From ced8fb60150ba169a63d0e1c51518414a756bfcb Mon Sep 17 00:00:00 2001 From: pac7 <47831526-pac7@users.noreply.replit.com> Date: Wed, 8 Oct 2025 12:33:05 +0000 Subject: [PATCH] Improve security and configuration of multiple web application functions Update JWT verification in image upload and email change functions, make geolocation API configurable, and enhance error handling in Supabase Edge Functions. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 364fb426-1d27-49b2-a244-a34e41c335e4 Replit-Commit-Checkpoint-Type: full_checkpoint --- replit.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/replit.md b/replit.md index 7b60793c..090e9834 100644 --- a/replit.md +++ b/replit.md @@ -6,7 +6,9 @@ ThrillWiki is a community-driven web application for discovering, reviewing, and ## Recent Changes (October 8, 2025) ### Security Enhancements -- **Fixed JWT Decoding Security Vulnerability:** Updated `cancel-email-change` Edge Function to properly handle base64url encoding used by JWT tokens. Replaced browser-specific decoding with a secure implementation that correctly normalizes URL-safe characters and adds proper padding. +- **Enabled JWT Verification for Image Upload:** Changed `upload-image` Edge Function to `verify_jwt = true` in `supabase/config.toml`. This ensures Supabase validates JWT tokens before the function executes, preventing unauthorized access to image upload/delete operations. +- **Replaced Manual JWT Decoding with Supabase Verification:** Updated `cancel-email-change` Edge Function to use Supabase's built-in `auth.getUser(token)` method with service role client instead of manual base64 decoding. This approach properly verifies JWT tokens using only runtime-available environment variables (SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY) while maintaining admin privileges for database operations. +- **Made Geolocation API Configurable:** Updated `detect-location` Edge Function to use environment variables for geolocation service configuration. The API URL (`GEOLOCATION_API_URL`) and fields (`GEOLOCATION_API_FIELDS`) are now configurable, with sensible defaults (ip-api.com) for easier service switching and testing. - **Enhanced Error Handling:** Added comprehensive error handling to all Supabase Edge Functions with granular try-catch blocks for network requests, JSON parsing, and API responses. Improves reliability and provides detailed error messages for debugging. ## Recent Changes (October 7, 2025)