Prevent reuse of frontend-origin wildcard matching as a JWT trust root to stop attacker-controlled preview hosts from serving JWKS for arbitrary iss values.
Make the internal-dashboard JWT issuer check rely only on an explicit JWKS issuer allowlist rather than isDashboardOrigin CORS-style heuristics.
Description
Removed the isDashboardOrigin shortcut from the internal-dashboard JWT issuer check in apps/apollo/src/pages/api/internal-dashboard/_middleware/dashboard_auth.ts and instead call a dedicated allowlist helper.
Added apps/apollo/src/pages/api/internal-dashboard/_middleware/issuer_allowlist.ts which extracts the issuer hostname and accepts it only when listed in DASHBOARD_JWKS_ALLOWED_DOMAINS.
Added unit tests apps/apollo/src/pages/api/internal-dashboard/_middleware/issuer_allowlist.unit.test.ts that assert explicitly configured JWKS domains are accepted and preview/vercel/localhost wildcard origins are rejected.
Kept JWKS lookup and signature verification behavior unchanged; this change only tightens which iss values are treated as acceptable before fetching /.well-known/jwks.json.
Testing
Built the helper library with pnpm --filter @composio/lib build, which succeeded.
Ran code formatting with pnpm format and static lint checks for the modified files via the repo lint tooling (node tooling/oxlint/...) which completed with only a single unrelated warning for the touched files.
Added a unit test and attempted to run it with cd apps/apollo && pnpm with-env vitest run src/pages/api/internal-dashboard/_middleware/issuer_allowlist.unit.test.ts --no-isolate, but the test run was blocked by environment and generated-artifact dependencies (missing Doppler secrets / environment variables, missing generated Prisma client .prisma/client/default), so the unit test execution failed in this environment.
Attempts to run type generation / Prisma generation (cd packages/db && CI=true pnpm db:generate) failed because the Prisma engine download was blocked (403), so full pnpm check-types and test runs are currently blocked by missing generated artifacts.
@kaavee315checks…codex/propose-fix-for-jwt-issuer-vulnerability → master3 files · +78 −41review: @sohamganatrareview: @abir-taheerreview: @anshugarg15updated 2d ago