v2.4.0 — OIDC login, OpenStreetMap search, account management

Features:
- Single Sign-On (OIDC) — login with Google, Apple, Authentik, Keycloak
- OpenStreetMap place search as free fallback when no Google API key
- Change password in user settings
- Delete own account (with last-admin protection)
- Last login column in admin user management
- SSO badge and provider info in user settings
- Google API key "Recommended" badge in admin panel

Improvements:
- API keys load correctly after page reload
- Validate auto-saves keys before testing
- Time format respects 12h/24h setting everywhere
- Dark mode fixes for popups and backup buttons
- Admin stats: removed photos, 4-column layout
- Profile picture upload button on avatar overlay
- TravelStats duplicate key fix
- Backup panel dark mode support

.github/workflows/docker.yml

@@ -0,0 +1,25 @@
+name: Build & Push Docker Image
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: mauriceboe/nomad:latest

LICENSE

@@ -1,21 +1,661 @@
-MIT License
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
 
-Copyright (c) 2026 mauriceboe
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+                            Preamble
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

README.md

@@ -9,11 +9,27 @@ A self-hosted, real-time collaborative travel planner for organizing trips with
 [![GitHub Stars](https://img.shields.io/github/stars/mauriceboe/NOMAD)](https://github.com/mauriceboe/NOMAD)
 [![Last Commit](https://img.shields.io/github/last-commit/mauriceboe/NOMAD)](https://github.com/mauriceboe/NOMAD/commits)
 
+**[Live Demo](https://demo-nomad.pakulat.org)** — Try NOMAD without installing. Resets hourly.
+
+![NOMAD Screenshot](docs/screenshot.png)
+
+<details>
+<summary>More Screenshots</summary>
+
+| | |
+|---|---|
+| ![Plan Detail](docs/screenshot-plan-detail.png) | ![Bookings](docs/screenshot-bookings.png) |
+| ![Packing List](docs/screenshot-packing.png) | ![Budget](docs/screenshot-budget.png) |
+| ![Files](docs/screenshot-files.png) | |
+
+</details>
+
 ## Features
 
 - **Real-Time Collaboration** — Plan together via WebSocket live sync — changes appear instantly across all connected users
 - **Interactive Map** — Leaflet map with marker clustering, route visualization, and customizable tile sources
-- **Google Places Integration** — Search places, auto-fill details including ratings, reviews, opening hours, and photos (requires API key)
+- **Place Search** — Search via Google Places (with photos, ratings, opening hours) or OpenStreetMap (free, no API key needed)
+- **Single Sign-On (OIDC)** — Login with Google, Apple, Authentik, Keycloak, or any OIDC provider
 - **Drag & Drop Planner** — Organize places into day plans with reordering and cross-day moves
 - **Weather Forecasts** — Current weather and 5-day forecasts with smart caching (requires API key)
 - **Budget Tracking** — Category-based expenses with pie chart, per-person/per-day splitting, and multi-currency support
@@ -91,7 +107,53 @@ Your data is persisted in the mounted `data` and `uploads` volumes.
 
 For production, put NOMAD behind a reverse proxy with HTTPS (e.g. Nginx, Caddy, Traefik).
 
-Example with **Caddy**:
+> **Important:** NOMAD uses WebSockets for real-time sync. Your reverse proxy must support WebSocket upgrades on the `/ws` path.
+
+<details>
+<summary>Nginx</summary>
+
+```nginx
+server {
+    listen 80;
+    server_name nomad.yourdomain.com;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name nomad.yourdomain.com;
+
+    ssl_certificate /path/to/fullchain.pem;
+    ssl_certificate_key /path/to/privkey.pem;
+
+    location /ws {
+        proxy_pass http://localhost:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400;
+    }
+
+    location / {
+        proxy_pass http://localhost:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+</details>
+
+<details>
+<summary>Caddy</summary>
+
+Caddy handles WebSocket upgrades automatically:
 
 ```
 nomad.yourdomain.com {
@@ -99,6 +161,8 @@ nomad.yourdomain.com {
 }
 ```
 
+</details>
+
 ## Optional API Keys
 
 API keys are configured in the **Admin Panel** after login. Keys set by the admin are automatically shared with all users — no per-user configuration needed.

SECURITY.md

@@ -0,0 +1,26 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---|---|
+| Latest | Yes |
+| Older | No |
+
+Only the latest version receives security updates. Please update to the latest release.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly:
+
+1. **Do not** open a public issue
+2. Email: **mauriceboe@icloud.com**
+3. Include a description of the vulnerability and steps to reproduce
+
+You will receive a response within 48 hours. Once confirmed, a fix will be released as soon as possible.
+
+## Scope
+
+This policy covers the NOMAD application and its Docker image (`mauriceboe/nomad`).
+
+Third-party dependencies are monitored via GitHub Dependabot.

client/src/App.jsx

@@ -12,6 +12,8 @@ import AdminPage from './pages/AdminPage'
 import SettingsPage from './pages/SettingsPage'
 import { ToastContainer } from './components/shared/Toast'
 import { TranslationProvider } from './i18n'
+import DemoBanner from './components/Layout/DemoBanner'
+import { authApi } from './api/client'
 
 function ProtectedRoute({ children, adminRequired = false }) {
   const { isAuthenticated, user, isLoading } = useAuthStore()
@@ -53,13 +55,17 @@ function RootRedirect() {
 }
 
 export default function App() {
-  const { loadUser, token, isAuthenticated } = useAuthStore()
+  const { loadUser, token, isAuthenticated, demoMode, setDemoMode, setHasMapsKey } = useAuthStore()
   const { loadSettings } = useSettingsStore()
 
   useEffect(() => {
     if (token) {
       loadUser()
     }
+    authApi.getAppConfig().then(config => {
+      if (config?.demo_mode) setDemoMode(true)
+      if (config?.has_maps_key !== undefined) setHasMapsKey(config.has_maps_key)
+    }).catch(() => {})
   }, [])
 
   const { settings } = useSettingsStore()

client/src/api/client.js

@@ -53,6 +53,9 @@ export const authApi = {
   updateAppSettings: (data) => apiClient.put('/auth/app-settings', data).then(r => r.data),
   validateKeys: () => apiClient.get('/auth/validate-keys').then(r => r.data),
   travelStats: () => apiClient.get('/auth/travel-stats').then(r => r.data),
+  changePassword: (data) => apiClient.put('/auth/me/password', data).then(r => r.data),
+  deleteOwnAccount: () => apiClient.delete('/auth/me').then(r => r.data),
+  demoLogin: () => apiClient.post('/auth/demo-login').then(r => r.data),
 }
 
 export const tripsApi = {
@@ -121,6 +124,9 @@ export const adminApi = {
   updateUser: (id, data) => apiClient.put(`/admin/users/${id}`, data).then(r => r.data),
   deleteUser: (id) => apiClient.delete(`/admin/users/${id}`).then(r => r.data),
   stats: () => apiClient.get('/admin/stats').then(r => r.data),
+  saveDemoBaseline: () => apiClient.post('/admin/save-demo-baseline').then(r => r.data),
+  getOidc: () => apiClient.get('/admin/oidc').then(r => r.data),
+  updateOidc: (data) => apiClient.put('/admin/oidc', data).then(r => r.data),
 }
 
 export const mapsApi = {

client/src/components/Admin/BackupPanel.jsx

@@ -191,7 +191,7 @@ export default function BackupPanel() {
             <button
               onClick={handleCreate}
               disabled={isCreating}
-              className="flex items-center gap-2 bg-slate-700 text-white px-4 py-2 rounded-lg hover:bg-slate-900 text-sm font-medium disabled:opacity-60"
+              className="flex items-center gap-2 bg-slate-900 dark:bg-slate-100 text-white dark:text-slate-900 px-4 py-2 rounded-lg hover:bg-slate-900 text-sm font-medium disabled:opacity-60"
             >
               {isCreating ? (
                 <div className="w-4 h-4 border-2 border-white border-t-transparent rounded-full animate-spin" />
@@ -289,7 +289,7 @@ export default function BackupPanel() {
             </div>
             <button
               onClick={() => handleAutoSettingsChange('enabled', !autoSettings.enabled)}
-              className={`relative inline-flex h-6 w-11 items-center rounded-full transition-colors ${autoSettings.enabled ? 'bg-slate-700' : 'bg-gray-200'}`}
+              className={`relative inline-flex h-6 w-11 items-center rounded-full transition-colors ${autoSettings.enabled ? 'bg-slate-900 dark:bg-slate-100' : 'bg-gray-200 dark:bg-gray-600'}`}
             >
               <span className={`inline-block h-4 w-4 transform rounded-full bg-white shadow transition-transform ${autoSettings.enabled ? 'translate-x-6' : 'translate-x-1'}`} />
             </button>
@@ -307,7 +307,7 @@ export default function BackupPanel() {
                       onClick={() => handleAutoSettingsChange('interval', opt.value)}
                       className={`px-4 py-2 rounded-lg text-sm font-medium border transition-colors ${
                         autoSettings.interval === opt.value
-                          ? 'bg-slate-700 text-white border-slate-700'
+                          ? 'bg-slate-900 dark:bg-slate-100 text-white dark:text-slate-900 border-slate-700'
                           : 'bg-white text-gray-600 border-gray-200 hover:border-gray-300'
                       }`}
                     >
@@ -327,7 +327,7 @@ export default function BackupPanel() {
                       onClick={() => handleAutoSettingsChange('keep_days', opt.value)}
                       className={`px-4 py-2 rounded-lg text-sm font-medium border transition-colors ${
                         autoSettings.keep_days === opt.value
-                          ? 'bg-slate-700 text-white border-slate-700'
+                          ? 'bg-slate-900 dark:bg-slate-100 text-white dark:text-slate-900 border-slate-700'
                           : 'bg-white text-gray-600 border-gray-200 hover:border-gray-300'
                       }`}
                     >
@@ -344,7 +344,7 @@ export default function BackupPanel() {
             <button
               onClick={handleSaveAutoSettings}
               disabled={autoSettingsSaving || !autoSettingsDirty}
-              className="flex items-center gap-2 bg-slate-700 text-white px-5 py-2 rounded-lg hover:bg-slate-900 text-sm font-medium disabled:opacity-50 transition-colors"
+              className="flex items-center gap-2 bg-slate-900 dark:bg-slate-100 text-white dark:text-slate-900 px-5 py-2 rounded-lg hover:bg-slate-900 text-sm font-medium disabled:opacity-50 transition-colors"
             >
               {autoSettingsSaving
                 ? <div className="w-4 h-4 border-2 border-white border-t-transparent rounded-full animate-spin" />

client/src/components/Dashboard/TravelStats.jsx

@@ -5,7 +5,7 @@ import { useTranslation } from '../../i18n'
 import { useSettingsStore } from '../../store/settingsStore'
 
 // Numeric ISO → country name lookup (countries-110m uses numeric IDs)
-const NUMERIC_TO_NAME = {"004":"Afghanistan","008":"Albania","012":"Algeria","024":"Angola","032":"Argentina","036":"Australia","040":"Austria","050":"Bangladesh","056":"Belgium","064":"Bhutan","068":"Bolivia","070":"Bosnia and Herzegovina","072":"Botswana","076":"Brazil","100":"Bulgaria","104":"Myanmar","108":"Burundi","112":"Belarus","116":"Cambodia","120":"Cameroon","124":"Canada","140":"Central African Republic","144":"Sri Lanka","148":"Chad","152":"Chile","156":"China","170":"Colombia","178":"Congo","180":"Democratic Republic of the Congo","188":"Costa Rica","191":"Croatia","192":"Cuba","196":"Cyprus","203":"Czech Republic","204":"Benin","208":"Denmark","214":"Dominican Republic","218":"Ecuador","818":"Egypt","222":"El Salvador","226":"Equatorial Guinea","232":"Eritrea","233":"Estonia","231":"Ethiopia","238":"Falkland Islands","246":"Finland","250":"France","266":"Gabon","270":"Gambia","268":"Georgia","276":"Germany","288":"Ghana","300":"Greece","320":"Guatemala","324":"Guinea","328":"Guyana","332":"Haiti","340":"Honduras","348":"Hungary","352":"Iceland","356":"India","360":"Indonesia","364":"Iran","368":"Iraq","372":"Ireland","376":"Israel","380":"Italy","384":"Ivory Coast","388":"Jamaica","392":"Japan","400":"Jordan","398":"Kazakhstan","404":"Kenya","408":"North Korea","410":"South Korea","414":"Kuwait","417":"Kyrgyzstan","418":"Laos","422":"Lebanon","426":"Lesotho","430":"Liberia","434":"Libya","440":"Lithuania","442":"Luxembourg","450":"Madagascar","454":"Malawi","458":"Malaysia","466":"Mali","478":"Mauritania","484":"Mexico","496":"Mongolia","498":"Moldova","504":"Morocco","508":"Mozambique","516":"Namibia","524":"Nepal","528":"Netherlands","540":"New Caledonia","554":"New Zealand","558":"Nicaragua","562":"Niger","566":"Nigeria","578":"Norway","512":"Oman","586":"Pakistan","591":"Panama","598":"Papua New Guinea","600":"Paraguay","604":"Peru","608":"Philippines","616":"Poland","620":"Portugal","630":"Puerto Rico","634":"Qatar","642":"Romania","643":"Russia","646":"Rwanda","682":"Saudi Arabia","686":"Senegal","688":"Serbia","694":"Sierra Leone","703":"Slovakia","705":"Slovenia","706":"Somalia","710":"South Africa","724":"Spain","144":"Sri Lanka","729":"Sudan","740":"Suriname","748":"Swaziland","752":"Sweden","756":"Switzerland","760":"Syria","762":"Tajikistan","764":"Thailand","768":"Togo","780":"Trinidad and Tobago","788":"Tunisia","792":"Turkey","795":"Turkmenistan","800":"Uganda","804":"Ukraine","784":"United Arab Emirates","826":"United Kingdom","840":"United States of America","858":"Uruguay","860":"Uzbekistan","862":"Venezuela","704":"Vietnam","887":"Yemen","894":"Zambia","716":"Zimbabwe"}
+const NUMERIC_TO_NAME = {"004":"Afghanistan","008":"Albania","012":"Algeria","024":"Angola","032":"Argentina","036":"Australia","040":"Austria","050":"Bangladesh","056":"Belgium","064":"Bhutan","068":"Bolivia","070":"Bosnia and Herzegovina","072":"Botswana","076":"Brazil","100":"Bulgaria","104":"Myanmar","108":"Burundi","112":"Belarus","116":"Cambodia","120":"Cameroon","124":"Canada","140":"Central African Republic","144":"Sri Lanka","148":"Chad","152":"Chile","156":"China","170":"Colombia","178":"Congo","180":"Democratic Republic of the Congo","188":"Costa Rica","191":"Croatia","192":"Cuba","196":"Cyprus","203":"Czech Republic","204":"Benin","208":"Denmark","214":"Dominican Republic","218":"Ecuador","818":"Egypt","222":"El Salvador","226":"Equatorial Guinea","232":"Eritrea","233":"Estonia","231":"Ethiopia","238":"Falkland Islands","246":"Finland","250":"France","266":"Gabon","270":"Gambia","268":"Georgia","276":"Germany","288":"Ghana","300":"Greece","320":"Guatemala","324":"Guinea","328":"Guyana","332":"Haiti","340":"Honduras","348":"Hungary","352":"Iceland","356":"India","360":"Indonesia","364":"Iran","368":"Iraq","372":"Ireland","376":"Israel","380":"Italy","384":"Ivory Coast","388":"Jamaica","392":"Japan","400":"Jordan","398":"Kazakhstan","404":"Kenya","408":"North Korea","410":"South Korea","414":"Kuwait","417":"Kyrgyzstan","418":"Laos","422":"Lebanon","426":"Lesotho","430":"Liberia","434":"Libya","440":"Lithuania","442":"Luxembourg","450":"Madagascar","454":"Malawi","458":"Malaysia","466":"Mali","478":"Mauritania","484":"Mexico","496":"Mongolia","498":"Moldova","504":"Morocco","508":"Mozambique","516":"Namibia","524":"Nepal","528":"Netherlands","540":"New Caledonia","554":"New Zealand","558":"Nicaragua","562":"Niger","566":"Nigeria","578":"Norway","512":"Oman","586":"Pakistan","591":"Panama","598":"Papua New Guinea","600":"Paraguay","604":"Peru","608":"Philippines","616":"Poland","620":"Portugal","630":"Puerto Rico","634":"Qatar","642":"Romania","643":"Russia","646":"Rwanda","682":"Saudi Arabia","686":"Senegal","688":"Serbia","694":"Sierra Leone","703":"Slovakia","705":"Slovenia","706":"Somalia","710":"South Africa","724":"Spain","729":"Sudan","740":"Suriname","748":"Swaziland","752":"Sweden","756":"Switzerland","760":"Syria","762":"Tajikistan","764":"Thailand","768":"Togo","780":"Trinidad and Tobago","788":"Tunisia","792":"Turkey","795":"Turkmenistan","800":"Uganda","804":"Ukraine","784":"United Arab Emirates","826":"United Kingdom","840":"United States of America","858":"Uruguay","860":"Uzbekistan","862":"Venezuela","704":"Vietnam","887":"Yemen","894":"Zambia","716":"Zimbabwe"}
 
