csrf token handling, two jwt tokens

2025-11-26 14:25:49 -05:00
parent f3a356d64b
commit 8b10103ae4
8 changed files with 114 additions and 76 deletions
--- a/backend/routes/messages.js
+++ b/backend/routes/messages.js
@@ -392,7 +392,8 @@ router.get('/images/:filename',
  helmet.crossOriginResourcePolicy({ policy: "cross-origin" }),
  async (req, res) => {
  try {
-    const { filename } = req.params;
+    // Sanitize filename to prevent path traversal attacks
+    const filename = path.basename(req.params.filename);

    // Verify user is sender or receiver of a message with this image
    const message = await Message.findOne({