chore: bump version to 3.0.4 [skip ci]

fix(oidc,ui): restore Authentik login and fix mobile delete dialog (#845 )
OIDC: when OIDC_DISCOVERY_URL is explicitly set, trust the discovery doc's issuer for id_token comparison instead of rejecting a path mismatch as an error. Authentik (and similar realm-path providers) return a canonical issuer like /application/o/<slug>/ that differs from the operator's base OIDC_ISSUER. Strict equality blocked login in 3.x despite working in v2. Default discovery (no custom URL) keeps the strict check. Adds OIDC-SVC-037/038/039. UI: ConfirmDialog and CopyTripDialog lacked the --bottom-nav-h paddingBottom offset that other overlays already use. On mobile portrait the action buttons were hidden behind the sticky bottom nav bar. Closes #843 Closes #844
2026-06-20 13:51:45 +00:00 · 2026-04-23 07:13:48 +00:00 · 2026-04-23 09:13:35 +02:00
10 changed files with 79 additions and 16 deletions
@@ -1,5 +1,5 @@
 apiVersion: v2
 name: trek
-version: 3.0.3
+version: 3.0.4
 description: Minimal Helm chart for TREK app
-appVersion: "3.0.3"
+appVersion: "3.0.4"
@@ -1,12 +1,12 @@
 {
  "name": "trek-client",
-  "version": "3.0.3",
+  "version": "3.0.4",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "trek-client",
-      "version": "3.0.3",
+      "version": "3.0.4",
      "dependencies": {
        "@react-pdf/renderer": "^4.3.2",
        "axios": "^1.6.7",
@@ -1,6 +1,6 @@
 {
  "name": "trek-client",
-  "version": "3.0.3",
+  "version": "3.0.4",
  "private": true,
  "type": "module",
  "scripts": {
@@ -41,7 +41,7 @@ export default function ConfirmDialog({
  return (
    <div
      className="fixed inset-0 z-[10000] flex items-center justify-center px-4 trek-backdrop-enter"
-      style={{ backgroundColor: 'rgba(15, 23, 42, 0.5)' }}
+      style={{ backgroundColor: 'rgba(15, 23, 42, 0.5)', paddingBottom: 'var(--bottom-nav-h)' }}
      onClick={onClose}
    >
      <div
@@ -42,7 +42,7 @@ export default function CopyTripDialog({ isOpen, tripTitle, onClose, onConfirm }
  return (
    <div
      className="fixed inset-0 z-[10000] flex items-center justify-center px-4 trek-backdrop-enter"
-      style={{ backgroundColor: 'rgba(15, 23, 42, 0.5)' }}
+      style={{ backgroundColor: 'rgba(15, 23, 42, 0.5)', paddingBottom: 'var(--bottom-nav-h)' }}
      onClick={onClose}
    >
      <div
@@ -1,12 +1,12 @@
 {
  "name": "trek-server",
-  "version": "3.0.3",
+  "version": "3.0.4",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "trek-server",
-      "version": "3.0.3",
+      "version": "3.0.4",
      "dependencies": {
        "@modelcontextprotocol/sdk": "^1.28.0",
        "archiver": "^6.0.1",
@@ -1,6 +1,6 @@
 {
  "name": "trek-server",
-  "version": "3.0.3",
+  "version": "3.0.4",
  "main": "src/index.ts",
  "scripts": {
    "start": "node --import tsx src/index.ts",
@@ -112,7 +112,7 @@ router.get('/callback', async (req: Request, res: Response) => {
      tokenData.id_token,
      doc,
      config.clientId,
-      config.issuer,
+      (doc.issuer ?? '').replace(/\/+$/, '') || config.issuer,
    );
    if (idVerify.ok !== true) {
      const reason = 'error' in idVerify ? idVerify.error : 'unknown';
@@ -140,11 +140,21 @@ export async function discover(issuer: string, discoveryUrl?: string | null): Pr
  const res = await fetch(url);
  if (!res.ok) throw new Error('Failed to fetch OIDC discovery document');
  const doc = (await res.json()) as OidcDiscoveryDoc;
-  // Validate that the discovery doc's issuer matches the operator-configured
-  // one. A MITM or compromised doc could otherwise supply a crafted issuer
-  // that passes jwt.verify() because we used doc.issuer as the expected value.
