Update app.js

app.js

@@ -121,7 +121,7 @@ app.post('/redeem', async (req, res) => {
     const data = tempKeys.get(key);
     const sessionSecret = uuidv4(); 
     
-    // UPDATED: Set expiresIn to '3d' (3 days)
+    // Set expiresIn to '3d' (3 days)
     const token = jwt.sign(
         { uid: data.uid, projectId: data.projectId }, 
         sessionSecret, 
@@ -141,12 +141,42 @@ app.post('/redeem', async (req, res) => {
     res.json({ token });
 });
 
+// --- NEW ENDPOINT: Simple Verification Check ---
+app.post('/verify', async (req, res) => {
+    const { token } = req.body;
+    if (!token) return res.status(400).json({ valid: false, error: 'Token required' });
+
+    const decoded = jwt.decode(token);
+    if (!decoded || !decoded.uid || !decoded.projectId) {
+        return res.status(401).json({ valid: false, error: 'Malformed token' });
+    }
+
+    const secret = await getSessionSecret(decoded.uid, decoded.projectId);
+
+    if (!secret) {
+        return res.status(401).json({ valid: false, error: 'Session revoked' });
+    }
+
+    try {
+        jwt.verify(token, secret);
+        // Explicitly check 3 day max age
+        const threeDaysInSeconds = 3 * 24 * 60 * 60;
+        const nowInSeconds = Math.floor(Date.now() / 1000);
+        if (decoded.iat && (nowInSeconds - decoded.iat > threeDaysInSeconds)) {
+             return res.status(403).json({ valid: false, error: 'Expired' });
+        }
+
+        return res.json({ valid: true });
+    } catch (err) {
+        return res.status(403).json({ valid: false, error: 'Invalid signature' });
+    }
+});
+
 app.post('/poll', async (req, res) => {
     const { token, payload: clientPayload } = req.body;
 
     if (!token) return res.status(400).json({ error: 'Token required' });
 
-    // Decode without verify first to find user/project ID
     const decoded = jwt.decode(token);
     if (!decoded || !decoded.uid || !decoded.projectId) {
         return res.status(401).json({ error: 'Malformed token' });
@@ -159,11 +189,8 @@ app.post('/poll', async (req, res) => {
     }
 
     try {
-        // 1. Verify Signature and Expiration (checks exp claim)
         const verifiedData = jwt.verify(token, secret);
 
-        // 2. EXPLICIT CHECK: Ensure token is not older than 3 days
-        // Even if expiresIn was 7d, this blocks it after 3d.
         const threeDaysInSeconds = 3 * 24 * 60 * 60;
         const nowInSeconds = Math.floor(Date.now() / 1000);
 
@@ -177,7 +204,6 @@ app.post('/poll', async (req, res) => {
         try {
             const response = await axios.post(externalUrl, {
                 projectId: verifiedData.projectId,
-                // Add client data if needed
                 // data: clientPayload 
             });
           
@@ -194,9 +220,8 @@ app.post('/poll', async (req, res) => {
     }
 });
 
-// Changed to .all or .post because the HTML script sends a POST request
 app.get('/cleanup', (req, res) => {
-    const THRESHOLD = 4 * 1000 * 60 * 60; // 4 Hours
+    const THRESHOLD = 1000 * 60 * 60; // 1 Hour
     const now = Date.now();
     let cleanedCount = 0;
 
@@ -212,8 +237,6 @@ app.get('/cleanup', (req, res) => {
             tempKeys.delete(key);
         }
     }
-
-    // console.log(`🧹 Garbage Collection: Removed ${cleanedCount} cached sessions.`);
     res.json({ message: `Cleaned ${cleanedCount} cached sessions from memory.` });
 });
 
@@ -223,10 +246,8 @@ app.post('/nullify', verifyFirebaseUser, async (req, res) => {
 
     const cacheKey = `${req.user.uid}:${projectId}`;
 
-    // 1. Remove Active Session (JWT secret)
     const existedInMemory = activeSessions.delete(cacheKey);
 
-    // 2. Remove Temporal Tokens (Pending Keys)
     let deletedTempKeys = 0;
     for (const [tKey, tData] of tempKeys.entries()) {
         if (tData.uid === req.user.uid && tData.projectId === projectId) {
@@ -235,7 +256,6 @@ app.post('/nullify', verifyFirebaseUser, async (req, res) => {
         }
     }
 
-    // 3. Remove from DB
     if (db) {
         try {
             await db.ref(`plugin_oauth/${req.user.uid}/${projectId}`).remove();
@@ -253,101 +273,8 @@ app.post('/nullify', verifyFirebaseUser, async (req, res) => {
     });
 });
 
