This repository was archived by the owner on Apr 6, 2026. It is now read-only.

fix(web): prevent JWT session fixation via crafted URL fragments#335

Merged
karaktaka merged 2 commits into
mainfrom
fix/jwt-session-fixation
Mar 15, 2026

Conversation

@karaktaka karaktaka (Contributor) commented Mar 15, 2026

Summary

  • Restricts JWT token extraction from URL fragments to to.path === "/" only — the sole legitimate OAuth callback target
  • Prevents session fixation attacks where an attacker crafts /login#token=ATTACKER_JWT to overwrite a victim's session
  • Extracts TOKEN_HASH_PREFIX constant to eliminate the duplicated "#token=" magic string

Security context

The backend OAuth callback always redirects to /#token=<jwt>. Token extraction on any other path is illegitimate. Before this fix, visiting /login#token=ATTACKER_JWT would silently store the attacker's JWT before the public-route check could short-circuit.

Test plan

  • npm run build --prefix web/frontend passes (type-check + build)
  • OAuth flow (/api/auth/callback/#token=.../guilds) still works end-to-end
  • Visiting /login#token=fake no longer stores the token in the auth store

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • JWT token extraction is now restricted to the root path only and requires a specific token hash prefix. This prevents unintended token processing in other application areas, enhancing security.
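The guard logic described in the PR, as an added example that is not the project's router code: the route object is modelled with vue-router-style `path` and `hash` fields, `AuthStore` is a minimal stand-in for the app's auth store, and the `PUBLIC_ROUTES` set is an assumption (the project's real list is not on the page). The "before" function reproduces the behaviour the PR describes, where extraction ran on every route; the "after" function gates it on `to.path === "/"`, so a crafted `/login#token=...` no longer reaches the store.

```typescript
// Added example modelling the navigation guard described in the PR.
// Assumptions: a vue-router-like route with `path` and `hash`, a tiny
// auth-store stand-in, and a hypothetical PUBLIC_ROUTES set.

const TOKEN_HASH_PREFIX = "#token=";

interface RouteLike {
  path: string; // e.g. "/" or "/login"
  hash: string; // raw fragment including the leading "#", or ""
}

// Stand-in for the application's auth store (assumption).
class AuthStore {
  token: string | null = null;
  setToken(t: string): void {
    this.token = t;
  }
}

// Before the fix (as the PR describes it): any route carrying "#token=" is
// accepted, so a crafted link fixates the victim's session.
function extractTokenBefore(to: RouteLike, store: AuthStore): string | null {
  if (to.hash.startsWith(TOKEN_HASH_PREFIX)) {
    const token = to.hash.slice(TOKEN_HASH_PREFIX.length);
    store.setToken(token);
    return token;
  }
  return null;
}

// After the fix: only the OAuth callback target "/" may deliver a token.
function extractTokenAfter(to: RouteLike, store: AuthStore): string | null {
  if (to.path === "/" && to.hash.startsWith(TOKEN_HASH_PREFIX)) {
    const token = to.hash.slice(TOKEN_HASH_PREFIX.length);
    store.setToken(token);
    return token;
  }
  return null;
}

// Hypothetical list of routes reachable without a session.
const PUBLIC_ROUTES = new Set<string>(["/login"]);

type GuardResult = { allow: true } | { redirectTo: string };
type Extractor = (to: RouteLike, store: AuthStore) => string | null;

// Full guard: extract (if allowed), clear the hash via redirect, then apply
// the public-route / authenticated-route checks.
function guard(to: RouteLike, store: AuthStore, extract: Extractor): GuardResult {
  const token = extract(to, store);
  if (token !== null) {
    // Redirect to the same path without the fragment so the token does not
    // linger in the address bar or browser history.
    return { redirectTo: to.path };
  }
  if (PUBLIC_ROUTES.has(to.path)) {
    return { allow: true };
  }
  if (store.token === null) {
    return { redirectTo: "/login" };
  }
  return { allow: true };
}

// Constructed sample navigations for a quick stand-alone run.
const crafted: RouteLike = { path: "/login", hash: "#token=ATTACKER_JWT" };
const legit: RouteLike = { path: "/", hash: "#token=header.payload.sig" };
console.log("before, crafted:", guard(crafted, new AuthStore(), extractTokenBefore));
console.log("after, crafted:", guard(crafted, new AuthStore(), extractTokenAfter));
console.log("after, legit:", guard(legit, new AuthStore(), extractTokenAfter));
```

Note that the fragment never leaves the browser, so the server-side OAuth handler and its logs cannot observe a crafted token; the only place to enforce the path restriction is the client router guard, which is why the fix lives in `router/index.ts`.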

karaktaka and others added 2 commits March 15, 2026 01:53
…on fixation

An attacker could craft /login#token=ATTACKER_JWT to fixate a victim's
session, since token extraction ran on every route before the public route
check. The backend OAuth callback only ever redirects to /#token=<jwt>, so
restricting extraction to to.path === "/" closes the attack surface with no
impact on the legitimate OAuth flow.

Co-Authored-By: Claude <noreply@anthropic.com>

Eliminates the duplicated "#token=" magic string used in both the
startsWith check and the slice call.

Co-Authored-By: Claude <noreply@anthropic.com>
@coderabbitai coderabbitai Bot (Contributor) commented Mar 15, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 1bd8d4c and 831ce23.

📒 Files selected for processing (1)
  • web/frontend/src/router/index.ts

Walkthrough

Restricts JWT token extraction from URL hashes to the root path ("/") only, introducing a TOKEN_HASH_PREFIX constant for pattern matching. Previously, token extraction occurred anywhere in the application when "#token=" appeared in the hash; now it's gated behind the root-path condition.

Changes

  • JWT Token Extraction Restriction (web/frontend/src/router/index.ts): Introduces TOKEN_HASH_PREFIX constant and restricts JWT token extraction to root path ("/") with hash prefix validation. Token extraction and hash-clearing redirect now gated behind root-path condition.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly and accurately summarizes the main security fix: preventing JWT session fixation attacks via malicious URL fragments.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@karaktaka karaktaka merged commit a651e92 into main Mar 15, 2026
9 checks passed
@karaktaka karaktaka deleted the fix/jwt-session-fixation branch March 15, 2026 01:12