chore: bump version to 3.0.2 [skip ci]

fix(oidc): normalize discovery doc issuer before trailing slash comparison

charts/trek/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
 name: trek
-version: 3.0.1
+version: 3.0.2
 description: Minimal Helm chart for TREK app
-appVersion: "3.0.1"
+appVersion: "3.0.2"

client/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trek-client",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "trek-client",
-      "version": "3.0.1",
+      "version": "3.0.2",
       "dependencies": {
         "@react-pdf/renderer": "^4.3.2",
         "axios": "^1.6.7",

client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trek-client",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "private": true,
   "type": "module",
   "scripts": {

server/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trek-server",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "trek-server",
-      "version": "3.0.1",
+      "version": "3.0.2",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.28.0",
         "archiver": "^6.0.1",

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trek-server",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "main": "src/index.ts",
   "scripts": {
     "start": "node --import tsx src/index.ts",

server/src/services/oidcService.ts

@@ -143,7 +143,7 @@ export async function discover(issuer: string, discoveryUrl?: string | null): Pr
   // Validate that the discovery doc's issuer matches the operator-configured
   // one. A MITM or compromised doc could otherwise supply a crafted issuer
   // that passes jwt.verify() because we used doc.issuer as the expected value.
-  if (doc.issuer && doc.issuer !== issuer) {
+  if (doc.issuer && doc.issuer.replace(/\/+$/, '') !== issuer) {
     throw new Error(`OIDC discovery issuer mismatch: expected "${issuer}", got "${doc.issuer}"`);
   }
   doc._issuer = url;

server/tests/integration/systemNotices.test.ts

@@ -84,8 +84,9 @@ describe('GET /api/system-notices/active', () => {
 
   it('returns empty array for non-first-login user with no applicable notices', async () => {
     const { user } = createUser(testDb);
-    // login_count > 1 means firstLogin condition does not match for any notice
+    // login_count > 1 means firstLogin condition does not match for any notice;
-    testDb.prepare('UPDATE users SET login_count = 5 WHERE id = ?').run(user.id);
+    // first_seen_version >= 3.0.0 means existingUserBeforeVersion('3.0.0') also does not match
+    testDb.prepare('UPDATE users SET login_count = 5, first_seen_version = ? WHERE id = ?').run('3.0.0', user.id);
     const res = await request(app)
       .get('/api/system-notices/active')
       .set('Cookie', authCookie(user.id));
@@ -122,7 +123,7 @@ describe('GET /api/system-notices/active', () => {
     SYSTEM_NOTICES.push(TEST_NOTICE);
     try {
       const { user } = createUser(testDb);
-      testDb.prepare('UPDATE users SET login_count = 5 WHERE id = ?').run(user.id);
+      testDb.prepare('UPDATE users SET login_count = 5, first_seen_version = ? WHERE id = ?').run('3.0.0', user.id);
 
       const res = await request(app)
         .get('/api/system-notices/active')