From 7eb6dcf00bdc8cc66cd1f828c96efa8295e0d064 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Tue, 4 Jun 2024 23:38:00 -0400
Subject: [PATCH] fix: Prevent email login token reuse

---
 server/utils/jwt.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server/utils/jwt.ts b/server/utils/jwt.ts
index c274277e8..a24b1223b 100644
--- a/server/utils/jwt.ts
+++ b/server/utils/jwt.ts
@@ -91,6 +91,12 @@ export async function getUserForEmailSigninToken(token: string): Promise {
 rejectOnEmpty: true,
 });
 
+ if (user.lastSignedInAt) {
+ if (user.lastSignedInAt > new Date(payload.createdAt)) {
+ throw AuthenticationError("Expired token");
+ }
+ }
+
 try {
 JWT.verify(token, user.jwtSecret);
 } catch (err) {
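Review bot: The new guard fails open when `payload.createdAt` is missing or unparseable, because `new Date(undefined)` is an Invalid Date and `user.lastSignedInAt > InvalidDate` is always false, so such a token skips the reuse check entirely; a one-time token check should reject an invalid timestamp instead, e.g. `const issuedAt = new Date(payload.createdAt).getTime();` followed by `if (Number.isNaN(issuedAt) || (user.lastSignedInAt && user.lastSignedInAt.getTime() > issuedAt)) { throw AuthenticationError("Expired token"); }`. Note also that `payload` is read here before `JWT.verify(token, user.jwtSecret)` runs, so the comparison is made against unverified claims; that is tolerable only because verification still follows, and a comment such as `// payload is not yet verified; JWT.verify below must stay after this check` would keep a future reorder from turning this into a bypass. The check is also a compare-then-use on a column that is presumably updated only after the sign-in completes, so two concurrent requests presenting the same token can both pass before `lastSignedInAt` is written; if single use is the goal, consuming a per-token nonce atomically is the more robust design. `getUserForEmailSigninToken` begins before the hunk and continues after it, so where `payload` is decoded and where `lastSignedInAt` is updated cannot be confirmed from here.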