From 8188b5c3815519d9d373a0e6f27faebb53aace67 Mon Sep 17 00:00:00 2001
From: Chamika J <75464293+chamikaJ@users.noreply.github.com>
Date: Mon, 4 Aug 2025 12:44:34 +0530
Subject: [PATCH] feat(auth): enhance Google authentication validation

- Added validation for token audience, issuer, and expiry in the `googleMobileAuth` method of `AuthController`.
- Improved error handling for invalid tokens and expired sessions, ensuring robust authentication flow.
---
 .../src/controllers/auth-controller.ts | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/worklenz-backend/src/controllers/auth-controller.ts b/worklenz-backend/src/controllers/auth-controller.ts
index ed6705c3..70056b47 100644
--- a/worklenz-backend/src/controllers/auth-controller.ts
+++ b/worklenz-backend/src/controllers/auth-controller.ts
@@ -194,6 +194,21 @@ export default class AuthController extends WorklenzControllerBase {
 const response = await axios.get(`https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`);
 const profile = response.data;
 
+ // Validate token audience (client ID)
+ if (profile.aud !== process.env.GOOGLE_CLIENT_ID) {
+ return res.status(400).send(new ServerResponse(false, null, "Invalid token audience"));
+ }
+
+ // Validate token issuer
+ if (!['https://accounts.google.com', 'accounts.google.com'].includes(profile.iss)) {
+ return res.status(400).send(new ServerResponse(false, null, "Invalid token issuer"));
+ }
+
+ // Check token expiry
+ if (Date.now() >= profile.exp * 1000) {
+ return res.status(400).send(new ServerResponse(false, null, "Token expired"));
+ }
+
 if (!profile.email_verified) {
 return res.status(400).send(new ServerResponse(false, null, "Email not verified"));
 }
@@ -210,7 +225,7 @@ export default class AuthController extends WorklenzControllerBase {
 [profile.sub, profile.email]
 );
 
- let user;
+ let user: any;
 if (userResult.rowCount) {
 // Existing user - login
 user = userResult.rows[0];
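Review bot: The expiry check fails open when `profile.exp` is absent or not numeric: `undefined * 1000` is `NaN`, `Date.now() >= NaN` is `false`, and the token falls through to the email check as if it were still valid, whereas the audience and issuer checks above it fail closed. As far as I recall the tokeninfo response carries `exp` as a decimal string, so the implicit coercion only works when the field is actually present; a defensive guard is cheap: `const exp = Number(profile.exp);` followed by `if (!Number.isFinite(exp) || Date.now() >= exp * 1000) {`. It is also worth confirming that `GOOGLE_CLIENT_ID` is the client ID the mobile apps request the ID token for (typically the server/web client ID); if Android and iOS sign in with distinct client IDs, the strict single-string comparison will reject one platform, and an unset variable rejects everyone, which is safe but deserves a startup check. `googleMobileAuth` begins before this hunk, and the handling of a non-2xx response from the axios call (which is where Google itself reports invalid or expired tokens) is not visible here.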
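Review bot: `let user: any;` switches off type checking for every property read on `user` in the rest of the method, which is the part of the login flow where a misspelled column name would silently become `undefined`. If the method only reads a fixed set of columns from `userResult.rows[0]` and from the insert that presumably follows, declare that shape once (`type AuthUserRow = { ... }`) and write `let user: AuthUserRow | undefined;`, which keeps the later accesses checked without changing behaviour. The assignments that motivated the `any` are outside this hunk, so the exact field list has to come from the surrounding code.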