Update app.js

app.js

@@ -35,6 +35,28 @@ app.post('/internal/notify', (req, res) => {
     res.json({ success: false });
 });
 
+// Inside Gateway WebSocket upgrade or API middleware
+async function verifyThrustToken(token) {
+    const decoded = jwt.decode(token);
+    if (!decoded || !decoded.sid) return null;
+
+    // 1. Fetch the secret and verify existence in one go
+    const { data: session } = await supabase
+        .from('user_sessions')
+        .select('session_secret')
+        .eq('id', decoded.sid)
+        .single();
+
+    if (!session) return null; // Session was deleted/revoked
+
+    try {
+        // 2. Verify signature against the stored secret
+        return jwt.verify(token, session.session_secret);
+    } catch (e) {
+        return null;
+    }
+}
+
 // WS Upgrade
 server.on('upgrade', async (request, socket, head) => {
     const url = new URL(request.url, `http://${request.headers.host}`);
@@ -42,9 +64,11 @@ server.on('upgrade', async (request, socket, head) => {
 
     if (!token) { socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n'); socket.destroy(); return; }
 
-    const { data: { user }, error } = await supabase.auth.getUser(token);
-    if (error || !user) { socket.write('HTTP/1.1 403 Forbidden\r\n\r\n'); socket.destroy(); return; }
-
+   //  const { data: { user }, error } = await supabase.auth.getUser(token);
+  const isTrue= verifyThrustToken(token);
+    // if (error || !user) { socket.write('HTTP/1.1 403 Forbidden\r\n\r\n'); socket.destroy(); return; }
+   if (isTrue || isTrue != null) { socket.write('HTTP/1.1 403 Forbidden\r\n\r\n'); socket.destroy(); return; }
+  
     wss.handleUpgrade(request, socket, head, (ws) => {
         wss.emit('connection', ws, request, user);
     });