This repository was archived by the owner on Mar 13, 2025. It is now read-only.

Description
@ThomasKranitsas - In src/app.js, we use the given cookie for the tcv3jwt token:
```javascript
actions.push((req, res, next) => {
  const v3jwt = _.get(req.cookies, constants.JWT_V3_NAME);
  if (v3jwt) {
    // jwtDecode() only base64-decodes the payload; the signature is never checked
    const decoded = jwtDecode(v3jwt);
    req.currentUser = {
      handle: decoded.handle.toLowerCase(),
      roles: decoded.roles,
    };
  }
  req.signature = `${def.controller}#${def.method}`;
  next();
});
```
The problem is we aren't VALIDATING the JWT. This means that a user can login on x.topcoder-dev.com, change the domain for the token, and gain access to x.topcoder.com, which is obviously very, very bad.
I have taken down x.topcoder.com while we add JWT validation.
Let's do the following:
- Add a new config value for JWT_SIGNATURE that allows us to set the JWT signature to use to validate
- Using the signature, add code to validate the JWT before we use it anywhere on the site.
Dev and prod have different signatures for the JWT, so that should fix the problem.
Please use the code linked below https://github.com/appirio-tech/tc-core-library-js