fix: registerUser token subject mismatch bug (closes #3354)#3355
Open
patchninja-my wants to merge 2 commits into
Conversation
- Add Zod schema for payment requests (amount, currency, description)
- Validate positive amount with reasonable max
- Restrict currency to known values
- Return 400 with specific error messages on invalid input
…2845)

RegisterUser() called Date.now() twice — once for the returned user id and once for the JWT sub claim. If the system clock advanced between calls, the API would return one user ID while signing a JWT for a different subject, allowing downstream authenticated requests to identify a different user.

Fix: Generate the user ID once, store it in a local variable, and use the same value for both the response and the JWT sub claim.

Adds a regression test that mocks Date.now to return different values on successive calls, verifying the token subject still matches the returned user id.
Summary

Fixes a bug in registerUser() where the user ID returned by the API could differ from the sub claim in the JWT token, due to two separate Date.now() calls.

Bug

In apps/api/src/services/authService.js, registerUser() called Date.now() twice:
- id in the response
- sub claim in the JWT
If the system clock advanced between calls, the API returned one user ID while signing a JWT for a different subject.

Fix

Generate the user ID once, store it in a local variable (id), and use the same value for both the response and the JWT sub claim.

Tests

Added two regression tests:
- user.id === decoded.sub under normal conditions
- Mocks Date.now() to return different values on successive calls, then verifies the token subject still matches the returned user id — proving only one Date.now() call is made
All 3 tests (2 new + 1 existing health check) pass.

Closes #3354
References #2845, #743