From 1a723fe4c23152505413db321f30e293b88a270a Mon Sep 17 00:00:00 2001
From: Zac Gaetano
Date: Wed, 27 May 2026 14:04:15 -0400
Subject: [PATCH] =?UTF-8?q?fix(mam-api):=20requireAuth=20=E2=80=94=20stamp?= =?UTF-8?q?=20last=5Fseen=5Fat=20after=20user=20confirmation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Code-review feedback: writing last_seen_at = now before loadUser() lets the stamp persist if the lookup throws (resave:false still writes when modified), extending the idle window without confirming the user exists. Also clarify DEV_USER_ID is a specific placeholder, not a generic sentinel.
---
 services/mam-api/src/middleware/auth.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/mam-api/src/middleware/auth.js b/services/mam-api/src/middleware/auth.js
index 234c364..d0bdec2 100644
--- a/services/mam-api/src/middleware/auth.js
+++ b/services/mam-api/src/middleware/auth.js
@@ -2,6 +2,7 @@ import pool from '../db/pool.js';
 import { parseBearer, hashToken } from '../auth/tokens.js';
 
 // Stable UUID matching migration 023's seeded dev user.
+/** UUID of the seeded dev-mode placeholder. NOT a sentinel for "any unauthenticated user". */
 export const DEV_USER_ID = '00000000-0000-4000-8000-000000000dev';
 export const DEV_USER = { id: DEV_USER_ID, username: 'dev', display_name: 'Dev (AUTH_ENABLED=false)' };
 
@@ -35,9 +36,9 @@ export async function requireAuth(req, res, next) {
   const last = req.session.last_seen_at || 0;
   if (now - first > ABSOLUTE_MS) return destroyAnd401(req, res);
   if (now - last > IDLE_MS) return destroyAnd401(req, res);
-  req.session.last_seen_at = now;
   const u = await loadUser(req.session.user_id);
   if (!u) return destroyAnd401(req, res);
+  req.session.last_seen_at = now; // stamp only after user is confirmed; avoids extending idle window if loadUser throws or the user was deleted
   req.user = u;
   return next();
 }
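Review bot: The added JSDoc sits directly under the existing `// Stable UUID matching migration 023's seeded dev user.` line, so DEV_USER_ID now carries two comments saying overlapping things; fold them into one, e.g. `/** Stable UUID matching migration 023's seeded dev user — a dev-mode placeholder, NOT a sentinel for "any unauthenticated user". */`. Separately, the literal `'00000000-0000-4000-8000-000000000dev'` is not a syntactically valid UUID (`v` is not a hex digit), so if the users table's id column is a native uuid type the seed or the lookup would fail to parse it; if the non-hex tail is deliberate to make the value obviously fake, the merged comment should say so.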
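Review bot: The commit message anticipates `loadUser` throwing, but the hunk still lets that rejection escape the async middleware; if this runs on Express 4 (no built-in async error forwarding) the request would hang instead of reaching the error handler, so the lookup should be guarded: `let u; try { u = await loadUser(req.session.user_id); } catch (err) { return next(err); }`. The idle check itself is unaffected by moving the stamp, since `last` is read from the stored session before either write. One thing to confirm is the `|| 0` fallback on `req.session.last_seen_at`: if login does not set that field, the first authenticated request computes `now - 0 > IDLE_MS` and is rejected, so either login must stamp it or `first` should be the fallback. Stylistically the trailing comment on the added line is very long; a two-line `//` comment above the assignment would keep the line readable. requireAuth starts before this hunk, so `now` and `first` are defined outside it.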