 // Our country names from addresses → match against GeoJSON names
 function isCountryMatch(geoName, visitedCountries) {

client/src/components/Files/FileManager.jsx

@@ -165,11 +165,16 @@ export default function FileManager({ files = [], onUpload, onDelete, onUpdate,
                 </button>
               </div>
             </div>
-            <iframe
-              src={`${previewFile.url || `/uploads/files/${previewFile.filename}`}#view=FitH`}
+            <object
+              data={`${previewFile.url || `/uploads/files/${previewFile.filename}`}#view=FitH`}
+              type="application/pdf"
               style={{ flex: 1, width: '100%', border: 'none' }}
               title={previewFile.original_name}
-            />
+            >
+              <p style={{ padding: 24, textAlign: 'center', color: 'var(--text-muted)' }}>
+                <a href={previewFile.url || `/uploads/files/${previewFile.filename}`} target="_blank" rel="noopener noreferrer" style={{ color: 'var(--text-primary)', textDecoration: 'underline' }}>PDF herunterladen</a>
+              </p>
+            </object>
           </div>
         </div>
       )}

client/src/components/Layout/DemoBanner.jsx

@@ -0,0 +1,147 @@
+import React, { useState, useEffect } from 'react'
+import { Info, Github, Shield, Key, Users, Database, Upload, Clock } from 'lucide-react'
+import { useTranslation } from '../../i18n'
+
+const texts = {
+  de: {
+    title: 'Willkommen zur NOMAD Demo',
+    description: 'Du kannst Reisen ansehen, bearbeiten und eigene erstellen. Alle Aenderungen werden jede Stunde automatisch zurueckgesetzt.',
+    resetIn: 'Naechster Reset in',
+    minutes: 'Minuten',
+    uploadNote: 'Datei-Uploads (Fotos, Dokumente, Cover) sind in der Demo deaktiviert.',
+    fullVersionTitle: 'In der Vollversion zusaetzlich verfuegbar:',
+    features: [
+      'Datei-Uploads (Fotos, Dokumente, Reise-Cover)',
+      'API-Schluessel verwalten (Google Maps, Wetter)',
+      'Benutzer & Rechte verwalten',
+      'Automatische Backups & Wiederherstellung',
+    ],
+    selfHost: 'NOMAD ist Open Source — ',
+    selfHostLink: 'selbst hosten',
+    close: 'Verstanden',
+  },
+  en: {
+    title: 'Welcome to the NOMAD Demo',
+    description: 'You can view, edit and create trips. All changes are automatically reset every hour.',
+    resetIn: 'Next reset in',
+    minutes: 'minutes',
+    uploadNote: 'File uploads (photos, documents, covers) are disabled in demo mode.',
+    fullVersionTitle: 'Additionally available in the full version:',
+    features: [
+      'File uploads (photos, documents, trip covers)',
+      'API key management (Google Maps, Weather)',
+      'User & permission management',
+      'Automatic backups & restore',
+    ],
+    selfHost: 'NOMAD is open source — ',
+    selfHostLink: 'self-host it',
+    close: 'Got it',
+  },
+}
+
+const featureIcons = [Upload, Key, Users, Database]
+
+export default function DemoBanner() {
+  const [dismissed, setDismissed] = useState(false)
+  const [minutesLeft, setMinutesLeft] = useState(59 - new Date().getMinutes())
+  const { language } = useTranslation()
+  const t = texts[language] || texts.en
+
+  useEffect(() => {
+    const interval = setInterval(() => setMinutesLeft(59 - new Date().getMinutes()), 10000)
+    return () => clearInterval(interval)
+  }, [])
+
+  if (dismissed) return null
+
+  return (
+    <div style={{
+      position: 'fixed', inset: 0, zIndex: 9999,
+      background: 'rgba(0,0,0,0.5)', backdropFilter: 'blur(4px)',
+      display: 'flex', alignItems: 'center', justifyContent: 'center',
+      padding: 24,
+      fontFamily: "-apple-system, BlinkMacSystemFont, 'SF Pro Text', system-ui, sans-serif",
+    }} onClick={() => setDismissed(true)}>
+      <div style={{
+        background: 'white', borderRadius: 20, padding: '32px 28px 24px',
+        maxWidth: 440, width: '100%',
+        boxShadow: '0 20px 60px rgba(0,0,0,0.3)',
+      }} onClick={e => e.stopPropagation()}>
+
+        <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
+          <div style={{
+            width: 36, height: 36, borderRadius: 10,
+            background: 'linear-gradient(135deg, #f59e0b, #d97706)',
+            display: 'flex', alignItems: 'center', justifyContent: 'center',
+          }}>
+            <Info size={20} style={{ color: 'white' }} />
+          </div>
+          <h2 style={{ margin: 0, fontSize: 18, fontWeight: 700, color: '#111827' }}>
+            {t.title}
+          </h2>
+        </div>
+
+        <p style={{ fontSize: 14, color: '#6b7280', lineHeight: 1.6, margin: '0 0 12px' }}>
+          {t.description}
+        </p>
+
+        <div style={{
+          display: 'flex', alignItems: 'center', gap: 8, margin: '0 0 12px',
+          background: '#f0f9ff', border: '1px solid #bae6fd', borderRadius: 10, padding: '10px 12px',
+        }}>
+          <Clock size={15} style={{ flexShrink: 0, color: '#0284c7' }} />
+          <span style={{ fontSize: 13, color: '#0369a1', fontWeight: 600 }}>
+            {t.resetIn} {minutesLeft} {t.minutes}
+          </span>
+        </div>
+
+        <p style={{
+          fontSize: 13, color: '#b45309', lineHeight: 1.5, margin: '0 0 20px',
+          background: '#fffbeb', border: '1px solid #fde68a', borderRadius: 10, padding: '10px 12px',
+          display: 'flex', alignItems: 'center', gap: 8,
+        }}>
+          <Upload size={15} style={{ flexShrink: 0 }} />
+          {t.uploadNote}
+        </p>
+
+        <p style={{ fontSize: 12, fontWeight: 700, color: '#374151', margin: '0 0 10px', textTransform: 'uppercase', letterSpacing: '0.05em' }}>
+          {t.fullVersionTitle}
+        </p>
+
+        <div style={{ display: 'flex', flexDirection: 'column', gap: 8, marginBottom: 20 }}>
+          {t.features.map((text, i) => {
+            const Icon = featureIcons[i]
+            return (
+              <div key={text} style={{ display: 'flex', alignItems: 'center', gap: 10, fontSize: 13, color: '#4b5563' }}>
+                <Icon size={15} style={{ flexShrink: 0, color: '#d97706' }} />
+                <span>{text}</span>
+              </div>
+            )
+          })}
+        </div>
+
+        <div style={{
+          paddingTop: 16, borderTop: '1px solid #e5e7eb',
+          display: 'flex', alignItems: 'center', justifyContent: 'space-between',
+        }}>
+          <div style={{ display: 'flex', alignItems: 'center', gap: 6, fontSize: 12, color: '#9ca3af' }}>
+            <Github size={14} />
+            <span>{t.selfHost}</span>
+            <a href="https://github.com/mauriceboe/NOMAD" target="_blank" rel="noopener noreferrer"
+              style={{ color: '#d97706', fontWeight: 600, textDecoration: 'none' }}>
+              {t.selfHostLink}
+            </a>
+          </div>
+
+          <button onClick={() => setDismissed(true)} style={{
+            background: '#111827', color: 'white', border: 'none',
+            borderRadius: 10, padding: '8px 20px', fontSize: 13,
+            fontWeight: 600, cursor: 'pointer', fontFamily: 'inherit',
+          }}>
+            {t.close}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}

client/src/components/Layout/Navbar.jsx

@@ -1,4 +1,4 @@
-import React, { useState } from 'react'
+import React, { useState, useEffect } from 'react'
 import { Link, useNavigate } from 'react-router-dom'
 import { useAuthStore } from '../../store/authStore'
 import { useSettingsStore } from '../../store/settingsStore'
@@ -11,8 +11,15 @@ export default function Navbar({ tripTitle, tripId, onBack, showBack, onShare })
   const { t, locale } = useTranslation()
   const navigate = useNavigate()
   const [userMenuOpen, setUserMenuOpen] = useState(false)
+  const [appVersion, setAppVersion] = useState(null)
   const dark = settings.dark_mode
 
+  useEffect(() => {
+    import('../../api/client').then(({ authApi }) => {
+      authApi.getAppConfig?.().then(c => setAppVersion(c?.version)).catch(() => {})
+    })
+  }, [])
+
   const handleLogout = () => {
     logout()
     navigate('/login')
@@ -146,6 +153,11 @@ export default function Navbar({ tripTitle, tripId, onBack, showBack, onShare })
                     <LogOut className="w-4 h-4" />
                     {t('nav.logout')}
                   </button>
+                  {appVersion && (
+                    <div className="px-4 py-1.5 text-center" style={{ fontSize: 10, color: 'var(--text-faint)' }}>
+                      NOMAD v{appVersion}
+                    </div>
+                  )}
                 </div>
               </div>
             </>

client/src/components/PDF/TripPDF.jsx

@@ -193,7 +193,7 @@ export async function downloadTripPDF({ trip, days, places, assignments, categor
 <head>
 <meta charset="UTF-8">
 <base href="${window.location.origin}/">
-<title>${escHtml(trip?.name || tr('pdf.travelPlan'))}</title>
+<title>${escHtml(trip?.title || tr('pdf.travelPlan'))}</title>
 <link href="https://fonts.googleapis.com/css2?family=Poppins:ital,wght@0,400;0,500;0,600;0,700;1,400&display=swap" rel="stylesheet">
 <style>
   *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
@@ -326,7 +326,7 @@ export async function downloadTripPDF({ trip, days, places, assignments, categor
       ? `<div class="cover-circle"><img src="${escHtml(coverImg)}" /></div>`
       : `<div class="cover-circle-ph"></div>`}
     <div class="cover-label">${escHtml(tr('pdf.travelPlan'))}</div>
-    <div class="cover-title">${escHtml(trip?.name || 'Meine Reise')}</div>
+    <div class="cover-title">${escHtml(trip?.title || 'Meine Reise')}</div>
     ${trip?.description ? `<div class="cover-desc">${escHtml(trip.description)}</div>` : ''}
     ${range ? `<div class="cover-dates">${range}</div>` : ''}
     <div class="cover-line"></div>
@@ -356,15 +356,11 @@ ${daysHtml}
 
 </body></html>`
 
-  // Open print window
-  const blob = new Blob([html], { type: 'text/html' })
-  const url = URL.createObjectURL(blob)
-
-  // Modal in die App einfügen
+  // Open in modal with srcdoc iframe (no URL loading = no X-Frame-Options issue)
   const overlay = document.createElement('div')
   overlay.id = 'pdf-preview-overlay'
   overlay.style.cssText = 'position:fixed;inset:0;background:rgba(0,0,0,0.7);z-index:9999;display:flex;align-items:center;justify-content:center;padding:8px;'
-  overlay.onclick = (e) => { if (e.target === overlay) { overlay.remove(); URL.revokeObjectURL(url) } }
+  overlay.onclick = (e) => { if (e.target === overlay) overlay.remove() }
 
   const card = document.createElement('div')
   card.style.cssText = 'width:100%;max-width:1000px;height:95vh;background:var(--bg-card);border-radius:12px;overflow:hidden;display:flex;flex-direction:column;box-shadow:0 20px 60px rgba(0,0,0,0.3);'
@@ -372,7 +368,7 @@ ${daysHtml}
   const header = document.createElement('div')
   header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;border-bottom:1px solid var(--border-primary);flex-shrink:0;'
   header.innerHTML = `
-    <span style="font-size:13px;font-weight:600;color:var(--text-primary)">${escHtml(trip?.name || tr('pdf.travelPlan'))}</span>
+    <span style="font-size:13px;font-weight:600;color:var(--text-primary)">${escHtml(trip?.title || tr('pdf.travelPlan'))}</span>
     <div style="display:flex;align-items:center;gap:8px">
       <button id="pdf-print-btn" style="display:flex;align-items:center;gap:5px;font-size:12px;font-weight:500;color:var(--text-muted);background:none;border:none;cursor:pointer;padding:4px 8px;border-radius:6px;font-family:inherit">${tr('pdf.saveAsPdf')}</button>
       <button id="pdf-close-btn" style="background:none;border:none;cursor:pointer;color:var(--text-faint);display:flex;padding:4px;border-radius:6px">
@@ -383,13 +379,14 @@ ${daysHtml}
 
   const iframe = document.createElement('iframe')
   iframe.style.cssText = 'flex:1;width:100%;border:none;'
-  iframe.src = url
+  iframe.sandbox = 'allow-same-origin allow-modals'
+  iframe.srcdoc = html
 
   card.appendChild(header)
   card.appendChild(iframe)
   overlay.appendChild(card)
   document.body.appendChild(overlay)
 
-  header.querySelector('#pdf-close-btn').onclick = () => { overlay.remove(); URL.revokeObjectURL(url) }
+  header.querySelector('#pdf-close-btn').onclick = () => overlay.remove()
   header.querySelector('#pdf-print-btn').onclick = () => { iframe.contentWindow?.print() }
 }

client/src/components/Places/PlaceFormModal.jsx

@@ -3,6 +3,7 @@ import Modal from '../shared/Modal'
 import { mapsApi, tagsApi, categoriesApi } from '../../api/client'
 import { useToast } from '../shared/Toast'
 import { useAuthStore } from '../../store/authStore'
+import { useTranslation } from '../../i18n'
 import { Search, Plus, MapPin, Loader } from 'lucide-react'
 
 const STATUSES = [
@@ -23,7 +24,8 @@ export default function PlaceFormModal({
   onTagCreated,
 }) {
   const isEditing = !!place
-  const { user } = useAuthStore()
+  const { user, hasMapsKey } = useAuthStore()
+  const { t } = useTranslation()
   const toast = useToast()
 
   const [categories, setCategories] = useState(initialCategories)
@@ -124,14 +126,17 @@ export default function PlaceFormModal({
     }
   }
 
+  const [searchSource, setSearchSource] = useState(null)
+
   const handleMapSearch = async () => {
     if (!mapQuery.trim()) return
     setMapSearching(true)
     try {
       const data = await mapsApi.search(mapQuery)
       setMapResults(data.places || [])
+      setSearchSource(data.source || 'google')
     } catch (err) {
-      toast.error(err.response?.data?.error || 'Maps search failed')
+      toast.error(err.response?.data?.error || t('places.mapsSearchError'))
     } finally {
       setMapSearching(false)
     }
@@ -218,9 +223,13 @@ export default function PlaceFormModal({
           </div>
         )}
 
