Fix token verification and clean up comments

[ordo-chao]

This pull request improves the verifyToken middleware in Middleware/jwt_token_verification.js by strengthening JWT verification, adding better error handling, and clarifying error messages. The changes make the authentication process more robust and informative for both developers and API consumers.

Error handling and validation improvements:

• Added a check to ensure JWT_SECRET is configured, returning a 500 error if not set.
• Improved error responses for missing or malformed authorization headers, missing tokens, and invalid token formats.
• Switched from jwt.decode to jwt.verify for actual signature verification and restricted to the HS256 algorithm.
• Added checks for the presence and structure of the decoded token payload, specifically requiring a sub property.
• Added granular error handling for expired tokens, invalid tokens, and unexpected verification errors, with appropriate HTTP status codes and logging.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3c019171-5ce6-43e4-ad95-c78b22ffd66e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-token-verifications

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This pull request hardens the verifyToken Express middleware by performing real JWT signature verification and improving error handling around missing/malformed credentials.

Changes:

• Add a server-side configuration guard to ensure JWT_SECRET is set before attempting verification.
• Validate/parse the Authorization header and token more explicitly, with clearer failure messages.
• Replace jwt.decode with jwt.verify (HS256-restricted) and validate the decoded payload contains sub.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

jsonwebtoken can throw NotBeforeError (token used before nbf). Currently that case would fall through to the generic 500 handler, making a client/token issue look like a server error. Consider handling NotBeforeError explicitly (likely as 401) alongside the other JWT error branches.

Suggested change

	if (err.name === 'NotBeforeError') {
	return res.status(401).json('Token not active');
	}

[Copilot]

Error responses in this middleware are returned as JSON strings (e.g., res.status(...).json('...')), but the rest of the API appears to consistently return objects like { message: ... } / { error: ... } (see e.g. Controllers/OrganizerDashboard.controller.js:47 and Middleware/paginate.js:6). Returning plain strings can make client-side error handling inconsistent; consider standardizing these responses to the same object shape used elsewhere.

[Copilot]

There are existing middleware unit tests (e.g. tests/middlewares/paginate.test.js), but no coverage for this updated token-verification behavior. Adding tests for the main branches (missing header, malformed Bearer scheme, expired token, invalid signature, valid token payload w/ sub) would help prevent regressions.

[Eugene600]

@ordo-chao please review comments from coderabbit

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This middleware returns raw strings via res.json(...) (e.g., on 500 here). Elsewhere in the codebase responses are consistently JSON objects with message/error fields (e.g., Middleware/paginate.js:6, Middleware/upload.js:72). Consider returning a structured object here as well (and applying the same shape to the other error returns in this middleware) to keep the API response schema consistent for clients.

[Copilot]

authHeader.trim().split(/\s+/, 2) will accept headers with extra segments (e.g., "Bearer <token> extra") by silently ignoring everything after the token. Consider parsing into all parts and requiring exactly 2 segments (Bearer + token) to avoid accepting malformed Authorization headers.

[Copilot]

This will console.error on every request when JWT_SECRET is unset, which can flood logs under load. Consider failing fast at process startup (preferred) or at least reading/caching the secret at module load and logging once, while still returning 500 for requests.

[Copilot]

The verification logic and expanded error cases are now more complex (config missing, malformed header, missing token, expired token, invalid token, invalid payload). The repo already has middleware unit tests (e.g., tests/middlewares/paginate.test.js), but there are no tests covering verifyToken. Consider adding unit tests for the main branches to prevent regressions.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.