This is a bounty to fix a specific bug in a Node.js authentication service. The `registerUser` function generates a user ID twice, leading to potential inconsistencies between the returned ID and the JWT subject claim. The fix requires ensuring the user ID is generated once and reused.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are a senior Node.js developer. I need you to implement a fix for a specific bug in the `SecureBananaLabs/bug-bounty` repository. The issue is described as 'Bug: registerUser signs token with a different generated user id' (issue #1758). Your task is to modify `apps/api/src/services/authService.js`. The core problem is that the `registerUser` service generates a timestamp-based user ID twice (`Date.now()`) for the returned `id` and for the JWT `sub` claim. This can lead to a mismatch if the two calls occur at different milliseconds. Implement a fix that generates the user ID once and reuses that single value for both the response object's `id` and the JWT's `sub` claim. Assume a standard Node.js/Express environment. Provide only the modified `authService.js` file and a brief explanation of the changes. The MVP is a correct, isolated fix for this specific bug. Verify the fix by ensuring the generated user ID is used consistently across the response and the JWT.
Standard for any GitHub-based project.
Bounty (amount on the issue).

## Description

The `registerUser` service currently generates a timestamp-based user ID twice: once for the returned `id` and once for the JWT `sub` claim. If the two `Date.now()` calls land on different milliseconds, the API can return a user whose token points at a different subject.

## Impact

- The returned registration response can contain an `id` that does not match the token subject.
- Authentication middleware or downstream lookups that trust `sub` may not match the newly-created user.
- The service creates an inconsistent auth state before persistence is implemented.

## Expected behavior

Generate the user ID once and reuse that same value for both the response object and the signed access token subject.

## File

`apps/api/src/services/authService.js`

Related to #743

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
Familiarity with Node.js and JavaScript.
Version control.
Comment on the GitHub issue #1758, mentioning that you'd like to attempt the bounty and request permission, referencing issue #743.
“I've reviewed issue #1758 and understand the root cause of the inconsistent user ID generation. I've already prepared a local fix generating the ID once and reusing it consistently for both the response and JWT `sub`. Could I get permission to submit a PR to resolve this bounty, as per the note about 'limited only to the creator of this issue' and #743?”