-        {/* Google Maps search — always visible when API key is set */}
-        {user?.maps_api_key && (
+        {/* Place search — Google Maps or OpenStreetMap fallback */}
           <div className="bg-slate-50 rounded-xl p-3 border border-slate-200">
+            {!hasMapsKey && (
+              <p className="mb-2 text-xs" style={{ color: 'var(--text-faint)' }}>
+                {t('places.osmActive')}
+              </p>
+            )}
             <div className="flex gap-2">
               <div className="relative flex-1">
                 <Search className="absolute left-2.5 top-1/2 -translate-y-1/2 w-4 h-4 text-slate-400" />
@@ -229,7 +238,7 @@ export default function PlaceFormModal({
                   value={mapQuery}
                   onChange={e => setMapQuery(e.target.value)}
                   onKeyDown={e => e.key === 'Enter' && handleMapSearch()}
-                  placeholder="Google Maps suchen..."
+                  placeholder={t('places.mapsSearchPlaceholder')}
                   className="w-full pl-8 pr-3 py-2 text-sm border border-slate-200 rounded-lg focus:ring-2 focus:ring-slate-400 focus:border-transparent bg-white"
                 />
               </div>
@@ -238,7 +247,7 @@ export default function PlaceFormModal({
                 disabled={mapSearching}
                 className="px-3 py-2 bg-slate-900 text-white text-sm rounded-lg hover:bg-slate-700 disabled:opacity-50"
               >
-                {mapSearching ? <Loader className="w-4 h-4 animate-spin" /> : 'Suchen'}
+                {mapSearching ? <Loader className="w-4 h-4 animate-spin" /> : t('common.search')}
               </button>
             </div>
 
@@ -263,7 +272,6 @@ export default function PlaceFormModal({
               </div>
             )}
           </div>
-        )}
 
         {/* Name */}
         <div>

client/src/components/Planner/PlaceFormModal.jsx

@@ -2,6 +2,7 @@ import React, { useState, useEffect } from 'react'
 import Modal from '../shared/Modal'
 import CustomSelect from '../shared/CustomSelect'
 import { mapsApi } from '../../api/client'
+import { useAuthStore } from '../../store/authStore'
 import { useToast } from '../shared/Toast'
 import { Search } from 'lucide-react'
 import { useTranslation } from '../../i18n'
@@ -44,6 +45,7 @@ export default function PlaceFormModal({
   const [isSaving, setIsSaving] = useState(false)
   const toast = useToast()
   const { t, language } = useTranslation()
+  const { hasMapsKey } = useAuthStore()
 
   useEffect(() => {
     if (place) {
@@ -139,8 +141,13 @@ export default function PlaceFormModal({
       size="lg"
     >
       <form onSubmit={handleSubmit} className="space-y-4">
-        {/* Google Maps Search */}
+        {/* Place Search */}
         <div className="bg-slate-50 rounded-xl p-3 border border-slate-200">
+          {!hasMapsKey && (
+            <p className="mb-2 text-xs" style={{ color: 'var(--text-faint)' }}>
+              {t('places.osmActive')}
+            </p>
+          )}
           <div className="flex gap-2">
             <input
               type="text"

client/src/components/Trips/TripFormModal.jsx

@@ -92,7 +92,25 @@ export default function TripFormModal({ isOpen, onClose, onSave, trip, onCoverUp
     }
   }
 
-  const update = (field, value) => setFormData(prev => ({ ...prev, [field]: value }))
+  const update = (field, value) => setFormData(prev => {
+    const next = { ...prev, [field]: value }
+    // Auto-adjust end date when start date changes
+    if (field === 'start_date' && value) {
+      if (!prev.end_date || prev.end_date < value) {
+        // If no end date or end date is before new start, set end = start
+        next.end_date = value
+      } else if (prev.start_date) {
+        // Preserve trip duration: shift end date by same delta
+        const oldStart = new Date(prev.start_date + 'T00:00:00')
+        const oldEnd = new Date(prev.end_date + 'T00:00:00')
+        const duration = Math.round((oldEnd - oldStart) / 86400000)
+        const newEnd = new Date(value + 'T00:00:00')
+        newEnd.setDate(newEnd.getDate() + duration)
+        next.end_date = newEnd.toISOString().split('T')[0]
+      }
+    }
+    return next
+  })
 
   const inputCls = "w-full px-3 py-2.5 border border-slate-200 rounded-lg text-slate-900 placeholder-slate-400 focus:outline-none focus:ring-2 focus:ring-slate-300 focus:border-transparent text-sm"
 

client/src/components/shared/CustomDateTimePicker.jsx

@@ -73,11 +73,26 @@ export function CustomDatePicker({ value, onChange, placeholder, style = {} }) {
       {open && ReactDOM.createPortal(
         <div ref={dropRef} style={{
           position: 'fixed',
-          top: (() => { const r = ref.current?.getBoundingClientRect(); return r ? r.bottom + 4 : 0 })(),
-          left: (() => { const r = ref.current?.getBoundingClientRect(); return r ? r.left : 0 })(),
+          ...(() => {
+            const r = ref.current?.getBoundingClientRect()
+            if (!r) return { top: 0, left: 0 }
+            const w = 268, pad = 8
+            const vw = window.innerWidth
+            const vh = window.innerHeight
+            let left = r.left
+            let top = r.bottom + 4
+            // Keep within viewport horizontally
+            if (left + w > vw - pad) left = Math.max(pad, vw - w - pad)
+            // If not enough space below, open above
+            if (top + 320 > vh) top = Math.max(pad, r.top - 320)
+            // On very small screens, center horizontally
+            if (vw < 360) left = Math.max(pad, (vw - w) / 2)
+            return { top, left }
+          })(),
           zIndex: 99999,
           background: 'var(--bg-card)', border: '1px solid var(--border-primary)',
           borderRadius: 14, boxShadow: '0 8px 32px rgba(0,0,0,0.12)', padding: 12, width: 268,
+          maxWidth: 'calc(100vw - 16px)',
           animation: 'selectIn 0.15s ease-out',
           backdropFilter: 'blur(24px)', WebkitBackdropFilter: 'blur(24px)',
         }}>

client/src/i18n/translations/de.js

@@ -125,6 +125,22 @@ const de = {
   'settings.email': 'E-Mail',
   'settings.role': 'Rolle',
   'settings.roleAdmin': 'Administrator',
+  'settings.oidcLinked': 'Verknüpft mit',
+  'settings.changePassword': 'Passwort ändern',
+  'settings.currentPassword': 'Aktuelles Passwort',
+  'settings.newPassword': 'Neues Passwort',
+  'settings.confirmPassword': 'Neues Passwort bestätigen',
+  'settings.updatePassword': 'Passwort aktualisieren',
+  'settings.passwordRequired': 'Bitte aktuelles und neues Passwort eingeben',
+  'settings.passwordTooShort': 'Passwort muss mindestens 8 Zeichen lang sein',
+  'settings.passwordMismatch': 'Passwörter stimmen nicht überein',
+  'settings.passwordChanged': 'Passwort erfolgreich geändert',
+  'settings.deleteAccount': 'Account löschen',
+  'settings.deleteAccountTitle': 'Account wirklich löschen?',
+  'settings.deleteAccountWarning': 'Dein Account und alle deine Reisen, Orte und Dateien werden unwiderruflich gelöscht. Diese Aktion kann nicht rückgängig gemacht werden.',
+  'settings.deleteAccountConfirm': 'Endgültig löschen',
+  'settings.deleteBlockedTitle': 'Löschung nicht möglich',
+  'settings.deleteBlockedMessage': 'Du bist der einzige Administrator. Ernenne zuerst einen anderen Benutzer zum Admin, bevor du deinen Account löschen kannst.',
   'settings.roleUser': 'Benutzer',
   'settings.saveProfile': 'Profil speichern',
   'settings.toast.mapSaved': 'Karteneinstellungen gespeichert',
@@ -188,6 +204,7 @@ const de = {
   'admin.table.email': 'E-Mail',
   'admin.table.role': 'Rolle',
   'admin.table.created': 'Erstellt',
+  'admin.table.lastLogin': 'Letzter Login',
   'admin.table.actions': 'Aktionen',
   'admin.you': '(Du)',
   'admin.editUser': 'Benutzer bearbeiten',
@@ -212,12 +229,20 @@ const de = {
   'admin.apiKeys': 'API-Schlüssel',
   'admin.mapsKey': 'Google Maps API Key',
   'admin.mapsKeyHint': 'Für Ortsuche benötigt. Erstellen unter console.cloud.google.com',
+  'admin.mapsKeyHintLong': 'Ohne API Key wird OpenStreetMap für die Ortssuche genutzt. Mit Google API Key können zusätzlich Bilder, Bewertungen und Öffnungszeiten geladen werden. Erstellen unter console.cloud.google.com.',
+  'admin.recommended': 'Empfohlen',
   'admin.weatherKey': 'OpenWeatherMap API Key',
   'admin.weatherKeyHint': 'Für Wetterdaten. Kostenlos unter openweathermap.org',
   'admin.validateKey': 'Test',
   'admin.keyValid': 'Verbunden',
   'admin.keyInvalid': 'Ungültig',
   'admin.keySaved': 'API-Schlüssel gespeichert',
+  'admin.oidcTitle': 'Single Sign-On (OIDC)',
+  'admin.oidcSubtitle': 'Anmeldung über externe Anbieter wie Google, Apple, Authentik oder Keycloak.',
+  'admin.oidcDisplayName': 'Anzeigename',
+  'admin.oidcIssuer': 'Issuer URL',
+  'admin.oidcIssuerHint': 'Die OpenID Connect Issuer URL des Anbieters. z.B. https://accounts.google.com',
+  'admin.oidcSaved': 'OIDC-Konfiguration gespeichert',
 
   // Trip Planner
   'trip.tabs.plan': 'Planung',
@@ -293,8 +318,10 @@ const de = {
   'places.formNotesPlaceholder': 'Persönliche Notizen...',
   'places.formReservation': 'Reservierung',
   'places.reservationNotesPlaceholder': 'Reservierungsnotizen, Bestätigungsnummer...',
-  'places.mapsSearchPlaceholder': 'Google Maps suchen...',
-  'places.mapsSearchError': 'Google Maps Suche fehlgeschlagen. Bitte API-Schlüssel in den Einstellungen hinterlegen.',
+  'places.mapsSearchPlaceholder': 'Ortssuche...',
+  'places.mapsSearchError': 'Ortssuche fehlgeschlagen.',
+  'places.osmHint': 'OpenStreetMap-Suche aktiv (ohne Bilder, Öffnungszeiten, Bewertungen). Für erweiterte Daten Google API Key in den Einstellungen hinterlegen.',
+  'places.osmActive': 'Suche via OpenStreetMap (ohne Bilder, Bewertungen & Öffnungszeiten). Google API Key in den Einstellungen hinterlegen für erweiterte Daten.',
   'places.categoryCreateError': 'Fehler beim Erstellen der Kategorie',
   'places.nameRequired': 'Bitte einen Namen eingeben',
   'places.saveError': 'Fehler beim Speichern',

client/src/i18n/translations/en.js

@@ -125,6 +125,22 @@ const en = {
   'settings.email': 'Email',
   'settings.role': 'Role',
   'settings.roleAdmin': 'Administrator',
+  'settings.oidcLinked': 'Linked with',
+  'settings.changePassword': 'Change Password',
+  'settings.currentPassword': 'Current password',
+  'settings.newPassword': 'New password',
+  'settings.confirmPassword': 'Confirm new password',
+  'settings.updatePassword': 'Update password',
+  'settings.passwordRequired': 'Please enter current and new password',
+  'settings.passwordTooShort': 'Password must be at least 8 characters',
+  'settings.passwordMismatch': 'Passwords do not match',
+  'settings.passwordChanged': 'Password changed successfully',
+  'settings.deleteAccount': 'Delete account',
+  'settings.deleteAccountTitle': 'Delete your account?',
+  'settings.deleteAccountWarning': 'Your account and all your trips, places, and files will be permanently deleted. This action cannot be undone.',
+  'settings.deleteAccountConfirm': 'Delete permanently',
+  'settings.deleteBlockedTitle': 'Deletion not possible',
+  'settings.deleteBlockedMessage': 'You are the only administrator. Promote another user to admin before deleting your account.',
   'settings.roleUser': 'User',
   'settings.saveProfile': 'Save Profile',
   'settings.toast.mapSaved': 'Map settings saved',
@@ -188,6 +204,7 @@ const en = {
   'admin.table.email': 'Email',
   'admin.table.role': 'Role',
   'admin.table.created': 'Created',
+  'admin.table.lastLogin': 'Last Login',
   'admin.table.actions': 'Actions',
   'admin.you': '(You)',
   'admin.editUser': 'Edit User',
@@ -212,12 +229,20 @@ const en = {
   'admin.apiKeys': 'API Keys',
   'admin.mapsKey': 'Google Maps API Key',
   'admin.mapsKeyHint': 'Required for place search. Get at console.cloud.google.com',
+  'admin.mapsKeyHintLong': 'Without an API key, OpenStreetMap is used for place search. With a Google API key, photos, ratings, and opening hours can be loaded as well. Get one at console.cloud.google.com.',
+  'admin.recommended': 'Recommended',
   'admin.weatherKey': 'OpenWeatherMap API Key',
   'admin.weatherKeyHint': 'For weather data. Free at openweathermap.org',
   'admin.validateKey': 'Test',
   'admin.keyValid': 'Connected',
   'admin.keyInvalid': 'Invalid',
   'admin.keySaved': 'API keys saved',
+  'admin.oidcTitle': 'Single Sign-On (OIDC)',
+  'admin.oidcSubtitle': 'Allow login via external providers like Google, Apple, Authentik or Keycloak.',
+  'admin.oidcDisplayName': 'Display Name',
+  'admin.oidcIssuer': 'Issuer URL',
+  'admin.oidcIssuerHint': 'The OpenID Connect Issuer URL of the provider. e.g. https://accounts.google.com',
+  'admin.oidcSaved': 'OIDC configuration saved',
 
   // Trip Planner
   'trip.tabs.plan': 'Plan',
@@ -293,8 +318,10 @@ const en = {
   'places.formNotesPlaceholder': 'Personal notes...',
   'places.formReservation': 'Reservation',
   'places.reservationNotesPlaceholder': 'Reservation notes, confirmation number...',
-  'places.mapsSearchPlaceholder': 'Search Google Maps...',
-  'places.mapsSearchError': 'Google Maps search failed. Please add an API key in settings.',
+  'places.mapsSearchPlaceholder': 'Search places...',
+  'places.mapsSearchError': 'Place search failed.',
+  'places.osmHint': 'Using OpenStreetMap search (no photos, opening hours, or ratings). Add a Google API key in settings for full details.',
+  'places.osmActive': 'Search via OpenStreetMap (no photos, ratings or opening hours). Add a Google API key in Settings for enhanced data.',
   'places.categoryCreateError': 'Failed to create category',
   'places.nameRequired': 'Please enter a name',
   'places.saveError': 'Failed to save',

client/src/pages/AdminPage.jsx

@@ -2,6 +2,7 @@ import React, { useEffect, useState } from 'react'
 import { useNavigate } from 'react-router-dom'
 import { adminApi, authApi } from '../api/client'
 import { useAuthStore } from '../store/authStore'
+import { useSettingsStore } from '../store/settingsStore'
 import { useTranslation } from '../i18n'
 import Navbar from '../components/Layout/Navbar'
 import Modal from '../components/shared/Modal'
@@ -12,7 +13,9 @@ import { Users, Map, Briefcase, Shield, Trash2, Edit2, Camera, FileText, Eye, Ey
 import CustomSelect from '../components/shared/CustomSelect'
 
 export default function AdminPage() {
-  const { t } = useTranslation()
+  const { demoMode } = useAuthStore()
+  const { t, locale } = useTranslation()
+  const hour12 = useSettingsStore(s => s.settings.time_format) === '12h'
   const TABS = [
     { id: 'users', label: t('admin.tabs.users') },
     { id: 'categories', label: t('admin.tabs.categories') },
@@ -29,6 +32,10 @@ export default function AdminPage() {
   const [showCreateUser, setShowCreateUser] = useState(false)
   const [createForm, setCreateForm] = useState({ username: '', email: '', password: '', role: 'user' })
 
+  // OIDC config
+  const [oidcConfig, setOidcConfig] = useState({ issuer: '', client_id: '', client_secret: '', display_name: '' })
+  const [savingOidc, setSavingOidc] = useState(false)
+
   // Registration toggle
   const [allowRegistration, setAllowRegistration] = useState(true)
 
