This is a bounty to fix a specific bug in a Node.js API's authentication service. The bug causes a mismatch between the user ID returned during registration and the subject claim in the JWT, because the timestamp-based ID is generated twice. The task involves refactoring the code to generate the ID once, ensuring consistency across the response and the JWT, and adding a unit test.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert Node.js developer. The task is to fix a bug in the `SecureBananaLabs/bug-bounty` repository, specifically issue #2768. The bug is in `apps/api/src/services/authService.js`, where the user ID is generated twice using `Date.now()`: once for the `id` field in the registration response and again for the JWT `sub` claim. This can lead to a mismatch if a millisecond boundary is crossed between the two calls. Your goal is to generate the user ID only once, store it, and ensure that this single ID is used for both the registration response and the JWT `sub` claim. Additionally, add a focused unit test proving that the decoded token's `sub` claim matches `result.id`.

Here's the plan:

1. Fork the `SecureBananaLabs/bug-bounty` repository from GitHub. Focus on the `apps/api` directory.
2. In `apps/api/src/services/authService.js`, identify the existing logic for user ID generation during registration. Refactor it to call `Date.now()` only once to create the user ID.
3. Ensure this single user ID variable is used both for the `id` property in the successful registration response and as the `sub` claim when signing the JWT.
4. Create a new test file or add a test case to an existing relevant test file within the `apps/api` project (e.g., `apps/api/src/services/__tests__/authService.test.js` if it exists, or create `apps/api/src/services/__tests__/registration.test.js`).
5. The test should simulate a user registration, decode the returned JWT, and assert that the `sub` claim in the decoded token exactly matches the `id` returned in the registration response.
6. Provide the refactored `authService.js` code and the new/modified test code. Ensure all existing tests pass and the new test case also passes.
Bounty (amount on the issue). Parent bounty: #743

## Bug

`apps/api/src/services/authService.js` generates a timestamp-based user id twice during registration: once for the returned `id` field and once for the JWT `sub` claim. Current behavior can return one user id while signing the token for a different `sub` if the two `Date.now()` calls cross a millisecond boundary.

## Expected

- Generate the user id once.
- Return that same id in the registration response.
- Sign the access token with that same id as the `sub` claim.
- Add focused service coverage proving the decoded token subject matches `result.id`.

Related reissue: #2674
Standard for any development work.
Standard for JavaScript/TypeScript development.
Package manager for Node.js projects.
Version control for repository operations.
Likely testing framework used in the project; common for Node.js.
Comment directly on GitHub issue #2768, then open a draft pull request referencing the issue.
“I've identified the root cause of issue #2768 and have a working solution that generates the user ID once, ensuring consistency between the registration response and the JWT 'sub' claim, along with a focused unit test. I'll open a draft PR shortly for review.”