feat: enhance send file download token with JTI for improved validation

src/handlers/sends.ts

@@ -1195,11 +1195,19 @@ export async function handleDownloadSendFile(
     return errorResponse('Token mismatch', 401);
   }
 
+  const storage = new StorageService(env.DB);
   const object = await env.ATTACHMENTS.get(getSendFilePath(sendId, fileId));
   if (!object) {
     return errorResponse('Send file not found', 404);
   }
 
+  // Reuse the existing one-time token store used by attachment downloads.
+  // Prefix avoids accidental cross-domain JTI collisions.
+  const firstUse = await storage.consumeAttachmentDownloadToken(`send:${claims.jti}`, claims.exp);
+  if (!firstUse) {
+    return errorResponse('Invalid or expired token', 401);
+  }
+
   return new Response(object.body, {
     headers: {
       'Content-Type': 'application/octet-stream',
@@ -1287,4 +1295,3 @@ export async function issueSendAccessToken(
   const token = await createSendAccessToken(send.id, jwt.secret);
   return { token };
 }
-

src/utils/jwt.ts

@@ -181,6 +181,7 @@ export async function verifyFileDownloadToken(
 export interface SendFileDownloadClaims {
   sendId: string;
   fileId: string;
+  jti: string;
   exp: number;
 }
 
@@ -194,6 +195,7 @@ export async function createSendFileDownloadToken(
   const payload: SendFileDownloadClaims = {
     sendId,
     fileId,
+    jti: createRefreshToken(),
     exp: now + LIMITS.auth.fileDownloadTokenTtlSeconds,
   };
 
@@ -240,6 +242,15 @@ export async function verifySendFileDownloadToken(
     if (!valid) return null;
 
     const payload: SendFileDownloadClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    if (
+      typeof payload.sendId !== 'string' ||
+      typeof payload.fileId !== 'string' ||
+      typeof payload.jti !== 'string' ||
+      !payload.jti ||
+      typeof payload.exp !== 'number'
+    ) {
+      return null;
+    }
     const now = Math.floor(Date.now() / 1000);
     if (payload.exp < now) return null;