From 6114416b8b3f9fab70ea137103a515594613bf19 Mon Sep 17 00:00:00 2001
From: sherl
Date: Tue, 27 Jan 2026 12:52:21 +0100
Subject: [PATCH] fix: check for JWT validity when attempting to decode it
---
 src/controllers/linkController.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/controllers/linkController.ts b/src/controllers/linkController.ts
index f89d076..ebf1a03 100644
--- a/src/controllers/linkController.ts
+++ b/src/controllers/linkController.ts
@@ -94,7 +94,10 @@ export async function createLinkHandler(
 ) {
 // Using locals to retrieve decoded user JWT.
- const decodedUser: jwt.JwtDecoded | undefined = res.locals.user?.decoded;
+ // jwt.JwtDecoded when JWT is supplied
+ // undefined if not
+ // null if is invalid (expired)
+ const decodedUser: jwt.JwtDecoded | undefined | null = res.locals.user?.decoded;
 const linkService = new LinkService();
 const subdomainsAllowed: boolean = env.getBool('useSubdomains', true)!;
 const rewriteStrings: env.RewriteStrings = env.getRewriteStrings();
@@ -114,7 +117,7 @@ export async function createLinkHandler(
 }
 let user: User | null = null;
- if (decodedUser !== undefined) {
+ if (decodedUser !== undefined && decodedUser !== null) {
 // If user is logged in, retrieve the account.
 const userService = new UserService();
 user = await userService.findById(decodedUser.sub);
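Review bot: The three-state contract for `res.locals.user?.decoded` is documented only by the new comment above `decodedUser` in the first hunk, and the annotation `jwt.JwtDecoded | undefined | null` is not compiler-checked if `res.locals` is Express's untyped locals bag (an assumption, since the middleware that writes it is not part of this diff). The comment also equates "invalid" with "expired"; if the middleware stores `null` for a bad signature or a malformed token as well, the comment should say so, e.g. `// null: a token was supplied but failed verification (expired, bad signature, malformed)`. Declaring the tri-state once as a shared type next to the middleware would keep every handler that reads it in step. createLinkHandler's body starts and continues outside the hunk.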
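Review bot: With the widened guard `if (decodedUser !== undefined && decodedUser !== null)` in the second hunk, a request that presents an expired or otherwise invalid token falls through with `user = null` and is handled exactly like an anonymous request, so the caller never learns that authentication failed. If anonymous link creation is permitted, the link would presumably be created without an owner; rejecting before the lookup is the fail-closed alternative, e.g. `if (decodedUser === null) return res.sendStatus(401);` (assuming `res` is an Express response and the project has no dedicated error helper). The two comparisons can also be written as `decodedUser != null`. The rest of the handler lies outside the hunk, so a later check on `user` may already cover this.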