check resource id on verify access token

2025-07-17 17:23:27 +02:00 · 2025-04-06 13:08:55 -04:00 · 2025-04-06 13:08:55 -04:00 · 0e65f8c921
commit 0e65f8c921
parent 5a6a035d30
4 changed files with 16 additions and 8 deletions
--- a/server/auth/verifyResourceAccessToken.ts
+++ b/server/auth/verifyResourceAccessToken.ts
@ -13,10 +13,12 @@ import { sha256 } from "@oslojs/crypto/sha2";

 export async function verifyResourceAccessToken({
    accessToken,
-    accessTokenId
+    accessTokenId,
+    resourceId
 }: {
    accessToken: string;
    accessTokenId?: string;
+    resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES
 }): Promise<{
    valid: boolean;
    error?: string;
@ -100,6 +102,13 @@ export async function verifyResourceAccessToken({
        };
    }

+    if (resourceId && resource.resourceId !== resourceId) {
+        return {
+            valid: false,
+            error: "Resource ID does not match"
+        };
+    }
+
    return {
        valid: true,
        tokenItem,
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@ -209,7 +209,8 @@ export async function verifyResourceSession(
            const { valid, error, tokenItem } = await verifyResourceAccessToken(
                {
                    accessToken,
-                    accessTokenId
+                    accessTokenId,
+                    resourceId: resource.resourceId
                }
            );

@ -244,7 +245,8 @@ export async function verifyResourceSession(
            const { valid, error, tokenItem } = await verifyResourceAccessToken(
                {
                    accessToken,
-                    accessTokenId
+                    accessTokenId,
+                    resourceId: resource.resourceId
                }
            );

--- a/src/app/auth/resource/[resourceId]/AccessToken.tsx
+++ b/src/app/auth/resource/[resourceId]/AccessToken.tsx
@ -17,13 +17,11 @@ import { useEffect, useState } from "react";
 type AccessTokenProps = {
    token: string;
    resourceId?: number;
-    redirectUrl?: string;
 };

 export default function AccessToken({
    token,
-    resourceId,
-    redirectUrl
+    resourceId
 }: AccessTokenProps) {
    const [loading, setLoading] = useState(true);
    const [isValid, setIsValid] = useState(false);
@ -96,7 +94,7 @@ export default function AccessToken({
                if (res.data.data.session) {
                    setIsValid(true);
                    window.location.href = appendRequestToken(
-                        redirectUrl!,
+                        res.data.data.redirectUrl!,
                        res.data.data.session
                    );
                }
--- a/src/app/auth/resource/[resourceId]/page.tsx
+++ b/src/app/auth/resource/[resourceId]/page.tsx
@ -123,7 +123,6 @@ export default async function ResourceAuthPage(props: {
                <AccessToken
                    token={searchParams.token}
                    resourceId={params.resourceId}
-                    redirectUrl={redirectUrl}
                />
            </div>
        );