Closed MKuijpers closed 1 year ago
This should never happen in production since users cannot be deleted from the database, so it would add unnecessary overhead to that endpoint. Thoughts?
Probably yeah. I don't see it happening in production. Just wanted to notify that this is something that does exist. Maybe not necessary to fix.
We can close and mark the issue as wontfix if you agree?
If you have a non-expired local JWT token, the server will always return 200 for `/auth/authenticated`, even if the user does not exist in the database, resulting in the user logging in to the app in some sort of limbo state for a non-existing user. I found this bug by logging in to an account, thus having a local JWT token stored on the device, then reloading the app against a local server without any users in the DB. This logged me in to the app and led me to the Sticker Packs screen where I could not do anything.
Proposed solution: on top of checking whether the token is not expired, the `/auth/authenticated` endpoint should also check whether the user is actually a user in the database, and return a Not Authorized response if the user is not found.