Reset if pointer is not a number or JWT cannot be decoded (#2021)

This commit is contained in:
ekzyis 2025-03-25 12:25:37 -05:00 committed by GitHub
parent d7e01d0186
commit 04a4092090
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -91,14 +91,24 @@ function switchSessionCookie (request) {
return request return request
} }
export function checkMultiAuthCookies (req, res) { async function checkMultiAuthCookies (req, res) {
if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) { if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) {
return false return false
} }
const pointer = req.cookies[MULTI_AUTH_POINTER]
if (isNaN(Number(pointer)) && pointer !== MULTI_AUTH_ANON) {
return false
}
const accounts = b64Decode(req.cookies[MULTI_AUTH_LIST]) const accounts = b64Decode(req.cookies[MULTI_AUTH_LIST])
for (const account of accounts) { for (const account of accounts) {
if (!req.cookies[MULTI_AUTH_JWT(account.id)]) { const jwt = req.cookies[MULTI_AUTH_JWT(account.id)]
if (!jwt) return false
try {
await decodeJWT({ token: jwt, secret: process.env.NEXTAUTH_SECRET })
} catch (err) {
return false return false
} }
} }
@ -158,7 +168,7 @@ export async function multiAuthMiddleware (req, res) {
req = new NodeNextRequest(req) req = new NodeNextRequest(req)
} }
const ok = checkMultiAuthCookies(req, res) const ok = await checkMultiAuthCookies(req, res)
if (!ok) { if (!ok) {
resetMultiAuthCookies(req, res) resetMultiAuthCookies(req, res)
return switchSessionCookie(req) return switchSessionCookie(req)