From a233e04221a106d7e3854560ec1bd830ca088832 Mon Sep 17 00:00:00 2001
From: Litezy
Date: Mon, 29 Jun 2026 20:54:14 +0100
Subject: [PATCH 1/2] changes

---
 frontend/src/hooks/useStreamEvents.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frontend/src/hooks/useStreamEvents.ts b/frontend/src/hooks/useStreamEvents.ts
index 8bf1b7fa..f782c158 100644
--- a/frontend/src/hooks/useStreamEvents.ts
+++ b/frontend/src/hooks/useStreamEvents.ts
@@ -28,6 +28,7 @@ export function useStreamEvents(
 ): UseStreamEventsReturn {
 const {
 streamIds = [],
+ // userPublicKeys = [],
 subscribeToAll = false,
 autoReconnect = true,
 maxRetryDelay = 30000,

From 9935dc8e4abf897a8a69cdee0c0f55bd8f813b5e Mon Sep 17 00:00:00 2001
From: Litezy
Date: Mon, 29 Jun 2026 21:04:12 +0100
Subject: [PATCH 2/2] fix: enforce explicit JSON body limit and reject JWTs missing exp claim

---
 backend/src/app.ts | 2 +-
 backend/src/middleware/auth.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/src/app.ts b/backend/src/app.ts
index 582ccc02..3faa6f29 100644
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@@ -72,7 +72,7 @@ app.use((err: unknown, req: Request, res: Response, next: NextFunction) => {
 }
 next(err);
 });
-app.use(express.json());
+app.use(express.json({ limit: '1mb' }));
 
 // Sandbox mode detection (before versioning)
 app.use(sandboxMiddleware);
diff --git a/backend/src/middleware/auth.ts b/backend/src/middleware/auth.ts
index b9694d12..1b32bf7e 100644
--- a/backend/src/middleware/auth.ts
+++ b/backend/src/middleware/auth.ts
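Review bot: The added `// userPublicKeys = [],` in the options destructuring is commented-out code with no explanation, and the commit message ("changes") gives none either, so a later reader cannot tell whether per-user filtering was dropped deliberately or left half-finished. Either remove the line or replace it with a note that records the decision, e.g. `// TODO(review): userPublicKeys option intentionally unused for now — see <issue> before re-enabling per-user filtering`. If the option is still declared in the hook's props type (not visible in this hunk), the unused field should be marked deprecated there as well. The enclosing useStreamEvents function starts and ends outside the hunk.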
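Review bot: `express.json({ limit: '1mb' })` does not tighten anything — body-parser's default limit is 100kb, so this hunk raises the accepted JSON body size tenfold while the commit title says the limit is being "enforced". If 1mb is genuinely needed by some endpoint, name the value and say why, e.g. `const JSON_BODY_LIMIT = '1mb'; // raised from the 100kb default for <endpoint>` and `app.use(express.json({ limit: JSON_BODY_LIMIT }));`, or apply the larger limit only on the route that needs it and keep the default globally. Note also that the error handler visible just above this line (`(err, req, res, next) => { … next(err); }`) is registered before the parser, so Express will not route PayloadTooLargeError or JSON SyntaxError from this middleware to it; if no later error handler exists (not visible here), those failures fall through to Express's default handler, which echoes stack traces outside production.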
@@ -104,7 +104,7 @@ export function verifyJwt(token: string): { publicKey: string } | null {
 .digest();
 if (!crypto.timingSafeEqual(Buffer.from(sig, 'base64url'), expected)) return null;
 const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
- if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+ if (typeof payload.exp !== 'number' || payload.exp < Math.floor(Date.now() / 1000)) return null;
 return { publicKey: payload.sub };
 } catch {
 return null;
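Review bot: `typeof payload.exp !== 'number'` still lets `exp: NaN` through, since `NaN < now` is false, so a token with a non-finite exp is accepted as unexpired; and `payload.sub` is returned untyped from `JSON.parse` even though the declared return type promises `publicKey: string`, so a missing or object-valued `sub` propagates to callers. Tighten both lines to `if (!Number.isFinite(payload.exp) || payload.exp < Math.floor(Date.now() / 1000)) return null;` and `if (typeof payload.sub !== 'string' || payload.sub.length === 0) return null;` before the `return { publicKey: payload.sub };`. Consider `Number.isInteger` if exp is expected to be integral per the token profile. The hunk does not show whether the header's `alg` is pinned before the HMAC comparison, which the `timingSafeEqual` check relies on — worth confirming, as verifyJwt's body begins outside this hunk.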