check resource id on verify access token

2026-02-10 20:02:26 +00:00 · 2025-04-06 13:08:55 -04:00
parent 5a6a035d30
commit 0e65f8c921
4 changed files with 16 additions and 8 deletions
--- a/server/auth/verifyResourceAccessToken.ts
+++ b/server/auth/verifyResourceAccessToken.ts
@@ -13,10 +13,12 @@ import { sha256 } from "@oslojs/crypto/sha2";

 export async function verifyResourceAccessToken({
    accessToken,
-    accessTokenId
+    accessTokenId,
+    resourceId
 }: {
    accessToken: string;
    accessTokenId?: string;
+    resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES
 }): Promise<{
    valid: boolean;
    error?: string;
@@ -100,6 +102,13 @@ export async function verifyResourceAccessToken({
        };
    }

+    if (resourceId && resource.resourceId !== resourceId) {
+        return {
+            valid: false,
+            error: "Resource ID does not match"
+        };
+    }
+
    return {
        valid: true,
        tokenItem,
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -209,7 +209,8 @@ export async function verifyResourceSession(
            const { valid, error, tokenItem } = await verifyResourceAccessToken(
                {
                    accessToken,
-                    accessTokenId
+                    accessTokenId,
+                    resourceId: resource.resourceId
                }
            );

@@ -244,7 +245,8 @@ export async function verifyResourceSession(
            const { valid, error, tokenItem } = await verifyResourceAccessToken(
                {
                    accessToken,
-                    accessTokenId
+                    accessTokenId,
+                    resourceId: resource.resourceId
                }
            );