-// ---------------------------------------------------------
-// 5. EMBEDDED HTML DEBUGGER
-// ---------------------------------------------------------
 app.get('/', (req, res) => {
-    res.send(`
-    <!DOCTYPE html>
-    <html lang="en">
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1.0">
-        <title>Roblox Plugin Auth Server</title>
-        <style>
-            body { font-family: monospace; background: #1e1e1e; color: #d4d4d4; padding: 20px; max-width: 800px; margin: 0 auto; }
-            .container { background: #252526; padding: 20px; border-radius: 8px; border: 1px solid #333; }
-            input, button { padding: 10px; margin: 5px 0; width: 100%; box-sizing: border-box; background: #3c3c3c; border: 1px solid #555; color: white; }
-            button { background: #0e639c; cursor: pointer; font-weight: bold; }
-            button:hover { background: #1177bb; }
-            button.danger { background: #a51d2d; }
-            label { display: block; margin-top: 10px; color: #9cdcfe; }
-            pre { background: #000; padding: 10px; border: 1px solid #444; overflow-x: auto; white-space: pre-wrap; }
-        </style>
-    </head>
-    <body>
-        <h1>🔌 Plugin Auth Debugger</h1>
-        <div class="container">
-            <h3>1. Configuration</h3>
-            <label>Firebase ID Token</label>
-            <input type="text" id="fbToken" placeholder="eyJhbG...">
-            <label>Project ID</label>
-            <input type="text" id="projId" value="roblox_world_1">
-            <hr style="border-color:#444">
-            
-            <h3>2. Actions</h3>
-            <button onclick="generateKey()">Generate PROJ_ Key</button>
-            <pre id="keyResult">...</pre>
-
-            <label>Redeem Key</label>
-            <input type="text" id="redeemKeyInput">
-            <button onclick="redeemKey()">Redeem for JWT</button>
-            <pre id="jwtResult">...</pre>
-
-            <label>Poll (JWT)</label>
-            <input type="text" id="jwtInput">
-            <button onclick="poll()">Poll External Server</button>
-            <pre id="pollResult">...</pre>
-
-            <div style="display:flex; gap:10px; margin-top:10px;">
-                <button onclick="cleanup()">Memory Cleanup</button>
-                <button class="danger" onclick="nullify()">Nullify (Nuke)</button>
-            </div>
-            <pre id="mgmtResult">...</pre>
-        </div>
-        <script>
-            const baseUrl = '';
-            async function generateKey() {
-                const token = document.getElementById('fbToken').value;
-                const projectId = document.getElementById('projId').value;
-                const headers = {};
-                if(token) headers['Authorization'] = 'Bearer ' + token;
-                const res = await fetch(baseUrl + '/key', { method: 'POST', headers: { 'Content-Type': 'application/json', ...headers }, body: JSON.stringify({ projectId }) });
-                const data = await res.json();
-                document.getElementById('keyResult').innerText = JSON.stringify(data, null, 2);
-                if(data.key) document.getElementById('redeemKeyInput').value = data.key;
-            }
-            async function redeemKey() {
-                const key = document.getElementById('redeemKeyInput').value;
-                const res = await fetch(baseUrl + '/redeem', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ key }) });
-                const data = await res.json();
-                document.getElementById('jwtResult').innerText = JSON.stringify(data, null, 2);
-                if(data.token) document.getElementById('jwtInput').value = data.token;
-            }
-            async function poll() {
-                const token = document.getElementById('jwtInput').value;
-                const res = await fetch(baseUrl + '/poll', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ token, payload: { msg: "Hello" } }) });
-                const data = await res.json();
-                document.getElementById('pollResult').innerText = JSON.stringify(data, null, 2);
-            }
-            async function cleanup() {
-                const res = await fetch(baseUrl + '/cleanup', { method: 'GET' });
-                const data = await res.json();
-                document.getElementById('mgmtResult').innerText = JSON.stringify(data, null, 2);
-            }
-            async function nullify() {
-                const token = document.getElementById('fbToken').value;
-                const projectId = document.getElementById('projId').value;
-                const headers = {};
-                if(token) headers['Authorization'] = 'Bearer ' + token;
-                const res = await fetch(baseUrl + '/nullify', { method: 'POST', headers: { 'Content-Type': 'application/json', ...headers }, body: JSON.stringify({ projectId }) });
-                const data = await res.json();
-                document.getElementById('mgmtResult').innerText = JSON.stringify(data, null, 2);
-            }
-        </script>
-    </body>
-    </html>
-    `);
+    res.send('Plugin Auth Server Running');
 });
 
 const PORT = process.env.PORT || 7860;