@@ -48,6 +55,7 @@ export default function AdminPage() {
     loadData()
     loadAppConfig()
     loadApiKeys()
+    adminApi.getOidc().then(setOidcConfig).catch(() => {})
   }, [])
 
   const loadData = async () => {
@@ -77,9 +85,9 @@ export default function AdminPage() {
 
   const loadApiKeys = async () => {
     try {
-      const data = await authApi.me()
-      setMapsKey(data.user?.maps_api_key || '')
-      setWeatherKey(data.user?.openweather_api_key || '')
+      const data = await authApi.getSettings()
+      setMapsKey(data.settings?.maps_api_key || '')
+      setWeatherKey(data.settings?.openweather_api_key || '')
     } catch (err) {
       // ignore
     }
@@ -117,6 +125,8 @@ export default function AdminPage() {
   const handleValidateKeys = async () => {
     setValidating({ maps: true, weather: true })
     try {
+      // Save first so validation uses the current values
+      await updateApiKeys({ maps_api_key: mapsKey, openweather_api_key: weatherKey })
       const result = await authApi.validateKeys()
       setValidation(result)
     } catch (err) {
@@ -129,6 +139,8 @@ export default function AdminPage() {
   const handleValidateKey = async (keyType) => {
     setValidating(prev => ({ ...prev, [keyType]: true }))
     try {
+      // Save first so validation uses the current values
+      await updateApiKeys({ maps_api_key: mapsKey, openweather_api_key: weatherKey })
       const result = await authApi.validateKeys()
       setValidation(prev => ({ ...prev, [keyType]: result[keyType] }))
     } catch (err) {
@@ -208,14 +220,36 @@ export default function AdminPage() {
             </div>
           </div>
 
+          {/* Demo Baseline Button */}
+          {demoMode && (
+            <div className="mb-6 p-4 bg-amber-50 border border-amber-200 rounded-xl flex items-center justify-between">
+              <div>
+                <p className="text-sm font-semibold text-amber-900">Demo Baseline</p>
+                <p className="text-xs text-amber-700">Save current state as the hourly reset point. All admin trips and settings will be preserved.</p>
+              </div>
+              <button
+                onClick={async () => {
+                  try {
+                    await adminApi.saveDemoBaseline()
+                    toast.success('Baseline saved! Resets will restore to this state.')
+                  } catch (e) {
+                    toast.error(e.response?.data?.error || 'Failed to save baseline')
+                  }
+                }}
+                className="px-4 py-2 bg-amber-600 text-white rounded-lg text-sm font-semibold hover:bg-amber-700 transition-colors flex-shrink-0 ml-4"
+              >
+                Save Baseline
+              </button>
+            </div>
+          )}
+
           {/* Stats */}
           {stats && (
-            <div className="grid grid-cols-2 sm:grid-cols-5 gap-4 mb-6">
+            <div className="grid grid-cols-2 sm:grid-cols-4 gap-4 mb-6">
               {[
                 { label: t('admin.stats.users'), value: stats.totalUsers, icon: Users },
                 { label: t('admin.stats.trips'), value: stats.totalTrips, icon: Briefcase },
                 { label: t('admin.stats.places'), value: stats.totalPlaces, icon: Map },
-                { label: t('admin.stats.photos'), value: stats.totalPhotos || 0, icon: Camera },
                 { label: t('admin.stats.files'), value: stats.totalFiles || 0, icon: FileText },
               ].map(({ label, value, icon: Icon }) => (
                 <div key={label} className="rounded-xl border p-4" style={{ background: 'var(--bg-card)', borderColor: 'var(--border-primary)' }}>
@@ -275,6 +309,7 @@ export default function AdminPage() {
                         <th className="px-5 py-3">{t('admin.table.email')}</th>
                         <th className="px-5 py-3">{t('admin.table.role')}</th>
                         <th className="px-5 py-3">{t('admin.table.created')}</th>
+                        <th className="px-5 py-3">{t('admin.table.lastLogin')}</th>
                         <th className="px-5 py-3 text-right">{t('admin.table.actions')}</th>
                       </tr>
                     </thead>
@@ -306,7 +341,10 @@ export default function AdminPage() {
                             </span>
                           </td>
                           <td className="px-5 py-3 text-sm text-slate-500">
-                            {new Date(u.created_at).toLocaleDateString('de-DE')}
+                            {new Date(u.created_at).toLocaleDateString(locale)}
+                          </td>
+                          <td className="px-5 py-3 text-sm text-slate-500">
+                            {u.last_login ? new Date(u.last_login).toLocaleDateString(locale, { day: 'numeric', month: 'short', hour: '2-digit', minute: '2-digit', hour12 }) : '—'}
                           </td>
                           <td className="px-5 py-3">
                             <div className="flex items-center gap-2 justify-end">
@@ -375,7 +413,10 @@ export default function AdminPage() {
                 <div className="p-6 space-y-4">
                   {/* Google Maps Key */}
                   <div>
-                    <label className="block text-sm font-medium text-slate-700 mb-1.5">{t('admin.mapsKey')}</label>
+                    <label className="flex items-center gap-2 text-sm font-medium text-slate-700 mb-1.5">
+                      {t('admin.mapsKey')}
+                      <span style={{ fontSize: 10, fontWeight: 500, padding: '1px 7px', borderRadius: 99, background: '#dbeafe', color: '#1d4ed8' }}>{t('admin.recommended')}</span>
+                    </label>
                     <div className="flex gap-2">
                       <div className="relative flex-1">
                         <input
@@ -408,7 +449,7 @@ export default function AdminPage() {
                         {t('admin.validateKey')}
                       </button>
                     </div>
-                    <p className="text-xs text-slate-400 mt-1">{t('admin.mapsKeyHint')}</p>
+                    <p className="text-xs text-slate-400 mt-1">{t('admin.mapsKeyHintLong')}</p>
                     {validation.maps === true && (
                       <p className="text-xs text-emerald-600 mt-1 flex items-center gap-1">
                         <span className="w-2 h-2 bg-emerald-500 rounded-full inline-block"></span>
@@ -483,6 +524,73 @@ export default function AdminPage() {
                   </button>
                 </div>
               </div>
+
+              {/* OIDC / SSO Configuration */}
+              <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
+                <div className="px-6 py-4 border-b border-slate-100">
+                  <h2 className="font-semibold text-slate-900">{t('admin.oidcTitle')}</h2>
+                  <p className="text-xs text-slate-400 mt-0.5">{t('admin.oidcSubtitle')}</p>
+                </div>
+                <div className="p-6 space-y-4">
+                  <div>
+                    <label className="block text-sm font-medium text-slate-700 mb-1.5">{t('admin.oidcDisplayName')}</label>
+                    <input
+                      type="text"
+                      value={oidcConfig.display_name}
+                      onChange={e => setOidcConfig(c => ({ ...c, display_name: e.target.value }))}
+                      placeholder='z.B. Google, Authentik, Keycloak'
+                      className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+                    />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-slate-700 mb-1.5">{t('admin.oidcIssuer')}</label>
+                    <input
+                      type="url"
+                      value={oidcConfig.issuer}
+                      onChange={e => setOidcConfig(c => ({ ...c, issuer: e.target.value }))}
+                      placeholder='https://accounts.google.com'
+                      className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+                    />
+                    <p className="text-xs text-slate-400 mt-1">{t('admin.oidcIssuerHint')}</p>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-slate-700 mb-1.5">Client ID</label>
+                    <input
+                      type="text"
+                      value={oidcConfig.client_id}
+                      onChange={e => setOidcConfig(c => ({ ...c, client_id: e.target.value }))}
+                      className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+                    />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-slate-700 mb-1.5">Client Secret</label>
+                    <input
+                      type="password"
+                      value={oidcConfig.client_secret}
+                      onChange={e => setOidcConfig(c => ({ ...c, client_secret: e.target.value }))}
+                      className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+                    />
+                  </div>
+                  <button
+                    onClick={async () => {
+                      setSavingOidc(true)
+                      try {
+                        await adminApi.updateOidc(oidcConfig)
+                        toast.success(t('admin.oidcSaved'))
+                      } catch (err) {
+                        toast.error(err.response?.data?.error || t('common.error'))
+                      } finally {
+                        setSavingOidc(false)
+                      }
+                    }}
+                    disabled={savingOidc}
+                    className="flex items-center gap-2 px-4 py-2 bg-slate-900 text-white rounded-lg text-sm hover:bg-slate-700 disabled:bg-slate-400"
+                  >
+                    {savingOidc ? <div className="w-4 h-4 border-2 border-white/30 border-t-white rounded-full animate-spin" /> : <Save className="w-4 h-4" />}
+                    {t('common.save')}
+                  </button>
+                </div>
+              </div>
             </div>
           )}
 

client/src/pages/DashboardPage.jsx

@@ -4,6 +4,7 @@ import { tripsApi } from '../api/client'
 import { useAuthStore } from '../store/authStore'
 import { useTranslation } from '../i18n'
 import Navbar from '../components/Layout/Navbar'
+import DemoBanner from '../components/Layout/DemoBanner'
 import TravelStats from '../components/Dashboard/TravelStats'
 import TripFormModal from '../components/Trips/TripFormModal'
 import { useToast } from '../components/shared/Toast'
@@ -348,6 +349,7 @@ export default function DashboardPage() {
   const navigate = useNavigate()
   const toast = useToast()
   const { t, locale } = useTranslation()
+  const { demoMode } = useAuthStore()
 
   useEffect(() => { loadTrips() }, [])
 
@@ -437,6 +439,7 @@ export default function DashboardPage() {
   return (
     <div style={{ minHeight: '100vh', background: 'var(--bg-secondary)', ...font }}>
       <Navbar />
+      {demoMode && <DemoBanner />}
       <div style={{ paddingTop: 56 }}>
         <div style={{ maxWidth: 1300, margin: '0 auto', padding: '32px 20px 60px' }}>
 

client/src/pages/LoginPage.jsx

@@ -4,7 +4,7 @@ import { useAuthStore } from '../store/authStore'
 import { useSettingsStore } from '../store/settingsStore'
 import { useTranslation } from '../i18n'
 import { authApi } from '../api/client'
-import { Plane, Eye, EyeOff, Mail, Lock, MapPin, Calendar, Package, User, Globe, Zap, Users, Wallet, Map, CheckSquare, BookMarked, FolderOpen, Route } from 'lucide-react'
+import { Plane, Eye, EyeOff, Mail, Lock, MapPin, Calendar, Package, User, Globe, Zap, Users, Wallet, Map, CheckSquare, BookMarked, FolderOpen, Route, Shield } from 'lucide-react'
 
 export default function LoginPage() {
   const { t, language } = useTranslation()
@@ -17,7 +17,7 @@ export default function LoginPage() {
   const [error, setError] = useState('')
   const [appConfig, setAppConfig] = useState(null)
 
-  const { login, register } = useAuthStore()
+  const { login, register, demoLogin } = useAuthStore()
   const { setLanguageLocal } = useSettingsStore()
   const navigate = useNavigate()
 
@@ -28,8 +28,43 @@ export default function LoginPage() {
         if (!config.has_users) setMode('register')
       }
     })
+
+    // Handle OIDC callback token
+    const params = new URLSearchParams(window.location.search)
+    const token = params.get('token')
+    const oidcError = params.get('oidc_error')
+    if (token) {
+      localStorage.setItem('auth_token', token)
+      window.history.replaceState({}, '', '/login')
+      login.__fromOidc = true
+      navigate('/dashboard')
+      window.location.reload()
+    }
+    if (oidcError) {
+      const errorMessages = {
+        registration_disabled: language === 'de' ? 'Registrierung ist deaktiviert. Kontaktiere den Administrator.' : 'Registration is disabled. Contact your administrator.',
+        no_email: language === 'de' ? 'Keine E-Mail vom Provider erhalten.' : 'No email received from provider.',
+        token_failed: language === 'de' ? 'Authentifizierung fehlgeschlagen.' : 'Authentication failed.',
+        invalid_state: language === 'de' ? 'Ungueltige Sitzung. Bitte erneut versuchen.' : 'Invalid session. Please try again.',
+      }
+      setError(errorMessages[oidcError] || oidcError)
+      window.history.replaceState({}, '', '/login')
+    }
   }, [])
 
+  const handleDemoLogin = async () => {
+    setError('')
+    setIsLoading(true)
+    try {
+      await demoLogin()
+      navigate('/dashboard')
+    } catch (err) {
+      setError(err.message || 'Demo-Login fehlgeschlagen')
+    } finally {
+      setIsLoading(false)
+    }
+  }
+
   const handleSubmit = async (e) => {
     e.preventDefault()
     setError('')
@@ -315,7 +350,7 @@ export default function LoginPage() {
             </form>
 
             {/* Toggle login/register */}
-            {showRegisterOption && appConfig?.has_users && (
+            {showRegisterOption && appConfig?.has_users && !appConfig?.demo_mode && (
               <p style={{ textAlign: 'center', marginTop: 16, fontSize: 13, color: '#9ca3af' }}>
                 {mode === 'login' ? t('login.noAccount') + ' ' : t('login.hasAccount') + ' '}
                 <button onClick={() => { setMode(m => m === 'login' ? 'register' : 'login'); setError('') }}
@@ -325,6 +360,53 @@ export default function LoginPage() {
               </p>
             )}
           </div>
+
+          {/* OIDC / SSO login button */}
+          {appConfig?.oidc_configured && (
+            <>
+              <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginTop: 16 }}>
+                <div style={{ flex: 1, height: 1, background: '#e5e7eb' }} />
+                <span style={{ fontSize: 12, color: '#9ca3af' }}>{language === 'de' ? 'oder' : 'or'}</span>
+                <div style={{ flex: 1, height: 1, background: '#e5e7eb' }} />
+              </div>
+              <a href="/api/auth/oidc/login"
+                style={{
+                  marginTop: 12, width: '100%', padding: '12px',
+                  background: 'white', color: '#374151',
+                  border: '1px solid #d1d5db', borderRadius: 12,
+                  fontSize: 14, fontWeight: 600, cursor: 'pointer',
+                  fontFamily: 'inherit', display: 'flex', alignItems: 'center', justifyContent: 'center', gap: 8,
+                  textDecoration: 'none', transition: 'all 0.15s',
+                  boxSizing: 'border-box',
+                }}
+                onMouseEnter={e => { e.currentTarget.style.background = '#f9fafb'; e.currentTarget.style.borderColor = '#9ca3af' }}
+                onMouseLeave={e => { e.currentTarget.style.background = 'white'; e.currentTarget.style.borderColor = '#d1d5db' }}
+              >
+                <Shield size={16} />
+                {language === 'de' ? `Anmelden mit ${appConfig.oidc_display_name}` : `Sign in with ${appConfig.oidc_display_name}`}
+              </a>
+            </>
+          )}
+
+          {/* Demo login button */}
+          {appConfig?.demo_mode && (
+            <button onClick={handleDemoLogin} disabled={isLoading}
+              style={{
+                marginTop: 16, width: '100%', padding: '14px',
+                background: 'linear-gradient(135deg, #f59e0b, #d97706)',
+                color: '#451a03', border: 'none', borderRadius: 14,
+                fontSize: 15, fontWeight: 700, cursor: isLoading ? 'default' : 'pointer',
+                fontFamily: 'inherit', display: 'flex', alignItems: 'center', justifyContent: 'center', gap: 10,
+                opacity: isLoading ? 0.7 : 1, transition: 'all 0.2s',
+                boxShadow: '0 2px 12px rgba(245, 158, 11, 0.3)',
+              }}
+              onMouseEnter={e => { if (!isLoading) e.currentTarget.style.transform = 'translateY(-1px)'; e.currentTarget.style.boxShadow = '0 4px 16px rgba(245, 158, 11, 0.4)' }}
+              onMouseLeave={e => { e.currentTarget.style.transform = 'translateY(0)'; e.currentTarget.style.boxShadow = '0 2px 12px rgba(245, 158, 11, 0.3)' }}
+            >
+              <Plane size={18} />
+              Demo ausprobieren — ohne Registrierung
+            </button>
+          )}
         </div>
       </div>
 

client/src/pages/SettingsPage.jsx

@@ -6,7 +6,8 @@ import { useTranslation } from '../i18n'
 import Navbar from '../components/Layout/Navbar'
 import CustomSelect from '../components/shared/CustomSelect'
 import { useToast } from '../components/shared/Toast'
-import { Save, Map, Palette, User, Moon, Sun, Shield, Camera, Trash2 } from 'lucide-react'
+import { Save, Map, Palette, User, Moon, Sun, Shield, Camera, Trash2, Lock } from 'lucide-react'
+import { authApi, adminApi } from '../api/client'
 
 const MAP_PRESETS = [
   { name: 'OpenStreetMap', url: 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png' },
@@ -31,7 +32,8 @@ function Section({ title, icon: Icon, children }) {
 }
 
 export default function SettingsPage() {
-  const { user, updateProfile, uploadAvatar, deleteAvatar } = useAuthStore()
+  const { user, updateProfile, uploadAvatar, deleteAvatar, logout } = useAuthStore()
+  const [showDeleteConfirm, setShowDeleteConfirm] = useState(false)
   const avatarInputRef = React.useRef(null)
   const { settings, updateSetting, updateSettings } = useSettingsStore()
   const { t, locale } = useTranslation()
@@ -52,6 +54,8 @@ export default function SettingsPage() {
   // Account
   const [username, setUsername] = useState(user?.username || '')
   const [email, setEmail] = useState(user?.email || '')
+  const [newPassword, setNewPassword] = useState('')
+  const [confirmPassword, setConfirmPassword] = useState('')
 
   useEffect(() => {
     setMapTileUrl(settings.map_tile_url || '')
@@ -344,76 +348,244 @@ export default function SettingsPage() {
               />
             </div>
 
