Validate issuer & allow unlogged routes

2026-06-03 04:02:34 +00:00 · 2025-03-27 12:03:58 +01:00
parent d0d12cc5f6
commit 65a7f62fd1
4 changed files with 12 additions and 8 deletions
@@ -3,9 +3,12 @@

 KYOO_PREFIX=/api

+
 # either an hard-coded secret to decode jwts or empty to use keibi's public secret.
 # this should only be used in tests
 JWT_SECRET=
+# used to verify who's making the jwt
+JWT_ISSUER=$PUBLIC_URL
 # keibi's server to retrieve the public jwt secret
 AUHT_SERVER=http://auth:4568

@@ -34,10 +34,13 @@ export const auth = new Elysia({ name: "auth" })
 		permissions(perms: string[]) {
 			return {
 				resolve: async ({ headers: { authorization }, error }) => {
+					console.log(process.env.JWT_ISSUER);
 					const bearer = authorization?.slice(7);
 					if (!bearer) return { jwt: false };
 					// @ts-expect-error ts can't understand that there's two overload idk why
-					const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks);
+					const { payload } = await jwtVerify(bearer, jwtSecret ?? jwks, {
+						issuer: process.env.JWT_ISSUER,
+					});
 					// TODO: use perms
 					return { jwt: validator.Decode<typeof Jwt>(payload) };
 				},