From c3dcf24e5056854c99ec1af7e32863aedf43e50b Mon Sep 17 00:00:00 2001
From: Alexey
Date: Wed, 6 Aug 2025 16:36:55 +0300
Subject: [PATCH] improve jwt
---
 com/Auth/DeleteUnit.lua | 5 +++++
 com/Auth/GetAccess.lua | 6 +++++-
 com/Auth/PutNewUnit.lua | 5 +++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/com/Auth/DeleteUnit.lua b/com/Auth/DeleteUnit.lua
index 2d33839..68b5740 100644
--- a/com/Auth/DeleteUnit.lua
+++ b/com/Auth/DeleteUnit.lua
@@ -6,6 +6,7 @@ local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
 local jwt = require("internal.crypt.jwt")
+local sha256 = require("internal.crypt.sha256")
 local params = session.request.params.get()
 local token = session.request.headers.get("authorization")
@@ -50,6 +51,10 @@ if data.session_uuid ~= session.id then
 return error_response("Access denied")
 end
+if data.key ~= sha256.sum(session.request.address .. session.id .. session.request.headers.get("user-agent", "noagent")) then return error_response("Access denied") end +if not params then return error_response("no params provided") end
diff --git a/com/Auth/GetAccess.lua b/com/Auth/GetAccess.lua
index 2b8bb30..14da4bf 100644
--- a/com/Auth/GetAccess.lua
+++ b/com/Auth/GetAccess.lua
@@ -6,6 +6,7 @@ local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
 local jwt = require("internal.crypt.jwt")
+local sha256 = require("internal.crypt.sha256")
 local params = session.request.params.get()
 local secret = require("_config").token()
@@ -61,7 +62,10 @@ end
 local token = jwt.encode({
 secret = secret,
- payload = { session_uuid = session.id, admin_user = params.username },
+ payload = { session_uuid = session.id, admin_user = params.username, key = sha256.sum(session.request.address .. session.id .. session.request.headers.get("user-agent", "noagent")) },
 expires_in = 3600
 })
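Review bot: The fingerprint in the new `if data.key ~= sha256.sum(...)` guard in DeleteUnit.lua is recomputed inline from `session.request.address`, `session.id` and the User-Agent with bare `..` concatenation, and the identical expression is hand-copied into GetAccess.lua and PutNewUnit.lua in this same patch, so any later drift between issuer and verifier (a different default for a missing UA, a changed field order) silently becomes a blanket "Access denied". I would move the derivation into one shared function that all three files call, and delimit the fields so the preimage cannot be re-split at the boundaries, e.g. `sha256.sum(table.concat({ session.request.address, session.id, ua }, "\n"))` with `ua` taken from the same `headers.get("user-agent", "noagent")` call. The check is fail-closed by construction: a token minted before this patch has `data.key == nil`, which compares unequal to the hash and is rejected, so deploying this invalidates every existing token — worth a comment such as `-- token must have been minted from this client address/UA; pre-existing tokens lack key and are rejected`. Whether `session.request.address` is the real client address or a reverse proxy's is not visible here; if it is the proxy, the binding adds nothing across clients, and if clients sit behind changing NAT or mobile addresses they will be denied mid-session. The `jwt.decode` that produces `data` is above this hunk, so the guard only has value if that step has already verified the signature.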
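Review bot: The `key` added to the payload in GetAccess.lua is a plain SHA-256 over values the client can observe or choose (`session.request.address`, `session.id`, User-Agent) with no secret and no separator, so it is a client binding whose integrity rests entirely on the JWT signature, not an authenticator, and the concatenation `address .. id .. ua` is ambiguous where the fields meet. The User-Agent factor is fully attacker-controlled, so the address is the only part that resists replay of a stolen token, and that depends on whether `session.request.address` is the real client address behind whatever fronts this service, which is not visible here. I would give the derivation a delimiter and a single home that the Auth/* verifiers share instead of three hand-copied expressions, and document the contract on the token, e.g. `-- key: sha256 client fingerprint; every Auth/* verifier recomputes and compares it, so it must be derived identically there`. The helper is shown local below for illustration; it belongs in a shared module that DeleteUnit.lua and PutNewUnit.lua require as well. The `jwt.encode` call starts inside the hunk; the `params` checks that precede it are outside.
```lua
-- Fingerprint of the requesting client, embedded in the signed token and
-- recomputed by every Auth/* verifier. Fields are delimited so the preimage
-- cannot be re-split; "noagent" stands in for a missing User-Agent header.
local function client_key()
  local ua = session.request.headers.get("user-agent", "noagent")
  return sha256.sum(table.concat({ session.request.address, session.id, ua }, "\n"))
end

local token = jwt.encode({
  secret = secret,
  payload = { session_uuid = session.id, admin_user = params.username, key = client_key() },
  expires_in = 3600
})
```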
diff --git a/com/Auth/PutNewUnit.lua b/com/Auth/PutNewUnit.lua
index 570ea7e..3a140f4 100644
--- a/com/Auth/PutNewUnit.lua
+++ b/com/Auth/PutNewUnit.lua
@@ -6,6 +6,7 @@ local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
 local jwt = require("internal.crypt.jwt")
+local sha256 = require("internal.crypt.sha256")
 local params = session.request.params.get()
 local token = session.request.headers.get("authorization")
@@ -50,6 +51,10 @@ if data.session_uuid ~= session.id then
 return error_response("Access denied")
 end
+if data.key ~= sha256.sum(session.request.address .. session.id .. session.request.headers.get("user-agent", "noagent")) then return error_response("Access denied") end +if not params then return error_response("no params provided") end
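Review bot: The new `data.key` comparison in PutNewUnit.lua sits directly after the `data.session_uuid ~= session.id` guard, so the `session.id` inside the hash is already verified one line earlier and only `session.request.address` and the User-Agent contribute new binding; since the User-Agent is attacker-chosen, this is in practice an address pin, and a comment should say so to keep the next maintainer from reading the hash as a secret, e.g. `-- address/UA binding only; integrity comes from the JWT signature checked above, not from this hash`. Because `nil ~= string` is true, tokens minted before `key` existed are rejected here as well, which is the right default but means this verifier and GetAccess.lua have to deploy together. The inline `sha256.sum(a .. b .. c)` expression is duplicated verbatim across DeleteUnit.lua and GetAccess.lua with no delimiter between fields; a single shared helper with a separator would keep issuer and verifiers from drifting apart. The `jwt.decode` that produces `data` and the rest of this handler are outside the hunk.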