refactor: centralize JWT verification

j4w8n · Apr 9, 2024 · dfe2383 · dfe2383
1 parent 1973105
commit dfe2383
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 20 deletions.
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -1,6 +1,8 @@
 import { PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY } from '$env/static/public'
 import { createServerClient } from '@supabase/ssr'
 import type { Handle } from '@sveltejs/kit'
+import { JWT_SECRET } from '$env/static/private'
+import jwt from 'jsonwebtoken'
 
 export const handle: Handle = async ({ event, resolve }) => {
   event.locals.supabase = createServerClient(
@@ -27,6 +29,17 @@ export const handle: Handle = async ({ event, resolve }) => {
     const {
       data: { session },
     } = await event.locals.supabase.auth.getSession()
+
+    if (!session) return null
+
+    /* Ensures the session is valid. See README Security section for details. */
+    try {
+      jwt.verify(session.access_token, JWT_SECRET, (err) => { 
+        if (err) throw new Error()
+      })
+    } catch (err) {
+      return null
+    }
 
     return session
   }

diff --git a/src/routes/(authenticated)/+layout.server.ts b/src/routes/(authenticated)/+layout.server.ts
@@ -1,12 +1,7 @@
-import { JWT_SECRET } from '$env/static/private'
 import { redirect } from '@sveltejs/kit'
-import jwt from 'jsonwebtoken'
 
 export const load = async ({ locals: { getSession } }) => {
   const session = await getSession()
 
   if (!session) redirect(307, '/auth')
-
-  /* Ensures the session, sourced from a cookie, is not fake. See README for details. */
-  jwt.verify(session.access_token, JWT_SECRET, (err) => { if (err) redirect(307, '/auth') })
 }
diff --git a/src/routes/(authenticated)/admin/+page.server.ts b/src/routes/(authenticated)/admin/+page.server.ts
@@ -1,14 +1,9 @@
-import { JWT_SECRET } from '$env/static/private'
 import { redirect } from '@sveltejs/kit'
-import jwt from 'jsonwebtoken'
 
 export const load = async ({ locals: { getSession } }) => {
   const session = await getSession()
 
   if (!session) redirect(307, '/auth')
 
-  /* Ensures the session, sourced from a cookie, is not fake. See README for details. */
-  jwt.verify(session.access_token, JWT_SECRET, (err) => { if (err) redirect(307, '/auth') })
-
   return { session }
 }
diff --git a/src/routes/(authenticated)/app/+page.server.ts b/src/routes/(authenticated)/app/+page.server.ts
@@ -1,12 +1,7 @@
-import { JWT_SECRET } from '$env/static/private'
 import { redirect } from '@sveltejs/kit'
-import jwt from 'jsonwebtoken'
 
 export const load = async ({ locals: { getSession } }) => {
   const session = await getSession()
 
   if (!session) redirect(307, '/auth')
-
-  /* Ensures the session, sourced from a cookie, is not fake. See README for details. */
-  jwt.verify(session.access_token, JWT_SECRET, (err) => { if (err) redirect(307, '/auth') })
 }
diff --git a/src/routes/+layout.server.ts b/src/routes/+layout.server.ts
@@ -1,14 +1,9 @@
-import { JWT_SECRET } from '$env/static/private'
 import { redirect } from '@sveltejs/kit'
-import jwt from 'jsonwebtoken'
 
 export const load = async ({ locals: { getSession } }) => {
   const session = await getSession()
 
   if (!session) redirect(307, '/auth')
 
-  /* Ensures the session, sourced from a cookie, is not fake. See README for details. */
-  jwt.verify(session.access_token, JWT_SECRET, (err) => { if (err) redirect(307, '/auth') })
-
   return { session }
 }