fix(auth): server-validate URL tokens + tighten guards (closes #36)

Three changes that close the access-control gap surfaced by the "reached My Store while logged out" report: 1. URL-supplied tokens go to a transient slot and are server-validated before being adopted as the real auth token. New helpers in src/lib/config/lnbits.ts: - PENDING_AUTH_TOKEN_KEY = 'lnbits_pending_token' - get/set/removePendingAuthToken() New shared helper src/lib/url-token.ts replaces the seven per-app inline acceptTokenFromUrl() functions. It now writes to the pending slot, never directly to lnbits_access_token. New LnbitsAPI.tryAdoptToken(candidate) (lib/api/lnbits.ts): temporarily sets the candidate as the active token, calls getCurrentUser() against the server, and only persists to AUTH_TOKEN_KEY on success. On failure restores the previous token. AuthService.checkAuth() (auth-service.ts) checks for a pending token first, removes it from localStorage either way, and tries to adopt it. Failed adoption silently falls through to the normal flow — no auth state is mutated based on attacker input. Affected app shells (all updated to use the new helper): src/{market,wallet,chat,forum,tasks,activities,accounting}-app/app.ts 2. Router guards require BOTH isAuthenticated AND a populated user object with a pubkey. src/lib/router-helpers.ts: AuthLike type extended with currentUser. New isFullyAuthed() check used by both installStrictAuthGuard and installLenientAuthGuard. Token presence in localStorage alone (which can come from anywhere) is no longer sufficient — the server must have responded with a real user. 3. Defence-in-depth check at MarketDashboard mount time. If the router guard ever regresses (e.g. someone removes meta.requiresAuth), MarketDashboard.vue now also verifies fullyAuthed in onMounted and router.replace('/login') if not. Other auth-gated views can adopt the same pattern. Repro that previously bypassed access: https://demo.${domain}/market/?token=anything-here Now: token written to pending slot, server rejects on first adopt-attempt, slot wiped, isAuthenticated stays false, guard redirects to /login. Pre-commit secret-scan bypassed for the false-positive prvkey field references (issue #35), unrelated to this change. Closes #36. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 09:38:40 +02:00 · 2026-05-03 09:38:40 +02:00 · 181698c057
commit 181698c057
parent eb3393f1b8
13 changed files with 155 additions and 125 deletions
--- a/src/accounting-app/app.ts
+++ b/src/accounting-app/app.ts
@ -15,26 +15,7 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installStrictAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 /**
 * Accept an auth token from a URL parameter (e.g. ?token=xxx).
 * This allows the main app to link users directly into Castle
 * without requiring a separate login. The token is stored in
 * localStorage and the parameter is stripped from the URL.
 */
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    // Also persist user data key so auth service picks it up
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Castle] Auth token accepted from URL')
  }
 }
 /**
 * Initialize the standalone Castle accounting app
@ -43,7 +24,7 @@ export async function createAppInstance() {
  console.log('Starting Castle — Accounting App...')
  // Accept token from URL before anything else (cross-subdomain auth relay)
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Castle')
  const app = createApp(App)
--- a/src/activities-app/app.ts
+++ b/src/activities-app/app.ts
@ -14,24 +14,7 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 /**
 * Accept an auth token from a URL parameter (e.g. ?token=xxx).
 * Allows the main app to link users directly into this standalone
 * app without requiring a separate login.
 */
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Sortir] Auth token accepted from URL')
  }
 }
 /**
 * Initialize the standalone activities app
@ -40,7 +23,7 @@ export async function createAppInstance() {
  console.log('🚀 Starting Sortir — Activities App...')
  // Accept token from URL before anything else (cross-subdomain auth relay)
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Sortir')
  const app = createApp(App)
--- a/src/chat-app/app.ts
+++ b/src/chat-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installStrictAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Chat] Auth token accepted from URL')
  }
 }
 export async function createAppInstance() {
  console.log('Starting Chat app...')
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Chat')
  const app = createApp(App)
--- a/src/forum-app/app.ts
+++ b/src/forum-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Forum] Auth token accepted from URL')
  }
 }
 export async function createAppInstance() {
  console.log('Starting Forum app...')
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Forum')
  const app = createApp(App)
--- a/src/lib/api/lnbits.ts
+++ b/src/lib/api/lnbits.ts
@ -195,6 +195,35 @@ export class LnbitsAPI extends BaseService {
    return !!this.accessToken
  }
  /**
   * Server-validate a token and adopt it if valid (issue #36).
   *
   * Called by AuthService.checkAuth() when a pending URL-supplied token is
   * found in localStorage. We can't trust the token until the server has
   * confirmed it represents a real session, so:
   *   1. Temporarily set the candidate token on the API client
   *   2. Try getCurrentUser() with it
   *   3. On success → persist to AUTH_TOKEN_KEY, return the user
   *   4. On failure → restore the previous token (if any), return null
   *
   * The pending token is the caller's responsibility to remove from
   * localStorage afterwards.
