This bounty describes a critical security vulnerability in a 'refresh' authentication endpoint: it mints new access tokens without validating the provided refresh token, allowing unauthenticated access. The task is to implement proper token validation, ensure the request body contains a token, and add regression tests. This is a clear, paid deliverable for a specific issue.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert full-stack developer specializing in secure API development. The task is to fix a critical bug in an existing Node.js/TypeScript (likely Express-based) API's authentication refresh endpoint. The current `/api/auth/refresh` endpoint mints new access tokens for a hard-coded user without validating the refresh token provided in the request body. Implement the following:

1. Modify the `POST /api/auth/refresh` endpoint to require a `token` field in the request body, returning a 400 if missing.
2. Implement robust validation of the provided refresh token. This should include verifying its signature, checking for expiration, and ensuring it's a valid, unrevoked token. Return a 401 if the token is invalid or expired.
3. Upon successful validation, extract the `sub` (subject/user ID) and `role` claims from the *valid* refresh token.
4. Use these extracted `sub` and `role` values to mint a *new* access token, ensuring the new token reflects the original user's identity and permissions.
5. Write comprehensive regression tests for this endpoint, covering cases for a missing token, an invalid/expired token, and a valid token, asserting the correct HTTP status codes (400, 401, 200) and response payloads.

Focus on clear, secure code and thorough testing. The target stack is Node.js, TypeScript, likely Express or similar framework, and JWT for tokens. Assume the project uses a standard JWT library like `jsonwebtoken`. Provide the necessary code changes and new test files. MVP: Get the basic token validation and new token minting working for a valid token.
Bounty (amount on the issue).

### Bug Description

`POST /api/auth/refresh` currently ignores the request body and calls `refreshToken()` without validating any supplied refresh token. The service then returns a new access token for the hard-coded `usr_existing` user, so an unauthenticated caller can mint a fresh client token without presenting any credential.

### Expected Behavior

The refresh endpoint should require a token in the request body, reject missing or invalid tokens, and only issue a replacement access token for the subject and role contained in a valid token.

### Reproduction

1. Start the API.
2. Send `POST /api/auth/refresh` with `{}` or no token.
3. Observe that the current code path mints a successful token instead of returning a 400/401 response.

### Proposed Fix

- Add a refresh request schema requiring `token`.
- Verify the supplied token before refreshing.
- Preserve the decoded `sub` and `role` when issuing the replacement access token.
- Add regression tests for missing, invalid, and valid token refresh requests.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to wo
Standard for any GitHub-based project.
Standard for JavaScript/TypeScript development.
Core skill for the operator.
Familiarity with JWT creation and verification is essential.
Create a new issue on the SecureBananaLabs/bug-bounty repository with the same contents as #1750, explicitly stating your intent to work on it and referencing #1750 as per their instruction.
“I've reviewed the bug in issue #1750 and have identified a clear path to resolution, including proper token validation and regression tests. I've set up a new issue to track my work and will prepare a PR with a robust fix and tests. Happy to discuss further.”