
chore(backend): verify requireAuth rejects tokens with missing subject/user id#293

Merged
greatest0fallt1me merged 2 commits intoCalloraOrg:mainfrom
gidadoabdullateef5:test/auth-missing-subject
Apr 25, 2026

Conversation

gidadoabdullateef5 (Contributor) commented Apr 24, 2026

Closes #217


This Pull Request addresses issue #217 by hardening the requireAuth middleware to ensure it strictly validates the presence of a user identifier in JWT tokens. It also resolves a critical syntax bug in the global error handler that was blocking proper error reporting.

Changes

  • src/middleware/requireAuth.ts:
    • Updated JWT payload validation to check for both userId and sub (standard JWT subject) claims.
    • Implemented a fallback mechanism where userId is prioritized, but sub is accepted if userId is missing.
    • Strictly rejects requests with a 401 Unauthorized (MISSING_CLAIMS) if neither claim is a valid, non-empty string.
  • src/middleware/errorHandler.ts:
    • Fixed a SyntaxError caused by a duplicate declaration of the message variable.
    • Resolved an undefined reference to isKnownError by replacing it with the correct isAppError(err) check.
  • tests/integration/auth.test.ts:
    • Added a comprehensive integration test suite for the requireAuth middleware.
    • Covered failure modes: missing identifiers, empty userId, and empty sub.
    • Covered success modes: valid userId and valid sub fallback.

Security & Data Integrity

The updated logic ensures that authorization is never granted to tokens that do not explicitly identify a subject. By supporting the standard sub claim alongside the internal userId, we improve compatibility with standard JWT issuers while maintaining strict security boundaries.

Test Results Summary

PASS tests/integration/auth.test.ts
  POST /auth/wallet
    √ returns 200 and JWT when signature is valid
    √ returns 401 when signature is invalid
    √ returns 400 when fields are missing
    √ returns same user on second login with same wallet
  requireAuth middleware integration
    √ rejects token with missing both userId and sub
    √ rejects token with empty userId
    √ rejects token with empty sub
    √ accepts token with userId
    √ accepts token with sub (subject) as fallback
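As an added example (not the project's code and not part of this PR), the following self-contained TypeScript sketch shows the claim check the description outlines: `userId` wins, a non-empty `sub` is accepted as the fallback, and a request whose verified token carries neither is rejected with 401 and the `MISSING_CLAIMS` code. The payload shape, the minimal Express-like `Req`/`Res` types, the stand-in token verifier, the `MISSING_TOKEN`/`INVALID_TOKEN` codes and the choice to treat whitespace-only strings as missing are all assumptions of this example, not things the PR states.

```typescript
// Added example: subject-claim validation for a JWT-backed requireAuth middleware,
// modelled on the behaviour described in the PR. Not the project's own code.

// Assumed decoded-token shape; claims arrive as unknown because a JWT issuer may
// put a number, object or null where a string is expected.
interface JwtPayload {
  userId?: unknown;
  sub?: unknown;
  [claim: string]: unknown;
}

// A claim counts only when it is a string with visible content (trimming is a
// stricter choice than the PR's "non-empty string" wording; assumed here).
function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.trim().length > 0;
}

// Returns the subject identifier, preferring userId over the standard sub claim,
// or null when neither claim is usable. A type-confused claim such as userId: 42
// is treated as missing rather than coerced.
function resolveSubject(payload: JwtPayload): string | null {
  if (isNonEmptyString(payload.userId)) return payload.userId;
  if (isNonEmptyString(payload.sub)) return payload.sub;
  return null;
}

// Minimal stand-ins for Express request/response so the example runs offline.
interface Req { headers: Record<string, string | undefined>; user?: { id: string }; }
interface Res { statusCode: number; body?: unknown; }
type Next = () => void;

// Stand-in for a verifier that has already checked signature and expiry and
// returns the decoded payload, or null when verification fails (assumed).
type Verifier = (token: string) => JwtPayload | null;

function requireAuth(verify: Verifier) {
  return (req: Req, res: Res, next: Next): void => {
    const header = req.headers["authorization"] ?? "";
    const [scheme, token] = header.split(" ");
    if (scheme !== "Bearer" || !token) {
      res.statusCode = 401; res.body = { code: "MISSING_TOKEN" }; return; // assumed code
    }
    const payload = verify(token);
    if (payload === null) {
      res.statusCode = 401; res.body = { code: "INVALID_TOKEN" }; return; // assumed code
    }
    const id = resolveSubject(payload);
    if (id === null) {
      // The PR's rule: neither userId nor sub is a valid, non-empty string.
      res.statusCode = 401; res.body = { code: "MISSING_CLAIMS" }; return;
    }
    req.user = { id };
    next();
  };
}

// Drives the middleware with a constructed payload and reports the outcome,
// mirroring the failure and success modes listed in the PR's test summary.
function runWithPayload(payload: JwtPayload | null): { status: number; code?: string; userId?: string } {
  const mw = requireAuth(() => payload); // verifier hands back the constructed payload
  const req: Req = { headers: { authorization: "Bearer constructed.token.value" } };
  const res: Res = { statusCode: 200 };
  const calls: string[] = [];
  mw(req, res, () => calls.push("next"));
  if (calls.length > 0) return { status: 200, userId: req.user?.id };
  return { status: res.statusCode, code: (res.body as { code: string }).code };
}

// Constructed payloads covering the cases named in the PR.
const cases: Array<[string, JwtPayload | null]> = [
  ["missing both userId and sub", {}],
  ["empty userId, no sub", { userId: "" }],
  ["empty sub, no userId", { sub: "" }],
  ["numeric userId (type confusion)", { userId: 42 }],
  ["valid userId", { userId: "user-123" }],
  ["sub fallback", { sub: "subject-456" }],
  ["verification failed", null],
];
for (const [label, payload] of cases) {
  console.log(label, "->", runWithPayload(payload));
}
```

Note that an empty `userId` next to a valid `sub` falls through to the fallback, which is what the PR's "rejects if neither claim is a valid, non-empty string" rule implies; if the project wants an explicitly present but empty `userId` to be rejected outright regardless of `sub`, the first branch of `resolveSubject` would need to return null instead of falling through.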

gidadoabdullateef5 (Contributor, Author) commented

Hello @maintainer, kindly review my PR and merge it so the issue can be closed.

@greatest0fallt1me greatest0fallt1me merged commit ecb7268 into CalloraOrg:main Apr 25, 2026
Linked issue (#217): Auth: verify requireAuth rejects tokens with missing subject/user id