.spyOn(document.body, 'appendChild').mockImplementation((el) => el)
+  vi.spyOn(document.body, 'removeChild').mockImplementation((el) => el)
+  vi.useFakeTimers()
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.useRealTimers()
+})
+
+describe('assertRelativeUrl (URL guard)', () => {
+  it('rejects absolute http URLs', async () => {
+    await expect(downloadFile('https://evil.com/x')).rejects.toThrow('Refusing to fetch non-relative URL')
+  })
+  it('rejects protocol-relative URLs', async () => {
+    await expect(downloadFile('//evil.com/x')).rejects.toThrow('Refusing to fetch non-relative URL')
+  })
+  it('allows relative paths', async () => {
+    vi.stubGlobal('fetch', makeFetchMock(200))
+    vi.spyOn(HTMLAnchorElement.prototype, 'click').mockImplementation(() => {})
+    await expect(downloadFile('/trips/1/files/2/download')).resolves.toBeUndefined()
+  })
+})
+
+describe('downloadFile', () => {
+  it('fetches with credentials:include and triggers anchor download', async () => {
+    const fetchMock = makeFetchMock(200)
+    vi.stubGlobal('fetch', fetchMock)
+
+    const clickSpy = vi.spyOn(HTMLAnchorElement.prototype, 'click').mockImplementation(() => {})
+
+    await downloadFile('/uploads/files/test.pdf', 'test.pdf')
+
+    expect(fetchMock).toHaveBeenCalledWith('/uploads/files/test.pdf', { credentials: 'include' })
+    expect(URL.createObjectURL).toHaveBeenCalled()
+    expect(clickSpy).toHaveBeenCalled()
+
+    // Revoke happens after setTimeout(100)
+    vi.runAllTimers()
+    expect(URL.revokeObjectURL).toHaveBeenCalledWith('blob:mock-url')
+  })
+
+  it('sets download attribute to filename when provided', async () => {
+    vi.stubGlobal('fetch', makeFetchMock(200))
+    vi.spyOn(HTMLAnchorElement.prototype, 'click').mockImplementation(() => {})
+
+    await downloadFile('/uploads/files/report.pdf', 'report.pdf')
+
+    // Check anchor was created with download attribute
+    const appendCalls = (document.body.appendChild as ReturnType<typeof vi.fn>).mock.calls
+    const anchor = appendCalls[0]?.[0] as HTMLAnchorElement
+    expect(anchor.download).toBe('report.pdf')
+  })
+
+  it('throws on 401 response', async () => {
+    vi.stubGlobal('fetch', makeFetchMock(401))
+    await expect(downloadFile('/uploads/files/secret.pdf')).rejects.toThrow('Unauthorized')
+    expect(URL.createObjectURL).not.toHaveBeenCalled()
+  })
+})
+
+describe('openFile', () => {
+  it('fetches with credentials:include and opens blob URL in new tab', async () => {
+    vi.stubGlobal('fetch', makeFetchMock(200))
+    const mockWin = { closed: false }
+    const openSpy = vi.spyOn(window, 'open').mockReturnValue(mockWin as Window)
+
+    await openFile('/uploads/files/doc.pdf')
+
+    expect(window.fetch).toHaveBeenCalledWith('/uploads/files/doc.pdf', { credentials: 'include' })
+    expect(URL.createObjectURL).toHaveBeenCalled()
+    expect(openSpy).toHaveBeenCalledWith('blob:mock-url', '_blank', 'noreferrer')
+
+    // Revoke happens after 30s timeout
+    vi.runAllTimers()
+    expect(URL.revokeObjectURL).toHaveBeenCalledWith('blob:mock-url')
+  })
+
+  it('falls back to anchor download when popup is blocked', async () => {
+    vi.stubGlobal('fetch', makeFetchMock(200))
+    vi.spyOn(window, 'open').mockReturnValue(null)
+    const clickSpy = vi.spyOn(HTMLAnchorElement.prototype, 'click').mockImplementation(() => {})
+
+    await openFile('/uploads/files/doc.pdf')
+
+    expect(clickSpy).toHaveBeenCalled()
+    vi.runAllTimers()
+    expect(URL.revokeObjectURL).toHaveBeenCalledWith('blob:mock-url')
+  })
+
+  it('throws on 401 response', async () => {
+    vi.stubGlobal('fetch', makeFetchMock(401, new Blob([], { type: 'application/pdf' })))
+    await expect(openFile('/uploads/files/secret.pdf')).rejects.toThrow('Unauthorized')
+    expect(URL.createObjectURL).not.toHaveBeenCalled()
+  })
+
+  it('forces download for unsafe MIME types (HTML, SVG) instead of opening inline', async () => {
+    const htmlBlob = new Blob(['<script>alert(1)</script>'], { type: 'text/html' })
+    vi.stubGlobal('fetch', makeFetchMock(200, htmlBlob))
+    const openSpy = vi.spyOn(window, 'open').mockReturnValue({} as Window)
+    const clickSpy = vi.spyOn(HTMLAnchorElement.prototype, 'click').mockImplementation(() => {})
+
+    await openFile('/uploads/files/malicious.html')
+
+    // Must NOT open inline — download anchor clicked instead
+    expect(openSpy).not.toHaveBeenCalled()
+    expect(clickSpy).toHaveBeenCalled()
+  })
+
+  it('forces download for SVG MIME type', async () => {
+    const svgBlob = new Blob(['<svg><script>alert(1)</script></svg>'], { type: 'image/svg+xml' })
+    vi.stubGlobal('fetch', makeFetchMock(200, svgBlob))
+    vi.spyOn(window, 'open').mockReturnValue({} as Window)
+    const clickSpy = vi.spyOn(HTMLAnchorElement.prototype, 'click').mockImplementation(() => {})
+
+    await openFile('/uploads/files/malicious.svg')
+
+    expect(window.open).not.toHaveBeenCalled()
+    expect(clickSpy).toHaveBeenCalled()
+  })
+})