k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 14:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: pin JWT algorithm to HS256 and harden token security

Browse Source 
- Add { algorithms: ['HS256'] } to all jwt.verify() calls to prevent
  algorithm confusion attacks (including the 'none' algorithm)
- Add { algorithm: 'HS256' } to all jwt.sign() calls for consistency
- Reduce OIDC token payload to only { id } (was leaking username, email, role)
- Validate OIDC redirect URI against APP_URL env var when configured
- Add startup warning when JWT_SECRET is auto-generated

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
This commit is contained in:
Claude
2026-03-30 23:34:47 +00:00
parent 5f07bdaaf1
commit fedd559fd6
7 changed files with 63 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/routes/oidc.ts
+12 -6
View File
@@ -80,11 +80,11 @@ async function discover(issuer: string) {
return doc;
}
function generateToken(user: { id: number; username: string; email: string; role: string }) {
function generateToken(user: { id: number }) {
return jwt.sign(
{ id: user.id, username: user.username, email: user.email, role: user.role },
{ id: user.id },
JWT_SECRET,
{ expiresIn: '24h' }
{ expiresIn: '24h', algorithm: 'HS256' }
);
}
@@ -121,9 +121,15 @@ router.get('/login', async (req: Request, res: Response) => {
try {
const doc = await discover(config.issuer);
const state = crypto.randomBytes(32).toString('hex');
const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
const redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
const appUrl = process.env.APP_URL || (db.prepare("SELECT value FROM app_settings WHERE key = 'app_url'").get() as { value: string } | undefined)?.value;
let redirectUri: string;
if (appUrl) {
redirectUri = `${appUrl.replace(/\/+$/, '')}/api/auth/oidc/callback`;
} else {
const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
}
const inviteToken = req.query.invite as string | undefined;
pendingStates.set(state, { createdAt: Date.now(), redirectUri, inviteToken });