Verify avatar auth tokens #103

Merged
ralyodio merged 1 commit into profullstack:master from phucnguyen1707:fix-upload-avatar-auth
Jun 15, 2026

@phucnguyen1707

Contributor

Summary

  • replace manual avatar JWT payload decoding with Supabase auth token verification
  • keep service-role storage/database work behind a verified user id
  • add regression coverage for forged bearer tokens on upload and delete

Fixes #90

Verification

  • pnpm vitest run --config /tmp/vitest-qryptchat-api.config.js src/app/api/auth/upload-avatar/route.test.js
  • pnpm exec oxlint src/app/api/auth/upload-avatar/route.js src/app/api/auth/upload-avatar/route.test.js

@ralyodio ralyodio merged commit a55f5ca into profullstack:master Jun 15, 2026
8 checks passed

Development

Successfully merging this pull request may close these issues.

bug: upload-avatar endpoint trusts JWT payload without verifying signature
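
The bug named in the linked issue next to the kind of check the PR summary describes, as an added example that is not the project's route code: the "before" function reads the payload without checking the signature, the "after" function returns a user id only for a token that verifies. It substitutes a local HS256 check with a constructed secret for the Supabase verification the PR mentions, so every function name and value here is an assumption.

```javascript
// Added example: offline stand-in for the token check, not the project's route.js.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const signHS256 = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Helper that mints an HS256 token from constructed sample data.
function mintToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(signHS256(`${head}.${body}`, secret))}`;
}

// "Before" pattern: reads the claims and never looks at the signature.
function unsafeUserId(token) {
  const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString());
  return payload.sub ?? null;
}

// "After" pattern: claims are used only once signature and expiry check out.
function verifiedUserId(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, 'base64url').toString());
    if (header.alg !== 'HS256') return null; // pin the algorithm, reject "none"
    const expected = signHS256(`${head}.${body}`, secret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof payload.exp !== 'number' || payload.exp <= now) return null;
    return typeof payload.sub === 'string' ? payload.sub : null;
  } catch {
    return null; // malformed JSON is treated as unauthenticated
  }
}

// Constructed sample values (assumptions, not taken from the project).
const SECRET = 'constructed-demo-secret';
const NOW = 1_700_000_000;
const genuine = mintToken({ sub: 'user-alice', exp: NOW + 3600 }, SECRET);
// Forged: well-formed token naming another user, signed with a key the server does not hold.
const forged = mintToken({ sub: 'user-victim', exp: NOW + 3600 }, 'not-the-server-key');
```

Service-role storage and database calls bypass per-user access rules, so the id they act on has to come from the verified path, which is the second bullet of the PR summary.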
