From dda57860cb6c76b5838c33ebf05e42c08f6b6994 Mon Sep 17 00:00:00 2001 From: Hongbo Wu Date: Wed, 7 Jun 2023 13:08:21 +0800 Subject: [PATCH 1/4] use jsonwebtoken verify instead of decode for older version of the lib --- packages/thumbnail-handler/src/index.ts | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/packages/thumbnail-handler/src/index.ts b/packages/thumbnail-handler/src/index.ts index 41e6ab640..da49bc8e4 100644 --- a/packages/thumbnail-handler/src/index.ts +++ b/packages/thumbnail-handler/src/index.ts @@ -228,14 +228,24 @@ export const findThumbnail = async ( export const thumbnailHandler = Sentry.GCPFunction.wrapHttpFunction( async (req, res) => { + if (!process.env.JWT_SECRET) { + console.error('JWT_SECRET not exists') + return res.status(500).send('JWT_SECRET_NOT_EXISTS') + } + const token = req.headers?.authorization if (!token) { console.debug('no token') return res.status(401).send('UNAUTHORIZED') } - const { uid } = jwt.decode(token) as { uid: string } - if (!uid) { - console.debug('no uid') + let uid = '' + try { + const decoded = jwt.verify(token, process.env.JWT_SECRET) as { + uid: string + } + uid = decoded.uid + } catch (e) { + console.debug('invalid token') return res.status(401).send('UNAUTHORIZED') } From 7cbd374cf31e56e19e3e2c031a16774418cb059e Mon Sep 17 00:00:00 2001 From: Hongbo Wu Date: Wed, 7 Jun 2023 13:37:05 +0800 Subject: [PATCH 2/4] debug --- packages/thumbnail-handler/src/index.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/thumbnail-handler/src/index.ts b/packages/thumbnail-handler/src/index.ts index da49bc8e4..8684acaac 100644 --- a/packages/thumbnail-handler/src/index.ts +++ b/packages/thumbnail-handler/src/index.ts 
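Review bot: `jwt.verify(token, process.env.JWT_SECRET)` in the new try block passes no `algorithms` option, so the accepted algorithm set is whatever the installed jsonwebtoken derives from the key shape — and the commit message says this targets an older release, which as I recall is the range where those permissive defaults were later tightened (the CVE-2022-23540 advisory, fixed in 9.x). Pin the expected algorithm explicitly, `jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] })`, using whichever algorithm `generateVerificationToken` actually signs with (not visible here — confirm). The old `if (!uid)` guard is also gone: a token that verifies but carries no `uid` now continues with `uid === ''` instead of returning 401. The body of thumbnailHandler continues past the end of the hunk.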
@@ -240,12 +240,13 @@ export const thumbnailHandler = Sentry.GCPFunction.wrapHttpFunction( } let uid = '' try { - const decoded = jwt.verify(token, process.env.JWT_SECRET) as { + jwt.verify(token, process.env.JWT_SECRET) + const decoded = jwt.decode(token) as { uid: string } uid = decoded.uid } catch (e) { - console.debug('invalid token') + console.debug('invalid token', e) return res.status(401).send('UNAUTHORIZED') } From ac43549496c3972e919ceaa7ec63af6b218820c1 Mon Sep 17 00:00:00 2001 From: Hongbo Wu Date: Wed, 7 Jun 2023 13:57:45 +0800 Subject: [PATCH 3/4] debug --- packages/thumbnail-handler/src/index.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/thumbnail-handler/src/index.ts b/packages/thumbnail-handler/src/index.ts index 8684acaac..c89704120 100644 --- a/packages/thumbnail-handler/src/index.ts +++ b/packages/thumbnail-handler/src/index.ts @@ -234,19 +234,19 @@ export const thumbnailHandler = Sentry.GCPFunction.wrapHttpFunction( } const token = req.headers?.authorization + console.debug('token', token) if (!token) { console.debug('no token') return res.status(401).send('UNAUTHORIZED') } let uid = '' try { - jwt.verify(token, process.env.JWT_SECRET) - const decoded = jwt.decode(token) as { + const decoded = jwt.verify(token, process.env.JWT_SECRET) as { uid: string } uid = decoded.uid } catch (e) { - console.debug('invalid token', e) + console.debug(e) return res.status(401).send('UNAUTHORIZED') } From b6980299729fc2a7d509bcbf7ef8920f1306f758 Mon Sep 17 00:00:00 2001 From: Hongbo Wu Date: Wed, 7 Jun 2023 14:24:52 +0800 Subject: [PATCH 4/4] store token in cookie instead of authorization header --- packages/api/src/utils/createTask.ts | 8 ++++---- packages/thumbnail-handler/src/index.ts | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/packages/api/src/utils/createTask.ts b/packages/api/src/utils/createTask.ts index 17dae7831..d6d9f12e5 100644 --- a/packages/api/src/utils/createTask.ts 
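Review bot: `uid = decoded.uid` after the verify call is used without any runtime check; the `as { uid: string }` cast is compile-time only and `jwt.verify` returns `string | JwtPayload`, so a verified token with a missing or non-string `uid` leaves `uid === ''` and proceeds where the pre-series code returned 401 on `!uid`. Restore the guard after the try/catch, `if (!uid) { console.debug('no uid'); return res.status(401).send('UNAUTHORIZED') }`, or better narrow inside the try (`typeof decoded === 'object' && typeof decoded.uid === 'string'`) and throw otherwise so the cast can go. The `console.debug('token', token)` added above the `if (!token)` check writes the raw credential into the function's logs; it is dropped again in 4/4, but a line like this should not land even temporarily — log a fixed marker or the decoded claims instead. thumbnailHandler starts before and continues after the hunk.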
+++ b/packages/api/src/utils/createTask.ts @@ -511,8 +511,8 @@ export const enqueueThumbnailTask = async ( content, } - const requestHeaders = { - Authorization: generateVerificationToken(userId), + const headers = { + Cookie: `auth=${generateVerificationToken(userId)}`, } // If there is no Google Cloud Project Id exposed, it means that we are in local environment @@ -521,7 +521,7 @@ export const enqueueThumbnailTask = async ( setTimeout(() => { axios .post(env.queue.thumbnailTaskHandlerUrl, payload, { - headers: requestHeaders, + headers, }) .catch((error) => { console.error(error) @@ -533,7 +533,7 @@ export const enqueueThumbnailTask = async ( const createdTasks = await createHttpTaskWithToken({ payload, taskHandlerUrl: env.queue.thumbnailTaskHandlerUrl, - requestHeaders, + requestHeaders: headers, }) if (!createdTasks || !createdTasks[0].name) { diff --git a/packages/thumbnail-handler/src/index.ts b/packages/thumbnail-handler/src/index.ts index c89704120..9cd79d7f6 100644 --- a/packages/thumbnail-handler/src/index.ts +++ b/packages/thumbnail-handler/src/index.ts @@ -233,8 +233,7 @@ export const thumbnailHandler = Sentry.GCPFunction.wrapHttpFunction( return res.status(500).send('JWT_SECRET_NOT_EXISTS') } - const token = req.headers?.authorization - console.debug('token', token) + const token = req.headers.cookie?.split('auth=')[1] if (!token) { console.debug('no token') return res.status(401).send('UNAUTHORIZED')
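Review bot: The new `headers` object sends the verification token as `Cookie: auth=…` with no comment recording why the Authorization header was abandoned, and the receiving handler's parsing only works while this is the sole cookie on the request. Presumably Authorization is taken by the token that `createHttpTaskWithToken` attaches for the Cloud Tasks call (not visible here — confirm); if so, say it: `// Authorization is reserved for the Cloud Tasks token; carry our own verification token as the only cookie` and `// thumbnail-handler reads the value following 'auth=' verbatim`. enqueueThumbnailTask continues outside the hunk.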
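Review bot: `req.headers.cookie?.split('auth=')[1]` takes everything after the first `auth=` up to the end of the header, so it is correct only while `auth` is the sole cookie: a trailing cookie (`auth=<jwt>; x=1`) is appended to the token and `jwt.verify` then rejects it, and any cookie whose name merely ends in `auth` (`oauth=…`) matches first and yields the wrong value. Parse the header as a cookie list instead: `const token = req.headers.cookie?.split(';').map((c) => c.trim()).find((c) => c.startsWith('auth='))?.slice('auth='.length)`. A one-line comment naming the producer would also help the next reader, e.g. `// set by enqueueThumbnailTask (packages/api/src/utils/createTask.ts)`. thumbnailHandler's body continues below the hunk.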