From 04a40920904ef357ff0ef65fa57ad5783598aa99 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Tue, 25 Mar 2025 12:25:37 -0500
Subject: [PATCH] Reset if pointer is not a number or JWT cannot be decoded (#2021)
---
 lib/auth.js | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/lib/auth.js b/lib/auth.js
index de1384b6..44673c20 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -91,14 +91,24 @@ function switchSessionCookie (request) {
   return request
 }
 
-export function checkMultiAuthCookies (req, res) {
+async function checkMultiAuthCookies (req, res) {
   if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) {
     return false
   }
 
+  const pointer = req.cookies[MULTI_AUTH_POINTER]
+  if (isNaN(Number(pointer)) && pointer !== MULTI_AUTH_ANON) {
+    return false
+  }
+
   const accounts = b64Decode(req.cookies[MULTI_AUTH_LIST])
   for (const account of accounts) {
-    if (!req.cookies[MULTI_AUTH_JWT(account.id)]) {
+    const jwt = req.cookies[MULTI_AUTH_JWT(account.id)]
+    if (!jwt) return false
+
+    try {
+      await decodeJWT({ token: jwt, secret: process.env.NEXTAUTH_SECRET })
+    } catch (err) {
       return false
     }
   }
@@ -158,7 +168,7 @@ export async function multiAuthMiddleware (req, res) {
     req = new NodeNextRequest(req)
   }
 
-  const ok = checkMultiAuthCookies(req, res)
+  const ok = await checkMultiAuthCookies(req, res)
   if (!ok) {
     resetMultiAuthCookies(req, res)
     return switchSessionCookie(req)
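Review bot: The new pointer guard in the first hunk relies on the coercing global `isNaN(Number(pointer))`, which still accepts values such as `' 1 '`, `'1e3'`, `'0x10'` or `'Infinity'` from the client-controlled cookie; a stricter test keeps only a plain index, e.g. `if (!/^\d+$/.test(pointer) && pointer !== MULTI_AUTH_ANON) {`. Whether the pointer is later used as an index into `accounts` is not visible here, so tighten it to match whatever the consumer expects. The `b64Decode(req.cookies[MULTI_AUTH_LIST])` call a few lines below stays outside the new `try`; if that helper throws on a malformed cookie rather than returning an empty list, a bad list cookie would surface as an exception from the middleware instead of the reset this commit intends, so consider moving the decode inside the `try` or guarding it the same way. The bound `err` in `catch (err)` is unused; `catch {` (or a debug log of the failure) makes the deliberate swallow explicit. Removing `export` from `checkMultiAuthCookies` will break any other module that imported it, which cannot be confirmed from this diff.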