@zodic/shared 0.0.101 → 0.0.103

package/middleware/index.ts

@@ -12,27 +12,35 @@ export const jwtMiddleware = async (c: AuthCtx, next: () => Promise<void>) => {
   }
 
   if (!token) {
-    token = getCookie(c, 'authToken');
+    token = getCookie(c, 'sessionToken') || getCookie(c, 'authToken');
     if (token) {
       console.log('Token extracted from cookie:', token);
     }
   }
 
   if (!token) {
-    console.warn('Unauthorized: No token provided');
+    console.warn('🔴 Unauthorized: No token provided');
     return c.json({ error: 'Unauthorized: No token provided' }, 401);
   }
 
   try {
-    console.log('Verifying token...');
+    console.log('🔄 Verifying token...');
     const payload = await verifyToken(c, token);
 
-    console.log('Token verified successfully. Payload:', payload);
-    c.set('jwtPayload', payload);
+    console.log('✅ Token verified successfully. Payload:', payload);
+
+    // Ensure userId exists
+    const userId = payload.userId;
+    if (!userId) {
+      console.error('❌ Missing userId in JWT payload:', payload);
+      return c.json({ error: 'Unauthorized: Invalid token payload' }, 401);
+    }
+
+    c.set('jwtPayload', { userId });
 
     await next();
   } catch (err: any) {
-    console.error('Token verification failed:', err.message);
+    console.error('❌ Token verification failed:', err.message);
     return c.json({ error: 'Unauthorized: Invalid or expired token' }, 401);
   }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zodic/shared",
-  "version": "0.0.101",
+  "version": "0.0.103",
   "module": "index.ts",
   "type": "module",
   "publishConfig": {

package/types/scopes/generic.ts

@@ -268,6 +268,7 @@ export interface OAuthCompleteBody {
   longitude: number;
   instagramUsername?: string | null;
   tiktokUsername?: string | null;
+  birthLocation: string;
 }
 
 export interface SignupBody {
@@ -281,5 +282,18 @@ export interface SignupBody {
   longitude: number;
   birthDate: string; // Expected format: "YYYY-MM-DD"
   birthTime?: string | null; // Optional, format: "HH:mm" or null
+  birthLocation: string;
 }
 
+export interface JWK {
+  kid: string; // Key ID
+  kty: string; // Key Type (e.g., "RSA")
+  alg: string; // Algorithm (e.g., "RS256")
+  use: string; // Usage (e.g., "sig" for signature verification)
+  n: string; // Public Modulus (Base64url-encoded)
+  e: string; // Exponent (Base64url-encoded)
+}
+
+export interface JWKS {
+  keys: JWK[];
+}

package/utils/index.ts

@@ -1,32 +1,74 @@
 import { jwtVerify } from 'jose';
-import { AuthCtx, Gender, VALID_GENDERS_ARRAY } from '../types';
+import { webcrypto } from 'node:crypto';
+import { AuthCtx, Gender, JWKS, VALID_GENDERS_ARRAY } from '../types';
 
 export const verifyToken = async (
   c: AuthCtx,
   token: string
 ): Promise<{ userId: string; email?: string; roles?: string[] }> => {
   const jwtSecret = c.env.JWT_SECRET;
-  const audience = c.env.CLOUDFLARE_ACCOUNT_ID;
-  const issuer = c.env.ISSUER;
+  const audience = c.env.GOOGLE_OAUTH_CLIENT_ID;
+  const issuer = 'https://accounts.google.com';
 
-  if (!jwtSecret)
-    throw new Error('Jwt Secret is not defined in the environment');
-  if (!audience) throw new Error('Audience is not defined in the environment');
-  if (!issuer) throw new Error('Issuer is not defined in the environment');
-
-  const secret = new TextEncoder().encode(jwtSecret);
+  if (!jwtSecret) throw new Error('JWT Secret is not defined in the environment');
 
   try {
-    const { payload } = await jwtVerify(token, secret, {
-      audience,
-      issuer,
-    });
+    // ✅ Detect if token is from Google OAuth (ID Token)
+    const decodedHeader = JSON.parse(
+      Buffer.from(token.split('.')[0], 'base64').toString('utf8')
+    );
 
-    if (payload.exp && payload.exp * 1000 < Date.now()) {
-      throw new Error('Token has expired');
-    }
+    if (decodedHeader.alg.startsWith('RS')) {
+      // 🔹 Google OAuth Token Detected → Verify with Google Public Keys
+      const kid = decodedHeader.kid;
+
+      const googleKeysResponse = await fetch(
+        'https://www.googleapis.com/oauth2/v3/certs'
+      );
+      const googleKeys = (await googleKeysResponse.json()) as JWKS;
+
+      const key = googleKeys.keys.find((k: any) => k.kid === kid);
+      if (!key) throw new Error('Google public key not found');
+
+      const publicKey = await webcrypto.subtle.importKey(
+        'jwk',
+        key,
+        { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+        false,
+        ['verify']
+      );
+
+      const { payload } = await jwtVerify(token, publicKey, {
+        audience,
+        issuer,
+      });
 
-    return payload as { userId: string; email?: string; roles?: string[] };
+      if (!payload.sub) {
+        throw new Error('Google token is missing required "sub" claim');
+      }
+
+      return {
+        userId: payload.sub, // Google User ID
+        email: payload.email as string || undefined, // Email might be missing, so fallback to undefined
+      };
+    } else {
+      // 🔹 Regular User Token → Verify with JWT_SECRET
+      const secret = new TextEncoder().encode(jwtSecret);
+      const { payload } = await jwtVerify(token, secret, {
+        audience: c.env.CLOUDFLARE_ACCOUNT_ID,
+        issuer: c.env.ISSUER,
+      });
+
+      if (!payload.userId) {
+        throw new Error('JWT is missing required claims (userId)');
+      }
+
+      if (payload.exp && payload.exp * 1000 < Date.now()) {
+        throw new Error('Token has expired');
+      }
+
+      return payload as { userId: string; email?: string; roles?: string[] };
+    }
   } catch (err) {
     throw new Error('Invalid or expired token');
   }