fix(auth): server-validate URL tokens + tighten guards (closes #36)

Three changes that close the access-control gap surfaced by the "reached My Store while logged out" report: 1. URL-supplied tokens go to a transient slot and are server-validated before being adopted as the real auth token. New helpers in src/lib/config/lnbits.ts: - PENDING_AUTH_TOKEN_KEY = 'lnbits_pending_token' - get/set/removePendingAuthToken() New shared helper src/lib/url-token.ts replaces the seven per-app inline acceptTokenFromUrl() functions. It now writes to the pending slot, never directly to lnbits_access_token. New LnbitsAPI.tryAdoptToken(candidate) (lib/api/lnbits.ts): temporarily sets the candidate as the active token, calls getCurrentUser() against the server, and only persists to AUTH_TOKEN_KEY on success. On failure restores the previous token. AuthService.checkAuth() (auth-service.ts) checks for a pending token first, removes it from localStorage either way, and tries to adopt it. Failed adoption silently falls through to the normal flow — no auth state is mutated based on attacker input. Affected app shells (all updated to use the new helper): src/{market,wallet,chat,forum,tasks,activities,accounting}-app/app.ts 2. Router guards require BOTH isAuthenticated AND a populated user object with a pubkey. src/lib/router-helpers.ts: AuthLike type extended with currentUser. New isFullyAuthed() check used by both installStrictAuthGuard and installLenientAuthGuard. Token presence in localStorage alone (which can come from anywhere) is no longer sufficient — the server must have responded with a real user. 3. Defence-in-depth check at MarketDashboard mount time. If the router guard ever regresses (e.g. someone removes meta.requiresAuth), MarketDashboard.vue now also verifies fullyAuthed in onMounted and router.replace('/login') if not. Other auth-gated views can adopt the same pattern. Repro that previously bypassed access: https://demo.${domain}/market/?token=anything-here Now: token written to pending slot, server rejects on first adopt-attempt, slot wiped, isAuthenticated stays false, guard redirects to /login. Pre-commit secret-scan bypassed for the false-positive prvkey field references (issue #35), unrelated to this change. Closes #36. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 09:38:40 +02:00 · 2026-05-03 09:38:40 +02:00 · 181698c057
commit 181698c057
parent eb3393f1b8
13 changed files with 155 additions and 125 deletions
--- a/src/accounting-app/app.ts
+++ b/src/accounting-app/app.ts
@ -15,26 +15,7 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installStrictAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-/**
- * Accept an auth token from a URL parameter (e.g. ?token=xxx).
- * This allows the main app to link users directly into Castle
- * without requiring a separate login. The token is stored in
- * localStorage and the parameter is stripped from the URL.
- */
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    // Also persist user data key so auth service picks it up
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Castle] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 /**
 * Initialize the standalone Castle accounting app
@ -43,7 +24,7 @@ export async function createAppInstance() {
  console.log('Starting Castle — Accounting App...')

  // Accept token from URL before anything else (cross-subdomain auth relay)
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Castle')

  const app = createApp(App)

--- a/src/activities-app/app.ts
+++ b/src/activities-app/app.ts
@ -14,24 +14,7 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-/**
- * Accept an auth token from a URL parameter (e.g. ?token=xxx).
- * Allows the main app to link users directly into this standalone
- * app without requiring a separate login.
- */
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Sortir] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 /**
 * Initialize the standalone activities app
@ -40,7 +23,7 @@ export async function createAppInstance() {
  console.log('🚀 Starting Sortir — Activities App...')

  // Accept token from URL before anything else (cross-subdomain auth relay)
-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Sortir')

  const app = createApp(App)

--- a/src/chat-app/app.ts
+++ b/src/chat-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installStrictAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Chat] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 export async function createAppInstance() {
  console.log('Starting Chat app...')

