k1nq/TREK

Fork 0

mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00

Commit Graph

Author	SHA1	Message	Date
Maurice	e65acb3de7	Fix a batch of reported bugs (#1145 ) * fix(maps): fall back to OSM/Wikipedia for place photos and normalize non-standard language codes (#1137) * fix(auth): refuse password reset for OIDC/SSO-linked accounts (#1129) * fix(docker): ship server/assets (airports + atlas geo) in the runtime image (#1133, #1119) * fix(unraid): point the template at a PNG icon Unraid can render (#1073) * fix(offline): serve cached file blobs when offline or on network failure (#1046, #1069) * fix(map): centre the selected pin in the visible map area above the bottom panel (#1125) * fix(pdf): render persisted place-photo proxy URLs as images (#1130) * fix(planner): show the selected place category in the edit form (#1134) * fix(dashboard): collapse list-view trip cards to a compact row on mobile (#1132)	2026-06-11 13:31:43 +02:00
Xre0uS	28dbd86d03	fix(files): open attachments only in new tab (#840 ) window.open with noreferrer returns null, which triggered the popup-blocked download fallback in addition to the new-tab open. Use a target=_blank anchor click instead.	2026-04-23 10:06:56 +02:00
jubnl	8c7567faf3	fix(pwa): fix offline session redirect and file download auth (#505 #541 ) #541 — File downloads broken in PWA standalone mode Replace getAuthUrl + window.open pattern with blob-based fetch using credentials:include. The old approach minted a 60s single-use ephemeral token then called window.open, which handed the URL to the system browser on Android/iOS — losing the PWA cookie jar and producing "invalid or expired token". The new approach fetches the file directly inside the PWA WebView as a blob URL, so no auth handoff occurs. New helper client/src/utils/fileDownload.ts with downloadFile and openFile. Updated FileManager, ReservationsPanel, ReservationModal, PlaceInspector, CollabNotes. Security hardening in fileDownload.ts: - assertRelativeUrl() guard prevents credentials being sent to external hosts - openFile() checks blob.type against a safe-inline allowlist; HTML, SVG and other script-capable MIME types are forced to download instead of being opened inline, preventing same-origin XSS via blob URLs - resp.ok check covers all non-2xx responses, not just 401 #505 — PWA offline session lost on reload Wrap authStore with Zustand persist middleware, serializing only {user, isAuthenticated} to localStorage key trek_auth_snapshot. maps_api_key is intentionally excluded from the snapshot. On cold start with no network: persist hydrates isAuthenticated:true, App.tsx clears isLoading and calls loadUser({silent:true}), ProtectedRoute renders the dashboard immediately. The network error from loadUser leaves isAuthenticated intact so no login redirect occurs. On 401 or logout: store state is cleared, persist writes {isAuthenticated:false} — stale snapshot does not grant offline access after session expiry.	2026-04-14 21:48:25 +02:00

Author

SHA1

Message

Date

Maurice

e65acb3de7

Fix a batch of reported bugs (#1145 )

* fix(maps): fall back to OSM/Wikipedia for place photos and normalize non-standard language codes (#1137)

* fix(auth): refuse password reset for OIDC/SSO-linked accounts (#1129)

* fix(docker): ship server/assets (airports + atlas geo) in the runtime image (#1133, #1119)

* fix(unraid): point the template at a PNG icon Unraid can render (#1073)

* fix(offline): serve cached file blobs when offline or on network failure (#1046, #1069)

* fix(map): centre the selected pin in the visible map area above the bottom panel (#1125)

* fix(pdf): render persisted place-photo proxy URLs as images (#1130)

* fix(planner): show the selected place category in the edit form (#1134)

* fix(dashboard): collapse list-view trip cards to a compact row on mobile (#1132)

2026-06-11 13:31:43 +02:00

Xre0uS

28dbd86d03

fix(files): open attachments only in new tab (#840 )

window.open with noreferrer returns null, which triggered the popup-blocked download fallback in addition to the new-tab open. Use a target=_blank anchor click instead.

2026-04-23 10:06:56 +02:00

jubnl

8c7567faf3

fix(pwa): fix offline session redirect and file download auth (#505 #541 )

**#541 — File downloads broken in PWA standalone mode**
Replace getAuthUrl + window.open pattern with blob-based fetch using
credentials:include. The old approach minted a 60s single-use ephemeral
token then called window.open, which handed the URL to the system browser
on Android/iOS — losing the PWA cookie jar and producing "invalid or
expired token". The new approach fetches the file directly inside the
PWA WebView as a blob URL, so no auth handoff occurs.

New helper client/src/utils/fileDownload.ts with downloadFile and openFile.
Updated FileManager, ReservationsPanel, ReservationModal, PlaceInspector,
CollabNotes.

Security hardening in fileDownload.ts:
- assertRelativeUrl() guard prevents credentials being sent to external hosts
- openFile() checks blob.type against a safe-inline allowlist; HTML, SVG and
  other script-capable MIME types are forced to download instead of being
  opened inline, preventing same-origin XSS via blob URLs
- resp.ok check covers all non-2xx responses, not just 401

**#505 — PWA offline session lost on reload**
Wrap authStore with Zustand persist middleware, serializing only
{user, isAuthenticated} to localStorage key trek_auth_snapshot.
maps_api_key is intentionally excluded from the snapshot.

On cold start with no network: persist hydrates isAuthenticated:true,
App.tsx clears isLoading and calls loadUser({silent:true}), ProtectedRoute
renders the dashboard immediately. The network error from loadUser leaves
isAuthenticated intact so no login redirect occurs.

On 401 or logout: store state is cleared, persist writes
{isAuthenticated:false} — stale snapshot does not grant offline access
after session expiry.

2026-04-14 21:48:25 +02:00

3 Commits