🛂 security: fix auth token validation flow

2026-02-17 21:32:27 +07:00
parent 5eb7f753a5
commit 4fc87b7134
5 changed files with 24 additions and 22 deletions
--- a/app/(safe-mode-page)/auth/logout/page.tsx
+++ b/app/(safe-mode-page)/auth/logout/page.tsx
@ -0,0 +1,9 @@
+import { cookies } from "next/headers";
+import { redirect } from "next/navigation";
+
+const page = async () => {
+  (await cookies()).delete("auth_token");
+  redirect("/");
+};
+
+export default page;
--- a/app/(session)/(clean)/auth/providers/[name]/callback/page.tsx
+++ b/app/(session)/(clean)/auth/providers/[name]/callback/page.tsx
--- a/shared/helpers/backendFetch.ts
+++ b/shared/helpers/backendFetch.ts
@ -5,6 +5,7 @@ import { UAParser } from "ua-parser-js";

 export interface BackendResponse<T = unknown> {
  success: boolean;
+  status: number;
  message: string;
  data?: T;
  error?: unknown;
@ -34,16 +35,11 @@ export const backendFetch = async (path: string, options: RequestInit = {}) => {
        ...options.headers,
      },
      cache: "default",
-    });
+    }).then((response) => response.json());

-    const resJson = (await res.json()) as BackendResponse;
-
-    if (!res.ok) {
-      throw new Error(`Elysia error: ${resJson.error}`);
-    }
-
-    return resJson;
-  } catch {
+    return res as BackendResponse;
+  } catch (res) {
+    if (process.env.NODE_ENV === "development") return res;
    redirect("/status?reason=backend-unreachable");
  }
 };
--- a/shared/models/auth/logout.ts
+++ b/shared/models/auth/logout.ts
@ -1,12 +1,12 @@
 "use server";

-import { backendFetch } from "@/shared/helpers/backendFetch";
+import { backendFetch, BackendResponse } from "@/shared/helpers/backendFetch";
 import { cookies } from "next/headers";

 export const logout = async () => {
-  const res = await backendFetch("auth/logout", {
+  const res = (await backendFetch("auth/logout", {
    method: "POST",
-  });
+  })) as BackendResponse;

  if (res.success) {
    (await cookies()).delete("auth_token");
--- a/shared/models/auth/validateAndDecodeJWT.ts
+++ b/shared/models/auth/validateAndDecodeJWT.ts
@ -1,6 +1,7 @@
 "use server";

 import { backendFetch, BackendResponse } from "@/shared/helpers/backendFetch";
+import { redirect } from "next/navigation";
 import { cookies } from "next/headers";

 export interface UserSession {
@ -30,18 +31,14 @@ export interface UserSession {
 }

 export const validateAndDecodeJWT = async (): Promise<UserSession | null> => {
-  const cookieHeader = (await cookies()).get("auth_token")?.value;
-
-  if (!cookieHeader) {
-    return null;
-  }
-
+  "use server";
  const res = (await backendFetch("auth/token/validate", {
    method: "POST",
-    body: JSON.stringify({
-      token: cookieHeader,
-    }),
  })) as BackendResponse<UserSession>;

-  return res.data!;
+  if (res.status === 403) {
+    redirect("/auth/logout");
+  }
+
+  return res.data ?? null;
 };