CalloraOrg · greatest0fallt1me · Apr 25, 2026 · Apr 24, 2026 · Apr 24, 2026
diff --git a/src/middleware/errorHandler.ts b/src/middleware/errorHandler.ts
@@ -49,9 +49,7 @@ export function errorHandler(
 
   // Security: In production, mask the message for unexpected (non-AppError) errors
   let finalMessage = message;
-  const isKnownError = isAppError(err) || statusCode < 500;
-
-  if (isProduction && !isKnownError) {
+  if (isProduction && !isAppError(err)) {
     finalMessage = 'Internal server error';
   }
 

diff --git a/src/middleware/requireAuth.ts b/src/middleware/requireAuth.ts
@@ -49,9 +49,11 @@ export const requireAuth = (
           return;
         }
 
-        const uid = (decoded as Record<string, unknown>).userId;
+        const payload = decoded as Record<string, unknown>;
+        const uid = payload.userId || payload.sub;
+
         if (typeof uid !== "string" || uid.trim() === "") {
-          logger.warn("[requireAuth] Token missing required userId claim");
+          logger.warn("[requireAuth] Token missing required userId or sub claim");
           next(
             new UnauthorizedError(
               "Token missing required claims",

diff --git a/tests/integration/auth.test.ts b/tests/integration/auth.test.ts
@@ -3,7 +3,9 @@ import request from 'supertest';
 import express from 'express';
 import jwt from 'jsonwebtoken';
 import { createTestDb } from '../helpers/db.js';
-import { TEST_JWT_SECRET } from '../helpers/jwt.js';
+import { TEST_JWT_SECRET, signTokenMissingClaims } from '../helpers/jwt.js';
+import { requireAuth } from '../../src/middleware/requireAuth.js';
+import { errorHandler } from '../../src/middleware/errorHandler.js';
 
 const mockVerifySignature = jest.fn();
 
@@ -41,6 +43,12 @@ function buildAuthApp(pool: any) {
     return res.status(200).json({ token, user });
   });
 
+  app.get('/protected', requireAuth, (req, res) => {
+    res.status(200).json({ message: 'Success', user: res.locals.authenticatedUser });
+  });
+
+  app.use(errorHandler);
+
   return app;
 }
 
@@ -105,3 +113,68 @@ describe('POST /auth/wallet', () => {
     expect(res1.body.user.id).toBe(res2.body.user.id);
   });
 });
+
+describe('requireAuth middleware integration', () => {
+  let db: any;
+  let app: express.Express;
+
+  beforeEach(() => {
+    db = createTestDb();
+    app = buildAuthApp(db.pool);
+    process.env.JWT_SECRET = TEST_JWT_SECRET;
+  });
+
+  afterEach(async () => {
+    await db.end();
+  });
+
+  it('rejects token with missing both userId and sub', async () => {
+    const token = signTokenMissingClaims({ foo: 'bar' });
+    const res = await request(app)
+      .get('/protected')
+      .set('Authorization', `Bearer ${token}`);
+
+    expect(res.status).toBe(401);
+    expect(res.body.code).toBe('MISSING_CLAIMS');
+  });
+
+  it('rejects token with empty userId', async () => {
+    const token = signTokenMissingClaims({ userId: '' });
+    const res = await request(app)
+      .get('/protected')
+      .set('Authorization', `Bearer ${token}`);
+
+    expect(res.status).toBe(401);
+    expect(res.body.code).toBe('MISSING_CLAIMS');
+  });
+
+  it('rejects token with empty sub', async () => {
+    const token = signTokenMissingClaims({ sub: '' });
+    const res = await request(app)
+      .get('/protected')
+      .set('Authorization', `Bearer ${token}`);
+
+    expect(res.status).toBe(401);
+    expect(res.body.code).toBe('MISSING_CLAIMS');
+  });
+
+  it('accepts token with userId', async () => {
+    const token = signTokenMissingClaims({ userId: 'user-123' });
+    const res = await request(app)
+      .get('/protected')
+      .set('Authorization', `Bearer ${token}`);
+
+    expect(res.status).toBe(200);
+    expect(res.body.user.id).toBe('user-123');
+  });
+
+  it('accepts token with sub (subject) as fallback', async () => {
+    const token = signTokenMissingClaims({ sub: 'user-456' });
+    const res = await request(app)
+      .get('/protected')
+      .set('Authorization', `Bearer ${token}`);
+
+    expect(res.status).toBe(200);
+    expect(res.body.user.id).toBe('user-456');
+  });
+});