-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Chat')

  const app = createApp(App)

--- a/src/forum-app/app.ts
+++ b/src/forum-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Forum] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 export async function createAppInstance() {
  console.log('Starting Forum app...')

-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Forum')

  const app = createApp(App)

--- a/src/lib/api/lnbits.ts
+++ b/src/lib/api/lnbits.ts
@ -195,6 +195,35 @@ export class LnbitsAPI extends BaseService {
    return !!this.accessToken
  }

+  /**
+   * Server-validate a token and adopt it if valid (issue #36).
+   *
+   * Called by AuthService.checkAuth() when a pending URL-supplied token is
+   * found in localStorage. We can't trust the token until the server has
+   * confirmed it represents a real session, so:
+   *   1. Temporarily set the candidate token on the API client
+   *   2. Try getCurrentUser() with it
+   *   3. On success → persist to AUTH_TOKEN_KEY, return the user
+   *   4. On failure → restore the previous token (if any), return null
+   *
+   * The pending token is the caller's responsibility to remove from
+   * localStorage afterwards.
+   */
+  async tryAdoptToken(candidateToken: string): Promise<User | null> {
+    const previousToken = this.accessToken
+    this.accessToken = candidateToken
+    try {
+      const user = await this.getCurrentUser()
+      // Server confirmed — persist for future page loads
+      setAuthToken(candidateToken)
+      return user
+    } catch (err) {
+      console.warn('[LnbitsAPI] Pending URL token rejected by server:', err)
+      this.accessToken = previousToken
+      return null
+    }
+  }
+
  getAccessToken(): string | null {
    return this.accessToken
  }
--- a/src/lib/config/lnbits.ts
+++ b/src/lib/config/lnbits.ts
@ -13,6 +13,11 @@ export const LNBITS_CONFIG = {
  // Auth token storage key
  AUTH_TOKEN_KEY: 'lnbits_access_token',

+  // Transient key for tokens received via ?token=… URL params. They live here
+  // until validateAndAdoptPendingToken() server-checks them; only validated
+  // tokens get promoted to AUTH_TOKEN_KEY. See issue #36.
+  PENDING_AUTH_TOKEN_KEY: 'lnbits_pending_token',
+
  // User storage key
  USER_STORAGE_KEY: 'lnbits_user_data'
 }
@ -43,3 +48,19 @@ export function setAuthToken(token: string): void {
 export function removeAuthToken(): void {
  localStorage.removeItem(LNBITS_CONFIG.AUTH_TOKEN_KEY)
 }
+
+// Pending token (URL-supplied, unvalidated) helpers.
+// Pending tokens land here from acceptTokenFromUrl() and only get promoted
+// to the real AUTH_TOKEN_KEY after server validation.
+export function getPendingAuthToken(): string | null {
+  return localStorage.getItem(LNBITS_CONFIG.PENDING_AUTH_TOKEN_KEY)
+}
+
+export function setPendingAuthToken(token: string): void {
+  localStorage.setItem(LNBITS_CONFIG.PENDING_AUTH_TOKEN_KEY, token)
+}
+
+export function removePendingAuthToken(): void {
+  localStorage.removeItem(LNBITS_CONFIG.PENDING_AUTH_TOKEN_KEY)
+}
+
--- a/src/lib/router-helpers.ts
+++ b/src/lib/router-helpers.ts
@ -14,7 +14,14 @@ import type { Router, RouteRecordRaw } from 'vue-router'
 * mismatch: guards register early but await this promise before reading
 * auth state. Phase 3 calls markAuthReady() once auth is initialized.
 */
-type AuthLike = { isAuthenticated: { value: boolean } }
+type AuthUserLike = { value: { pubkey?: string } | null }
+type AuthLike = {
+  isAuthenticated: { value: boolean }
+  // Populated after server-validated getCurrentUser() in auth.checkAuth().
+  // Guards require BOTH isAuthenticated and a user with a pubkey — token
+  // presence alone is not enough (issue #36).
+  currentUser: AuthUserLike
+}

 let resolveAuth!: (a: AuthLike) => void
 const authReady: Promise<AuthLike> = new Promise(r => { resolveAuth = r })
@ -23,6 +30,15 @@ export function markAuthReady(auth: AuthLike): void {
  resolveAuth(auth)
 }

