fix: check for JWT validity when attempting to decode it

.dockerignore

@@ -1,3 +1,4 @@
 .env
 */.env
-*.md
+build
+node_modules

.env.default

@@ -1,6 +1,6 @@
 # Server config
-ACCESS_TOKEN_PRIVATE_KEY=CHANGE_ME_TO_SOMETHING_RANDOM # Used to generate user tokens. Make sure this is pretty random.
+ACCESS_TOKEN_PRIVATE_KEY=CHANGE_ME_TO_SOMETHING_RANDOM      # Used to generate user tokens. Make sure this is pretty random.
-TRUSTED_ORIGINS=http://localhost:6568                  # Comma separated list of trusted origins. Make sure to include your PUBLIC_URL here.
+TRUSTED_ORIGINS=http://localhost:6568,http://127.0.0.1:6568 # Comma separated list of trusted origins. Make sure to include your PUBLIC_URL here.
 
 # TypeORM specific
 # Please make sure these match with docker-compose.yml, or your own postgres server.

Dockerfile

@@ -4,7 +4,7 @@ FROM node:24-trixie-slim AS builder
 
 WORKDIR /app
 COPY package*.json ./
-RUN npm ci --only=production && npm cache clean --force
+RUN npm ci && npm cache clean --force
 COPY . .
 
 FROM node:24-trixie-slim AS production

README.md

@@ -26,10 +26,14 @@ Running the back-end is as simple as:
 		npm ci
 		```
 - Copying the .env.default file to .env, and customizing it to own preferences.
+
 	**Example:** Say, you want to add a domain to the trusted CORS origins list. To do so, your .env file in your editor of choice and append a comma (`,`) with the origin you want to add (say, `http://example.com`). Your .env file might then look as follows: `TRUSTED_ORIGINS=http://localhost:6568,http://example.com`.
+
 	**Important:** Make sure to change the `ACCESS_TOKEN_PRIVATE_KEY` variable to something secure, as this secret value will be used to generate user sessions. **Setting a weak key will allow attackers to potentially bruteforce your secret and forge user tokens!**
 - Pasting your wordlist file into `src/tools/wordlist.ts`.
+
 	No wordlist file exists by default in `src/tools/wordlist.ts`. This is because wordlists were meant to be as modular as possible (with the philosophy of "bring your own wordlist"). If you leave that as-is, you'll run into runtime errors.
+	
 	However, if you don't want to provide your own wordlist, and just want to get up and running as fast as possible, you're free to use the provided sample `wordlist.example-large.ts` file. Just copy it into `src/tools/wordlist.ts`:
 	```sh
 	cp wordlist.example-large.ts src/tools/wordlist.ts

package.json

@@ -1,6 +1,6 @@
 {
     "name": "kittyBE",
-    "version": "0.0.2",
+    "version": "0.0.3",
     "description": "Your go-to place for short and memorable URLs.",
     "type": "commonjs",
     "devDependencies": {

src/app.ts

@@ -91,7 +91,7 @@ AppDataSource.initialize().then(async () => {
 		
 		// Retrieve url, subdomain from request.
 		let uri: string = req.url.slice(1); // discards / from /abc, /abc -> abc
-		let subdomain: string | null = req.headers.host!.replace(rs.fqdn, '') || null;
+		let subdomain: string | null = req.headers.host!.replace(rs.fqdn, '').slice(0, -1) || null; // slice() to remove trailing dot
 
 		// Try to lookup the url in DB
 		const reversedLink: Link | null = await linkService.lookupUriWithExpiryValidation(uri, subdomain);

src/controllers/linkController.ts

@@ -94,7 +94,10 @@ export async function createLinkHandler(
 ) {
 
 	// Using locals to retrieve decoded user JWT.
-	const decodedUser: jwt.JwtDecoded | undefined = res.locals.user?.decoded;
+	// jwt.JwtDecoded when JWT is supplied
+	// undefined if not
+	// null if is invalid (expired)
+	const decodedUser: jwt.JwtDecoded | undefined | null = res.locals.user?.decoded;
 	const linkService = new LinkService();
 	const subdomainsAllowed: boolean = env.getBool('useSubdomains', true)!;
 	const rewriteStrings: env.RewriteStrings = env.getRewriteStrings();
@@ -114,7 +117,7 @@ export async function createLinkHandler(
 	}
 
 	let user: User | null = null;
-	if (decodedUser !== undefined) {
+	if (decodedUser !== undefined && decodedUser !== null) {
 		// If user is logged in, retrieve the account.
 		const userService = new UserService();
 		user = await userService.findById(decodedUser.sub);

src/schemas/miscSchema.ts

@@ -29,4 +29,4 @@ export type ErrorDTO = {
 // Used to check against reserved names.
 export const disallowedUriSchema = z
 	.string()
-	.regex(/^(about|assets|healthcheck|kttydocs|panel)/);
+	.regex(/^(about|assets|healthcheck|kttydocs|panel|robots\.txt)/);