BillTracker/services
null 2a07e762a2 fix: four review-confirmed regressions in auth + OIDC flows
All found by the multi-angle /code-review over the branch and verified
against the installed libraries:

- 401 discriminator: the session-expiry redirect keyed off a path prefix
  (!/auth/*) and falsely logged users out on /profile/change-password
  with a wrong current password. requireAuth's no-session 401 now carries
  the distinct AUTH_REQUIRED code — the only signal api.ts dispatches
  auth:expired on; wrong-credential 401s keep AUTH_ERROR on any path.
  Test updated to pin the code-based contract on both directions.
- OIDC RFC 9207: exchangeAndVerifyTokens rebuilt the callback URL with
  only code+state, dropping the iss parameter openid-client v6 validates
  when the provider advertises support (authentik does) — every OIDC
  login would fail post-upgrade. The full callback query is now forwarded.
- OIDC http issuers: v6 enforces HTTPS on discovery/endpoints (v5
  didn't) — breaking internal http:// providers on Docker networks.
  OIDC_ALLOW_INSECURE_HTTP=true opts back in (documented in .env.example).
- 2FA downgrade: authService's webauthn fallback caught ANY challenge
  error and silently downgraded to password-only login; now only the
  stale-flag 'No registered WebAuthn credentials' case falls through,
  everything else rethrows.
- Burned-challenge retry: the server consumes the single-use 2FA
  challenge before verifying (anti-replay), so after a server rejection
  a retry can only ever return 'Challenge expired'. LoginPage now resets
  to sign-in on server failure (WebAuthn AND the pre-existing TOTP trap);
  a browser-prompt cancel keeps retry (token still live). Also lazy-loads
  @simplewebauthn/browser out of the entry bundle, matching ProfilePage.

Server 252/252, client 52/52, OIDC smoke 44/44, probe 33/33, e2e 27.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-10 22:57:07 -05:00
..
advisoryFilterService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
amountSuggestionService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
analyticsService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
aprService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
auditService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
authService.cts fix: four review-confirmed regressions in auth + OIDC flows 2026-07-10 22:57:07 -05:00
backupScheduler.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
backupService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
bankSyncConfigService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
bankSyncService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
bankSyncWorker.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
billMerchantRuleService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
billsService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
calendarFeedService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
cleanupService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
csvTransactionImportService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
driftService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
encryptionService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
loginFingerprint.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
matchSuggestionService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
merchantStoreMatchService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
notificationService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
ofxImportService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
oidcService.cts fix: four review-confirmed regressions in auth + OIDC flows 2026-07-10 22:57:07 -05:00
paymentAccountingService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
paymentValidation.cts feat(server-ts): paymentValidation → .cts, proving the CJS-module path (Phase 2) 2026-07-05 13:51:37 -05:00
simplefinService.cts chore(deps): eslint 10 stack — @eslint/js 10, react-hooks 7, react-refresh 0.5 (4f) 2026-07-10 17:36:50 -05:00
snowballService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
spendingService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
spreadsheetImportService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
statusRuntime.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
statusService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
subscriptionService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
totpService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
trackerService.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
transactionMatchService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
transactionMatchState.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
transactionService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
updateCheckService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
userDataService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
userDbImportService.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
userSettings.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
webauthnService.cts feat(auth): passkey / security-key UI — WebAuthn ships end to end 2026-07-10 17:30:14 -05:00