@plusscommunities/pluss-core-aws 2.0.21 → 2.0.22

package/helper/auth/checkTokenBlacklist.js

@@ -0,0 +1,25 @@
+const crypto = require("crypto");
+const { getRef } = require("../../db/common/getRef");
+
+module.exports = async (token) => {
+  if (!token) return false;
+
+  try {
+    // Create hash of token for TokenId lookup
+    const tokenHash = crypto.createHash("sha256").update(token).digest("hex");
+
+    // Check if token exists in blacklist
+    const blacklistedToken = await getRef(
+      "invalidTokens",
+      "TokenId",
+      tokenHash
+    );
+
+    // Return true if found (blacklisted), false if not found
+    return !!blacklistedToken;
+  } catch (error) {
+    // If error occurs during lookup, assume token is not blacklisted
+    // This ensures authentication doesn't fail due to blacklist issues
+    return false;
+  }
+};

package/helper/auth/getSessionUser.js

@@ -1,9 +1,21 @@
 const https = require("https");
 const jose = require("node-jose");
 const { getConfig } = require("../../config");
+const checkTokenBlacklist = require("./checkTokenBlacklist");
 
 module.exports = async (token) => {
-  return new Promise((resolve, reject) => {
+  return new Promise(async (resolve, reject) => {
+    if (!token) {
+      return resolve(null);
+    }
+
+    // Check if token is blacklisted before expensive verification
+    const isBlacklisted = await checkTokenBlacklist(token);
+    if (isBlacklisted) {
+      reject("Token has been invalidated");
+      return;
+    }
+
     var sections = token.split(".");
     // get the kid from the headers prior to verification
     var header = jose.util.base64url.decode(sections[0]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plusscommunities/pluss-core-aws",
-  "version": "2.0.21",
+  "version": "2.0.22",
   "description": "Core extension package for Pluss Communities platform",
   "scripts": {
     "betapatch": "npm version prepatch --preid=beta",