lnbiuc / blog-next-view

Nuxt FullStack Blog. Site: https://vio.vin. Introductory article: https://vio.vin/article/nuxt-fullstack
https://vio.vin
MIT License
56 stars 15 forks

Unauthorized Access via Exposed JWT Token in /server/middleware/auth.ts #25

Closed BrackRat closed 8 months ago

BrackRat commented 8 months ago

I have found that the JWT token is leaked in /server/middleware/auth.ts, which can bypass authentication and allow direct modification of information.

By the way, in the backend page /violet, Article and Friends information can be directly accessed by default, potentially leading to unauthorized viewing.

Proof: [image]

lnbiuc commented 8 months ago

Thank you for reminding me that I shouldn't submit the SECRET_KEY to a public repository. Now the SECRET_KEY will be introduced as an environment variable.

As for the second issue, in SSR mode, if permission verification for accessing receipt interfaces is added to the /violet/articles page and /violet/friends page, it will cause errors because the JWT cannot be obtained on the server side. More operations are needed to ensure that there are no errors, such as using cookies. However, this is not necessary for me. Whether direct access to this data is possible is not very important; ensuring that data additions, updates, and deletions are verified is sufficient.