Improve security and configuration of multiple web application functions

Update JWT verification in image upload and email change functions, make geolocation API configurable, and enhance error handling in Supabase Edge Functions.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 364fb426-1d27-49b2-a244-a34e41c335e4
Replit-Commit-Checkpoint-Type: full_checkpoint
pac7
2025-10-08 12:33:05 +00:00
parent 32a83013e5
commit ced8fb6015


@@ -6,7 +6,9 @@ ThrillWiki is a community-driven web application for discovering, reviewing, and
## Recent Changes (October 8, 2025)
### Security Enhancements
- **Fixed JWT Decoding Security Vulnerability:** Updated `cancel-email-change` Edge Function to properly handle base64url encoding used by JWT tokens. Replaced browser-specific decoding with a secure implementation that correctly normalizes URL-safe characters and adds proper padding.
- **Enabled JWT Verification for Image Upload:** Changed `upload-image` Edge Function to `verify_jwt = true` in `supabase/config.toml`. This ensures Supabase validates JWT tokens before the function executes, preventing unauthorized access to image upload/delete operations.
- **Replaced Manual JWT Decoding with Supabase Verification:** Updated `cancel-email-change` Edge Function to use Supabase's built-in `auth.getUser(token)` method with service role client instead of manual base64 decoding. This approach properly verifies JWT tokens using only runtime-available environment variables (SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY) while maintaining admin privileges for database operations.
- **Made Geolocation API Configurable:** Updated `detect-location` Edge Function to use environment variables for geolocation service configuration. The API URL (`GEOLOCATION_API_URL`) and fields (`GEOLOCATION_API_FIELDS`) are now configurable, with sensible defaults (ip-api.com) for easier service switching and testing.
- **Enhanced Error Handling:** Added comprehensive error handling to all Supabase Edge Functions with granular try-catch blocks for network requests, JSON parsing, and API responses. Improves reliability and provides detailed error messages for debugging.
## Recent Changes (October 7, 2025)
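Review bot: the first and third bullets under "Security Enhancements" both describe the `cancel-email-change` Edge Function and contradict each other: the first records a hardened base64url decoder as the fix, while the third says manual decoding was replaced entirely by `auth.getUser(token)` on a service-role client. Decoding a JWT, however correctly padded, verifies nothing about its signature, so the first bullet should not stand on its own as a security fix; fold it into the third (or drop it) so the changelog documents one approach for that function. In the `upload-image` entry, it would also help to state that `verify_jwt = true` only checks that the caller presents a valid, unexpired Supabase JWT; the function body still has to check that the authenticated user owns the image it is asked to delete, otherwise "preventing unauthorized access" overstates what the config change alone achieves.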