security: round 3 hardening (CSRF double-submit, TRX MITM, container hardening)

This commit is contained in:
ZOMBIIIIIII
2026-05-12 01:47:58 +03:00
parent c8bc40af97
commit 8dc0855827
37 changed files with 1852 additions and 318 deletions


@@ -127,8 +127,13 @@ export async function verifyAccessToken(token: string): Promise<AuthContext> {
throw Object.assign(new Error('Invalid token type'), { status: 401 });
}
if (!payload.sub || !payload.sid) {
throw Object.assign(new Error('Missing token claims'), { status: 401 });
// Строгая валидация sub/sid — иначе number/__proto__/10MB строки попадают в PG / в req.auth.
const SUB_RE = /^[A-Za-z0-9_-]{1,64}$/;
if (typeof payload.sub !== 'string' || !SUB_RE.test(payload.sub)) {
throw Object.assign(new Error('Invalid sub claim'), { status: 401 });
}
if (typeof payload.sid !== 'string' || !SUB_RE.test(payload.sid)) {
throw Object.assign(new Error('Invalid sid claim'), { status: 401 });
}
return {
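Review bot: The comment above the new validation claims it keeps `__proto__` out of PG and req.auth, but `__proto__`, `constructor` and `prototype` all consist of characters accepted by `/^[A-Za-z0-9_-]{1,64}$/`, so the regex rejects non-string, empty and oversized claims but not those names; either reword the comment to `// Reject non-string, empty or oversized sub/sid; this does NOT exclude __proto__-style names, so never use these values as object keys` or add an explicit check such as `if (payload.sub === '__proto__' || payload.sub === 'constructor') throw Object.assign(new Error('Invalid sub claim'), { status: 401 });`. Separately, `SUB_RE` is rebuilt on every call and is also applied to `sid`; hoisting it to module scope as `const CLAIM_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;` removes the per-call allocation and the misleading name. verifyAccessToken's body starts before and continues past the visible hunk lines, so the `return {` block it feeds is not reviewable here.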