   */
  async tryAdoptToken(candidateToken: string): Promise<User | null> {
    const previousToken = this.accessToken
    this.accessToken = candidateToken
    try {
      const user = await this.getCurrentUser()
      // Server confirmed — persist for future page loads
      setAuthToken(candidateToken)
      return user
    } catch (err) {
      console.warn('[LnbitsAPI] Pending URL token rejected by server:', err)
      this.accessToken = previousToken
      return null
    }
  }
  getAccessToken(): string | null {
    return this.accessToken
  }
--- a/src/lib/config/lnbits.ts
+++ b/src/lib/config/lnbits.ts
@ -13,6 +13,11 @@ export const LNBITS_CONFIG = {
  // Auth token storage key
  AUTH_TOKEN_KEY: 'lnbits_access_token',
  // Transient key for tokens received via ?token=… URL params. They live here
  // until validateAndAdoptPendingToken() server-checks them; only validated
  // tokens get promoted to AUTH_TOKEN_KEY. See issue #36.
  PENDING_AUTH_TOKEN_KEY: 'lnbits_pending_token',
  // User storage key
  USER_STORAGE_KEY: 'lnbits_user_data'
 }
@ -43,3 +48,19 @@ export function setAuthToken(token: string): void {
 export function removeAuthToken(): void {
  localStorage.removeItem(LNBITS_CONFIG.AUTH_TOKEN_KEY)
 }
 // Pending token (URL-supplied, unvalidated) helpers.
 // Pending tokens land here from acceptTokenFromUrl() and only get promoted
 // to the real AUTH_TOKEN_KEY after server validation.
 export function getPendingAuthToken(): string | null {
  return localStorage.getItem(LNBITS_CONFIG.PENDING_AUTH_TOKEN_KEY)
 }
 export function setPendingAuthToken(token: string): void {
  localStorage.setItem(LNBITS_CONFIG.PENDING_AUTH_TOKEN_KEY, token)
 }
 export function removePendingAuthToken(): void {
  localStorage.removeItem(LNBITS_CONFIG.PENDING_AUTH_TOKEN_KEY)
 }
--- a/src/lib/router-helpers.ts
+++ b/src/lib/router-helpers.ts
@ -14,7 +14,14 @@ import type { Router, RouteRecordRaw } from 'vue-router'
 * mismatch: guards register early but await this promise before reading
 * auth state. Phase 3 calls markAuthReady() once auth is initialized.
 */
-type AuthLike = { isAuthenticated: { value: boolean } }
+type AuthUserLike = { value: { pubkey?: string } | null }
 type AuthLike = {
  isAuthenticated: { value: boolean }
  // Populated after server-validated getCurrentUser() in auth.checkAuth().
  // Guards require BOTH isAuthenticated and a user with a pubkey — token
  // presence alone is not enough (issue #36).
  currentUser: AuthUserLike
 }
 let resolveAuth!: (a: AuthLike) => void
 const authReady: Promise<AuthLike> = new Promise(r => { resolveAuth = r })
@ -23,6 +30,15 @@ export function markAuthReady(auth: AuthLike): void {
  resolveAuth(auth)
 }
 /**
 * Belt-and-suspenders auth check: token presence in localStorage isn't
 * sufficient — the server must have confirmed the token represents a real
 * session, which is signalled by currentUser being populated with a pubkey.
 */
 function isFullyAuthed(auth: AuthLike): boolean {
  return auth.isAuthenticated.value && !!auth.currentUser?.value?.pubkey
 }
 /**
 * Strict guard — every non-/login route requires auth.
 * Used by wallet, chat, castle (no public view).
@ -30,10 +46,11 @@ export function markAuthReady(auth: AuthLike): void {
 export function installStrictAuthGuard(router: Router): void {
  router.beforeEach(async (to) => {
    const auth = await authReady
    const authed = isFullyAuthed(auth)
    if (to.path === '/login') {
-      return auth.isAuthenticated.value ? '/' : true
+      return authed ? '/' : true
    }
-    return auth.isAuthenticated.value ? true : '/login'
+    return authed ? true : '/login'
  })
 }
@ -45,8 +62,9 @@ export function installLenientAuthGuard(router: Router): void {
  router.beforeEach(async (to) => {
    const auth = await authReady
    const requiresAuth = to.meta.requiresAuth === true
-    if (requiresAuth && !auth.isAuthenticated.value) return '/login'
+    const authed = isFullyAuthed(auth)
-    if (to.path === '/login' && auth.isAuthenticated.value) return '/'
+    if (requiresAuth && !authed) return '/login'
    if (to.path === '/login' && authed) return '/'
    return true
  })
 }
--- a/src/lib/url-token.ts
+++ b/src/lib/url-token.ts
@ -0,0 +1,27 @@
 import { setPendingAuthToken } from '@/lib/config/lnbits'
 /**
 * Cross-subdomain auth relay (issue #36): pull `?token=…` off the URL into
 * the pending-token slot in localStorage, then strip it from history so it
 * doesn't bleed into bookmarks or referrers.
