Clear the auth cookie if it was tampered or JWT secret was changed (k…

…riasoft#1242)
arnigudj · Apr 28, 2017 · 1643db9 · 1643db9
1 parent 9b3d9c8
commit 1643db9
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/server.js b/src/server.js
@@ -11,7 +11,7 @@ import path from 'path';
 import express from 'express';
 import cookieParser from 'cookie-parser';
 import bodyParser from 'body-parser';
-import expressJwt from 'express-jwt';
+import expressJwt, { UnauthorizedError as Jwt401Error } from 'express-jwt';
 import expressGraphQL from 'express-graphql';
 import jwt from 'jsonwebtoken';
 import React from 'react';
@@ -54,6 +54,17 @@ app.use(expressJwt({
   credentialsRequired: false,
   getToken: req => req.cookies.id_token,
 }));
+// Error handler for express-jwt
+app.use((err, req, res, next) => { // eslint-disable-line no-unused-vars
+  if (err instanceof Jwt401Error) {
+    console.error('[express-jwt-error]', req.cookies.id_token);
+    // `clearCookie`, otherwise user can't use web-app until cookie expires
+    res.clearCookie('id_token');
+  } else {
+    next(err);
+  }
+});
+
 app.use(passport.initialize());
 
 if (__DEV__) {