+            {/* Change Password */}
+            <div style={{ paddingTop: 8, marginTop: 8, borderTop: '1px solid var(--border-secondary)' }}>
+              <label className="block text-sm font-medium text-slate-700 mb-3">{t('settings.changePassword')}</label>
+              <div className="space-y-3">
+                <input
+                  type="password"
+                  value={newPassword}
+                  onChange={e => setNewPassword(e.target.value)}
+                  placeholder={t('settings.newPassword')}
+                  className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+                />
+                <input
+                  type="password"
+                  value={confirmPassword}
+                  onChange={e => setConfirmPassword(e.target.value)}
+                  placeholder={t('settings.confirmPassword')}
+                  className="w-full px-3 py-2 border border-slate-300 rounded-lg text-sm focus:ring-2 focus:ring-slate-400 focus:border-transparent"
+                />
+                <button
+                  onClick={async () => {
+                    if (!newPassword) return toast.error(t('settings.passwordRequired'))
+                    if (newPassword.length < 8) return toast.error(t('settings.passwordTooShort'))
+                    if (newPassword !== confirmPassword) return toast.error(t('settings.passwordMismatch'))
+                    try {
+                      await authApi.changePassword({ new_password: newPassword })
+                      toast.success(t('settings.passwordChanged'))
+                      setNewPassword(''); setConfirmPassword('')
+                    } catch (err) {
+                      toast.error(err.response?.data?.error || t('common.error'))
+                    }
+                  }}
+                  className="flex items-center gap-2 px-4 py-2 rounded-lg text-sm font-medium transition-colors"
+                  style={{ border: '1px solid var(--border-primary)', background: 'var(--bg-card)', color: 'var(--text-secondary)' }}
+                  onMouseEnter={e => e.currentTarget.style.background = 'var(--bg-hover)'}
+                  onMouseLeave={e => e.currentTarget.style.background = 'var(--bg-card)'}
+                >
+                  <Lock size={14} />
+                  {t('settings.updatePassword')}
+                </button>
+              </div>
+            </div>
+
             <div className="flex items-center gap-4">
-              {user?.avatar_url ? (
-                <img src={user.avatar_url} alt="" style={{ width: 64, height: 64, borderRadius: '50%', objectFit: 'cover', flexShrink: 0 }} />
-              ) : (
-                <div style={{
-                  width: 64, height: 64, borderRadius: '50%', flexShrink: 0,
-                  display: 'flex', alignItems: 'center', justifyContent: 'center',
-                  fontSize: 24, fontWeight: 700,
-                  background: 'var(--bg-hover)', color: 'var(--text-secondary)',
-                }}>
-                  {user?.username?.charAt(0).toUpperCase()}
-                </div>
-              )}
-              <div className="flex flex-col gap-2">
+              <div style={{ position: 'relative', flexShrink: 0 }}>
+                {user?.avatar_url ? (
+                  <img src={user.avatar_url} alt="" style={{ width: 64, height: 64, borderRadius: '50%', objectFit: 'cover' }} />
+                ) : (
+                  <div style={{
+                    width: 64, height: 64, borderRadius: '50%',
+                    display: 'flex', alignItems: 'center', justifyContent: 'center',
+                    fontSize: 24, fontWeight: 700,
+                    background: 'var(--bg-hover)', color: 'var(--text-secondary)',
+                  }}>
+                    {user?.username?.charAt(0).toUpperCase()}
+                  </div>
+                )}
+                <input
+                  ref={avatarInputRef}
+                  type="file"
+                  accept="image/*"
+                  onChange={handleAvatarUpload}
+                  style={{ display: 'none' }}
+                />
+                <button
+                  onClick={() => avatarInputRef.current?.click()}
+                  style={{
+                    position: 'absolute', bottom: -3, right: -3,
+                    width: 28, height: 28, borderRadius: '50%',
+                    background: 'var(--text-primary)', color: 'var(--bg-card)',
+                    border: '2px solid var(--bg-card)',
+                    display: 'flex', alignItems: 'center', justifyContent: 'center',
+                    cursor: 'pointer', padding: 0, transition: 'transform 0.15s, opacity 0.15s',
+                  }}
+                  onMouseEnter={e => { e.currentTarget.style.transform = 'scale(1.15)'; e.currentTarget.style.opacity = '0.85' }}
+                  onMouseLeave={e => { e.currentTarget.style.transform = 'scale(1)'; e.currentTarget.style.opacity = '1' }}
+                >
+                  <Camera size={14} />
+                </button>
+                {user?.avatar_url && (
+                  <button
+                    onClick={handleAvatarRemove}
+                    style={{
+                      position: 'absolute', top: -2, right: -2,
+                      width: 20, height: 20, borderRadius: '50%',
+                      background: '#ef4444', color: 'white',
+                      border: '2px solid var(--bg-card)',
+                      display: 'flex', alignItems: 'center', justifyContent: 'center',
+                      cursor: 'pointer', padding: 0,
+                    }}
+                  >
+                    <Trash2 size={10} />
+                  </button>
+                )}
+              </div>
+              <div className="flex flex-col gap-1">
                 <div className="text-sm" style={{ color: 'var(--text-muted)' }}>
                   <span className="font-medium" style={{ display: 'inline-flex', alignItems: 'center', gap: 4, color: 'var(--text-secondary)' }}>
                     {user?.role === 'admin' ? <><Shield size={13} /> {t('settings.roleAdmin')}</> : t('settings.roleUser')}
                   </span>
-                </div>
-                <div className="flex items-center gap-2">
-                  <input
-                    ref={avatarInputRef}
-                    type="file"
-                    accept="image/*"
-                    onChange={handleAvatarUpload}
-                    style={{ display: 'none' }}
-                  />
-                  <button
-                    onClick={() => avatarInputRef.current?.click()}
-                    className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-xs font-medium transition-colors"
-                    style={{
-                      border: '1px solid var(--border-primary)',
-                      background: 'var(--bg-card)',
-                      color: 'var(--text-secondary)',
-                    }}
-                    onMouseEnter={e => e.currentTarget.style.background = 'var(--bg-hover)'}
-                    onMouseLeave={e => e.currentTarget.style.background = 'var(--bg-card)'}
-                  >
-                    <Camera size={14} />
-                    {t('settings.uploadAvatar')}
-                  </button>
-                  {user?.avatar_url && (
-                    <button
-                      onClick={handleAvatarRemove}
-                      className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-xs font-medium transition-colors"
-                      style={{
-                        border: '1px solid var(--border-primary)',
-                        background: 'var(--bg-card)',
-                        color: '#ef4444',
-                      }}
-                      onMouseEnter={e => e.currentTarget.style.background = 'var(--bg-hover)'}
-                      onMouseLeave={e => e.currentTarget.style.background = 'var(--bg-card)'}
-                    >
-                      <Trash2 size={14} />
-                      {t('settings.removeAvatar')}
-                    </button>
+                  {user?.oidc_issuer && (
+                    <span style={{
+                      display: 'inline-flex', alignItems: 'center', gap: 4,
+                      fontSize: 10, fontWeight: 500, padding: '1px 8px', borderRadius: 99,
+                      background: '#dbeafe', color: '#1d4ed8', marginLeft: 6,
+                    }}>
+                      SSO
+                    </span>
                   )}
                 </div>
+                {user?.oidc_issuer && (
+                  <p style={{ fontSize: 11, color: 'var(--text-faint)', marginTop: -2 }}>
+                    {t('settings.oidcLinked')} {user.oidc_issuer.replace('https://', '').replace(/\/+$/, '')}
+                  </p>
+                )}
               </div>
             </div>
 
-            <button
-              onClick={saveProfile}
-              disabled={saving.profile}
-              className="flex items-center gap-2 px-4 py-2 bg-slate-900 text-white rounded-lg text-sm hover:bg-slate-700 disabled:bg-slate-400"
-            >
-              {saving.profile ? <div className="w-4 h-4 border-2 border-white/30 border-t-white rounded-full animate-spin" /> : <Save className="w-4 h-4" />}
-              {t('settings.saveProfile')}
-            </button>
+            <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginTop: 12 }}>
+              <button
+                onClick={saveProfile}
+                disabled={saving.profile}
+                className="flex items-center gap-2 px-4 py-2 bg-slate-900 text-white rounded-lg text-sm hover:bg-slate-700 disabled:bg-slate-400"
+              >
+                {saving.profile ? <div className="w-4 h-4 border-2 border-white/30 border-t-white rounded-full animate-spin" /> : <Save className="w-4 h-4" />}
+                {t('settings.saveProfile')}
+              </button>
+              <button
+                onClick={async () => {
+                  if (user?.role === 'admin') {
+                    try {
+                      const data = await adminApi.stats()
+                      const adminUsers = (await adminApi.users()).users.filter(u => u.role === 'admin')
+                      if (adminUsers.length <= 1) {
+                        setShowDeleteConfirm('blocked')
+                        return
+                      }
+                    } catch {}
+                  }
+                  setShowDeleteConfirm(true)
+                }}
+                className="flex items-center gap-2 px-4 py-2 rounded-lg text-sm font-medium transition-colors text-red-500 hover:bg-red-50"
+                style={{ border: '1px solid #fecaca' }}
+              >
+                <Trash2 size={14} />
+                {t('settings.deleteAccount')}
+              </button>
+            </div>
           </Section>
+
+          {/* Delete Account Confirmation */}
+          {showDeleteConfirm === 'blocked' && (
+            <div style={{
+              position: 'fixed', inset: 0, zIndex: 9999,
+              background: 'rgba(0,0,0,0.5)', backdropFilter: 'blur(4px)',
+              display: 'flex', alignItems: 'center', justifyContent: 'center', padding: 24,
+            }} onClick={() => setShowDeleteConfirm(false)}>
+              <div style={{
+                background: 'var(--bg-card)', borderRadius: 16, padding: '28px 24px',
+                maxWidth: 400, width: '100%', boxShadow: '0 20px 60px rgba(0,0,0,0.3)',
+              }} onClick={e => e.stopPropagation()}>
+                <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
+                  <div style={{ width: 36, height: 36, borderRadius: 10, background: '#fef3c7', display: 'flex', alignItems: 'center', justifyContent: 'center' }}>
+                    <Shield size={18} style={{ color: '#d97706' }} />
+                  </div>
+                  <h3 style={{ margin: 0, fontSize: 16, fontWeight: 700, color: 'var(--text-primary)' }}>{t('settings.deleteBlockedTitle')}</h3>
+                </div>
+                <p style={{ fontSize: 13, color: 'var(--text-muted)', lineHeight: 1.6, margin: '0 0 20px' }}>
+                  {t('settings.deleteBlockedMessage')}
+                </p>
+                <div style={{ display: 'flex', justifyContent: 'flex-end' }}>
+                  <button
+                    onClick={() => setShowDeleteConfirm(false)}
+                    style={{
+                      padding: '8px 16px', borderRadius: 8, fontSize: 13, fontWeight: 500,
+                      border: '1px solid var(--border-primary)', background: 'var(--bg-card)', color: 'var(--text-secondary)',
+                      cursor: 'pointer', fontFamily: 'inherit',
+                    }}
+                  >
+                    {t('common.ok') || 'OK'}
+                  </button>
+                </div>
+              </div>
+            </div>
+          )}
+
+          {showDeleteConfirm === true && (
+            <div style={{
+              position: 'fixed', inset: 0, zIndex: 9999,
+              background: 'rgba(0,0,0,0.5)', backdropFilter: 'blur(4px)',
+              display: 'flex', alignItems: 'center', justifyContent: 'center', padding: 24,
+            }} onClick={() => setShowDeleteConfirm(false)}>
+              <div style={{
+                background: 'var(--bg-card)', borderRadius: 16, padding: '28px 24px',
+                maxWidth: 400, width: '100%', boxShadow: '0 20px 60px rgba(0,0,0,0.3)',
+              }} onClick={e => e.stopPropagation()}>
+                <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
+                  <div style={{ width: 36, height: 36, borderRadius: 10, background: '#fef2f2', display: 'flex', alignItems: 'center', justifyContent: 'center' }}>
+                    <Trash2 size={18} style={{ color: '#ef4444' }} />
+                  </div>
+                  <h3 style={{ margin: 0, fontSize: 16, fontWeight: 700, color: 'var(--text-primary)' }}>{t('settings.deleteAccountTitle')}</h3>
+                </div>
+                <p style={{ fontSize: 13, color: 'var(--text-muted)', lineHeight: 1.6, margin: '0 0 20px' }}>
+                  {t('settings.deleteAccountWarning')}
+                </p>
+                <div style={{ display: 'flex', justifyContent: 'flex-end', gap: 8 }}>
+                  <button
+                    onClick={() => setShowDeleteConfirm(false)}
+                    style={{
+                      padding: '8px 16px', borderRadius: 8, fontSize: 13, fontWeight: 500,
+                      border: '1px solid var(--border-primary)', background: 'var(--bg-card)', color: 'var(--text-secondary)',
+                      cursor: 'pointer', fontFamily: 'inherit',
+                    }}
+                  >
+                    {t('common.cancel')}
+                  </button>
+                  <button
+                    onClick={async () => {
+                      try {
+                        await authApi.deleteOwnAccount()
+                        logout()
+                        navigate('/login')
+                      } catch (err) {
+                        toast.error(err.response?.data?.error || t('common.error'))
+                        setShowDeleteConfirm(false)
+                      }
+                    }}
+                    style={{
+                      padding: '8px 16px', borderRadius: 8, fontSize: 13, fontWeight: 600,
+                      border: 'none', background: '#ef4444', color: 'white',
+                      cursor: 'pointer', fontFamily: 'inherit',
+                    }}
+                  >
+                    {t('settings.deleteAccountConfirm')}
+                  </button>
+                </div>
+              </div>
+            </div>
+          )}
         </div>
       </div>
     </div>

client/src/store/authStore.js

@@ -8,6 +8,8 @@ export const useAuthStore = create((set, get) => ({
   isAuthenticated: !!localStorage.getItem('auth_token'),
   isLoading: false,
   error: null,
+  demoMode: localStorage.getItem('demo_mode') === 'true',
+  hasMapsKey: false,
 
   login: async (email, password) => {
     set({ isLoading: true, error: null })
@@ -129,4 +131,34 @@ export const useAuthStore = create((set, get) => ({
     await authApi.deleteAvatar()
     set(state => ({ user: { ...state.user, avatar_url: null } }))
   },
+
+  setDemoMode: (val) => {
+    if (val) localStorage.setItem('demo_mode', 'true')
+    else localStorage.removeItem('demo_mode')
+    set({ demoMode: val })
+  },
+
+  setHasMapsKey: (val) => set({ hasMapsKey: val }),
+
+  demoLogin: async () => {
+    set({ isLoading: true, error: null })
+    try {
+      const data = await authApi.demoLogin()
+      localStorage.setItem('auth_token', data.token)
+      set({
+        user: data.user,
+        token: data.token,
+        isAuthenticated: true,
+        isLoading: false,
+        demoMode: true,
+        error: null,
+      })
+      connect(data.token)
+      return data
+    } catch (err) {
+      const error = err.response?.data?.error || 'Demo-Login fehlgeschlagen'
+      set({ isLoading: false, error })
+      throw new Error(error)
+    }
+  },
 }))

server/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "nomad-server",
-  "version": "2.0.0",
+  "version": "2.3.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "nomad-server",
-      "version": "2.0.0",
+      "version": "2.3.4",
       "dependencies": {
         "archiver": "^6.0.1",
         "bcryptjs": "^2.4.3",

