jeffemmett
/
rspace-online
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix JWT verify calls for Hono 4.11.10 — add required 'HS256' alg 

Hono 4.11.10 made the `alg` parameter required in `verify()`. All 6
verify() calls were failing with "JWT verification requires alg option
to be specified", causing every token verification to return 401. This
broke space creation and all authenticated operations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jeff Emmett 2026-02-19 02:07:51 +00:00
parent 9050298c6f
commit 7fcef2c2b2
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/encryptid/server.ts
View File

@ -499,7 +499,7 @@ app.get('/api/session/verify', async (c) => {
const token = authHeader.slice(7);
try {
const payload = await verify(token, CONFIG.jwtSecret);
const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
return c.json({
valid: true,
userId: payload.sub,
@ -519,7 +519,7 @@ app.post('/api/session/verify', async (c) => {
}
try {
const payload = await verify(token, CONFIG.jwtSecret);
const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
return c.json({
valid: true,
claims: payload,
@ -545,7 +545,7 @@ app.post('/api/session/refresh', async (c) => {
const token = authHeader.slice(7);
try {
const payload = await verify(token, CONFIG.jwtSecret, { clockTolerance: 60 * 60 }); // Allow 1 hour expired
const payload = await verify(token, CONFIG.jwtSecret, { alg: 'HS256', exp: false }); // Allow expired tokens for refresh
// Issue new token
const newToken = await generateSessionToken(
@ -575,7 +575,7 @@ app.get('/api/user/credentials', async (c) => {
const token = authHeader.slice(7);
try {
const payload = await verify(token, CONFIG.jwtSecret);
const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
const userId = payload.sub as string;
const creds = await getUserCredentials(userId);
@ -606,7 +606,7 @@ app.post('/api/recovery/email/set', async (c) => {
}
try {
const payload = await verify(authHeader.slice(7), CONFIG.jwtSecret);
const payload = await verify(authHeader.slice(7), CONFIG.jwtSecret, 'HS256');
const { email } = await c.req.json();
if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
@ -907,7 +907,7 @@ async function verifyTokenFromRequest(authorization: string | undefined): Promis
if (!authorization?.startsWith('Bearer ')) return null;
const token = authorization.slice(7);
try {
const payload = await verify(token, CONFIG.jwtSecret);
const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
return payload as { sub: string; did?: string; username?: string };
} catch {
return null;