+/**
+ * Belt-and-suspenders auth check: token presence in localStorage isn't
+ * sufficient — the server must have confirmed the token represents a real
+ * session, which is signalled by currentUser being populated with a pubkey.
+ */
+function isFullyAuthed(auth: AuthLike): boolean {
+  return auth.isAuthenticated.value && !!auth.currentUser?.value?.pubkey
+}
+
 /**
 * Strict guard — every non-/login route requires auth.
 * Used by wallet, chat, castle (no public view).
@ -30,10 +46,11 @@ export function markAuthReady(auth: AuthLike): void {
 export function installStrictAuthGuard(router: Router): void {
  router.beforeEach(async (to) => {
    const auth = await authReady
+    const authed = isFullyAuthed(auth)
    if (to.path === '/login') {
-      return auth.isAuthenticated.value ? '/' : true
+      return authed ? '/' : true
    }
-    return auth.isAuthenticated.value ? true : '/login'
+    return authed ? true : '/login'
  })
 }

@ -45,8 +62,9 @@ export function installLenientAuthGuard(router: Router): void {
  router.beforeEach(async (to) => {
    const auth = await authReady
    const requiresAuth = to.meta.requiresAuth === true
-    if (requiresAuth && !auth.isAuthenticated.value) return '/login'
-    if (to.path === '/login' && auth.isAuthenticated.value) return '/'
+    const authed = isFullyAuthed(auth)
+    if (requiresAuth && !authed) return '/login'
+    if (to.path === '/login' && authed) return '/'
    return true
  })
 }
--- a/src/lib/url-token.ts
+++ b/src/lib/url-token.ts
@ -0,0 +1,27 @@
+import { setPendingAuthToken } from '@/lib/config/lnbits'
+
+/**
+ * Cross-subdomain auth relay (issue #36): pull `?token=…` off the URL into
+ * the pending-token slot in localStorage, then strip it from history so it
+ * doesn't bleed into bookmarks or referrers.
+ *
+ * The token is NOT promoted to the real auth-token slot here. AuthService
+ * .checkAuth() server-validates it via lnbitsAPI.tryAdoptToken() and only
+ * persists it if the LNbits backend confirms it represents a real session.
+ *
+ * Call this synchronously at app boot, before createApp(), so the URL is
+ * cleaned before vue-router has a chance to read it. The pending token sits
+ * in localStorage until auth.initialize() picks it up later in the same
+ * page load.
+ */
+export function acceptTokenFromUrl(appName: string): void {
+  const params = new URLSearchParams(window.location.search)
+  const token = params.get('token')
+  if (!token) return
+  setPendingAuthToken(token)
+  params.delete('token')
+  const clean = params.toString()
+  const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
+  window.history.replaceState({}, '', newUrl)
+  console.log(`[${appName}] URL token captured for server validation`)
+}
--- a/src/market-app/app.ts
+++ b/src/market-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Market] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 export async function createAppInstance() {
  console.log('Starting Market app...')

-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Market')

  const app = createApp(App)

