From b3704f1b403a3274208450df6c30a73ee4d1578f Mon Sep 17 00:00:00 2001
From: chimpdev
Date: Wed, 18 Dec 2024 05:25:52 +0300
Subject: [PATCH] fix(auth): update JWT handling to use user ID as subject and remove id from token payload

---
 server/src/routes/auth/callback.js | 3 +--
 server/src/server.js | 16 +++++++++-------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/server/src/routes/auth/callback.js b/server/src/routes/auth/callback.js
index 1ed12fa0..75db5a15 100644
--- a/server/src/routes/auth/callback.js
+++ b/server/src/routes/auth/callback.js
@@ -60,7 +60,6 @@ module.exports = {
 
     const token = jwt.sign(
       {
-        id: user.id,
         iat: currentDate.getTime()
       },
       process.env.JWT_SECRET,
@@ -68,7 +67,7 @@ module.exports = {
         expiresIn: '30d',
         issuer: 'api.discord.place',
         audience: 'discord.place',
-        subject: 'user'
+        subject: user.id
       }
     );
 
diff --git a/server/src/server.js b/server/src/server.js
index 772c889d..d9eebb6e 100644
--- a/server/src/server.js
+++ b/server/src/server.js
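Review bot: The context line `iat: currentDate.getTime()` seeds the claim in milliseconds, and jsonwebtoken derives `exp` from a caller-supplied `iat` as `iat + expiresIn` in seconds, so the 30-day `expiresIn` in the second hunk most likely never expires these tokens; the commit leaves that as-is. Either drop the explicit `iat` and let the library set it in seconds (adjusting the `lastLogoutAt` comparison in server.js to `iat * 1000`), or keep the millisecond convention and say so, e.g. `iat: currentDate.getTime() // ms; compared against lastLogoutAt in server.js`. `jwt.sign` requires `subject` to be a string, so `subject: user.id` relies on `user.id` being a string (presumably a Discord snowflake); worth a comment or an explicit `String(user.id)`. The enclosing handler starts outside the hunk.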
@@ -95,21 +95,23 @@ module.exports = class Server {
     const token = request.cookies.token;
 
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET, {
+      const decoded = jwt.decode(token, { complete: true });
+      if (!decoded || !decoded.payload?.sub) throw new Error('Token invalid.');
+
+      const verified = jwt.verify(token, process.env.JWT_SECRET, {
         issuer: 'api.discord.place',
         audience: 'discord.place',
-        subject: 'user'
+        subject: decoded.payload.sub,
+        complete: true
       });
 
-      if (!decoded) throw new Error('Token invalid.');
-
-      const user = await User.findOne({ id: decoded.id }).select('lastLogoutAt').lean();
+      const user = await User.findOne({ id: verified.payload.sub }).select('lastLogoutAt').lean();
       if (!user) throw new Error('User not found.');
 
-      if (decoded.iat < new Date(user.lastLogoutAt).getTime()) throw new Error('Token expired.');
+      if (verified.iat < new Date(user.lastLogoutAt).getTime()) throw new Error('Token expired.');
 
       request.user = {
-        id: decoded.id
+        id: verified.payload.sub
       };
 
       const guild = client.guilds.cache.get(config.guildId);
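Review bot: `verified.iat` is always undefined because `jwt.verify` is now called with `complete: true` and returns `{ header, payload, signature }`; `undefined < number` is false, so the post-logout revocation check never throws and a token issued before `lastLogoutAt` keeps working. The line should read `if (verified.payload.iat < new Date(user.lastLogoutAt).getTime()) throw new Error('Token expired.');`. The preceding `jwt.decode` exists only to feed the token's own unverified `sub` back into verify's `subject` option, which cannot reject anything the signature and issuer/audience checks would not; removing `subject` from the options and reading `verified.payload.sub` afterwards (with a `!verified.payload?.sub` guard) is equivalent and avoids the unverified decode. The enclosing method continues outside the hunk.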