server: strictly validate auth token payload

server/config/passport.ts

@@ -3,27 +3,28 @@ import {Strategy} from 'passport-jwt';
 import type {PassportStatic} from 'passport';
 import type {Request} from 'express';
 
+import {authTokenSchema} from '@shared/schema/Auth';
+
 import config from '../../config';
 import Users from '../models/Users';
 
 // Setup work and export for the JWT passport strategy.
 export default (passport: PassportStatic) => {
   const options = {
-    jwtFromRequest: (req: Request) => {
-      let token = null;
-
-      if (req && req.cookies) {
-        token = req.cookies.jwt;
-      }
-
-      return token;
-    },
+    jwtFromRequest: (req: Request) => req?.cookies?.jwt,
     secretOrKey: config.secret,
   };
 
   passport.use(
-    new Strategy(options, (jwtPayload, callback) => {
-      Users.lookupUser(jwtPayload.username).then(
+    new Strategy(options, (payload, callback) => {
+      const parsedResult = authTokenSchema.safeParse(payload);
+
+      if (!parsedResult.success) {
+        callback(parsedResult.error, false);
+        return;
+      }
+
+      Users.lookupUser(parsedResult.data.username).then(
         (user) => {
           callback(null, user);
         },

shared/schema/Auth.ts

@@ -1,4 +1,4 @@
-import {literal, nativeEnum, object, string, union} from 'zod';
+import {literal, nativeEnum, number, object, string, union} from 'zod';
 import type {infer as zodInfer} from 'zod';
 
 import {AccessLevel} from './constants/Auth';
@@ -18,3 +18,13 @@ export const credentialsSchema = object({
 export type Credentials = zodInfer<typeof credentialsSchema>;
 
 export type UserInDatabase = Required<Credentials> & {_id: string};
+
+export const authTokenSchema = object({
+  username: string(),
+  // issued at
+  iat: number(),
+  // expiration
+  exp: number(),
+});
+
+export type AuthToken = zodInfer<typeof authTokenSchema>;