Merge pull request #2326 from omnivore-app/fix/jsonwebtoken

fix invalid token by storing token in cookie instead of authorization header because gcp overrides it
2023-06-07 14:27:44 +08:00
parent c0872939a7 b698029972
commit 404363ee31
2 changed files with 18 additions and 8 deletions
--- a/packages/api/src/utils/createTask.ts
+++ b/packages/api/src/utils/createTask.ts
@ -511,8 +511,8 @@ export const enqueueThumbnailTask = async (
    content,
  }

-  const requestHeaders = {
-    Authorization: generateVerificationToken(userId),
+  const headers = {
+    Cookie: `auth=${generateVerificationToken(userId)}`,
  }

  // If there is no Google Cloud Project Id exposed, it means that we are in local environment
@ -521,7 +521,7 @@ export const enqueueThumbnailTask = async (
    setTimeout(() => {
      axios
        .post(env.queue.thumbnailTaskHandlerUrl, payload, {
-          headers: requestHeaders,
+          headers,
        })
        .catch((error) => {
          console.error(error)
@ -533,7 +533,7 @@ export const enqueueThumbnailTask = async (
  const createdTasks = await createHttpTaskWithToken({
    payload,
    taskHandlerUrl: env.queue.thumbnailTaskHandlerUrl,
-    requestHeaders,
+    requestHeaders: headers,
  })

  if (!createdTasks || !createdTasks[0].name) {
--- a/packages/thumbnail-handler/src/index.ts
+++ b/packages/thumbnail-handler/src/index.ts
@ -228,14 +228,24 @@ export const findThumbnail = async (

 export const thumbnailHandler = Sentry.GCPFunction.wrapHttpFunction(
  async (req, res) => {
-    const token = req.headers?.authorization
+    if (!process.env.JWT_SECRET) {
+      console.error('JWT_SECRET not exists')
+      return res.status(500).send('JWT_SECRET_NOT_EXISTS')
+    }
+
+    const token = req.headers.cookie?.split('auth=')[1]
    if (!token) {
      console.debug('no token')
      return res.status(401).send('UNAUTHORIZED')
    }
-    const { uid } = jwt.decode(token) as { uid: string }
-    if (!uid) {
-      console.debug('no uid')
+    let uid = ''
+    try {
+      const decoded = jwt.verify(token, process.env.JWT_SECRET) as {
+        uid: string
+      }
+      uid = decoded.uid
+    } catch (e) {
+      console.debug(e)
      return res.status(401).send('UNAUTHORIZED')
    }