fix: check for JWT validity when attempting to decode it

fix: add robots.txt to forbidden url schemas
2026-01-27 12:52:21 +01:00 · 2026-01-27 12:51:49 +01:00
2 changed files with 6 additions and 3 deletions
--- a/src/controllers/linkController.ts
+++ b/src/controllers/linkController.ts
@@ -94,7 +94,10 @@ export async function createLinkHandler(
 ) {

 	// Using locals to retrieve decoded user JWT.
-	const decodedUser: jwt.JwtDecoded | undefined = res.locals.user?.decoded;
+	// jwt.JwtDecoded when JWT is supplied
+	// undefined if not
+	// null if is invalid (expired)
+	const decodedUser: jwt.JwtDecoded | undefined | null = res.locals.user?.decoded;
 	const linkService = new LinkService();
 	const subdomainsAllowed: boolean = env.getBool('useSubdomains', true)!;
 	const rewriteStrings: env.RewriteStrings = env.getRewriteStrings();
@@ -114,7 +117,7 @@ export async function createLinkHandler(
 	}

 	let user: User | null = null;
-	if (decodedUser !== undefined) {
+	if (decodedUser !== undefined && decodedUser !== null) {
 		// If user is logged in, retrieve the account.
 		const userService = new UserService();
 		user = await userService.findById(decodedUser.sub);
--- a/src/schemas/miscSchema.ts
+++ b/src/schemas/miscSchema.ts
@@ -29,4 +29,4 @@ export type ErrorDTO = {
 // Used to check against reserved names.
 export const disallowedUriSchema = z
 	.string()
-	.regex(/^(about|assets|healthcheck|kttydocs|panel)/);
+	.regex(/^(about|assets|healthcheck|kttydocs|panel|robots\.txt)/);
Author	SHA1	Message	Date
sherl	6114416b8b	fix: check for JWT validity when attempting to decode it All checks were successful Update changelog / changelog (push) Successful in 26s Details	2026-01-27 12:52:21 +01:00
sherl	5771a182fe	fix: add robots.txt to forbidden url schemas	2026-01-27 12:51:49 +01:00