feat: enhance send file download token with JTI for improved validation

This commit is contained in:
shuaiplus
2026-03-05 01:31:02 +08:00
parent 12024203be
commit 9db92d13ab
2 changed files with 19 additions and 1 deletions
+8 -1
@@ -1195,11 +1195,19 @@ export async function handleDownloadSendFile(
return errorResponse('Token mismatch', 401);
}
const storage = new StorageService(env.DB);
const object = await env.ATTACHMENTS.get(getSendFilePath(sendId, fileId));
if (!object) {
return errorResponse('Send file not found', 404);
}
// Reuse the existing one-time token store used by attachment downloads.
// Prefix avoids accidental cross-domain JTI collisions.
const firstUse = await storage.consumeAttachmentDownloadToken(`send:${claims.jti}`, claims.exp);
if (!firstUse) {
return errorResponse('Invalid or expired token', 401);
}
return new Response(object.body, {
headers: {
'Content-Type': 'application/octet-stream',
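Review bot: The one-time token is consumed only after the object lookup and the 404 return, so a holder of an already-used or expired token can still distinguish an existing file (401) from a missing one (404), and every replay costs a storage read; consuming the token before `env.ATTACHMENTS.get(...)` closes both. The key `send:${claims.jti}` is built without checking that `jti` is present, so any token lacking the claim (older tokens, if the issuer changed in this commit) collapses onto the single key `send:undefined` — the first such request consumes it and every later one is rejected; a guard such as `if (typeof claims.jti !== 'string' || claims.jti === '') return errorResponse('Invalid or expired token', 401);` before the consume call makes the failure explicit. The replay protection is only as strong as `consumeAttachmentDownloadToken` being an atomic check-and-set; its implementation is not in this hunk, so that is worth confirming or noting in the comment above the call. `handleDownloadSendFile` begins before this hunk and its body continues past it.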
@@ -1287,4 +1295,3 @@ export async function issueSendAccessToken(
const token = await createSendAccessToken(send.id, jwt.secret);
return { token };
}