Fix refresh token allowing access

Suwayomi · Aug 19, 2023 · bf43902 · bf43902
1 parent 729f91d
commit bf43902
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/server/src/main/kotlin/suwayomi/tachidesk/global/impl/util/Jwt.kt b/server/src/main/kotlin/suwayomi/tachidesk/global/impl/util/Jwt.kt
@@ -66,6 +66,10 @@ object Jwt {
         try {
             val decodedJWT = verifier.verify(jwt)
 
+            require(decodedJWT.getClaim("token_type").asString() == "access") {
+                "Cannot use refresh token to access"
+            }
+
             val user = decodedJWT.subject.toInt()
             val roles: List<String> = decodedJWT.getClaim("roles").asList(String::class.java)
             val permissions: List<String> = decodedJWT.getClaim("permissions").asList(String::class.java)