From 2772de276623e03c7f177e04f18112f5c1e9c571 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Sat, 13 Dec 2025 15:02:39 -0500
Subject: [PATCH] Fix security check in /auth/redirect comparing against undefined ctx.params.token (#10894)
* Initial plan
* Fix security check in /auth/redirect to use ctx.state.auth.token instead of ctx.params.token
Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
--------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
---
 .env.test | 5 +++++
 server/routes/auth/index.test.ts | 11 +++++++++++
 server/routes/auth/index.ts | 2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.env.test b/.env.test
index fa09bedff2..6f4a218869 100644
--- a/.env.test
+++ b/.env.test
@@ -30,3 +30,8 @@ RATE_LIMITER_ENABLED=false FILE_STORAGE=local FILE_STORAGE_LOCAL_ROOT_DIR=/tmp + +URL=http://localhost:3000 +COLLABORATION_URL= +REDIS_URL=redis://localhost:6379 +UTILS_SECRET=test-utils-secret
diff --git a/server/routes/auth/index.test.ts b/server/routes/auth/index.test.ts
index f0aef1adfb..d25cd53a0d 100644
--- a/server/routes/auth/index.test.ts
+++ b/server/routes/auth/index.test.ts
@@ -32,4 +32,15 @@ describe("auth/redirect", () => {
     expect(res.headers.get("location")).not.toBeNull();
     expect(res.headers.get("location")!.endsWith(collection.url)).toBeTruthy();
   });
+
+  it("should prevent token extension by rejecting JWT tokens", async () => {
+    const user = await buildUser();
+    const jwtToken = user.getJwtToken();
+
+    const res = await server.get(`/auth/redirect?token=${jwtToken}`, {
+      redirect: "manual",
+    });
+
+    expect(res.status).toEqual(401);
+  });
 });
diff --git a/server/routes/auth/index.ts b/server/routes/auth/index.ts
index 552f5e5a22..146f2e4961 100644
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
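Review bot: The new `it("should prevent token extension by rejecting JWT tokens")` case in index.test.ts only asserts `expect(res.status).toEqual(401)`, and a 401 on this route could equally come from the auth middleware refusing the token for another reason, so the test does not establish that the `Cannot extend token` guard is the one that fired. Add an assertion on the error response itself, in whatever shape the other tests in this file read error bodies, so that a regression that merely rejects all tokens does not keep the test green. The request also signs the session token with `user.getJwtToken()` immediately before sending it; whether that is enough for the guard to match is raised separately on the index.ts hunk.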
@@ -30,7 +30,7 @@ router.get("/redirect", authMiddleware(), async (ctx: APIContext) => { const { user } = ctx.state.auth; const jwtToken = user.getJwtToken(); - if (jwtToken === ctx.params.token) { + if (jwtToken === ctx.state.auth.token) { throw AuthenticationError("Cannot extend token"); }
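Review bot: The guard `if (jwtToken === ctx.state.auth.token)` recognises a session JWT by string-comparing the presented token with one freshly signed by `user.getJwtToken()`, which is only sound if signing is fully deterministic; if `getJwtToken` signs with jsonwebtoken's default options (which add an `iat` claim in seconds), a session token issued even one second earlier would no longer compare equal and would pass this check unchanged, and the new test in index.test.ts, which signs right before the request, can flake across a second boundary. A more robust check would decide on the decoded token's own claims rather than by regenerating a token: if authMiddleware exposes the decoded token type on `ctx.state.auth`, reject anything that is not the short-lived transfer token there, and otherwise decode the presented token in this handler and inspect its type claim. The comparison also relies on authMiddleware populating `ctx.state.auth.token` with the raw presented token; worth confirming against the middleware, since the previous `ctx.params.token` was undefined without anyone noticing. The `router.get("/redirect", …)` handler begins before this hunk and continues after it.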