v3: fixed authorization bug with stale tokens, fixed private dump access bug, various small fixes across the app
Some checks failed
Build and Publish Docker Image / build-and-push (push) Failing after 20s

This commit is contained in:
khannurien
2026-06-27 10:40:07 +00:00
parent 73e0114bf7
commit 76de798faf
24 changed files with 236 additions and 194 deletions

View File

@@ -1,10 +1,28 @@
import type { Context } from "@oak/oak";
import { verifyJWT } from "./jwt.ts";
import { APIErrorCode, APIException } from "../model/interfaces.ts";
/** Extracts the userId from an optional Bearer token. Returns null if absent or invalid. */
/**
* Extracts the userId from an optional Bearer token.
*
* Distinguishes *missing* credentials from *invalid* ones:
* - No `Authorization: Bearer …` header (or a placeholder value such as the
* `Bearer undefined` that the client emits when logged out) → anonymous (null).
* - A real token that fails verification (expired / bad signature) → throws 401,
* so a stale client session surfaces as an auth error it can react to, instead
* of being silently downgraded to anonymous (which yields a misleading 404 on
* private resources).
*/
export async function parseOptionalAuth(ctx: Context): Promise<string | null> {
const authHeader = ctx.request.headers.get("Authorization");
if (!authHeader?.startsWith("Bearer ")) return null;
const payload = await verifyJWT(authHeader.substring(7));
return payload?.userId ?? null;
const token = authHeader.substring(7).trim();
if (!token || token === "undefined" || token === "null") return null;
const payload = await verifyJWT(token);
if (!payload) {
throw new APIException(APIErrorCode.UNAUTHORIZED, 401, "Invalid token");
}
return payload.userId;
}

View File

@@ -71,7 +71,7 @@ export async function createJWT(
): Promise<string> {
return await new SignJWT(payload)
.setProtectedHeader({ alg: "HS256" })
.setExpirationTime("24h")
.setExpirationTime("7d")
.sign(JWT_KEY);
}