From ef8c738582d02ae128738046dd655cac4c93be91 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Tue, 25 Mar 2025 18:59:26 -0500
Subject: [PATCH] Reset multi_auth to initial state on error (#2007)

* Reset multi auth to initial state

* Also check if next-auth.session-token exists

---------

Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
---
 lib/auth.js | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/auth.js b/lib/auth.js
index fa4d97f4..eae26197 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -92,7 +92,7 @@ function switchSessionCookie (request) {
 }
 
 async function checkMultiAuthCookies (req, res) {
-  if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) {
+  if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER] || !req.cookies[SESSION_COOKIE]) {
     return false
   }
 
@@ -116,15 +116,23 @@ async function checkMultiAuthCookies (req, res) {
   return true
 }
 
-function resetMultiAuthCookies (req, res) {
+async function resetMultiAuthCookies (req, res) {
   const httpOnlyOptions = cookieOptions({ expires: 0, maxAge: 0 })
   const jsOptions = { ...httpOnlyOptions, httpOnly: false }
 
+  // remove all multi_auth cookies ...
   for (const key of Object.keys(req.cookies)) {
     if (!MULTI_AUTH_REGEXP.test(key)) continue
     const options = MULTI_AUTH_JWT_REGEXP.test(key) ? httpOnlyOptions : jsOptions
     res.appendHeader('Set-Cookie', cookie.serialize(key, '', options))
   }
+
+  // ... and reset to initial state if they are logged in
+  const token = req.cookies[SESSION_COOKIE]
+  if (!token) return
+
+  const decoded = await decodeJWT({ token, secret: process.env.NEXTAUTH_SECRET })
+  setMultiAuthCookies(req, res, { ...decoded, jwt: token })
 }
 
 async function refreshMultiAuthCookies (req, res) {
@@ -170,7 +178,7 @@ export async function multiAuthMiddleware (req, res) {
   const ok = await checkMultiAuthCookies(req, res)
 
   if (!ok) {
-    resetMultiAuthCookies(req, res)
+    await resetMultiAuthCookies(req, res)
     return switchSessionCookie(req)
   }
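Review bot: The new `const decoded = await decodeJWT({ token, secret: process.env.NEXTAUTH_SECRET })` in resetMultiAuthCookies is unguarded, yet this function runs precisely on the inconsistent-cookie recovery path where the session cookie itself may be expired, truncated or client-supplied garbage, and (if decodeJWT is next-auth's decode) a failed decrypt throws and a missing payload yields null. A throw there propagates out of multiAuthMiddleware after the multi_auth cookies have been cleared but before switchSessionCookie(req) runs, so a bad session cookie turns a graceful reset into a request error; the earlier `if (!token) return` only covers the absent case. Suggest catching the decode failure and a nullish payload and returning (the cookies are already cleared, so there is nothing to re-seed), logging the failure with whatever logger the file already uses. Spreading `decoded` into setMultiAuthCookies also assumes the payload has the fields that function expects; worth a one-line comment stating which, since it is not visible here.
```javascript
  // ... and reset to initial state if they are logged in
  const token = req.cookies[SESSION_COOKIE]
  if (!token) return

  let decoded
  try {
    decoded = await decodeJWT({ token, secret: process.env.NEXTAUTH_SECRET })
  } catch (err) {
    // expired, malformed or forged session token: multi_auth cookies are
    // already cleared, so leave the user logged out instead of failing the request
    // TODO(review): log err with the file's logger
    return
  }
  if (!decoded) return

  setMultiAuthCookies(req, res, { ...decoded, jwt: token })
```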