fix(audit): mobile critique + sécurité mobile + verifyMobileToken async
Mobile fixes (CRITIQUE): - theme.ts: C.surface + emerald/blue/amber/purple ajoutés (crash Révision fix) - note/[id].tsx: édition préserve le HTML (titre seulement, contenu read-only) + message explicatif 'utilisez la version web' - store.ts: logout appelle POST /api/mobile/auth/logout avant clearToken Mobile auth (SÉCURITÉ): - Nouvelle route /api/mobile/auth/logout — blacklist Redis du token (TTL 90j) - verifyMobileToken devient async + check Redis blacklist - getMobileUserId devient async Note: Publication IA mode + templates déjà dans note-editor-toolbar.tsx (pas manquant) Note: Structured Views Wizard déjà branché via StructuredViewsIntro (pas orphelin)
This commit is contained in:
@@ -19,8 +19,15 @@ export function createMobileToken(userId: string): string {
|
||||
return Buffer.from(`${payload}:${sig}`).toString('base64url')
|
||||
}
|
||||
|
||||
export function verifyMobileToken(token: string): string | null {
|
||||
export async function verifyMobileToken(token: string): Promise<string | null> {
|
||||
try {
|
||||
// Check Redis blacklist first (non-blocking — if Redis is down, allow)
|
||||
try {
|
||||
const { redis } = await import('@/lib/redis')
|
||||
const revoked = await redis.get(`mobile:revoked:${token}`)
|
||||
if (revoked) return null
|
||||
} catch {}
|
||||
|
||||
const decoded = Buffer.from(token, 'base64url').toString('utf-8')
|
||||
const lastColon = decoded.lastIndexOf(':')
|
||||
if (lastColon === -1) return null
|
||||
@@ -41,7 +48,7 @@ export function verifyMobileToken(token: string): string | null {
|
||||
}
|
||||
}
|
||||
|
||||
export function getMobileUserId(request: Request): string | null {
|
||||
export async function getMobileUserId(request: Request): Promise<string | null> {
|
||||
const auth = request.headers.get('Authorization')
|
||||
if (!auth?.startsWith('Bearer ')) return null
|
||||
return verifyMobileToken(auth.slice(7))
|
||||
|
||||
Reference in New Issue
Block a user