feat(auth): enhance Google authentication validation

- Added validation for token audience, issuer, and expiry in the `googleMobileAuth` method of `AuthController`.
- Improved error handling for invalid tokens and expired sessions, ensuring a robust authentication flow.
Chamika J
2025-08-04 12:44:34 +05:30
parent 0e21eacd52
commit 8188b5c381


@@ -194,6 +194,21 @@ export default class AuthController extends WorklenzControllerBase {
const response = await axios.get(`https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`);
const profile = response.data;
// Validate token audience (client ID)
if (profile.aud !== process.env.GOOGLE_CLIENT_ID) {
return res.status(400).send(new ServerResponse(false, null, "Invalid token audience"));
}
// Validate token issuer
if (!['https://accounts.google.com', 'accounts.google.com'].includes(profile.iss)) {
return res.status(400).send(new ServerResponse(false, null, "Invalid token issuer"));
}
// Check token expiry
if (Date.now() >= profile.exp * 1000) {
return res.status(400).send(new ServerResponse(false, null, "Token expired"));
}
if (!profile.email_verified) {
return res.status(400).send(new ServerResponse(false, null, "Email not verified"));
}
@@ -210,7 +225,7 @@ export default class AuthController extends WorklenzControllerBase {
[profile.sub, profile.email]
);
let user;
let user: any;
if (userResult.rowCount) {
// Existing user - login
user = userResult.rows[0];
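Review bot: In the first hunk the expiry check `if (Date.now() >= profile.exp * 1000)` silently passes when `exp` is missing or non-numeric, because `undefined * 1000` is `NaN` and every comparison against `NaN` is false, so a tokeninfo response without a usable `exp` is treated as unexpired. Coerce and validate before comparing, e.g. `const exp = Number(profile.exp);` followed by `if (!Number.isFinite(exp) || Date.now() >= exp * 1000) {`. The same untyped `response.data` sits behind the adjacent `!profile.email_verified` context check; as far as I recall the tokeninfo endpoint returns its fields as strings, in which case a literal `"false"` is truthy and would pass, so that is worth confirming against a real response and comparing explicitly. In the second hunk `let user: any` discards type checking on the row used below; a small interface for the columns actually read would keep the downstream property accesses checked. The enclosing `googleMobileAuth` method starts and ends outside both hunks.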