From 7fcef2c2b2a9d4a2dd0d97690ee1cd60ac266679 Mon Sep 17 00:00:00 2001 From: Jeff Emmett Date: Thu, 19 Feb 2026 02:07:51 +0000 Subject: [PATCH] =?UTF-8?q?Fix=20JWT=20verify=20calls=20for=20Hono=204.11.?= =?UTF-8?q?10=20=E2=80=94=20add=20required=20'HS256'=20alg?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hono 4.11.10 made the `alg` parameter required in `verify()`. All 6 verify() calls were failing with "JWT verification requires alg option to be specified", causing every token verification to return 401. This broke space creation and all authenticated operations. Co-Authored-By: Claude Opus 4.6 --- src/encryptid/server.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts index fe03c16..19f5f56 100644 --- a/src/encryptid/server.ts +++ b/src/encryptid/server.ts @@ -499,7 +499,7 @@ app.get('/api/session/verify', async (c) => { const token = authHeader.slice(7); try { - const payload = await verify(token, CONFIG.jwtSecret); + const payload = await verify(token, CONFIG.jwtSecret, 'HS256'); return c.json({ valid: true, userId: payload.sub, @@ -519,7 +519,7 @@ app.post('/api/session/verify', async (c) => { } try { - const payload = await verify(token, CONFIG.jwtSecret); + const payload = await verify(token, CONFIG.jwtSecret, 'HS256'); return c.json({ valid: true, claims: payload, @@ -545,7 +545,7 @@ app.post('/api/session/refresh', async (c) => { const token = authHeader.slice(7); try { - const payload = await verify(token, CONFIG.jwtSecret, { clockTolerance: 60 * 60 }); // Allow 1 hour expired + const payload = await verify(token, CONFIG.jwtSecret, { alg: 'HS256', exp: false }); // Allow expired tokens for refresh // Issue new token const newToken = await generateSessionToken( 
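Review bot: The literal `'HS256'` is now repeated at six `verify()` call sites (this hunk at -499 and the hunks at -519, -545, -575, -606 and -907), so the accepted algorithm is pinned in six places instead of one. The route handlers also repeat the `Bearer` slicing and verification that `verifyTokenFromRequest` in the last hunk already performs. Declaring it once, for example `const JWT_ALG = 'HS256' as const; // pinned server-side, never taken from the token header`, and passing `JWT_ALG` everywhere (or routing the handlers through `verifyTokenFromRequest`) keeps one endpoint from drifting on the next library upgrade. The handler bodies start and end outside these hunks, so how each one builds `authHeader` is not visible here.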
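Review bot: `exp: false` on the `/api/session/refresh` call in the -545 hunk switches expiry validation off entirely, so a token of any age that still carries a valid signature under `CONFIG.jwtSecret` can be exchanged for a fresh one; the removed line at least expressed a one-hour limit. A token that leaks through logs or a backup therefore never ages out while the secret stays the same. Keep the signature check as written, but bound the grace period by hand directly after it: `const age = Math.floor(Date.now() / 1000) - Number(payload.exp);` followed by `if (!Number.isFinite(age) || age > 60 * 60) throw new Error('refresh window exceeded');`. The throw presumably lands in the handler's `catch`, which lies outside the hunk, so confirm that path answers 401.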
@@ -575,7 +575,7 @@ app.get('/api/user/credentials', async (c) => { const token = authHeader.slice(7); try { - const payload = await verify(token, CONFIG.jwtSecret); + const payload = await verify(token, CONFIG.jwtSecret, 'HS256'); const userId = payload.sub as string; const creds = await getUserCredentials(userId); @@ -606,7 +606,7 @@ app.post('/api/recovery/email/set', async (c) => { } try { - const payload = await verify(authHeader.slice(7), CONFIG.jwtSecret); + const payload = await verify(authHeader.slice(7), CONFIG.jwtSecret, 'HS256'); const { email } = await c.req.json(); if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) { @@ -907,7 +907,7 @@ async function verifyTokenFromRequest(authorization: string | undefined): Promis if (!authorization?.startsWith('Bearer ')) return null; const token = authorization.slice(7); try { - const payload = await verify(token, CONFIG.jwtSecret); + const payload = await verify(token, CONFIG.jwtSecret, 'HS256'); return payload as { sub: string; did?: string; username?: string }; } catch { return null;