fix: harden PWA caching and client-side auth security

- Exclude sensitive API paths (auth, admin, backup, settings) from SW cache - Restrict upload caching to public assets only (covers, avatars) - Remove opaque response caching (status 0) for API and uploads - Clear service worker caches on logout - Only logout on 401 errors, not transient network failures - Fix register() TypeScript interface to include invite_token parameter - Remove unused RegisterPage and DemoBanner imports - Disable source maps in production build - Add SRI hash for Leaflet CSS CDN https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
2026-03-30 23:35:05 +00:00
parent 804c2586a9
commit 2288f9d2fc
5 changed files with 50 additions and 34 deletions
--- a/client/src/App.tsx
+++ b/client/src/App.tsx
@@ -3,7 +3,6 @@ import { Routes, Route, Navigate, useLocation } from 'react-router-dom'
 import { useAuthStore } from './store/authStore'
 import { useSettingsStore } from './store/settingsStore'
 import LoginPage from './pages/LoginPage'
-import RegisterPage from './pages/RegisterPage'
 import DashboardPage from './pages/DashboardPage'
 import TripPlannerPage from './pages/TripPlannerPage'
 import FilesPage from './pages/FilesPage'
@@ -14,7 +13,6 @@ import AtlasPage from './pages/AtlasPage'
 import SharedTripPage from './pages/SharedTripPage'
 import { ToastContainer } from './components/shared/Toast'
 import { TranslationProvider, useTranslation } from './i18n'
-import DemoBanner from './components/Layout/DemoBanner'
 import { authApi } from './api/client'

 interface ProtectedRouteProps {
--- a/client/src/store/authStore.ts
+++ b/client/src/store/authStore.ts
@@ -29,7 +29,7 @@ interface AuthState {

  login: (email: string, password: string) => Promise<LoginResult>
  completeMfaLogin: (mfaToken: string, code: string) => Promise<AuthResponse>
-  register: (username: string, email: string, password: string) => Promise<AuthResponse>
+  register: (username: string, email: string, password: string, invite_token?: string) => Promise<AuthResponse>
  logout: () => void
  /** Pass `{ silent: true }` to refresh the user without toggling global isLoading (avoids unmounting protected routes). */
  loadUser: (opts?: { silent?: boolean }) => Promise<void>
@@ -126,6 +126,11 @@ export const useAuthStore = create<AuthState>((set, get) => ({
  logout: () => {
    disconnect()
    localStorage.removeItem('auth_token')
+    // Clear service worker caches containing sensitive data
+    if ('caches' in window) {
+      caches.delete('api-data').catch(() => {})
+      caches.delete('user-uploads').catch(() => {})
+    }
    set({
      user: null,
      token: null,
@@ -151,13 +156,20 @@ export const useAuthStore = create<AuthState>((set, get) => ({
      })
      connect(token)
    } catch (err: unknown) {
-      localStorage.removeItem('auth_token')
-      set({
-        user: null,
-        token: null,
-        isAuthenticated: false,
-        isLoading: false,
-      })
+      // Only clear auth state on 401 (invalid/expired token), not on network errors
+      const isAuthError = err && typeof err === 'object' && 'response' in err &&
+        (err as { response?: { status?: number } }).response?.status === 401
+      if (isAuthError) {
+        localStorage.removeItem('auth_token')
+        set({
+          user: null,
+          token: null,
+          isAuthenticated: false,
+          isLoading: false,
+        })
+      } else {
+        set({ isLoading: false })
+      }
    }
  },