This is a bug bounty request to fix a critical security vulnerability in a refresh token endpoint. The current implementation issues a new access token for a hardcoded user without validating the provided refresh token, making the refresh mechanism completely insecure. The task is to modify the `refresh` controller and `refreshToken` service to correctly accept, validate, and use a refresh token from the request body to issue a new access token for the authenticated user.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert full-stack developer. The task is to fix a critical security bug in a Node.js API. The `POST /api/auth/refresh` endpoint in `apps/api/src/controllers/authController.js` currently calls `refreshToken()` in `apps/api/src/services/authService.js` with no arguments. The `refreshToken()` function then issues a new access token for a hardcoded user ID (`usr_existing`) without validating any refresh token from the request. This allows anyone to get a valid access token. Your goal is to modify these files to correctly accept a refresh token from the request body, validate it, and then issue a new access token for the user associated with that valid refresh token. Assume a simple JWT-based refresh token validation where the token's signature and expiry are checked, and the user ID is extracted from its payload. If the token is invalid or expired, return an appropriate error. If valid, sign a new access token for the extracted user ID. Focus on clean code, security best practices, and ensuring no hardcoded values remain for user identification. The project uses Node.js, Express, and JWT for tokens. Start by outlining the changes needed in both files, then provide the modified code for `authController.js` and `authService.js`. Provide a minimal test case or verification steps.
Bounty (amount on the issue).

## Bug: Refresh Token Not Validated

**Description:** The `POST /api/auth/refresh` endpoint calls `refreshToken()` with no arguments. The service function ignores any refresh token from the request body and simply issues a new access token for a hardcoded user ID.

**Files:**
- `apps/api/src/controllers/authController.js`
- `apps/api/src/services/authService.js`

**Current code:**

```js
export async function refresh(req, res) {
  const result = await refreshToken();
  return ok(res, result);
}
```

```js
export async function refreshToken() {
  return { token: signAccessToken({ sub: "usr_existing", role: "client" }) };
}
```

**Expected behavior:** The endpoint should accept a refresh token from the request body, validate it, and issue a new access token for the correct user.

**Impact:** High — token refresh mechanism is completely non-functional; anyone can get a valid access token without a refresh token.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more informati
Standard for any GitHub-based project.
Core technologies for backend development; operator likely familiar.
Review JWT validation and refresh token flows to ensure robust security (~4 hours).
Get set up: Create the account/instance, generate the API key or credentials, and add them to your project's environment variables.
Comment on your newly created GitHub issue, then open a draft Pull Request referencing the original bounty.
“I've created a new issue for this bug and have a working fix implemented locally. I'm preparing a PR with the corrected `refresh` endpoint logic and tests, ensuring proper refresh token validation and secure access token issuance. I can submit a draft PR for review very soon.”