Summary
The /reauth and /share endpoints check that OSC_ACCESS_TOKEN is present but do not validate its format. A misconfigured or truncated token passes the check, so the request proceeds to the OSC API with an invalid credential and the problem only surfaces when the upstream call is rejected.
Location
src/api_re_auth.ts line ~4
src/api_share.ts line ~31
Current Check
if (!OSC_ACCESS_TOKEN) {
reply.status(500).send({ error: 'OSC_ACCESS_TOKEN not configured' });
return;
}
// token used as-is without format validation
Recommended Fix
Add a minimal format check (OSC tokens are JWTs, i.e. three non-empty base64url segments separated by dots):
const isValidJwt = (token: string) =>
  /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
if (!OSC_ACCESS_TOKEN || !isValidJwt(OSC_ACCESS_TOKEN)) {
  reply.status(500).send({ error: 'OSC_ACCESS_TOKEN is missing or malformed' });
  return;
}
Note the hyphen is placed last inside each character class. Written as [A-Za-z0-9-_], the 9-_ part is a range from '9' to '_' and also admits ':', ';', '<', '=', '>', '?', '@', '[', '\', ']' and '^', which defeats the purpose of the check. The signature segment is required to be non-empty so that a token cut off after the second dot is rejected as well.
This catches copy-paste errors and partial token values before they reach the OSC API. It is a syntactic check only: a well-formed token that is expired, revoked or issued for a different environment still passes, so the handlers must continue to treat an authentication error from the OSC API as a failure. Because OSC_ACCESS_TOKEN is static configuration, the same check can also run once at startup so a bad value fails fast instead of on the first request.
Priority: MEDIUM