diff --git a/.env.test b/.env.test
index fa09bedff2..6f4a218869 100644
--- a/.env.test
+++ b/.env.test
@@ -30,3 +30,8 @@ RATE_LIMITER_ENABLED=false
 FILE_STORAGE=local
 FILE_STORAGE_LOCAL_ROOT_DIR=/tmp
+
+URL=http://localhost:3000
+COLLABORATION_URL=
+REDIS_URL=redis://localhost:6379
+UTILS_SECRET=test-utils-secret
diff --git a/server/routes/auth/index.test.ts b/server/routes/auth/index.test.ts
index f0aef1adfb..d25cd53a0d 100644
--- a/server/routes/auth/index.test.ts
+++ b/server/routes/auth/index.test.ts
@@ -32,4 +32,15 @@ describe("auth/redirect", () => {
     expect(res.headers.get("location")).not.toBeNull();
     expect(res.headers.get("location")!.endsWith(collection.url)).toBeTruthy();
   });
+
+  it("should prevent token extension by rejecting JWT tokens", async () => {
+    const user = await buildUser();
+    const jwtToken = user.getJwtToken();
+
+    const res = await server.get(`/auth/redirect?token=${jwtToken}`, {
+      redirect: "manual",
+    });
+
+    expect(res.status).toEqual(401);
+  });
 });
diff --git a/server/routes/auth/index.ts b/server/routes/auth/index.ts
index 552f5e5a22..146f2e4961 100644
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
@@ -30,7 +30,7 @@ router.get("/redirect", authMiddleware(), async (ctx: APIContext) => {
   const { user } = ctx.state.auth;
   const jwtToken = user.getJwtToken();
 
-  if (jwtToken === ctx.params.token) {
+  if (jwtToken === ctx.state.auth.token) {
     throw AuthenticationError("Cannot extend token");
   }
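Review bot: `UTILS_SECRET=test-utils-secret` commits a fixed secret value to the repository, which is fine for a test fixture only if nothing outside the test runner ever reads `.env.test`; this diff does not show how the file is selected, so that gating is worth confirming. A one-line comment above the added block, `# test fixtures only: these values are not real secrets and must not be reused elsewhere`, documents the intent and gives secret scanners a file to allow-list rather than a finding to triage. `COLLABORATION_URL=` is set to an empty string rather than left unset; if the environment validator distinguishes empty from missing, the same comment should say which behaviour is intended.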
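Review bot: The new test compares a token minted in the test (`user.getJwtToken()`) with one minted again inside the route, so it is deterministic only if `getJwtToken()` returns the same string on repeated calls; if it embeds an issued-at timestamp, as JWT libraries commonly do by default, a second boundary between the two calls makes the tokens differ, the route no longer throws, and the expected 401 becomes a flaky failure. Consider freezing time around the two calls if the suite's runner supports it, or asserting on the error body as well as `res.status` so a failure is attributable. The test only exercises the query-string path; if `authMiddleware()` also accepts the token from a header, a second case on that path would cover the other entry point. `describe("auth/redirect")` starts outside the hunk.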
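Review bot: The replaced condition reads as a near-tautology to anyone who does not know why it changed, and the new line carries no comment; the removed `ctx.params.token` appears to be a route-parameter lookup that is never populated for a query-string token, so the old guard could not fire, while `ctx.state.auth.token` is whatever credential the middleware actually accepted. A why-comment above the `if` would preserve that: `// ctx.state.auth.token is the credential authMiddleware accepted; a full session JWT here means the caller is trying to mint a new session from an existing one, which must be refused`. The guard is also a whole-string equality against a token minted in this request, so if `getJwtToken()` embeds an issued-at claim an older session token would not match and would pass the guard; a check on the decoded token's claims or on the token kind the middleware already established would be the robust form. The handler `router.get("/redirect", …)` continues past the hunk.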