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nomad-server",
-  "version": "2.0.0",
+  "version": "2.4.0",
   "main": "src/index.js",
   "scripts": {
     "start": "node --experimental-sqlite src/index.js",

server/src/db/database.js

@@ -250,6 +250,9 @@ function initDb() {
     `ALTER TABLE trips ADD COLUMN is_archived INTEGER DEFAULT 0`,
     `ALTER TABLE categories ADD COLUMN user_id INTEGER REFERENCES users(id) ON DELETE SET NULL`,
     `ALTER TABLE users ADD COLUMN avatar TEXT`,
+    `ALTER TABLE users ADD COLUMN oidc_sub TEXT`,
+    `ALTER TABLE users ADD COLUMN oidc_issuer TEXT`,
+    `ALTER TABLE users ADD COLUMN last_login DATETIME`,
   ];
 
   // Recreate budget_items to allow NULL persons (SQLite can't ALTER NOT NULL)
@@ -309,6 +312,16 @@ function initDb() {
 // Initialize on module load
 initDb();
 
+// Demo mode: seed admin + demo user + example trips
+if (process.env.DEMO_MODE === 'true') {
+  try {
+    const { seedDemoData } = require('../demo/demo-seed');
+    seedDemoData(_db);
+  } catch (err) {
+    console.error('[Demo] Seed error:', err.message);
+  }
+}
+
 // Proxy so all route modules always use the current _db instance
 // without needing a server restart after reinitialize()
 const db = new Proxy({}, {

server/src/demo/demo-reset.js

@@ -0,0 +1,84 @@
+const fs = require('fs');
+const path = require('path');
+
+const dataDir = path.join(__dirname, '../../data');
+const dbPath = path.join(dataDir, 'travel.db');
+const baselinePath = path.join(dataDir, 'travel-baseline.db');
+
+function resetDemoUser() {
+  if (!fs.existsSync(baselinePath)) {
+    console.log('[Demo Reset] No baseline found, skipping. Admin must save baseline first.');
+    return;
+  }
+
+  const { db, closeDb, reinitialize } = require('../db/database');
+
+  // Save admin's current credentials and API keys (these should survive the reset)
+  const adminEmail = process.env.DEMO_ADMIN_EMAIL || 'admin@nomad.app';
+  let adminData = null;
+  try {
+    adminData = db.prepare(
+      'SELECT password_hash, maps_api_key, openweather_api_key, unsplash_api_key, avatar FROM users WHERE email = ?'
+    ).get(adminEmail);
+  } catch (e) {
+    console.error('[Demo Reset] Failed to read admin data:', e.message);
+  }
+
+  // Flush WAL to main DB file
+  try { db.exec('PRAGMA wal_checkpoint(TRUNCATE)'); } catch (e) {}
+
+  // Close DB connection
+  closeDb();
+
+  // Restore baseline
+  try {
+    fs.copyFileSync(baselinePath, dbPath);
+    // Remove WAL/SHM files if they exist (stale from old connection)
+    try { fs.unlinkSync(dbPath + '-wal'); } catch (e) {}
+    try { fs.unlinkSync(dbPath + '-shm'); } catch (e) {}
+  } catch (e) {
+    console.error('[Demo Reset] Failed to restore baseline:', e.message);
+    reinitialize();
+    return;
+  }
+
+  // Reinitialize DB connection with restored baseline
+  reinitialize();
+
+  // Restore admin's latest credentials (in case admin changed password/API keys after baseline was saved)
+  if (adminData) {
+    try {
+      const { db: freshDb } = require('../db/database');
+      freshDb.prepare(
+        'UPDATE users SET password_hash = ?, maps_api_key = ?, openweather_api_key = ?, unsplash_api_key = ?, avatar = ? WHERE email = ?'
+      ).run(
+        adminData.password_hash,
+        adminData.maps_api_key,
+        adminData.openweather_api_key,
+        adminData.unsplash_api_key,
+        adminData.avatar,
+        adminEmail
+      );
+    } catch (e) {
+      console.error('[Demo Reset] Failed to restore admin credentials:', e.message);
+    }
+  }
+
+  console.log('[Demo Reset] Database restored from baseline');
+}
+
+function saveBaseline() {
+  const { db } = require('../db/database');
+
+  // Flush WAL so baseline file is self-contained
+  try { db.exec('PRAGMA wal_checkpoint(TRUNCATE)'); } catch (e) {}
+
+  fs.copyFileSync(dbPath, baselinePath);
+  console.log('[Demo] Baseline saved');
+}
+
+function hasBaseline() {
+  return fs.existsSync(baselinePath);
+}
+
+module.exports = { resetDemoUser, saveBaseline, hasBaseline };

server/src/demo/demo-seed.js

@@ -0,0 +1,248 @@
+const bcrypt = require('bcryptjs');
+
+function seedDemoData(db) {
+  const ADMIN_USER = process.env.DEMO_ADMIN_USER || 'admin';
+  const ADMIN_EMAIL = process.env.DEMO_ADMIN_EMAIL || 'admin@nomad.app';
+  const ADMIN_PASS = process.env.DEMO_ADMIN_PASS || 'admin12345';
+  const DEMO_EMAIL = 'demo@nomad.app';
+  const DEMO_PASS = 'demo12345';
+
+  // Create admin user if not exists
+  let admin = db.prepare('SELECT id FROM users WHERE email = ?').get(ADMIN_EMAIL);
+  if (!admin) {
+    const hash = bcrypt.hashSync(ADMIN_PASS, 10);
+    const r = db.prepare('INSERT INTO users (username, email, password_hash, role) VALUES (?, ?, ?, ?)').run(ADMIN_USER, ADMIN_EMAIL, hash, 'admin');
+    admin = { id: Number(r.lastInsertRowid) };
+    console.log('[Demo] Admin user created');
+  } else {
+    admin.id = Number(admin.id);
+  }
+
+  // Create demo user if not exists
+  let demo = db.prepare('SELECT id FROM users WHERE email = ?').get(DEMO_EMAIL);
+  if (!demo) {
+    const hash = bcrypt.hashSync(DEMO_PASS, 10);
+    const r = db.prepare('INSERT INTO users (username, email, password_hash, role) VALUES (?, ?, ?, ?)').run('demo', DEMO_EMAIL, hash, 'user');
+    demo = { id: Number(r.lastInsertRowid) };
+    console.log('[Demo] Demo user created');
+  } else {
+    demo.id = Number(demo.id);
+  }
+
+  // Disable registration in demo mode
+  db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES ('allow_registration', 'false')").run();
+
+  // Check if admin already has example trips
+  const adminTrips = db.prepare('SELECT COUNT(*) as count FROM trips WHERE user_id = ?').get(admin.id);
+  if (adminTrips.count > 0) {
+    console.log('[Demo] Example trips already exist, ensuring demo membership');
+    ensureDemoMembership(db, admin.id, demo.id);
+    return { adminId: admin.id, demoId: demo.id };
+  }
+
+  console.log('[Demo] Seeding example trips...');
+  seedExampleTrips(db, admin.id, demo.id);
+
+  // Auto-save baseline after first seed
+  const { saveBaseline, hasBaseline } = require('./demo-reset');
+  if (!hasBaseline()) {
+    saveBaseline();
+  }
+
+  return { adminId: admin.id, demoId: demo.id };
+}
+
+function ensureDemoMembership(db, adminId, demoId) {
+  const trips = db.prepare('SELECT id FROM trips WHERE user_id = ?').all(adminId);
+  const insertMember = db.prepare('INSERT OR IGNORE INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)');
+  for (const trip of trips) {
+    insertMember.run(trip.id, demoId, adminId);
+  }
+}
+
+function seedExampleTrips(db, adminId, demoId) {
+  const insertTrip = db.prepare('INSERT INTO trips (user_id, title, description, start_date, end_date, currency) VALUES (?, ?, ?, ?, ?, ?)');
+  const insertDay = db.prepare('INSERT INTO days (trip_id, day_number, date) VALUES (?, ?, ?)');
+  const insertPlace = db.prepare('INSERT INTO places (trip_id, name, lat, lng, address, category_id, place_time, duration_minutes, notes, image_url) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
+  const insertAssignment = db.prepare('INSERT INTO day_assignments (day_id, place_id, order_index) VALUES (?, ?, ?)');
+  const insertPacking = db.prepare('INSERT INTO packing_items (trip_id, name, checked, category, sort_order) VALUES (?, ?, ?, ?, ?)');
+  const insertBudget = db.prepare('INSERT INTO budget_items (trip_id, category, name, total_price, persons, note) VALUES (?, ?, ?, ?, ?, ?)');
+  const insertReservation = db.prepare('INSERT INTO reservations (trip_id, day_id, title, reservation_time, confirmation_number, status, type, location) VALUES (?, ?, ?, ?, ?, ?, ?, ?)');
+  const insertMember = db.prepare('INSERT OR IGNORE INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)');
+
+  // ─── Trip 1: Tokyo & Kyoto ───
+  const trip1 = insertTrip.run(adminId, 'Tokyo & Kyoto', 'Zwei Wochen Japan — von den neonbeleuchteten Strassen Tokyos bis zu den stillen Tempeln Kyotos.', '2026-04-15', '2026-04-21', 'EUR');
+  const t1 = Number(trip1.lastInsertRowid);
+
+  const t1days = [];
+  for (let i = 0; i < 7; i++) {
+    const d = insertDay.run(t1, i + 1, `2026-04-${15 + i}`);
+    t1days.push(Number(d.lastInsertRowid));
+  }
+
+  // Places — cat IDs: 1=Hotel, 2=Restaurant, 3=Sehenswuerdigkeit, 5=Transport, 7=Bar/Cafe, 9=Natur
+  const t1places = [
+    [t1, 'Hotel Shinjuku Granbell', 35.6938, 139.7035, 'Shinjuku, Tokyo, Japan', 1, '15:00', 60, 'Check-in ab 15 Uhr. Nahe Shinjuku Station.', null],
+    [t1, 'Senso-ji Tempel', 35.7148, 139.7967, 'Asakusa, Tokyo, Japan', 3, '09:00', 90, 'Aeltester Tempel Tokyos. Morgens weniger Touristen.', null],
+    [t1, 'Shibuya Crossing', 35.6595, 139.7004, 'Shibuya, Tokyo, Japan', 3, '18:00', 45, 'Die beruehmteste Kreuzung der Welt. Abends am beeindruckendsten.', null],
+    [t1, 'Tsukiji Outer Market', 35.6654, 139.7707, 'Tsukiji, Tokyo, Japan', 2, '08:00', 120, 'Frisches Sushi zum Fruehstueck! Strassenstaende erkunden.', null],
+    [t1, 'Meiji-Schrein', 35.6764, 139.6993, 'Shibuya, Tokyo, Japan', 3, '10:00', 75, 'Ruhige Oase mitten in der Stadt. Durch den Wald zum Schrein.', null],
+    [t1, 'Akihabara', 35.7023, 139.7745, 'Akihabara, Tokyo, Japan', 3, '14:00', 180, 'Electric Town — Anime, Manga, Elektronik. Retro-Gaming Shops!', null],
+    [t1, 'Shinkansen nach Kyoto', 35.6812, 139.7671, 'Tokyo Station, Japan', 5, '08:30', 140, 'Nozomi Shinkansen, ca. 2h15. Fensterplatz fuer Fuji-Blick!', null],
+    [t1, 'Hotel Granvia Kyoto', 34.9856, 135.7580, 'Kyoto Station, Kyoto, Japan', 1, '14:00', 60, 'Direkt am Bahnhof. Perfekte Lage fuer Tagesausfluege.', null],
+    [t1, 'Fushimi Inari Taisha', 34.9671, 135.7727, 'Fushimi, Kyoto, Japan', 3, '07:00', 150, '10.000 rote Torii-Tore. Frueh morgens starten fuer leere Wege!', null],
+    [t1, 'Kinkaku-ji (Goldener Pavillon)', 35.0394, 135.7292, 'Kita, Kyoto, Japan', 3, '10:00', 60, 'Der goldene Tempel am See. Ikonisches Fotomotiv.', null],
+    [t1, 'Arashiyama Bambushain', 35.0095, 135.6673, 'Arashiyama, Kyoto, Japan', 9, '09:00', 90, 'Magischer Bambuswald. Am besten morgens vor den Massen.', null],
+    [t1, 'Nishiki Market', 35.0050, 135.7647, 'Nakagyo, Kyoto, Japan', 2, '12:00', 90, 'Kyotos Kuechengasse. Matcha-Eis und frische Mochi probieren!', null],
+    [t1, 'Gion Viertel', 35.0037, 135.7755, 'Gion, Kyoto, Japan', 3, '17:00', 120, 'Historisches Geisha-Viertel. Abends beste Chance auf Maiko-Sichtung.', null],
+  ];
+
+  const t1pIds = t1places.map(p => Number(insertPlace.run(...p).lastInsertRowid));
+
+  // Assign places to days
+  // Day 1: Hotel Check-in, Shibuya
+  insertAssignment.run(t1days[0], t1pIds[0], 0);
+  insertAssignment.run(t1days[0], t1pIds[2], 1);
+  // Day 2: Tsukiji, Senso-ji, Akihabara
+  insertAssignment.run(t1days[1], t1pIds[3], 0);
+  insertAssignment.run(t1days[1], t1pIds[1], 1);
+  insertAssignment.run(t1days[1], t1pIds[5], 2);
+  // Day 3: Meiji-Schrein, free afternoon
+  insertAssignment.run(t1days[2], t1pIds[4], 0);
+  // Day 4: Shinkansen to Kyoto, Hotel
+  insertAssignment.run(t1days[3], t1pIds[6], 0);
+  insertAssignment.run(t1days[3], t1pIds[7], 1);
+  // Day 5: Fushimi Inari, Nishiki Market
+  insertAssignment.run(t1days[4], t1pIds[8], 0);
+  insertAssignment.run(t1days[4], t1pIds[11], 1);
+  // Day 6: Kinkaku-ji, Arashiyama
+  insertAssignment.run(t1days[5], t1pIds[9], 0);
+  insertAssignment.run(t1days[5], t1pIds[10], 1);
+  // Day 7: Gion
+  insertAssignment.run(t1days[6], t1pIds[12], 0);
+
+  // Packing
+  const t1packing = [
+    ['Reisepass', 1, 'Dokumente', 0], ['Japan Rail Pass', 1, 'Dokumente', 1],
+    ['Adapter Typ A/B', 0, 'Elektronik', 2], ['Kamera + Ladegeraet', 0, 'Elektronik', 3],
+    ['Bequeme Laufschuhe', 0, 'Kleidung', 4], ['Regenjacke', 0, 'Kleidung', 5],
+    ['Sonnencreme', 0, 'Hygiene', 6], ['Reiseapotheke', 0, 'Hygiene', 7],
+    ['Pocket WiFi Bestaetigung', 1, 'Elektronik', 8], ['Yen Bargeld', 0, 'Dokumente', 9],
+  ];
+  t1packing.forEach(p => insertPacking.run(t1, ...p));
+
+  // Budget
+  insertBudget.run(t1, 'Unterkunft', 'Hotel Shinjuku (3 Naechte)', 450, 2, 'Doppelzimmer');
+  insertBudget.run(t1, 'Unterkunft', 'Hotel Granvia Kyoto (4 Naechte)', 680, 2, 'Superior Room');
+  insertBudget.run(t1, 'Transport', 'Fluege FRA-NRT', 1200, 2, 'Lufthansa Direktflug');
+  insertBudget.run(t1, 'Transport', 'Japan Rail Pass (7 Tage)', 380, 2, 'Ordinaer');
+  insertBudget.run(t1, 'Essen', 'Tagesbudget Essen', 350, 2, 'Ca. 50 EUR/Tag');
+  insertBudget.run(t1, 'Aktivitaeten', 'Tempel-Eintritte & Erlebnisse', 120, 2, null);
+
+  // Reservations
+  insertReservation.run(t1, t1days[0], 'Hotel Shinjuku Check-in', '15:00', 'SG-2026-78432', 'confirmed', 'hotel', 'Shinjuku, Tokyo');
+  insertReservation.run(t1, t1days[3], 'Shinkansen Tokyo → Kyoto', '08:30', 'JR-NOZOMI-445', 'confirmed', 'transport', 'Tokyo Station');
+
+  // Share with demo user
+  insertMember.run(t1, demoId, adminId);
+
+  // ─── Trip 2: Barcelona Citytrip ───
+  const trip2 = insertTrip.run(adminId, 'Barcelona Citytrip', 'Gaudi, Tapas und Meerblick — ein langes Wochenende in Kataloniens Hauptstadt.', '2026-05-21', '2026-05-24', 'EUR');
+  const t2 = Number(trip2.lastInsertRowid);
+
+  const t2days = [];
+  for (let i = 0; i < 4; i++) {
+    const d = insertDay.run(t2, i + 1, `2026-05-${21 + i}`);
+    t2days.push(Number(d.lastInsertRowid));
+  }
+
+  const t2places = [
+    [t2, 'Hotel W Barcelona', 41.3686, 2.1920, 'Barceloneta, Barcelona, Spain', 1, '14:00', 60, 'Direkt am Strand. Rooftop-Bar mit Panorama!', null],
+    [t2, 'Sagrada Familia', 41.4036, 2.1744, 'Eixample, Barcelona, Spain', 3, '10:00', 120, 'Gaudis Meisterwerk. Tickets unbedingt vorher online buchen!', null],
+    [t2, 'Park Gueell', 41.4145, 2.1527, 'Gracia, Barcelona, Spain', 3, '09:00', 90, 'Mosaik-Terrasse mit Stadtblick. Frueh buchen fuer Monumental Zone.', null],
+    [t2, 'La Boqueria', 41.3816, 2.1717, 'La Rambla, Barcelona, Spain', 2, '12:00', 75, 'Beruehmter Markt an der Rambla. Frischer Saft und Jamon Iberico!', null],
+    [t2, 'Barceloneta Beach', 41.3784, 2.1925, 'Barceloneta, Barcelona, Spain', 8, '16:00', 120, 'Stadtstrand zum Entspannen nach dem Sightseeing.', null],
+    [t2, 'Barri Gotic', 41.3834, 2.1762, 'Ciutat Vella, Barcelona, Spain', 3, '15:00', 90, 'Mittelalterliche Gassen. Kathedrale und Placa Reial entdecken.', null],
+    [t2, 'Casa Batllo', 41.3916, 2.1650, 'Passeig de Gracia, Barcelona, Spain', 3, '11:00', 75, 'Gaudis Drachen-Haus. Die Fassade allein ist schon ein Erlebnis.', null],
+    [t2, 'El Born & Tapas', 41.3856, 2.1825, 'El Born, Barcelona, Spain', 7, '20:00', 120, 'Trendviertel mit den besten Tapas-Bars. Cal Pep oder El Xampanyet!', null],
+  ];
+
+  const t2pIds = t2places.map(p => Number(insertPlace.run(...p).lastInsertRowid));
+
+  // Day 1: Arrival, Beach, El Born
+  insertAssignment.run(t2days[0], t2pIds[0], 0);
+  insertAssignment.run(t2days[0], t2pIds[4], 1);
+  insertAssignment.run(t2days[0], t2pIds[7], 2);
+  // Day 2: Sagrada Familia, Casa Batllo, La Boqueria
+  insertAssignment.run(t2days[1], t2pIds[1], 0);
+  insertAssignment.run(t2days[1], t2pIds[6], 1);
+  insertAssignment.run(t2days[1], t2pIds[3], 2);
+  // Day 3: Park Gueell, Barri Gotic
+  insertAssignment.run(t2days[2], t2pIds[2], 0);
+  insertAssignment.run(t2days[2], t2pIds[5], 1);
+  // Day 4: Free morning, departure
+  insertAssignment.run(t2days[3], t2pIds[4], 0);
+
+  // Packing
+  ['Reisepass', 'Sonnencreme SPF50', 'Badehose/Bikini', 'Sonnenbrille', 'Bequeme Sandalen', 'Strandtuch'].forEach((name, i) => {
+    insertPacking.run(t2, name, 0, i < 1 ? 'Dokumente' : 'Sommer', i);
+  });
+
+  // Budget
+  insertBudget.run(t2, 'Unterkunft', 'Hotel W Barcelona (3 Naechte)', 780, 2, 'Sea View Room');
+  insertBudget.run(t2, 'Transport', 'Fluege BER-BCN', 180, 2, 'Eurowings');
+  insertBudget.run(t2, 'Essen', 'Restaurants & Tapas', 300, 2, 'Ca. 75 EUR/Tag');
+  insertBudget.run(t2, 'Aktivitaeten', 'Sagrada Familia + Park Gueell + Casa Batllo', 95, 2, 'Online-Tickets');
+
+  insertReservation.run(t2, t2days[1], 'Sagrada Familia Eintritt', '10:00', 'SF-2026-11234', 'confirmed', 'activity', 'Eixample, Barcelona');
+
+  insertMember.run(t2, demoId, adminId);
+
+  // ─── Trip 3: Wochenende in Wien ───
+  const trip3 = insertTrip.run(adminId, 'Wochenende in Wien', 'Kaffeehaus-Kultur, imperiale Pracht und Sachertorte.', '2026-06-12', '2026-06-14', 'EUR');
+  const t3 = Number(trip3.lastInsertRowid);
+
+  const t3days = [];
+  for (let i = 0; i < 3; i++) {
+    const d = insertDay.run(t3, i + 1, `2026-06-${12 + i}`);
+    t3days.push(Number(d.lastInsertRowid));
+  }
+
+  const t3places = [
+    [t3, 'Hotel Sacher Wien', 48.2038, 16.3699, 'Philharmonikerstrasse 4, Wien, Austria', 1, '15:00', 45, 'Das legendaere Hotel. Sachertorte im Cafe muss sein!', null],
+    [t3, 'Stephansdom', 48.2082, 16.3738, 'Stephansplatz, Wien, Austria', 3, '10:00', 60, 'Wahrzeichen Wiens. Turmbesteigung fuer 360-Grad-Blick.', null],
+    [t3, 'Schloss Schoenbrunn', 48.1845, 16.3122, 'Schoenbrunn, Wien, Austria', 3, '09:30', 150, 'Imperiale Pracht. Grand Tour Ticket fuer alle 40 Raeume.', null],
+    [t3, 'Naschmarkt', 48.1986, 16.3633, 'Wienzeile, Wien, Austria', 2, '12:00', 75, 'Wiens groesster Markt. Orientalische Gewuerze bis Wiener Schnitzel.', null],
+    [t3, 'Cafe Central', 48.2107, 16.3654, 'Herrengasse 14, Wien, Austria', 7, '15:00', 60, 'Wo einst Trotzki Schach spielte. Melange und Apfelstrudel!', null],
+    [t3, 'Prater & Riesenrad', 48.2166, 16.3964, 'Prater, Wien, Austria', 6, '17:00', 90, 'Riesenrad bei Sonnenuntergang. Blick ueber die ganze Stadt.', null],
+  ];
+
+  const t3pIds = t3places.map(p => Number(insertPlace.run(...p).lastInsertRowid));
+
+  // Day 1: Arrival, Stephansdom, Cafe Central
+  insertAssignment.run(t3days[0], t3pIds[0], 0);
+  insertAssignment.run(t3days[0], t3pIds[1], 1);
+  insertAssignment.run(t3days[0], t3pIds[4], 2);
+  // Day 2: Schoenbrunn, Naschmarkt, Prater
+  insertAssignment.run(t3days[1], t3pIds[2], 0);
+  insertAssignment.run(t3days[1], t3pIds[3], 1);
+  insertAssignment.run(t3days[1], t3pIds[5], 2);
+  // Day 3: Free morning
+  insertAssignment.run(t3days[2], t3pIds[4], 0);
+
+  // Packing
+  ['Personalausweis', 'Regenschirm', 'Bequeme Schuhe', 'Kamera'].forEach((name, i) => {
+    insertPacking.run(t3, name, 0, i < 1 ? 'Dokumente' : 'Sonstiges', i);
+  });
+
+  // Budget
+  insertBudget.run(t3, 'Unterkunft', 'Hotel Sacher (2 Naechte)', 520, 2, 'Classic Doppelzimmer');
+  insertBudget.run(t3, 'Transport', 'Zug MUC-VIE', 60, 2, 'OeBB Sparschiene');
+  insertBudget.run(t3, 'Essen', 'Restaurants & Cafes', 200, 2, null);
+
+  insertMember.run(t3, demoId, adminId);
+
+  console.log('[Demo] 3 example trips seeded and shared with demo user');
+}
+
+module.exports = { seedDemoData };

