some improvements from claude

2025-04-06 16:20:42 +02:00
parent 467d27834c
commit 4dfdb17b1e
7 changed files with 288 additions and 26 deletions
--- a/middleware/authMiddleware.js
+++ b/middleware/authMiddleware.js
@ -6,6 +6,12 @@ require('dotenv').config();

 const JWT_SECRET = process.env.JWT_SECRET;

+// Security measure - add token expiration check
+const tokenIsExpired = (exp) => {
+  const currentTime = Math.floor(Date.now() / 1000);
+  return exp < currentTime;
+};
+
 const authenticateToken = (req, res, next) => {
  // Get token from the 'token' cookie
  const token = req.cookies.token;
@ -41,17 +47,31 @@ const authenticateToken = (req, res, next) => {
  jwt.verify(token, JWT_SECRET, (err, user) => {
    if (err) {
      console.error('JWT Verification Error:', err.message, err.name);
-      // If token is invalid or expired
-      if (isApiRequest) {
-          // Clear the invalid cookie and return 403 Forbidden for API requests
-          res.clearCookie('token');
-          return res.status(403).json({ message: 'Token ungültig oder abgelaufen.' });
-      }
-      // Clear the invalid cookie and redirect to login for page requests
      res.clearCookie('token');
+      
+      if (err.name === 'TokenExpiredError') {
+        if (isApiRequest) {
+          return res.status(401).json({ message: 'Sitzung abgelaufen. Bitte melden Sie sich erneut an.' });
+        }
+        return res.redirect('/login?expired=true');
+      }
+      
+      if (isApiRequest) {
+        return res.status(403).json({ message: 'Token ungültig oder abgelaufen.' });
+      }
      return res.redirect('/login');
    }

+    // Additional check for token expiration as a security measure
+    if (user.exp && tokenIsExpired(user.exp)) {
+      console.warn('Token expired but not caught by jwt.verify');
+      res.clearCookie('token');
+      if (isApiRequest) {
+        return res.status(401).json({ message: 'Sitzung abgelaufen. Bitte melden Sie sich erneut an.' });
+      }
+      return res.redirect('/login?expired=true');
+    }
+
    // If token is valid, attach the decoded user information (payload) to the request object
    req.user = user;
    // Add debug logging for successful auth