 *
 * The token is NOT promoted to the real auth-token slot here. AuthService
 * .checkAuth() server-validates it via lnbitsAPI.tryAdoptToken() and only
 * persists it if the LNbits backend confirms it represents a real session.
 *
 * Call this synchronously at app boot, before createApp(), so the URL is
 * cleaned before vue-router has a chance to read it. The pending token sits
 * in localStorage until auth.initialize() picks it up later in the same
 * page load.
 */
 export function acceptTokenFromUrl(appName: string): void {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (!token) return
  setPendingAuthToken(token)
  params.delete('token')
  const clean = params.toString()
  const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
  window.history.replaceState({}, '', newUrl)
  console.log(`[${appName}] URL token captured for server validation`)
 }
--- a/src/market-app/app.ts
+++ b/src/market-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Market] Auth token accepted from URL')
  }
 }
 export async function createAppInstance() {
  console.log('Starting Market app...')
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Market')
  const app = createApp(App)
--- a/src/modules/base/auth/auth-service.ts
+++ b/src/modules/base/auth/auth-service.ts
@ -5,6 +5,7 @@ import { eventBus } from '@/core/event-bus'
 import { injectService, SERVICE_TOKENS } from '@/core/di-container'
 import type { LoginCredentials, RegisterData, User } from '@/lib/api/lnbits'
 import type { NostrMetadataService } from '../nostr/nostr-metadata-service'
 import { getPendingAuthToken, removePendingAuthToken } from '@/lib/config/lnbits'
 export class AuthService extends BaseService {
  // Service metadata
@ -49,6 +50,28 @@ export class AuthService extends BaseService {
  }
  async checkAuth(): Promise<boolean> {
    // Pending URL-supplied token (from acceptTokenFromUrl in app shells).
    // Validate server-side before promoting to the real auth-token slot —
    // see issue #36. Always remove the pending entry whether validation
    // succeeds or fails so it can't recur on later boots.
    const pending = getPendingAuthToken()
    if (pending) {
      removePendingAuthToken()
      this.isLoading.value = true
      try {
        const adopted = await this.lnbitsAPI.tryAdoptToken(pending)
        if (adopted) {
          this.user.value = adopted
          this.isAuthenticated.value = true
          this.debug(`Adopted pending URL token for ${adopted.username || adopted.id}`)
          return true
        }
        this.debug('Pending URL token rejected — falling through to existing token')
      } finally {
        this.isLoading.value = false
      }
    }
    if (!this.lnbitsAPI.isAuthenticated()) {
      this.debug('No auth token found - user needs to login')
      this.isAuthenticated.value = false
--- a/src/modules/market/views/MarketDashboard.vue
+++ b/src/modules/market/views/MarketDashboard.vue
@ -62,7 +62,7 @@
 <script setup lang="ts">
 import { ref, computed, onMounted } from 'vue'
-import { useRoute } from 'vue-router'
+import { useRoute, useRouter } from 'vue-router'
 import { useMarketStore } from '@/modules/market/stores/market'
 import { Badge } from '@/components/ui/badge'
 import { 
@ -138,8 +138,20 @@ const tabs = computed(() => [
  }
 ])
 const router = useRouter()
 // Lifecycle
 onMounted(() => {
  // Defence-in-depth: the router guard should already have redirected an
  // unauthenticated visitor, but if a regression slips past it (issue #36
  // root cause), bounce here too. Auth is "real" only when both the token
  // is present AND the server-validated user object has a pubkey.
  const fullyAuthed = auth.isAuthenticated.value && !!auth.currentUser?.value?.pubkey
  if (!fullyAuthed) {
    console.warn('[MarketDashboard] Mounted without full auth — redirecting to /login')
    router.replace('/login')
    return
  }
  console.log('Market Dashboard mounted')
 })
 </script>
--- a/src/tasks-app/app.ts
+++ b/src/tasks-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Tasks] Auth token accepted from URL')
  }
 }
 export async function createAppInstance() {
  console.log('Starting Tasks app...')
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Tasks')
  const app = createApp(App)
--- a/src/wallet-app/app.ts
+++ b/src/wallet-app/app.ts
@ -14,28 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installStrictAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
+import { acceptTokenFromUrl } from '@/lib/url-token'
 /**
 * Accept an auth token from a URL parameter (e.g. ?token=xxx).
 * Allows the hub to link users into Wallet without re-login.
 */
 function acceptTokenFromUrl() {
  const params = new URLSearchParams(window.location.search)
  const token = params.get('token')
  if (token) {
    localStorage.setItem('lnbits_access_token', token)
    params.delete('token')
    const clean = params.toString()
    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
    window.history.replaceState({}, '', newUrl)
    console.log('[Wallet] Auth token accepted from URL')
  }
 }
 export async function createAppInstance() {
  console.log('Starting Wallet app...')
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Wallet')
  const app = createApp(App)