server/src/index.js

@@ -47,7 +47,7 @@ app.use(express.json());
 // Security headers
 app.use((req, res, next) => {
   res.setHeader('X-Content-Type-Options', 'nosniff');
-  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
   res.setHeader('X-XSS-Protection', '1; mode=block');
   res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
   next();
@@ -76,7 +76,9 @@ const settingsRoutes = require('./routes/settings');
 const budgetRoutes = require('./routes/budget');
 const backupRoutes = require('./routes/backup');
 
+const oidcRoutes = require('./routes/oidc');
 app.use('/api/auth', authRoutes);
+app.use('/api/auth/oidc', oidcRoutes);
 app.use('/api/trips', tripsRoutes);
 app.use('/api/trips/:tripId/days', daysRoutes);
 app.use('/api/trips/:tripId/places', placesRoutes);
@@ -115,7 +117,9 @@ const PORT = process.env.PORT || 3001;
 const server = app.listen(PORT, () => {
   console.log(`NOMAD API running on port ${PORT}`);
   console.log(`Environment: ${process.env.NODE_ENV || 'development'}`);
+  if (process.env.DEMO_MODE === 'true') console.log('Demo mode: ENABLED');
   scheduler.start();
+  scheduler.startDemoReset();
   const { setupWebSocket } = require('./websocket');
   setupWebSocket(server);
 });

server/src/middleware/auth.js

@@ -53,4 +53,11 @@ const adminOnly = (req, res, next) => {
   next();
 };
 
-module.exports = { authenticate, optionalAuth, adminOnly };
+const demoUploadBlock = (req, res, next) => {
+  if (process.env.DEMO_MODE === 'true' && req.user?.email === 'demo@nomad.app') {
+    return res.status(403).json({ error: 'Uploads are disabled in demo mode. Self-host NOMAD for full functionality.' });
+  }
+  next();
+};
+
+module.exports = { authenticate, optionalAuth, adminOnly, demoUploadBlock };

server/src/routes/admin.js

@@ -11,7 +11,7 @@ router.use(authenticate, adminOnly);
 // GET /api/admin/users
 router.get('/users', (req, res) => {
   const users = db.prepare(
-    'SELECT id, username, email, role, created_at, updated_at FROM users ORDER BY created_at DESC'
+    'SELECT id, username, email, role, created_at, updated_at, last_login FROM users ORDER BY created_at DESC'
   ).all();
   res.json({ users });
 });
@@ -104,10 +104,45 @@ router.get('/stats', (req, res) => {
   const totalUsers = db.prepare('SELECT COUNT(*) as count FROM users').get().count;
   const totalTrips = db.prepare('SELECT COUNT(*) as count FROM trips').get().count;
   const totalPlaces = db.prepare('SELECT COUNT(*) as count FROM places').get().count;
-  const totalPhotos = db.prepare('SELECT COUNT(*) as count FROM photos').get().count;
   const totalFiles = db.prepare('SELECT COUNT(*) as count FROM trip_files').get().count;
 
-  res.json({ totalUsers, totalTrips, totalPlaces, totalPhotos, totalFiles });
+  res.json({ totalUsers, totalTrips, totalPlaces, totalFiles });
+});
+
+// GET /api/admin/oidc — get OIDC config
+router.get('/oidc', (req, res) => {
+  const get = (key) => db.prepare("SELECT value FROM app_settings WHERE key = ?").get(key)?.value || '';
+  res.json({
+    issuer: get('oidc_issuer'),
+    client_id: get('oidc_client_id'),
+    client_secret: get('oidc_client_secret'),
+    display_name: get('oidc_display_name'),
+  });
+});
+
+// PUT /api/admin/oidc — update OIDC config
+router.put('/oidc', (req, res) => {
+  const { issuer, client_id, client_secret, display_name } = req.body;
+  const set = (key, val) => db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)").run(key, val || '');
+  set('oidc_issuer', issuer);
+  set('oidc_client_id', client_id);
+  set('oidc_client_secret', client_secret);
+  set('oidc_display_name', display_name);
+  res.json({ success: true });
+});
+
+// POST /api/admin/save-demo-baseline (demo mode only)
+router.post('/save-demo-baseline', (req, res) => {
+  if (process.env.DEMO_MODE !== 'true') {
+    return res.status(404).json({ error: 'Not found' });
+  }
+  try {
+    const { saveBaseline } = require('../demo/demo-reset');
+    saveBaseline();
+    res.json({ success: true, message: 'Demo baseline saved. Hourly resets will restore to this state.' });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to save baseline: ' + err.message });
+  }
 });
 
 module.exports = router;

server/src/routes/auth.js

@@ -7,7 +7,7 @@ const fs = require('fs');
 const { v4: uuid } = require('uuid');
 const fetch = require('node-fetch');
 const { db } = require('../db/database');
-const { authenticate } = require('../middleware/auth');
+const { authenticate, demoUploadBlock } = require('../middleware/auth');
 
 const router = express.Router();
 const { JWT_SECRET } = require('../config');
@@ -65,7 +65,37 @@ router.get('/app-config', (req, res) => {
   const userCount = db.prepare('SELECT COUNT(*) as count FROM users').get().count;
   const setting = db.prepare("SELECT value FROM app_settings WHERE key = 'allow_registration'").get();
   const allowRegistration = userCount === 0 || (setting?.value ?? 'true') === 'true';
-  res.json({ allow_registration: allowRegistration, has_users: userCount > 0 });
+  const isDemo = process.env.DEMO_MODE === 'true';
+  const { version } = require('../../package.json');
+  const hasGoogleKey = !!db.prepare("SELECT maps_api_key FROM users WHERE role = 'admin' AND maps_api_key IS NOT NULL AND maps_api_key != '' LIMIT 1").get();
+  const oidcDisplayName = db.prepare("SELECT value FROM app_settings WHERE key = 'oidc_display_name'").get()?.value || null;
+  const oidcConfigured = !!(
+    db.prepare("SELECT value FROM app_settings WHERE key = 'oidc_issuer'").get()?.value &&
+    db.prepare("SELECT value FROM app_settings WHERE key = 'oidc_client_id'").get()?.value
+  );
+  res.json({
+    allow_registration: isDemo ? false : allowRegistration,
+    has_users: userCount > 0,
+    version,
+    has_maps_key: hasGoogleKey,
+    oidc_configured: oidcConfigured,
+    oidc_display_name: oidcConfigured ? (oidcDisplayName || 'SSO') : undefined,
+    demo_mode: isDemo,
+    demo_email: isDemo ? 'demo@nomad.app' : undefined,
+    demo_password: isDemo ? 'demo12345' : undefined,
+  });
+});
+
+// POST /api/auth/demo-login (demo mode only)
+router.post('/demo-login', (req, res) => {
+  if (process.env.DEMO_MODE !== 'true') {
+    return res.status(404).json({ error: 'Not found' });
+  }
+  const user = db.prepare('SELECT * FROM users WHERE email = ?').get('demo@nomad.app');
+  if (!user) return res.status(500).json({ error: 'Demo user not found' });
+  const token = generateToken(user);
+  const { password_hash, maps_api_key, openweather_api_key, unsplash_api_key, ...safe } = user;
+  res.json({ token, user: { ...safe, avatar_url: avatarUrl(user) } });
 });
 
 // POST /api/auth/register
@@ -137,6 +167,7 @@ router.post('/login', authLimiter, (req, res) => {
     return res.status(401).json({ error: 'Ungültige E-Mail oder Passwort' });
   }
 
+  db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE id = ?').run(user.id);
   const token = generateToken(user);
   const { password_hash, maps_api_key, openweather_api_key, unsplash_api_key, ...userWithoutSensitive } = user;
 
@@ -146,7 +177,7 @@ router.post('/login', authLimiter, (req, res) => {
 // GET /api/auth/me
 router.get('/me', authenticate, (req, res) => {
   const user = db.prepare(
-    'SELECT id, username, email, role, avatar, created_at FROM users WHERE id = ?'
+    'SELECT id, username, email, role, avatar, oidc_issuer, created_at FROM users WHERE id = ?'
   ).get(req.user.id);
 
   if (!user) {
@@ -156,6 +187,30 @@ router.get('/me', authenticate, (req, res) => {
   res.json({ user: { ...user, avatar_url: avatarUrl(user) } });
 });
 
