akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
447dbcedde984e334abcfcd8ba54f627548f3a70
caddy-proxy-manager/app/(auth)/link-account/page.tsx
fuomag9 75044c8d9b fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing) 
- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only),
  client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/
  resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry
  purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is
  constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of
  process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 20:58:21 +01:00

53 lines
1.5 KiB
TypeScript
Raw Blame History

import { redirect } from "next/navigation";
import { auth } from "@/src/lib/auth";
import { peekLinkingToken, verifyLinkingToken } from "@/src/lib/services/account-linking";
import LinkAccountClient from "./LinkAccountClient";
interface LinkAccountPageProps {
searchParams: {
error?: string;
};
}
export default async function LinkAccountPage({ searchParams }: LinkAccountPageProps) {
const session = await auth();
// Already authenticated - redirect
if (session) {
redirect("/");
}
// Get linking ID from error parameter (NextAuth redirects with error param)
const errorParam = searchParams.error || "";
if (!errorParam.startsWith("LINKING_REQUIRED:")) {
redirect("/login?error=Invalid linking request");
}
const linkingId = errorParam.replace("LINKING_REQUIRED:", "");
// Peek at the raw JWT to decode display info (provider, email) without consuming it.
// The API endpoint will consume (retrieve + delete) the token during password verification.
const rawToken = await peekLinkingToken(linkingId);
if (!rawToken) {
redirect("/login?error=Linking token expired or invalid");
}
// Verify token and decode for display purposes only
const tokenPayload = await verifyLinkingToken(rawToken);
if (!tokenPayload) {
redirect("/login?error=Linking token expired or invalid");
}
// Pass only the opaque linkingId to the client — the raw JWT never leaves the server
return (
<LinkAccountClient
provider={tokenPayload.provider}
email={tokenPayload.email}
linkingId={linkingId}
/>
);
}
Reference in New Issue View Git Blame Copy Permalink