fix: pin JWT algorithm to HS256 and harden token security

- Add { algorithms: ['HS256'] } to all jwt.verify() calls to prevent
  algorithm confusion attacks (including the 'none' algorithm)
- Add { algorithm: 'HS256' } to all jwt.sign() calls for consistency
- Reduce OIDC token payload to only { id } (was leaking username, email, role)
- Validate OIDC redirect URI against APP_URL env var when configured
- Add startup warning when JWT_SECRET is auto-generated

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8

server/src/routes/auth.ts

@@ -158,7 +158,7 @@ function generateToken(user: { id: number | bigint }) {
   return jwt.sign(
     { id: user.id },
     JWT_SECRET,
-    { expiresIn: '24h' }
+    { expiresIn: '24h', algorithm: 'HS256' }
   );
 }
 
@@ -315,7 +315,7 @@ router.post('/login', authLimiter, (req: Request, res: Response) => {
     const mfa_token = jwt.sign(
       { id: Number(user.id), purpose: 'mfa_login' },
       JWT_SECRET,
-      { expiresIn: '5m' }
+      { expiresIn: '5m', algorithm: 'HS256' }
     );
     return res.json({ mfa_required: true, mfa_token });
   }
@@ -686,7 +686,7 @@ router.post('/mfa/verify-login', authLimiter, (req: Request, res: Response) => {
     return res.status(400).json({ error: 'Verification token and code are required' });
   }
   try {
-    const decoded = jwt.verify(mfa_token, JWT_SECRET) as { id: number; purpose?: string };
+    const decoded = jwt.verify(mfa_token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number; purpose?: string };
     if (decoded.purpose !== 'mfa_login') {
       return res.status(401).json({ error: 'Invalid verification token' });
     }

server/src/routes/oidc.ts

@@ -80,11 +80,11 @@ async function discover(issuer: string) {
   return doc;
 }
 
-function generateToken(user: { id: number; username: string; email: string; role: string }) {
+function generateToken(user: { id: number }) {
   return jwt.sign(
-    { id: user.id, username: user.username, email: user.email, role: user.role },
+    { id: user.id },
     JWT_SECRET,
-    { expiresIn: '24h' }
+    { expiresIn: '24h', algorithm: 'HS256' }
   );
 }
 
@@ -121,9 +121,15 @@ router.get('/login', async (req: Request, res: Response) => {
   try {
     const doc = await discover(config.issuer);
     const state = crypto.randomBytes(32).toString('hex');
-    const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
-    const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
-    const redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
+    const appUrl = process.env.APP_URL || (db.prepare("SELECT value FROM app_settings WHERE key = 'app_url'").get() as { value: string } | undefined)?.value;
+    let redirectUri: string;
+    if (appUrl) {
+      redirectUri = `${appUrl.replace(/\/+$/, '')}/api/auth/oidc/callback`;
+    } else {
+      const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
+      const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
+      redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
+    }
     const inviteToken = req.query.invite as string | undefined;
 
     pendingStates.set(state, { createdAt: Date.now(), redirectUri, inviteToken });