+// PUT /api/auth/me/password
+router.put('/me/password', authenticate, (req, res) => {
+  const { new_password } = req.body;
+  if (!new_password) return res.status(400).json({ error: 'New password is required' });
+  if (new_password.length < 8) return res.status(400).json({ error: 'Password must be at least 8 characters' });
+
+  const hash = bcrypt.hashSync(new_password, 10);
+  db.prepare('UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(hash, req.user.id);
+  res.json({ success: true });
+});
+
+// DELETE /api/auth/me — delete own account
+router.delete('/me', authenticate, (req, res) => {
+  // Prevent deleting last admin
+  if (req.user.role === 'admin') {
+    const adminCount = db.prepare("SELECT COUNT(*) as count FROM users WHERE role = 'admin'").get().count;
+    if (adminCount <= 1) {
+      return res.status(400).json({ error: 'Cannot delete the last admin account' });
+    }
+  }
+  db.prepare('DELETE FROM users WHERE id = ?').run(req.user.id);
+  res.json({ success: true });
+});
+
 // PUT /api/auth/me/maps-key
 router.put('/me/maps-key', authenticate, (req, res) => {
   const { maps_api_key } = req.body;
@@ -222,7 +277,7 @@ router.get('/me/settings', authenticate, (req, res) => {
 });
 
 // POST /api/auth/avatar — upload avatar
-router.post('/avatar', authenticate, avatarUpload.single('avatar'), (req, res) => {
+router.post('/avatar', authenticate, demoUploadBlock, avatarUpload.single('avatar'), (req, res) => {
   if (!req.file) return res.status(400).json({ error: 'No image uploaded' });
 
   const current = db.prepare('SELECT avatar FROM users WHERE id = ?').get(req.user.id);
@@ -331,7 +386,7 @@ router.get('/travel-stats', authenticate, (req, res) => {
     SELECT COUNT(DISTINCT t.id) as trips,
            COUNT(DISTINCT d.id) as days
     FROM trips t
-    LEFT JOIN days d ON t.id = d.id
+    LEFT JOIN days d ON d.trip_id = t.id
     LEFT JOIN trip_members tm ON t.id = tm.trip_id
     WHERE (t.user_id = ? OR tm.user_id = ?) AND t.is_archived = 0
   `).get(userId, userId);

server/src/routes/files.js

@@ -4,7 +4,7 @@ const path = require('path');
 const fs = require('fs');
 const { v4: uuidv4 } = require('uuid');
 const { db, canAccessTrip } = require('../db/database');
-const { authenticate } = require('../middleware/auth');
+const { authenticate, demoUploadBlock } = require('../middleware/auth');
 const { broadcast } = require('../websocket');
 
 const router = express.Router({ mergeParams: true });
@@ -72,7 +72,7 @@ router.get('/', authenticate, (req, res) => {
 });
 
 // POST /api/trips/:tripId/files
-router.post('/', authenticate, upload.single('file'), (req, res) => {
+router.post('/', authenticate, demoUploadBlock, upload.single('file'), (req, res) => {
   const { tripId } = req.params;
   const { place_id, description, reservation_id } = req.body;
 

server/src/routes/maps.js

@@ -17,6 +17,34 @@ function getMapsKey(userId) {
 const photoCache = new Map();
 const PHOTO_TTL = 12 * 60 * 60 * 1000; // 12 hours
 
+// Nominatim search (OpenStreetMap) — free fallback when no Google API key
+async function searchNominatim(query, lang) {
+  const params = new URLSearchParams({
+    q: query,
+    format: 'json',
+    addressdetails: '1',
+    limit: '10',
+    'accept-language': lang || 'en',
+  });
+  const response = await fetch(`https://nominatim.openstreetmap.org/search?${params}`, {
+    headers: { 'User-Agent': 'NOMAD Travel Planner (https://github.com/mauriceboe/NOMAD)' },
+  });
+  if (!response.ok) throw new Error('Nominatim API error');
+  const data = await response.json();
+  return data.map(item => ({
+    google_place_id: null,
+    osm_id: `${item.osm_type}/${item.osm_id}`,
+    name: item.name || item.display_name?.split(',')[0] || '',
+    address: item.display_name || '',
+    lat: parseFloat(item.lat) || null,
+    lng: parseFloat(item.lon) || null,
+    rating: null,
+    website: null,
+    phone: null,
+    source: 'openstreetmap',
+  }));
+}
+
 // POST /api/maps/search
 router.post('/search', authenticate, async (req, res) => {
   const { query } = req.body;
@@ -24,8 +52,16 @@ router.post('/search', authenticate, async (req, res) => {
   if (!query) return res.status(400).json({ error: 'Suchanfrage ist erforderlich' });
 
   const apiKey = getMapsKey(req.user.id);
+
+  // No Google API key → use Nominatim (OpenStreetMap)
   if (!apiKey) {
-    return res.status(400).json({ error: 'Google Maps API-Schlüssel nicht konfiguriert. Bitte in den Einstellungen hinzufügen.' });
+    try {
+      const places = await searchNominatim(query, req.query.lang);
+      return res.json({ places, source: 'openstreetmap' });
+    } catch (err) {
+      console.error('Nominatim search error:', err);
+      return res.status(500).json({ error: 'Fehler bei der OpenStreetMap Suche' });
+    }
   }
 
   try {
@@ -54,9 +90,10 @@ router.post('/search', authenticate, async (req, res) => {
       rating: p.rating || null,
       website: p.websiteUri || null,
       phone: p.nationalPhoneNumber || null,
+      source: 'google',
     }));
 
-    res.json({ places });
+    res.json({ places, source: 'google' });
   } catch (err) {
     console.error('Maps search error:', err);
     res.status(500).json({ error: 'Fehler bei der Google Places Suche' });

server/src/routes/oidc.js

@@ -0,0 +1,206 @@
+const express = require('express');
+const crypto = require('crypto');
+const fetch = require('node-fetch');
+const jwt = require('jsonwebtoken');
+const { db } = require('../db/database');
+const { JWT_SECRET } = require('../config');
+
+const router = express.Router();
+
+// In-memory state store for CSRF protection (state → { createdAt, redirectUri })
+const pendingStates = new Map();
+const STATE_TTL = 5 * 60 * 1000; // 5 minutes
+
+// Cleanup expired states periodically
+setInterval(() => {
+  const now = Date.now();
+  for (const [state, data] of pendingStates) {
+    if (now - data.createdAt > STATE_TTL) pendingStates.delete(state);
+  }
+}, 60 * 1000);
+
+// Read OIDC config from app_settings
+function getOidcConfig() {
+  const get = (key) => db.prepare("SELECT value FROM app_settings WHERE key = ?").get(key)?.value || null;
+  const issuer = get('oidc_issuer');
+  const clientId = get('oidc_client_id');
+  const clientSecret = get('oidc_client_secret');
+  const displayName = get('oidc_display_name') || 'SSO';
+  if (!issuer || !clientId || !clientSecret) return null;
+  return { issuer: issuer.replace(/\/+$/, ''), clientId, clientSecret, displayName };
+}
+
+// Cache discovery document
+let discoveryCache = null;
+let discoveryCacheTime = 0;
+const DISCOVERY_TTL = 60 * 60 * 1000; // 1 hour
+
+async function discover(issuer) {
+  if (discoveryCache && Date.now() - discoveryCacheTime < DISCOVERY_TTL && discoveryCache._issuer === issuer) {
+    return discoveryCache;
+  }
+  const res = await fetch(`${issuer}/.well-known/openid-configuration`);
+  if (!res.ok) throw new Error('Failed to fetch OIDC discovery document');
+  const doc = await res.json();
+  doc._issuer = issuer;
+  discoveryCache = doc;
+  discoveryCacheTime = Date.now();
+  return doc;
+}
+
+function generateToken(user) {
+  return jwt.sign(
+    { id: user.id, username: user.username, email: user.email, role: user.role },
+    JWT_SECRET,
+    { expiresIn: '24h' }
+  );
+}
+
+function frontendUrl(path) {
+  const base = process.env.NODE_ENV === 'production' ? '' : 'http://localhost:5173';
+  return base + path;
+}
+
+// GET /api/auth/oidc/login — redirect to OIDC provider
+router.get('/login', async (req, res) => {
+  const config = getOidcConfig();
+  if (!config) return res.status(400).json({ error: 'OIDC not configured' });
+
+  try {
+    const doc = await discover(config.issuer);
+    const state = crypto.randomBytes(32).toString('hex');
+    const proto = req.headers['x-forwarded-proto'] || req.protocol;
+    const host = req.headers['x-forwarded-host'] || req.headers.host;
+    const redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
+
+    pendingStates.set(state, { createdAt: Date.now(), redirectUri });
+
+    const params = new URLSearchParams({
+      response_type: 'code',
+      client_id: config.clientId,
+      redirect_uri: redirectUri,
+      scope: 'openid email profile',
+      state,
+    });
+
+    res.redirect(`${doc.authorization_endpoint}?${params}`);
+  } catch (err) {
+    console.error('[OIDC] Login error:', err.message);
+    res.status(500).json({ error: 'OIDC login failed' });
+  }
+});
+
+// GET /api/auth/oidc/callback — handle provider callback
+router.get('/callback', async (req, res) => {
+  const { code, state, error: oidcError } = req.query;
+
+  if (oidcError) {
+    console.error('[OIDC] Provider error:', oidcError);
+    return res.redirect(frontendUrl('/login?oidc_error=' + encodeURIComponent(oidcError)));
+  }
+
+  if (!code || !state) {
+    return res.redirect(frontendUrl('/login?oidc_error=missing_params'));
+  }
+
+  const pending = pendingStates.get(state);
+  if (!pending) {
+    return res.redirect(frontendUrl('/login?oidc_error=invalid_state'));
+  }
+  pendingStates.delete(state);
+
+  const config = getOidcConfig();
+  if (!config) return res.redirect(frontendUrl('/login?oidc_error=not_configured'));
+
+  try {
+    const doc = await discover(config.issuer);
+
+    // Exchange code for tokens
+    const tokenRes = await fetch(doc.token_endpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        code,
+        redirect_uri: pending.redirectUri,
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+      }),
+    });
+
+    const tokenData = await tokenRes.json();
+    if (!tokenRes.ok || !tokenData.access_token) {
+      console.error('[OIDC] Token exchange failed:', tokenData);
+      return res.redirect(frontendUrl('/login?oidc_error=token_failed'));
+    }
+
+    // Get user info
+    const userInfoRes = await fetch(doc.userinfo_endpoint, {
+      headers: { Authorization: `Bearer ${tokenData.access_token}` },
+    });
+    const userInfo = await userInfoRes.json();
+
+    if (!userInfo.email) {
+      return res.redirect(frontendUrl('/login?oidc_error=no_email'));
+    }
+
+    const email = userInfo.email.toLowerCase();
+    const name = userInfo.name || userInfo.preferred_username || email.split('@')[0];
+    const sub = userInfo.sub;
+
+    // Find existing user by OIDC sub or email
+    let user = db.prepare('SELECT * FROM users WHERE oidc_sub = ? AND oidc_issuer = ?').get(sub, config.issuer);
+    if (!user) {
+      user = db.prepare('SELECT * FROM users WHERE LOWER(email) = ?').get(email);
+    }
+
+    if (user) {
+      // Existing user — link OIDC if not already linked
+      if (!user.oidc_sub) {
+        db.prepare('UPDATE users SET oidc_sub = ?, oidc_issuer = ? WHERE id = ?').run(sub, config.issuer, user.id);
+      }
+    } else {
+      // New user — check if registration is allowed
+      const userCount = db.prepare('SELECT COUNT(*) as count FROM users').get().count;
+      const isFirstUser = userCount === 0;
+
+      if (!isFirstUser) {
+        const setting = db.prepare("SELECT value FROM app_settings WHERE key = 'allow_registration'").get();
+        if (setting?.value === 'false') {
+          return res.redirect(frontendUrl('/login?oidc_error=registration_disabled'));
+        }
+      }
+
+      // Create user (first user = admin)
+      const role = isFirstUser ? 'admin' : 'user';
+      // Generate a random password hash (user won't use password login)
+      const randomPass = crypto.randomBytes(32).toString('hex');
+      const bcrypt = require('bcryptjs');
+      const hash = bcrypt.hashSync(randomPass, 10);
+
+      // Ensure unique username
+      let username = name.replace(/[^a-zA-Z0-9_-]/g, '').substring(0, 30) || 'user';
+      const existing = db.prepare('SELECT id FROM users WHERE LOWER(username) = LOWER(?)').get(username);
+      if (existing) username = `${username}_${Date.now() % 10000}`;
+
+      const result = db.prepare(
+        'INSERT INTO users (username, email, password_hash, role, oidc_sub, oidc_issuer) VALUES (?, ?, ?, ?, ?, ?)'
+      ).run(username, email, hash, role, sub, config.issuer);
+
+      user = { id: Number(result.lastInsertRowid), username, email, role };
+    }
+
+    // Update last login
+    db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE id = ?').run(user.id);
+
+    // Generate JWT and redirect to frontend
+    const token = generateToken(user);
+    // In dev mode, frontend runs on a different port
+    res.redirect(frontendUrl(`/login?token=${token}`));
+  } catch (err) {
+    console.error('[OIDC] Callback error:', err);
+    res.redirect(frontendUrl('/login?oidc_error=server_error'));
+  }
+});
+
+module.exports = router;

server/src/routes/photos.js

@@ -4,7 +4,7 @@ const path = require('path');
 const fs = require('fs');
 const { v4: uuidv4 } = require('uuid');
 const { db, canAccessTrip } = require('../db/database');
-const { authenticate } = require('../middleware/auth');
+const { authenticate, demoUploadBlock } = require('../middleware/auth');
 
 const router = express.Router({ mergeParams: true });
 
@@ -68,7 +68,7 @@ router.get('/', authenticate, (req, res) => {
 });
 
 // POST /api/trips/:tripId/photos
-router.post('/', authenticate, upload.array('photos', 20), (req, res) => {
+router.post('/', authenticate, demoUploadBlock, upload.array('photos', 20), (req, res) => {
   const { tripId } = req.params;
   const { day_id, place_id, caption } = req.body;
 

server/src/routes/trips.js

@@ -4,7 +4,7 @@ const path = require('path');
 const fs = require('fs');
 const { v4: uuidv4 } = require('uuid');
 const { db, canAccessTrip, isOwner } = require('../db/database');
-const { authenticate } = require('../middleware/auth');
+const { authenticate, demoUploadBlock } = require('../middleware/auth');
 const { broadcast } = require('../websocket');
 
 const router = express.Router();
@@ -139,7 +139,7 @@ router.put('/:id', authenticate, (req, res) => {
 });
 
 // POST /api/trips/:id/cover
-router.post('/:id/cover', authenticate, uploadCover.single('cover'), (req, res) => {
+router.post('/:id/cover', authenticate, demoUploadBlock, uploadCover.single('cover'), (req, res) => {
   if (!isOwner(req.params.id, req.user.id))
     return res.status(403).json({ error: 'Nur der Eigentümer kann das Titelbild ändern' });
 

server/src/scheduler.js

@@ -102,4 +102,22 @@ function start() {
   console.log(`[Auto-Backup] Geplant: ${settings.interval} (${expression}), Aufbewahrung: ${settings.keep_days === 0 ? 'immer' : settings.keep_days + ' Tage'}`);
 }
 
-module.exports = { start, loadSettings, saveSettings, VALID_INTERVALS };
+// Demo mode: hourly reset of demo user data
+let demoTask = null;
+
+function startDemoReset() {
+  if (demoTask) { demoTask.stop(); demoTask = null; }
+  if (process.env.DEMO_MODE !== 'true') return;
+
+  demoTask = cron.schedule('0 * * * *', () => {
+    try {
+      const { resetDemoUser } = require('./demo/demo-reset');
+      resetDemoUser();
+    } catch (err) {
+      console.error('[Demo Reset] Error:', err.message);
+    }
+  });
+  console.log('[Demo] Hourly reset scheduled (at :00 every hour)');
+}
+
+module.exports = { start, startDemoReset, loadSettings, saveSettings, VALID_INTERVALS };