Fix security check in /auth/redirect comparing against undefined ctx.params.token (#10894)

* Initial plan * Fix security check in /auth/redirect to use ctx.state.auth.token instead of ctx.params.token Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
2025-12-16 16:24:46 -06:00 · 2025-12-13 15:02:39 -05:00
parent 44b754884f
commit 2772de2766
3 changed files with 17 additions and 1 deletions
--- a/.env.test
+++ b/.env.test
@@ -30,3 +30,8 @@ RATE_LIMITER_ENABLED=false

 FILE_STORAGE=local
 FILE_STORAGE_LOCAL_ROOT_DIR=/tmp
+
+URL=http://localhost:3000
+COLLABORATION_URL=
+REDIS_URL=redis://localhost:6379
+UTILS_SECRET=test-utils-secret
--- a/server/routes/auth/index.test.ts
+++ b/server/routes/auth/index.test.ts
@@ -32,4 +32,15 @@ describe("auth/redirect", () => {
    expect(res.headers.get("location")).not.toBeNull();
    expect(res.headers.get("location")!.endsWith(collection.url)).toBeTruthy();
  });
+
+  it("should prevent token extension by rejecting JWT tokens", async () => {
+    const user = await buildUser();
+    const jwtToken = user.getJwtToken();
+
+    const res = await server.get(`/auth/redirect?token=${jwtToken}`, {
+      redirect: "manual",
+    });
+
+    expect(res.status).toEqual(401);
+  });
 });
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
@@ -30,7 +30,7 @@ router.get("/redirect", authMiddleware(), async (ctx: APIContext) => {
  const { user } = ctx.state.auth;
  const jwtToken = user.getJwtToken();

-  if (jwtToken === ctx.params.token) {
+  if (jwtToken === ctx.state.auth.token) {
    throw AuthenticationError("Cannot extend token");
  }