From 0e65f8c921f1e98335c74bf09e64748211bc4402 Mon Sep 17 00:00:00 2001
From: miloschwartz
Date: Sun, 6 Apr 2025 13:08:55 -0400
Subject: [PATCH] check resource id on verify access token

---
 server/auth/verifyResourceAccessToken.ts | 11 ++++++++++-
 server/routers/badger/verifySession.ts | 6 ++++--
 src/app/auth/resource/[resourceId]/AccessToken.tsx | 6 ++----
 src/app/auth/resource/[resourceId]/page.tsx | 1 -
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/server/auth/verifyResourceAccessToken.ts b/server/auth/verifyResourceAccessToken.ts
index 3f5a17de..8ddb5018 100644
--- a/server/auth/verifyResourceAccessToken.ts
+++ b/server/auth/verifyResourceAccessToken.ts
@@ -13,10 +13,12 @@ import { sha256 } from "@oslojs/crypto/sha2";
 
 export async function verifyResourceAccessToken({
     accessToken,
-    accessTokenId
+    accessTokenId,
+    resourceId
 }: {
     accessToken: string;
     accessTokenId?: string;
+    resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES
 }): Promise<{
     valid: boolean;
     error?: string;
@@ -100,6 +102,13 @@ export async function verifyResourceAccessToken({
         };
     }
 
+    if (resourceId && resource.resourceId !== resourceId) {
+        return {
+            valid: false,
+            error: "Resource ID does not match"
+        };
+    }
+
     return {
         valid: true,
         tokenItem,
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index e6e31199..0c2e6493 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -209,7 +209,8 @@ export async function verifyResourceSession(
         const { valid, error, tokenItem } = await verifyResourceAccessToken(
             {
                 accessToken,
-                accessTokenId
+                accessTokenId,
+                resourceId: resource.resourceId
             }
         );
 
@@ -244,7 +245,8 @@ export async function verifyResourceSession(
         const { valid, error, tokenItem } = await verifyResourceAccessToken(
             {
                 accessToken,
-                accessTokenId
+                accessTokenId,
+                resourceId: resource.resourceId
             }
         );
 
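Review bot: The contract of the new `resourceId` parameter — omit it and the token is accepted for any resource — is carried only by an all-caps trailing comment inside the parameter type literal, where a caller reading the signature from a call site will not see it. Move it into TSDoc on the function so editors surface it at every call: `@param resourceId - when set, the token is additionally rejected unless it was issued for this resource; when omitted, no resource scoping is applied`. The function body continues outside the hunk.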
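Review bot: The new guard `if (resourceId && resource.resourceId !== resourceId)` tests a number for truthiness, so a caller passing `resourceId: 0` is treated as "not set" and the scoping check is skipped entirely, falling back to the accept-for-all-resources path. Test for presence instead: `if (resourceId !== undefined && resource.resourceId !== resourceId) {`. `resource` is assigned earlier in the function, outside this hunk, and the function continues past the hunk.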
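Review bot: Both call sites in this file (this hunk and the one at `@@ -244,7 +245,8 @@`) now pass `resourceId: resource.resourceId`, but because the parameter stays optional on `verifyResourceAccessToken`, any other caller that still omits it silently keeps the unscoped behaviour. It is worth confirming these are the only callers, or making `resourceId` required so the compiler flags any that were missed. The enclosing `verifyResourceSession` starts and ends outside both hunks.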
diff --git a/src/app/auth/resource/[resourceId]/AccessToken.tsx b/src/app/auth/resource/[resourceId]/AccessToken.tsx
index 69696e9d..467ea036 100644
--- a/src/app/auth/resource/[resourceId]/AccessToken.tsx
+++ b/src/app/auth/resource/[resourceId]/AccessToken.tsx
@@ -17,13 +17,11 @@ import { useEffect, useState } from "react";
 type AccessTokenProps = {
     token: string;
     resourceId?: number;
-    redirectUrl?: string;
 };
 
 export default function AccessToken({
     token,
-    resourceId,
-    redirectUrl
+    resourceId
 }: AccessTokenProps) {
     const [loading, setLoading] = useState(true);
     const [isValid, setIsValid] = useState(false);
@@ -96,7 +94,7 @@ export default function AccessToken({
         if (res.data.data.session) {
             setIsValid(true);
             window.location.href = appendRequestToken(
-                redirectUrl!,
+                res.data.data.redirectUrl!,
                 res.data.data.session
             );
         }
diff --git a/src/app/auth/resource/[resourceId]/page.tsx b/src/app/auth/resource/[resourceId]/page.tsx
index 3cf56b10..006faa45 100644
--- a/src/app/auth/resource/[resourceId]/page.tsx
+++ b/src/app/auth/resource/[resourceId]/page.tsx
@@ -123,7 +123,6 @@ export default async function ResourceAuthPage(props: {
     );
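Review bot: `res.data.data.redirectUrl!` in the second hunk asserts that a field of the API response is non-null, so if the server omits it the component still assigns `window.location.href` from whatever `appendRequestToken` builds out of `undefined` rather than failing visibly. Read it into a local and check it before navigating: `const redirectUrl = res.data.data.redirectUrl; if (!redirectUrl) { setIsValid(false); return; }` (how the invalid path is rendered is outside the hunk, so the `setIsValid(false)` branch is a guess at the existing handling). The enclosing `AccessToken` component starts and ends outside the hunk.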