From 6bae1f1a8970a2e2342dcb6471ed1d29308242d8 Mon Sep 17 00:00:00 2001 From: ekzyis Date: Wed, 20 Nov 2024 14:05:42 +0100 Subject: [PATCH] Fix account switching anon login (#1618) * Always switch to user we just logged in as If we're logged in and switch to anon and then use login to get into our previous account instead of using 'switch accounts', we only updated the JWT but we didn't switch to the user. * Fix getToken unaware of multi-auth middleware If we use login with new credentials while switched to anon (multi_auth.user-id === 'anonymous'), we updated the pubkey because getToken wasn't aware of the switch and thus believed we're logged in as a user. This is fixed by applying the middleware before calling getToken. --- pages/api/auth/[...nextauth].js | 8 +++++--- pages/api/graphql.js | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js index 56b9cfdd..2d1160ab 100644 --- a/pages/api/auth/[...nextauth].js +++ b/pages/api/auth/[...nextauth].js @@ -14,6 +14,7 @@ import { schnorr } from '@noble/curves/secp256k1' import { notifyReferral } from '@/lib/webPush' import { hashEmail } from '@/lib/crypto' import * as cookie from 'cookie' +import { multiAuthMiddleware } from '@/pages/api/graphql' /** * Stores userIds in user table @@ -132,6 +133,9 @@ function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) { // add JWT to **httpOnly** cookie res.appendHeader('Set-Cookie', cookie.serialize(`multi_auth.${id}`, jwt, cookieOptions)) + // switch to user we just added + res.appendHeader('Set-Cookie', cookie.serialize('multi_auth.user-id', id, { ...cookieOptions, httpOnly: false })) + let newMultiAuth = [{ id, name, photoId }] if (req.cookies.multi_auth) { const oldMultiAuth = b64Decode(req.cookies.multi_auth) @@ -140,9 +144,6 @@ function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) { newMultiAuth = [...oldMultiAuth, ...newMultiAuth] } res.appendHeader('Set-Cookie', cookie.serialize('multi_auth', b64Encode(newMultiAuth), { ...cookieOptions, httpOnly: false })) - - // switch to user we just added - res.appendHeader('Set-Cookie', cookie.serialize('multi_auth.user-id', id, { ...cookieOptions, httpOnly: false })) } async function pubkeyAuth (credentials, req, res, pubkeyColumnName) { @@ -165,6 +166,7 @@ async function pubkeyAuth (credentials, req, res, pubkeyColumnName) { let user = await prisma.user.findUnique({ where: { [pubkeyColumnName]: pubkey } }) // get token if it exists + req = multiAuthMiddleware(req) const token = await getToken({ req }) if (!user) { // we have not seen this pubkey before diff --git a/pages/api/graphql.js b/pages/api/graphql.js index 7d41ee57..9d6626e9 100644 --- a/pages/api/graphql.js +++ b/pages/api/graphql.js @@ -82,7 +82,7 @@ export default startServerAndCreateNextHandler(apolloServer, { } }) -function multiAuthMiddleware (request) { +export function multiAuthMiddleware (request) { // switch next-auth session cookie with multi_auth cookie if cookie pointer present // is there a cookie pointer?