fix: check for JWT validity when attempting to decode it

fix: add robots.txt to forbidden url schemas
fix: add a sane default for CORS trusted origins (127.0.0.1)
2026-01-27 12:52:21 +01:00 · 2026-01-27 12:51:49 +01:00 · 2026-01-21 00:57:39 +01:00 · 2026-01-20 22:29:28 +01:00
5 changed files with 11 additions and 7 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,4 @@
 .env
 */.env
-*.md
+build
+node_modules
--- a/.env.default
+++ b/.env.default
@@ -1,6 +1,6 @@
 # Server config
-ACCESS_TOKEN_PRIVATE_KEY=CHANGE_ME_TO_SOMETHING_RANDOM # Used to generate user tokens. Make sure this is pretty random.
-TRUSTED_ORIGINS=http://localhost:6568                  # Comma separated list of trusted origins. Make sure to include your PUBLIC_URL here.
+ACCESS_TOKEN_PRIVATE_KEY=CHANGE_ME_TO_SOMETHING_RANDOM      # Used to generate user tokens. Make sure this is pretty random.
+TRUSTED_ORIGINS=http://localhost:6568,http://127.0.0.1:6568 # Comma separated list of trusted origins. Make sure to include your PUBLIC_URL here.

 # TypeORM specific
 # Please make sure these match with docker-compose.yml, or your own postgres server.
--- a/2
+++ b/2
@@ -4,7 +4,7 @@ FROM node:24-trixie-slim AS builder

 WORKDIR /app
 COPY package*.json ./
-RUN npm ci --only=production && npm cache clean --force
+RUN npm ci && npm cache clean --force
 COPY . .

 FROM node:24-trixie-slim AS production
--- a/src/controllers/linkController.ts
+++ b/src/controllers/linkController.ts
@@ -94,7 +94,10 @@ export async function createLinkHandler(
 ) {

 	// Using locals to retrieve decoded user JWT.
-	const decodedUser: jwt.JwtDecoded | undefined = res.locals.user?.decoded;
+	// jwt.JwtDecoded when JWT is supplied
+	// undefined if not
+	// null if is invalid (expired)
+	const decodedUser: jwt.JwtDecoded | undefined | null = res.locals.user?.decoded;
 	const linkService = new LinkService();
 	const subdomainsAllowed: boolean = env.getBool('useSubdomains', true)!;
 	const rewriteStrings: env.RewriteStrings = env.getRewriteStrings();
@@ -114,7 +117,7 @@ export async function createLinkHandler(
 	}

 	let user: User | null = null;
-	if (decodedUser !== undefined) {
+	if (decodedUser !== undefined && decodedUser !== null) {
 		// If user is logged in, retrieve the account.
 		const userService = new UserService();
 		user = await userService.findById(decodedUser.sub);
--- a/src/schemas/miscSchema.ts
+++ b/src/schemas/miscSchema.ts
@@ -29,4 +29,4 @@ export type ErrorDTO = {
 // Used to check against reserved names.
 export const disallowedUriSchema = z
 	.string()
-	.regex(/^(about|assets|healthcheck|kttydocs|panel)/);
+	.regex(/^(about|assets|healthcheck|kttydocs|panel|robots\.txt)/);
Author	SHA1	Message	Date
sherl	6114416b8b	fix: check for JWT validity when attempting to decode it All checks were successful Update changelog / changelog (push) Successful in 26s Details	2026-01-27 12:52:21 +01:00
sherl	5771a182fe	fix: add robots.txt to forbidden url schemas	2026-01-27 12:51:49 +01:00
sherl	dfc3f4cd87	fix: add a sane default for CORS trusted origins (127.0.0.1) All checks were successful Build and push Docker image / build (push) Successful in 2m50s Details Release new version / release (push) Successful in 26s Details Update changelog / changelog (push) Successful in 25s Details	2026-01-21 00:57:39 +01:00
sherl	e0d8849bd1	fix: Docker fixes All checks were successful Build and push Docker image / build (push) Successful in 2m53s Details Release new version / release (push) Successful in 29s Details Update changelog / changelog (push) Successful in 24s Details	2026-01-20 22:29:28 +01:00