fix: Middleware should not throw ERR_JWE_INVALID (#2546)

Author: Piyush-85

src/server/cookies.test.ts

@@ -43,6 +43,20 @@ describe("encrypt/decrypt", async () => {
     expect(decrypted).toBeNull();
   });
 
+  it("should fail to decrypt a tampered payload", async () => {
+    const payload = { key: "value" };
+    const maxAge = 60 * 60; // 1 hour in seconds
+    const expiration = Math.floor(Date.now() / 1000 + maxAge);
+    const encrypted = await encrypt(payload, secret, expiration);
+
+    // Tamper with the encrypted payload by shifting the first character
+    const tampered =
+      String.fromCharCode(encrypted.charCodeAt(0) + 1) + encrypted.slice(1);
+
+    const decrypted = await decrypt(tampered, secret);
+    expect(decrypted).toBeNull();
+  });
+
   it("should fail to encrypt if a secret is not provided", async () => {
     const payload = { key: "value" };
     const maxAge = 60 * 60; // 1 hour in seconds

src/server/cookies.ts

@@ -68,7 +68,8 @@ export async function decrypt<T>(
     // When the JWE can not be decrypted or has expired, return null to indicate an invalid cookie and treat it as non-existent.
     if (
       e.code === "ERR_JWE_DECRYPTION_FAILED" ||
-      e.code === "ERR_JWT_EXPIRED"
+      e.code === "ERR_JWT_EXPIRED" ||
+      e.code === "ERR_JWE_INVALID"
     ) {
       return null;
     }

src/server/session/stateful-session-store.ts

@@ -74,7 +74,9 @@ export class StatefulSessionStore extends AbstractSessionStore {
     try {
       const sessionCookie = await cookies.decrypt<SessionCookieValue>(
         cookie.value,
-        this.secret
+        this.secret,
+        undefined,
+        true // throwOnJWEErrors: allow catching ERR_JWE_INVALID to handle legacy sessions
       );
 
       if (sessionCookie === null) {