fix: pin JWT algorithm to HS256 and harden token security

- Add { algorithms: ['HS256'] } to all jwt.verify() calls to prevent
  algorithm confusion attacks (including the 'none' algorithm)
- Add { algorithm: 'HS256' } to all jwt.sign() calls for consistency
- Reduce OIDC token payload to only { id } (was leaking username, email, role)
- Validate OIDC redirect URI against APP_URL env var when configured
- Add startup warning when JWT_SECRET is auto-generated

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8

server/src/config.ts

@@ -23,4 +23,6 @@ if (!JWT_SECRET) {
   }
 }
 
-export { JWT_SECRET };
+const JWT_SECRET_IS_GENERATED = !process.env.JWT_SECRET;
+
+export { JWT_SECRET, JWT_SECRET_IS_GENERATED };

server/src/mcp/index.ts

@@ -90,7 +90,7 @@ function verifyToken(authHeader: string | undefined): User | null {
 
   // Short-lived JWT
   try {
-    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
     const user = db.prepare(
       'SELECT id, username, email, role FROM users WHERE id = ?'
     ).get(decoded.id) as User | undefined;

server/src/middleware/auth.ts

@@ -14,7 +14,7 @@ const authenticate = (req: Request, res: Response, next: NextFunction): void =>
   }
 
   try {
-    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
     const user = db.prepare(
       'SELECT id, username, email, role FROM users WHERE id = ?'
     ).get(decoded.id) as User | undefined;
@@ -39,7 +39,7 @@ const optionalAuth = (req: Request, res: Response, next: NextFunction): void =>
   }
 
   try {
-    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
     const user = db.prepare(
       'SELECT id, username, email, role FROM users WHERE id = ?'
     ).get(decoded.id) as User | undefined;

server/src/middleware/mfaPolicy.ts

@@ -51,7 +51,7 @@ export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFu
 
   let userId: number;
   try {
-    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
     userId = decoded.id;
   } catch {
     next();

server/src/routes/auth.ts

@@ -158,7 +158,7 @@ function generateToken(user: { id: number | bigint }) {
   return jwt.sign(
     { id: user.id },
     JWT_SECRET,
-    { expiresIn: '24h' }
+    { expiresIn: '24h', algorithm: 'HS256' }
   );
 }
 
@@ -315,7 +315,7 @@ router.post('/login', authLimiter, (req: Request, res: Response) => {
     const mfa_token = jwt.sign(
       { id: Number(user.id), purpose: 'mfa_login' },
       JWT_SECRET,
-      { expiresIn: '5m' }
+      { expiresIn: '5m', algorithm: 'HS256' }
     );
     return res.json({ mfa_required: true, mfa_token });
   }
@@ -686,7 +686,7 @@ router.post('/mfa/verify-login', authLimiter, (req: Request, res: Response) => {
     return res.status(400).json({ error: 'Verification token and code are required' });
   }
   try {
-    const decoded = jwt.verify(mfa_token, JWT_SECRET) as { id: number; purpose?: string };
+    const decoded = jwt.verify(mfa_token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number; purpose?: string };
     if (decoded.purpose !== 'mfa_login') {
       return res.status(401).json({ error: 'Invalid verification token' });
     }

server/src/routes/oidc.ts

@@ -80,11 +80,11 @@ async function discover(issuer: string) {
   return doc;
 }
 
-function generateToken(user: { id: number; username: string; email: string; role: string }) {
+function generateToken(user: { id: number }) {
   return jwt.sign(
-    { id: user.id, username: user.username, email: user.email, role: user.role },
+    { id: user.id },
     JWT_SECRET,
-    { expiresIn: '24h' }
+    { expiresIn: '24h', algorithm: 'HS256' }
   );
 }
 
@@ -121,9 +121,15 @@ router.get('/login', async (req: Request, res: Response) => {
   try {
     const doc = await discover(config.issuer);
     const state = crypto.randomBytes(32).toString('hex');
-    const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
+    const appUrl = process.env.APP_URL || (db.prepare("SELECT value FROM app_settings WHERE key = 'app_url'").get() as { value: string } | undefined)?.value;
-    const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
+    let redirectUri: string;
-    const redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
+    if (appUrl) {
+      redirectUri = `${appUrl.replace(/\/+$/, '')}/api/auth/oidc/callback`;
+    } else {
+      const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
+      const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
+      redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
+    }
     const inviteToken = req.query.invite as string | undefined;
 
     pendingStates.set(state, { createdAt: Date.now(), redirectUri, inviteToken });

server/src/websocket.ts

@@ -24,9 +24,28 @@ let nextSocketId = 1;
 
 let wss: WebSocketServer | null = null;
 
+// Per-connection message rate limiting
+const WS_MSG_LIMIT = 30;        // max messages
+const WS_MSG_WINDOW = 10_000;   // per 10 seconds
+const socketMsgCounts = new WeakMap<NomadWebSocket, { count: number; windowStart: number }>();
+
 /** Attaches a WebSocket server with JWT auth, room-based trip channels, and heartbeat keep-alive. */
 function setupWebSocket(server: http.Server): void {
-  wss = new WebSocketServer({ server, path: '/ws' });
+  const allowedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
+    : null;
+
+  wss = new WebSocketServer({
+    server,
+    path: '/ws',
+    maxPayload: 64 * 1024, // 64 KB max message size
+    verifyClient: allowedOrigins
+      ? ({ origin }, cb) => {
+          if (!origin || allowedOrigins.includes(origin)) cb(true);
+          else cb(false, 403, 'Origin not allowed');
+        }
+      : undefined,
+  });
 
   const HEARTBEAT_INTERVAL = 30000; // 30 seconds
   const heartbeat = setInterval(() => {
@@ -53,7 +72,7 @@ function setupWebSocket(server: http.Server): void {
 
     let user: User | undefined;
     try {
-      const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+      const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }) as { id: number };
       user = db.prepare(
         'SELECT id, username, email, role, mfa_enabled FROM users WHERE id = ?'
       ).get(decoded.id) as User | undefined;
@@ -81,14 +100,33 @@ function setupWebSocket(server: http.Server): void {
 
     nws.on('pong', () => { nws.isAlive = true; });
 
+    socketMsgCounts.set(nws, { count: 0, windowStart: Date.now() });
+
     nws.on('message', (data) => {
+      // Rate limiting
+      const rate = socketMsgCounts.get(nws)!;
+      const now = Date.now();
+      if (now - rate.windowStart > WS_MSG_WINDOW) {
+        rate.count = 1;
+        rate.windowStart = now;
+      } else {
+        rate.count++;
+        if (rate.count > WS_MSG_LIMIT) {
+          nws.send(JSON.stringify({ type: 'error', message: 'Rate limit exceeded' }));
+          return;
+        }
+      }
+
       let msg: { type: string; tripId?: number | string };
       try {
         msg = JSON.parse(data.toString());
       } catch {
-        return;
+        return; // Malformed JSON, ignore
       }
 
+      // Basic validation
+      if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') return;
+
       if (msg.type === 'join' && msg.tripId) {
         const tripId = Number(msg.tripId);
         // Verify the user has access to this trip