Update app.js

app.js

@@ -1,4 +1,3 @@
-
 const express = require('express');
 const admin = require('firebase-admin');
 const jwt = require('jsonwebtoken');
@@ -10,18 +9,11 @@ const app = express();
 app.use(bodyParser.json());
 
 // ---------------------------------------------------------
-// 1. STATE MANAGEMENT (In-Memory DB)
+// 1. STATE MANAGEMENT
 // ---------------------------------------------------------
-
-// Store temporary "proj_" redemption keys.
-// Structure: { "proj_xyz": { uid: "...", projectId: "...", expiresAt: timestamp } }
 const tempKeys = new Map();
-
-// Store JWT Secrets (Hydrated Cache).
-// Structure: { "uid:projectId": { secret: "...", lastAccessed: timestamp } }
 const activeSessions = new Map();
-
-let db = null; // Firebase DB Reference
+let db = null;
 
 // ---------------------------------------------------------
 // 2. FIREBASE INITIALIZATION
@@ -38,20 +30,17 @@ try {
         db = admin.database();
         console.log("🔥 Firebase Connected & StateManager Linked");
     } else {
-        console.warn("⚠️ Memory-Only mode (No Firebase JSON provided).");
+        console.warn("⚠️ Memory-Only mode.");
     }
 } catch (e) {
     console.error("Firebase Init Error:", e);
 }
 
 // ---------------------------------------------------------
-// 3. HELPER FUNCTIONS & MIDDLEWARE
+// 3. MIDDLEWARE
 // ---------------------------------------------------------
-
-// Middleware to verify Firebase ID Token (for /key and /nullify)
-// Includes a Debug Bypass variable
 const verifyFirebaseUser = async (req, res, next) => {
-    const debugMode = process.env.DEBUG_NO_AUTH === 'true'; // Set to true in .env for testing without valid tokens
+    const debugMode = process.env.DEBUG_NO_AUTH === 'true'; 
 
     if (debugMode) {
         req.user = { uid: "debug_user_001" };
@@ -71,7 +60,6 @@ const verifyFirebaseUser = async (req, res, next) => {
             req.user = decodedToken;
             next();
         } else {
-            // Fallback for memory-only mode without validation
             req.user = { uid: "memory_user" };
             next();
         }
@@ -80,24 +68,18 @@ const verifyFirebaseUser = async (req, res, next) => {
     }
 };
 
-// Helper to fetch Secret (Memory -> DB -> 404)
 async function getSessionSecret(uid, projectId) {
     const cacheKey = `${uid}:${projectId}`;
-
-    // 1. Check Memory
     if (activeSessions.has(cacheKey)) {
         const session = activeSessions.get(cacheKey);
-        session.lastAccessed = Date.now(); // Update access time for cleanup
+        session.lastAccessed = Date.now();
         return session.secret;
     }
-
-    // 2. Hydrate from DB
     if (db) {
         try {
             const snapshot = await db.ref(`plugin_oauth/${uid}/${projectId}`).once('value');
             if (snapshot.exists()) {
                 const secret = snapshot.val();
-                // Store in memory for next time
                 activeSessions.set(cacheKey, { secret, lastAccessed: Date.now() });
                 console.log(`💧 Hydrated secret for ${cacheKey} from DB`);
                 return secret;
@@ -106,8 +88,6 @@ async function getSessionSecret(uid, projectId) {
             console.error("DB Read Error:", err);
         }
     }
-
-    // 3. Not found
     return null;
 }
 
@@ -115,15 +95,12 @@ async function getSessionSecret(uid, projectId) {
 // 4. ENDPOINTS
 // ---------------------------------------------------------
 
-// Endpoint: /key
-// Generates a temporary 'proj_' token. Expects Firebase Auth.
 app.post('/key', verifyFirebaseUser, (req, res) => {
     const { projectId } = req.body;
     if (!projectId) return res.status(400).json({ error: 'projectId required' });
 
     const key = `proj_${uuidv4().replace(/-/g, '')}`;
     
-    // Store in memory (valid for 5 minutes)
     tempKeys.set(key, {
         uid: req.user.uid,
         projectId: projectId,
@@ -134,8 +111,6 @@ app.post('/key', verifyFirebaseUser, (req, res) => {
     res.json({ key, expiresIn: 300 });
 });
 
-// Endpoint: /redeem
-// Exchanges 'proj_' key for a JWT.
 app.post('/redeem', async (req, res) => {
     const { key } = req.body;
     
@@ -144,88 +119,82 @@ app.post('/redeem', async (req, res) => {
     }
 
     const data = tempKeys.get(key);
-    
-    // Generate a unique secret for this session/project
     const sessionSecret = uuidv4(); 
     
-    // Create JWT
+    // UPDATED: Set expiresIn to '3d' (3 days)
     const token = jwt.sign(
         { uid: data.uid, projectId: data.projectId }, 
         sessionSecret, 
-        { expiresIn: '7d' } // Plugin token validity
+        { expiresIn: '3d' } 
     );
 
     const cacheKey = `${data.uid}:${data.projectId}`;
 
