
fix: require authentication before issuing refreshed tokens #9031

Open
Yzgaming005 wants to merge 3 commits into SecureBananaLabs:main from Yzgaming005:fix/refresh-auth-required

Conversation

@Yzgaming005


/claim #9030

Summary

  • Protected POST /api/auth/refresh route with authMiddleware (bearer token required)
  • Updated refreshToken service to accept subject and role parameters instead of hardcoded values
  • Updated refresh controller to pass authenticated user's sub and role from req.user
  • Added regression tests:
    • Unauthenticated request → 401
    • Invalid token → 401
    • Valid token → 200 with new token containing same subject and role

Test Results

# tests 9
# pass 9
# fail 0

Validation

git diff --check: passed
npm test: all 9 tests pass

Ref: #743

Yusrizal Ahmad added 3 commits June 27, 2026 12:43
- Updated errorHandler to recognize body-parser parse errors (entity.parse.failed)
  and return HTTP 400 with { success: false, message } shape
- Added ZodError recognition in errorHandler returning 400 with structured issues
- Added catchAsync utility to forward async errors to Express error handler
- Wrapped auth and job route handlers with catchAsync
- Added regression tests for malformed JSON, invalid registration, and missing fields

Closes SecureBananaLabs#9020
Closes SecureBananaLabs#9018
Ref: SecureBananaLabs#743

- Added 5 MB file size limit to Multer configuration
- Updated errorHandler to recognize LIMIT_FILE_SIZE errors and return HTTP 413
- Wrapped upload route with catchAsync for proper error forwarding
- Added regression tests for small (accepted) and oversized (rejected) uploads

Closes SecureBananaLabs#9028
Ref: SecureBananaLabs#743

- Protected /api/auth/refresh route with authMiddleware
- Updated refreshToken service to accept subject and role parameters
- Updated refresh controller to pass authenticated user's sub and role
- Added regression tests for unauthenticated rejection and identity preservation

Closes SecureBananaLabs#9030
Ref: SecureBananaLabs#743
github-actions Bot added a commit that referenced this pull request Jun 27, 2026