Reject extra session token segments (#18)

Autowebassat-blip · web-flow · commit d558554da395 · 2026-06-11T21:04:25.000-07:00
diff --git a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
@@ -376,7 +376,8 @@ describe("session signing", () => {
     process.env.LOGICSRC_SESSION_SECRET = "session_secret_for_tests";
     const token = signSession({ provider: "coinpay", sub: "merchant-123" });
     expect(verifySession(token)).toMatchObject({ provider: "coinpay", sub: "merchant-123" });
-    expect(verifySession(`${token}tampered`)).toBeNull();
+    expect(verifySession(`tampered`)).toBeNull();
+    expect(verifySession(`.extra`)).toBeNull();
   });
 });
 
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -160,7 +160,9 @@ export function signSession(payload: Record<string, unknown>): string {
 }
 
 export function verifySession(value: string): Record<string, unknown> | null {
-  const [encoded, signature] = value.split(".");
+  const parts = value.split(".");
+  if (parts.length !== 2) return null;
+  const [encoded, signature] = parts;
   if (!encoded || !signature) return null;
 
   const expected = createHmac("sha256", getSessionSecret()).update(encoded).digest("base64url");

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,9 @@ export function signSession(payload: Record<string, unknown>): string {`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`export function verifySession(value: string): Record<string, unknown> \| null {`
`163`		`- const [encoded, signature] = value.split(".");`
	`163`	`+ const parts = value.split(".");`
	`164`	`+ if (parts.length !== 2) return null;`
	`165`	`+ const [encoded, signature] = parts;`
`164`	`166`	`if (!encoded \|\| !signature) return null;`
`165`	`167`
`166`	`168`	`const expected = createHmac("sha256", getSessionSecret()).update(encoded).digest("base64url");`