-    // 1. Store in Memory
     activeSessions.set(cacheKey, { secret: sessionSecret, lastAccessed: Date.now() });
 
-    // 2. Store in Firebase (Persist)
     if (db) {
         await db.ref(`plugin_oauth/${data.uid}/${data.projectId}`).set(sessionSecret);
     }
 
-    // Burn the redemption key (One-time use)
     tempKeys.delete(key);
-
     console.log(`🚀 Redeemed JWT for ${cacheKey}`);
     res.json({ token });
 });
 
-// Endpoint: /poll
-// Verifies JWT using the stored secret and forwards to external server.
 app.post('/poll', async (req, res) => {
     const { token, payload: clientPayload } = req.body;
 
     if (!token) return res.status(400).json({ error: 'Token required' });
 
-    // Decode without verification first to find WHO it is
+    // Decode without verify first to find user/project ID
     const decoded = jwt.decode(token);
     if (!decoded || !decoded.uid || !decoded.projectId) {
         return res.status(401).json({ error: 'Malformed token' });
     }
 
-    // Fetch secret (Memory -> DB -> 404)
     const secret = await getSessionSecret(decoded.uid, decoded.projectId);
 
     if (!secret) {
         return res.status(404).json({ error: 'Session revoked or not found' });
     }
 
-    // Verify signature
     try {
-        jwt.verify(token, secret);
-      const user = decoded.uid;
+        // 1. Verify Signature and Expiration (checks exp claim)
+        const verifiedData = jwt.verify(token, secret);
+
+        // 2. EXPLICIT CHECK: Ensure token is not older than 3 days
+        // Even if expiresIn was 7d, this blocks it after 3d.
+        const threeDaysInSeconds = 3 * 24 * 60 * 60;
+        const nowInSeconds = Math.floor(Date.now() / 1000);
 
-       const project = decoded.projectId;
-       
-    //  console.log("user: ",user," project: ", project);
+        if (verifiedData.iat && (nowInSeconds - verifiedData.iat > threeDaysInSeconds)) {
+             console.log("⚠️ Token is valid signature, but too old.");
+             return res.status(403).json({ error: 'Token expired (older than 3 days)' });
+        }
         
-        // If valid, post to external server
-        const externalUrl = process.env.EXTERNAL_SERVER_URL || 'https://httpbin.org/post'; // Default for testing
+        const externalUrl = process.env.EXTERNAL_SERVER_URL || 'https://httpbin.org/post'; 
         
         try {
             const response = await axios.post(externalUrl, {
-                //user: decoded.uid,
-                projectId: decoded.projectId,
-               // data: clientPayload
+                projectId: verifiedData.projectId,
+                // Add client data if needed
+                // data: clientPayload 
             });
           
-         // console.log(response.data);
-          
             return res.json({ status: 'success', externalResponse: response.data });
         } catch (extError) {
             return res.status(502).json({ error: 'External server error' });
         }
 
     } catch (err) {
+        if (err.name === 'TokenExpiredError') {
+            return res.status(403).json({ error: 'Token has expired' });
+        }
         return res.status(403).json({ error: 'Invalid Token Signature' });
     }
 });
 
-// Endpoint: /cleanup
-// Memory management: Clears old JWT secrets from RAM that haven't been used recently.
-// Does NOT delete from Firebase.
+// Changed to .all or .post because the HTML script sends a POST request
 app.get('/cleanup', (req, res) => {
     const THRESHOLD = 1000 * 60 * 60; // 1 Hour
     const now = Date.now();
@@ -238,7 +207,6 @@ app.get('/cleanup', (req, res) => {
         }
     }
 
-    // Also clean old temp keys (older than 4 mins)
     for (const [key, value] of tempKeys.entries()) {
         if (now - value.createdAt > (1000 * 60 * 4)) {
             tempKeys.delete(key);
@@ -249,18 +217,14 @@ app.get('/cleanup', (req, res) => {
     res.json({ message: `Cleaned ${cleanedCount} cached sessions from memory.` });
 });
 
-// Endpoint: /nullify
-// Security Nuke: Removes session from Memory AND Firebase.
 app.post('/nullify', verifyFirebaseUser, async (req, res) => {
     const { projectId } = req.body;
     if (!projectId) return res.status(400).json({ error: 'projectId required' });
 
     const cacheKey = `${req.user.uid}:${projectId}`;
 
-    // 1. Remove from Memory
     const existedInMemory = activeSessions.delete(cacheKey);
 