--- a/src/modules/base/auth/auth-service.ts
+++ b/src/modules/base/auth/auth-service.ts
@ -5,6 +5,7 @@ import { eventBus } from '@/core/event-bus'
 import { injectService, SERVICE_TOKENS } from '@/core/di-container'
 import type { LoginCredentials, RegisterData, User } from '@/lib/api/lnbits'
 import type { NostrMetadataService } from '../nostr/nostr-metadata-service'
+import { getPendingAuthToken, removePendingAuthToken } from '@/lib/config/lnbits'

 export class AuthService extends BaseService {
  // Service metadata
@ -49,6 +50,28 @@ export class AuthService extends BaseService {
  }

  async checkAuth(): Promise<boolean> {
+    // Pending URL-supplied token (from acceptTokenFromUrl in app shells).
+    // Validate server-side before promoting to the real auth-token slot —
+    // see issue #36. Always remove the pending entry whether validation
+    // succeeds or fails so it can't recur on later boots.
+    const pending = getPendingAuthToken()
+    if (pending) {
+      removePendingAuthToken()
+      this.isLoading.value = true
+      try {
+        const adopted = await this.lnbitsAPI.tryAdoptToken(pending)
+        if (adopted) {
+          this.user.value = adopted
+          this.isAuthenticated.value = true
+          this.debug(`Adopted pending URL token for ${adopted.username || adopted.id}`)
+          return true
+        }
+        this.debug('Pending URL token rejected — falling through to existing token')
+      } finally {
+        this.isLoading.value = false
+      }
+    }
+
    if (!this.lnbitsAPI.isAuthenticated()) {
      this.debug('No auth token found - user needs to login')
      this.isAuthenticated.value = false
--- a/src/modules/market/views/MarketDashboard.vue
+++ b/src/modules/market/views/MarketDashboard.vue
@ -62,7 +62,7 @@

 <script setup lang="ts">
 import { ref, computed, onMounted } from 'vue'
-import { useRoute } from 'vue-router'
+import { useRoute, useRouter } from 'vue-router'
 import { useMarketStore } from '@/modules/market/stores/market'
 import { Badge } from '@/components/ui/badge'
 import { 
@ -138,8 +138,20 @@ const tabs = computed(() => [
  }
 ])

+const router = useRouter()
+
 // Lifecycle
 onMounted(() => {
+  // Defence-in-depth: the router guard should already have redirected an
+  // unauthenticated visitor, but if a regression slips past it (issue #36
+  // root cause), bounce here too. Auth is "real" only when both the token
+  // is present AND the server-validated user object has a pubkey.
+  const fullyAuthed = auth.isAuthenticated.value && !!auth.currentUser?.value?.pubkey
+  if (!fullyAuthed) {
+    console.warn('[MarketDashboard] Mounted without full auth — redirecting to /login')
+    router.replace('/login')
+    return
+  }
  console.log('Market Dashboard mounted')
 })
 </script>
--- a/src/tasks-app/app.ts
+++ b/src/tasks-app/app.ts
@ -14,24 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installLenientAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Tasks] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 export async function createAppInstance() {
  console.log('Starting Tasks app...')

-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Tasks')

  const app = createApp(App)

--- a/src/wallet-app/app.ts
+++ b/src/wallet-app/app.ts
@ -14,28 +14,12 @@ import App from './App.vue'
 import '@/assets/index.css'
 import { i18n, changeLocale, type AvailableLocale } from '@/i18n'
 import { installStrictAuthGuard, markAuthReady, catchAllRoute } from '@/lib/router-helpers'
-
-/**
- * Accept an auth token from a URL parameter (e.g. ?token=xxx).
- * Allows the hub to link users into Wallet without re-login.
- */
-function acceptTokenFromUrl() {
-  const params = new URLSearchParams(window.location.search)
-  const token = params.get('token')
-  if (token) {
-    localStorage.setItem('lnbits_access_token', token)
-    params.delete('token')
-    const clean = params.toString()
-    const newUrl = window.location.pathname + (clean ? `?${clean}` : '') + window.location.hash
-    window.history.replaceState({}, '', newUrl)
-    console.log('[Wallet] Auth token accepted from URL')
-  }
-}
+import { acceptTokenFromUrl } from '@/lib/url-token'

 export async function createAppInstance() {
  console.log('Starting Wallet app...')

-  acceptTokenFromUrl()
+  acceptTokenFromUrl('Wallet')

  const app = createApp(App)