Reset multi_auth to initial state on error (#2007)

* Reset multi auth to initial state * Also check if next-auth.session-token exists --------- Co-authored-by: Keyan <34140557+huumn@users.noreply.github.com>
2025-03-25 18:59:26 -05:00 · 2025-03-25 18:59:26 -05:00 · ef8c738582
commit ef8c738582
parent 8a6b825659
1 changed files with 11 additions and 3 deletions
--- a/lib/auth.js
+++ b/lib/auth.js
@ -92,7 +92,7 @@ function switchSessionCookie (request) {
 }

 async function checkMultiAuthCookies (req, res) {
-  if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) {
+  if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER] || !req.cookies[SESSION_COOKIE]) {
    return false
  }

@ -116,15 +116,23 @@ async function checkMultiAuthCookies (req, res) {
  return true
 }

-function resetMultiAuthCookies (req, res) {
+async function resetMultiAuthCookies (req, res) {
  const httpOnlyOptions = cookieOptions({ expires: 0, maxAge: 0 })
  const jsOptions = { ...httpOnlyOptions, httpOnly: false }

+  // remove all multi_auth cookies ...
  for (const key of Object.keys(req.cookies)) {
    if (!MULTI_AUTH_REGEXP.test(key)) continue
    const options = MULTI_AUTH_JWT_REGEXP.test(key) ? httpOnlyOptions : jsOptions
    res.appendHeader('Set-Cookie', cookie.serialize(key, '', options))
  }
+
+  // ... and reset to initial state if they are logged in
+  const token = req.cookies[SESSION_COOKIE]
+  if (!token) return
+
+  const decoded = await decodeJWT({ token, secret: process.env.NEXTAUTH_SECRET })
+  setMultiAuthCookies(req, res, { ...decoded, jwt: token })
 }

 async function refreshMultiAuthCookies (req, res) {
@ -170,7 +178,7 @@ export async function multiAuthMiddleware (req, res) {

  const ok = await checkMultiAuthCookies(req, res)
  if (!ok) {
-    resetMultiAuthCookies(req, res)
+    await resetMultiAuthCookies(req, res)
    return switchSessionCookie(req)
  }