
fix(security): replace unvalidated user-role cookie with JWT verifica…#851

Merged
RUKAYAT-CODER merged 1 commit into
rinafcode:mainfrom
mubking:my-feature
Jun 29, 2026

Conversation


@mubking mubking commented Jun 29, 2026

Contributor

…tion in RBAC middleware

  • Create src/lib/auth/jwt.ts with Edge-compatible Web Crypto JWT verification
  • Remove request.cookies.get('user-role') from src/middleware.ts
  • Extract role from cryptographically verified JWT payload instead
  • Redirect to /login on missing/invalid token, /unauthorized on insufficient role
  • Add middleware tests covering role-elevation attempts (6 tests passing)

Closes #716


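The middleware change this PR describes, as an added TypeScript example that is not the project's code: HS256 JWT verification over Web Crypto (the API the Edge runtime exposes as `globalThis.crypto`), with the role read from the verified payload and the two redirect outcomes the PR lists. The secret, the role names and the role hierarchy are assumptions; the project's real key handling, claims and file layout are not shown on this page.

```typescript
import { webcrypto } from 'node:crypto';

// Edge runtime exposes Web Crypto as globalThis.crypto; fall back to Node's implementation of the same API.
const subtle = (globalThis as any).crypto?.subtle ?? webcrypto.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

// base64url helpers without Buffer, which the Edge runtime does not provide
function b64urlDecode(s: string): Uint8Array {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function b64urlEncode(bytes: Uint8Array): string {
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function hmacKey(secret: string, usage: 'sign' | 'verify') {
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

// Returns the payload only if the signature verifies under the pinned algorithm and exp is in the future.
export async function verifyJwt(token: string, secret: string): Promise<Record<string, unknown> | null> {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(dec.decode(b64urlDecode(h)));
    if (header.alg !== 'HS256') return null; // the server pins alg; "none" or any other value is rejected
    const ok = await subtle.verify('HMAC', await hmacKey(secret, 'verify'), b64urlDecode(s), enc.encode(`${h}.${p}`));
    if (!ok) return null;
    const payload = JSON.parse(dec.decode(b64urlDecode(p)));
    if (typeof payload.exp !== 'number' || payload.exp <= Math.floor(Date.now() / 1000)) return null;
    return payload;
  } catch {
    return null; // malformed base64 or JSON is handled exactly like a bad signature
  }
}

// Issuer side, used here to build tokens; in the app the login handler would do this (assumed).
export async function signJwt(payload: Record<string, unknown>, secret: string): Promise<string> {
  const h = b64urlEncode(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const p = b64urlEncode(enc.encode(JSON.stringify(payload)));
  const sig = new Uint8Array(await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(`${h}.${p}`)));
  return `${h}.${p}.${b64urlEncode(sig)}`;
}

// Middleware decision: the role comes from the verified payload, never from a client-settable cookie.
export type Decision = { action: 'next' } | { action: 'redirect'; to: '/login' | '/unauthorized' };
const ROLE_RANK: Record<string, number> = { user: 1, admin: 2 }; // assumed hierarchy, not from the PR
export async function authorize(token: string | undefined, requiredRole: string, secret: string): Promise<Decision> {
  const payload = token ? await verifyJwt(token, secret) : null;
  if (!payload) return { action: 'redirect', to: '/login' };
  const role = typeof payload.role === 'string' ? payload.role : '';
  if ((ROLE_RANK[role] ?? 0) < (ROLE_RANK[requiredRole] ?? Infinity)) return { action: 'redirect', to: '/unauthorized' };
  return { action: 'next' };
}
```

In a Next.js middleware the `token` argument would be the session cookie value and a `redirect` decision becomes `NextResponse.redirect(new URL(to, request.url))`.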

drips-wave Bot commented Jun 29, 2026


@mubking Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER

Contributor

Thank you for contributing to the project.

@RUKAYAT-CODER RUKAYAT-CODER merged commit 13e07aa into rinafcode:main Jun 29, 2026
4 checks passed


Development

Successfully merging this pull request may close these issues.

[Security] RBAC middleware reads user role from an unvalidated cookie — trivially bypassable

2 participants