check resource id on verify access token

server/auth/verifyResourceAccessToken.ts

@@ -13,10 +13,12 @@ import { sha256 } from "@oslojs/crypto/sha2";
 
 export async function verifyResourceAccessToken({
     accessToken,
-    accessTokenId
+    accessTokenId,
+    resourceId
 }: {
     accessToken: string;
     accessTokenId?: string;
+    resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES
 }): Promise<{
     valid: boolean;
     error?: string;
@@ -100,6 +102,13 @@ export async function verifyResourceAccessToken({
         };
     }
 
+    if (resourceId && resource.resourceId !== resourceId) {
+        return {
+            valid: false,
+            error: "Resource ID does not match"
+        };
+    }
+
     return {
         valid: true,
         tokenItem,

server/routers/badger/verifySession.ts

@@ -209,7 +209,8 @@ export async function verifyResourceSession(
             const { valid, error, tokenItem } = await verifyResourceAccessToken(
                 {
                     accessToken,
-                    accessTokenId
+                    accessTokenId,
+                    resourceId: resource.resourceId
                 }
             );
 
@@ -244,7 +245,8 @@ export async function verifyResourceSession(
             const { valid, error, tokenItem } = await verifyResourceAccessToken(
                 {
                     accessToken,
-                    accessTokenId
+                    accessTokenId,
+                    resourceId: resource.resourceId
                 }
             );
 

src/app/auth/resource/[resourceId]/AccessToken.tsx

@@ -17,13 +17,11 @@ import { useEffect, useState } from "react";
 type AccessTokenProps = {
     token: string;
     resourceId?: number;
-    redirectUrl?: string;
 };
 
 export default function AccessToken({
     token,
-    resourceId,
+    resourceId
-    redirectUrl
 }: AccessTokenProps) {
     const [loading, setLoading] = useState(true);
     const [isValid, setIsValid] = useState(false);
@@ -96,7 +94,7 @@ export default function AccessToken({
                 if (res.data.data.session) {
                     setIsValid(true);
                     window.location.href = appendRequestToken(
-                        redirectUrl!,
+                        res.data.data.redirectUrl!,
                         res.data.data.session
                     );
                 }

src/app/auth/resource/[resourceId]/page.tsx

@@ -123,7 +123,6 @@ export default async function ResourceAuthPage(props: {
                 <AccessToken
                     token={searchParams.token}
                     resourceId={params.resourceId}
-                    redirectUrl={redirectUrl}
                 />
             </div>
         );