github mauriceboe/TREK v2.7.2
v2.7.2 — Critical Security Update

13 hours ago

⚠️ Critical Security Update — Update Immediately

This release focuses on critical security hardening. All effort went into fixing vulnerabilities and strengthening the security posture of TREK. We strongly recommend that all users update to v2.7.2 as soon as possible.


🔒 Security Fixes

Advisories (reported by @QiaoNPC — thank you!)

  • GHSA-pcr3-6647-jh72 (High) — Missing authorization on Immich trip photo routes. Any authenticated user could access or modify another user's trip photos via the Immich integration.
  • GHSA-wxx3-84fc-mrx2 (Low) — Unauthenticated access to uploaded photos. The /uploads/photos directory was served without authentication.

Authentication & Token Security

  • Migrate JWT storage from localStorage to httpOnly cookies — tokens are no longer accessible to JavaScript (PR #257, thanks @jubnl!)
  • Pin JWT algorithm to HS256, decouple at-rest encryption from JWT_SECRET, add JWT rotation support
  • Replace JWT tokens in URL query params with short-lived ephemeral tokens
  • Add independent rate limiter for MFA verification endpoints
  • Enforce consistent password policy across all auth flows (registration, password change, admin reset)

Encryption at Rest (AES-256-GCM)

  • Encrypt Immich API keys, SMTP passwords, and OIDC client secrets at rest
  • New ENCRYPTION_KEY environment variable (recommended) with backwards-compatible fallback to data/.jwt_secret
  • Migration script (scripts/migrate-encryption.ts) for rotating encryption keys

Access Control

  • Restrict trip listing and access to own/shared trips only (#250) — admins no longer see all trips by default
  • Add canAccessTrip authorization checks to all Immich trip photo and album routes
  • Require authentication for file downloads
  • Add missing permission checks to file routes and map context menu
  • Client-side permission gating on all write-action UIs

Input Validation & Hardening

  • Remove RCE vector from admin update endpoint
  • Fix XSS in GitHubPanel markdown renderer
  • Prevent ICS header injection in calendar export
  • Prevent OIDC redirect URI construction from untrusted X-Forwarded-Host
  • Prevent OIDC token data leaking to logs
  • Validate uploaded backup database before restore
  • Add SSRF protection for link preview and Immich URL fetches
  • Tighten Content Security Policy, harden PWA caching and client-side auth
  • Wrap each DB migration in a transaction and surface swallowed errors

Comprehensive security audit by @shanelord01 (PR #179) — thank you!


🛡️ Configurable Permissions System (PR #238)

  • New Admin Panel tab for fine-grained trip permissions (e.g. who can edit places, manage members, create packing items)
  • Server-side enforcement with client-side UI gating
  • Default permissions tightened: trip_edit and member_manage default to trip owner only
  • Thanks @slashwarm!

⚡ Performance

  • Major trip planner performance overhaul (#218) — selective Zustand store subscriptions, shared Base64 photo thumbnail service, IntersectionObserver for visible-first image loading, optimized MarkerClusterGroup rendering. Map zooming is now completely fluid even with hundreds of markers.

🔧 Improvements

  • Immich: Album linking with auto-sync, test-before-save for connection settings
  • Budget: Expense date column + CSV export with localized formatting
  • Google Maps List Import: Import places directly from Google Maps saved lists
  • Markdown: Render markdown in place descriptions, day notes, and reservations
  • Map: Collapsed days now hide their markers on the map (#216)
  • Atlas: Searchbar for finding countries (thanks @Akashic101!)
  • MCP: New search_place and list_categories tools, improved GPX track views (thanks @M-Enderle!)
  • MFA: Admin policy toggle to enforce MFA across all users (#155, thanks @fgbona!)
  • Currencies: All supported currencies from exchangerate-api (#229, thanks @Summerfeeling!)
  • Trip Reminders: Configurable email/webhook reminders before trip start
  • Audit Logging: Enhanced admin action logging with log levels
  • Max trip duration: Increased from 90 to 365 days
  • Docker: read_only, no-new-privileges, cap_drop: ALL, healthcheck in default compose

🐛 Bug Fixes

  • Place inspector too narrow at intermediate window widths (#272)
  • Mobile place editing and detail view (#269)
  • Allow unauthenticated SMTP by saving empty user/pass fields (#265)
  • Add referrerPolicy to TileLayer to fix OSM tile blocking (#264)
  • Toggle switches not reflecting state in admin settings
  • 12h time format input and display in bookings
  • Render Lucide category icons on map markers instead of text/emoji
  • Bag modal cut off on small screens
  • Show selected map template in settings dropdown
  • Atlas: use Nominatim reverse geocoding for accurate country detection
  • Archive restore/delete buttons not visible in dark mode
  • Note modal hidden behind mobile sidebar
  • Day details on mobile not showing
  • Accommodation state not updating after create/edit/delete
  • Marker tooltip not visible on touch devices when selected
  • Duplicate place assignment from drop event bubbling
  • MCP tokens tab visible when addon inactive
  • Decode multer filename encoding for non-ASCII filenames
  • Mobile fixes (thanks @BKSalman!)
  • Various improvements (thanks @andreibrebene!)

📖 Documentation

  • Comprehensive environment variable documentation in README, docker-compose, and .env.example
  • Encryption key rotation guide
  • Hardened default docker-compose with security best practices

🙏 Contributors

  • @QiaoNPC: Security vulnerability reports (GHSA-pcr3-6647-jh72, GHSA-wxx3-84fc-mrx2)
  • @shanelord01: Comprehensive security audit and remediation (PR #179)
  • @jubnl: httpOnly cookie migration (PR #257), performance testing
  • @slashwarm: Configurable permissions system (PR #238)
  • @fgbona: Admin MFA enforcement (PR #166)
  • @M-Enderle: GPX improvements (PR #189), MCP tools (PR #191)
  • @Summerfeeling: Extended currency support (PR #240)
  • @BKSalman: Mobile fixes (PR #181, #182)
  • @andreibrebene: Various improvements (PR #225)
  • @Akashic101: Atlas searchbar, API key encryption

Full Changelog: v2.7.1...v2.7.2