-    // 2. Remove from Firebase
     if (db) {
         try {
             await db.ref(`plugin_oauth/${req.user.uid}/${projectId}`).remove();
@@ -297,107 +261,74 @@ app.get('/', (req, res) => {
             button.danger { background: #a51d2d; }
             label { display: block; margin-top: 10px; color: #9cdcfe; }
             pre { background: #000; padding: 10px; border: 1px solid #444; overflow-x: auto; white-space: pre-wrap; }
-            .status { margin-top: 20px; padding: 10px; border-left: 4px solid #0e639c; background: #2d2d2d; }
         </style>
     </head>
     <body>
         <h1>🔌 Plugin Auth Debugger</h1>
-        
         <div class="container">
             <h3>1. Configuration</h3>
-            <label>Firebase ID Token (leave empty if DEBUG_NO_AUTH=true)</label>
+            <label>Firebase ID Token</label>
             <input type="text" id="fbToken" placeholder="eyJhbG...">
-            
             <label>Project ID</label>
             <input type="text" id="projId" value="roblox_world_1">
-
             <hr style="border-color:#444">
-
-            <h3>2. Generate Key (/key)</h3>
+            
+            <h3>2. Actions</h3>
             <button onclick="generateKey()">Generate PROJ_ Key</button>
-            <pre id="keyResult">Waiting...</pre>
+            <pre id="keyResult">...</pre>
 
-            <h3>3. Redeem Token (/redeem)</h3>
-            <label>Key to Redeem</label>
+            <label>Redeem Key</label>
             <input type="text" id="redeemKeyInput">
             <button onclick="redeemKey()">Redeem for JWT</button>
-            <pre id="jwtResult">Waiting...</pre>
+            <pre id="jwtResult">...</pre>
 
-            <h3>4. Poll External (/poll)</h3>
-            <label>JWT Token</label>
+            <label>Poll (JWT)</label>
             <input type="text" id="jwtInput">
             <button onclick="poll()">Poll External Server</button>
-            <pre id="pollResult">Waiting...</pre>
+            <pre id="pollResult">...</pre>
 
-            <h3>5. Management</h3>
-            <div style="display:flex; gap:10px;">
+            <div style="display:flex; gap:10px; margin-top:10px;">
                 <button onclick="cleanup()">Memory Cleanup</button>
                 <button class="danger" onclick="nullify()">Nullify (Nuke)</button>
             </div>
-            <pre id="mgmtResult">Waiting...</pre>
+            <pre id="mgmtResult">...</pre>
         </div>
-
         <script>
             const baseUrl = '';
-
             async function generateKey() {
                 const token = document.getElementById('fbToken').value;
                 const projectId = document.getElementById('projId').value;
-                
                 const headers = {};
                 if(token) headers['Authorization'] = 'Bearer ' + token;
-
-                const res = await fetch(baseUrl + '/key', {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json', ...headers },
-                    body: JSON.stringify({ projectId })
-                });
+                const res = await fetch(baseUrl + '/key', { method: 'POST', headers: { 'Content-Type': 'application/json', ...headers }, body: JSON.stringify({ projectId }) });
                 const data = await res.json();
                 document.getElementById('keyResult').innerText = JSON.stringify(data, null, 2);
                 if(data.key) document.getElementById('redeemKeyInput').value = data.key;
             }
-
             async function redeemKey() {
                 const key = document.getElementById('redeemKeyInput').value;
-                const res = await fetch(baseUrl + '/redeem', {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({ key })
-                });
+                const res = await fetch(baseUrl + '/redeem', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ key }) });
                 const data = await res.json();
                 document.getElementById('jwtResult').innerText = JSON.stringify(data, null, 2);
                 if(data.token) document.getElementById('jwtInput').value = data.token;
             }
-
             async function poll() {
                 const token = document.getElementById('jwtInput').value;
-                const res = await fetch(baseUrl + '/poll', {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({ token, payload: { msg: "Hello from Roblox" } })
-                });
+                const res = await fetch(baseUrl + '/poll', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ token, payload: { msg: "Hello" } }) });
                 const data = await res.json();
                 document.getElementById('pollResult').innerText = JSON.stringify(data, null, 2);
             }
-
             async function cleanup() {
-                const res = await fetch(baseUrl + '/cleanup', { method: 'POST' });
+                const res = await fetch(baseUrl + '/cleanup', { method: 'GET' });
                 const data = await res.json();
                 document.getElementById('mgmtResult').innerText = JSON.stringify(data, null, 2);
             }
-
             async function nullify() {
                 const token = document.getElementById('fbToken').value;
                 const projectId = document.getElementById('projId').value;
-                
                 const headers = {};
                 if(token) headers['Authorization'] = 'Bearer ' + token;
-
-                const res = await fetch(baseUrl + '/nullify', {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json', ...headers },
-                    body: JSON.stringify({ projectId })
-                });
+                const res = await fetch(baseUrl + '/nullify', { method: 'POST', headers: { 'Content-Type': 'application/json', ...headers }, body: JSON.stringify({ projectId }) });
                 const data = await res.json();
                 document.getElementById('mgmtResult').innerText = JSON.stringify(data, null, 2);
             }