-  if (doc.issuer && doc.issuer.replace(/\/+$/, '') !== issuer) {
-    throw new Error(`OIDC discovery issuer mismatch: expected "${issuer}", got "${doc.issuer}"`);
+  // Validate that the discovery doc's issuer matches the operator-configured one.
+  // When no custom discoveryUrl is set, a mismatch signals a MITM or misconfiguration
+  // and we reject. When the operator explicitly overrides the discovery URL (e.g.
+  // Authentik realm paths), the discovery doc's issuer is the canonical value —
+  // trust it and warn rather than blocking login.
+  const docIssuer = doc.issuer?.replace(/\/+$/, '') ?? '';
+  if (docIssuer && docIssuer !== issuer) {
+    if (discoveryUrl) {
+      console.warn(
+        `[OIDC] Discovery doc issuer "${doc.issuer}" differs from configured OIDC_ISSUER "${issuer}". ` +
+        `Using discovery doc issuer for id_token verification (custom OIDC_DISCOVERY_URL is set).`,
+      );
+    } else {
+      throw new Error(`OIDC discovery issuer mismatch: expected "${issuer}", got "${doc.issuer}"`);
+    }
  }
  doc._issuer = url;
  discoveryCache = doc;
@@ -219,6 +219,59 @@ describe('discover', () => {
    vi.stubGlobal('fetch', vi.fn().mockResolvedValue({ ok: false }));
    await expect(discover('https://bad-issuer.example.com')).rejects.toThrow();
  });
+
+  it('OIDC-SVC-037: accepts mismatched doc issuer when discoveryUrl is explicit', async () => {
+    const doc = {
+      issuer: 'https://auth.example.com/application/o/myapp/',
+      authorization_endpoint: 'https://auth.example.com/application/o/myapp/authorize/',
+      token_endpoint: 'https://auth.example.com/application/o/token/',
+      userinfo_endpoint: 'https://auth.example.com/application/o/userinfo/',
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue({ ok: true, json: async () => doc }));
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+
+    const result = await discover(
+      'https://auth.example.com',
+      'https://auth.example.com/application/o/myapp/.well-known/openid-configuration',
+    );
+
+    expect(result.issuer).toBe(doc.issuer);
+    expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('differs from configured OIDC_ISSUER'));
+    warnSpy.mockRestore();
+  });
+
+  it('OIDC-SVC-038: throws on mismatched doc issuer when discoveryUrl is omitted', async () => {
+    const doc = {
+      issuer: 'https://evil.example.com',
+      authorization_endpoint: 'https://unique-2.example.com/auth',
+      token_endpoint: 'https://unique-2.example.com/token',
+      userinfo_endpoint: 'https://unique-2.example.com/userinfo',
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue({ ok: true, json: async () => doc }));
+
+    await expect(discover('https://unique-2.example.com')).rejects.toThrow(
+      'OIDC discovery issuer mismatch',
+    );
+  });
+
+  it('OIDC-SVC-039: trailing-slash-only mismatch with explicit discoveryUrl does not warn', async () => {
+    const doc = {
+      issuer: 'https://auth.example.com/',
+      authorization_endpoint: 'https://auth.example.com/auth',
+      token_endpoint: 'https://auth.example.com/token',
+      userinfo_endpoint: 'https://auth.example.com/userinfo',
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue({ ok: true, json: async () => doc }));
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+
+    await discover(
+      'https://auth.example.com',
+      'https://auth.example.com/.well-known/openid-configuration',
+    );
+
+    expect(warnSpy).not.toHaveBeenCalled();
+    warnSpy.mockRestore();
+  });
 });

 // ── issuer trailing-slash regex (ReDoS guard) ─────────────────────────────────