fix: harden PWA caching and client-side auth security

- Exclude sensitive API paths (auth, admin, backup, settings) from SW cache - Restrict upload caching to public assets only (covers, avatars) - Remove opaque response caching (status 0) for API and uploads - Clear service worker caches on logout - Only logout on 401 errors, not transient network failures - Fix register() TypeScript interface to include invite_token parameter - Remove unused RegisterPage and DemoBanner imports - Disable source maps in production build - Add SRI hash for Leaflet CSS CDN https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
2026-03-30 23:35:05 +00:00
parent 804c2586a9
commit 2288f9d2fc
5 changed files with 50 additions and 34 deletions
--- a/client/vite.config.js
+++ b/client/vite.config.js
@@ -45,23 +45,24 @@ export default defineConfig({
          },
          {
            // API calls — prefer network, fall back to cache
-            urlPattern: /\/api\/.*/i,
+            // Exclude sensitive endpoints (auth, admin, backup, settings)
+            urlPattern: /\/api\/(?!auth|admin|backup|settings).*/i,
            handler: 'NetworkFirst',
            options: {
              cacheName: 'api-data',
              expiration: { maxEntries: 200, maxAgeSeconds: 24 * 60 * 60 },
              networkTimeoutSeconds: 5,
-              cacheableResponse: { statuses: [0, 200] },
+              cacheableResponse: { statuses: [200] },
            },
          },
          {
-            // Uploaded files (photos, covers, documents)
-            urlPattern: /\/uploads\/.*/i,
+            // Uploaded files (photos, covers — public assets only)
+            urlPattern: /\/uploads\/(?:covers|avatars)\/.*/i,
            handler: 'CacheFirst',
            options: {
              cacheName: 'user-uploads',
-              expiration: { maxEntries: 300, maxAgeSeconds: 30 * 24 * 60 * 60 },
-              cacheableResponse: { statuses: [0, 200] },
+              expiration: { maxEntries: 300, maxAgeSeconds: 7 * 24 * 60 * 60 },
+              cacheableResponse: { statuses: [200] },
            },
          },
        ],
@@ -87,6 +88,9 @@ export default defineConfig({
      },
    }),
  ],
+  build: {
+    sourcemap: false,
+  },
  server: {
    port: 5173,
    proxy: {