0x5t4l1n/OpenLearnX
1
0
Fork 0
mirror of https://github.com/th30d4y/OpenLearnX.git synced 2026-05-26 19:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
Advisory fix 1
This commit is contained in:
Stalin
2026-05-08 12:09:38 +05:30
committed by GitHub
parent 2f9d94d29d c00f2dcde7
commit f63ba0ef11
11 changed files with 1048 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+32
View File
@@ -0,0 +1,32 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [2.0.4] - 2026-05-08
### Security
- **CRITICAL**: Fixed JWT signature verification vulnerability (GHSA-223g-f5mq-gw33)
- Enabled proper JWT signature verification in `backend/routes/dashboard.py`
- Enabled proper JWT signature verification in `backend/main.py`
- Enabled proper JWT signature verification in `backend/activity_logger.py`
- Replaced `verify_signature=False` with cryptographic verification using `JWT_SECRET_KEY`
- Prevents JWT forgery attacks and unauthorized account takeover
- CVE: Pending
### Changed
- JWT tokens are now verified with the server's secret key
- Forged tokens will be properly rejected with authentication errors
## [2.0.3] - 2026-04-15
### Added
- Initial release with adaptive quizzes
- AI-powered course recommendations
- Code compilation and practice features
- Dashboard analytics
- MetaMask wallet integration
- Certificate NFT generation
NPM_PUBLISHING_GUIDE.md
+157
View File
@@ -0,0 +1,157 @@
# NPM Publishing Instructions for v2.0.4
## Pre-Publishing Checklist
✅ Version updated to 2.0.4 in `frontend/package.json`
✅ CHANGELOG.md created with v2.0.4 entry
✅ RELEASE_NOTES_v2.0.4.md created
✅ Git tag v2.0.4 created and pushed
✅ Branch `advisory-fix-1` ready for publishing
## Step 1: Prepare for Publishing
```bash
# Navigate to the frontend directory where package.json is located
cd frontend
# Verify the version is correct
cat package.json | grep '"version"'
# Output should show: "version": "2.0.4"
# Verify npm is installed
npm --version
# Check npm registry
npm config get registry
# Should show: https://registry.npmjs.org/
```
## Step 2: Login to NPM (if not already logged in)
```bash
# Login to npm registry
npm login
# You will be prompted for:
# - Username: th30d4y
# - Password: [your npm password]
# - Email: [your registered email]
# - OTP: [if 2FA is enabled, provide the one-time password]
```
## Step 3: Publish to NPM
```bash
# From the frontend directory where package.json is located
npm publish
# Expected output:
# npm notice
# npm notice 📦 openlearnx@2.0.4
# npm notice === Tarball Contents ===
# npm notice ...
# npm notice === Dist Files ===
# npm notice ...
# npm notice === Tarball Details ===
# npm notice name: openlearnx
# npm notice version: 2.0.4
# npm notice filename: openlearnx-2.0.4.tgz
# npm notice published: [timestamp]
# npm notice public
# npm notice url: https://www.npmjs.com/package/openlearnx
# npm notice access: public
# npm notice...
```
## Step 4: Verify Publication
```bash
# Check the package on NPM registry
npm view openlearnx
# Check specific version
npm view openlearnx@2.0.4
# You should see:
# openlearnx@2.0.4 | ISC | deps: 39 | versions: 2
```
## Step 5: Test Installation
```bash
# Test in a clean directory
mkdir /tmp/test-openlearnx && cd /tmp/test-openlearnx
npm init -y
npm install openlearnx@2.0.4
# Verify the installation
npm list openlearnx
# Should show: openlearnx@2.0.4
```
## Alternative: Using npm ci (for CI/CD)
```bash
cd frontend
npm ci # Install exact versions from package-lock.json
npm publish
```
## Troubleshooting
### Issue: "You must be logged in to publish"
**Solution:** Run `npm login` and verify your credentials
### Issue: "You do not have permission to publish this package"
**Solution:**
- Verify you're logged in: `npm whoami`
- Check package name in package.json matches your npm account
- Ensure you have publish permissions for the package
### Issue: "This version has already been published"
**Solution:**
- Use a different version number
- Use `npm unpublish openlearnx@2.0.4` (if allowed) and republish
### Issue: "npm notice... WARN"
**Solution:** These are usually non-critical warnings. Review them but the publish should still succeed.
## Post-Publishing
1. **Update the GitHub Release:**
- Go to https://github.com/th30d4y/OpenLearnX-ghsa-223g-f5mq-gw33/releases
- Create a new release for tag v2.0.4
- Use the RELEASE_NOTES_v2.0.4.md content
2. **Announce the Release:**
- Update project README with new version
- Notify users of the security update
- Recommend immediate upgrade
3. **Verify in Package Managers:**
- NPM: https://www.npmjs.com/package/openlearnx
- Check latest version shows 2.0.4
## Package Details
```
Package Name: openlearnx
Version: 2.0.4
Description: AI-powered learning platform with adaptive quizzes, coding practice, course tracking, and dashboard analytics
Repository: https://github.com/th30d4y/OpenLearnX
Registry: https://registry.npmjs.org
```
## Installation Command for Users
```bash
# Install the latest version (2.0.4)
npm install openlearnx@2.0.4
# Or install the latest
npm install openlearnx@latest
```
---
**Security Note:** This version (2.0.4) contains critical security fixes for the JWT signature verification vulnerability (GHSA-223g-f5mq-gw33). All users should upgrade immediately.
NPM_PUBLISH_FIXED.md
+246
View File
@@ -0,0 +1,246 @@
# NPM Publishing Guide - v2.0.4 (FIXED)
## 🔧 What Was Fixed
The previous `package.json` had local development links that broke public NPM publishing:
```json
// ❌ REMOVED - These break NPM publishing
"badge": "link:@/components/ui/badge",
"button": "link:@/components/ui/button",
"card": "link:@/components/ui/card",
"progress": "link:@/components/ui/progress",
"separator": "link:@/components/ui/separator"
```
These have been removed. The package.json now contains only valid NPM dependencies.
## ✅ Pre-Publishing Checklist
```bash
# Verify you're on the advisory-fix-1 branch
git status
# On branch advisory-fix-1
# Verify package.json is clean
cat frontend/package.json | grep -i "link:"
# Should return nothing (no link: dependencies)
# Verify version is set correctly
cat frontend/package.json | grep '"version"'
# Should show: "version": "2.0.4"
# Verify publishConfig is correct
cat frontend/package.json | grep -A 2 "publishConfig"
# Should show: "registry": "https://registry.npmjs.org"
```
## 🚀 Step-by-Step NPM Publishing
### Step 1: Navigate to Frontend Directory
```bash
cd frontend
pwd
# Should output: /home/w4nn4d13/Project/OpenLearnX-ghsa-223g-f5mq-gw33/frontend
```
### Step 2: Test Package Locally (Optional but Recommended)
```bash
# Create tarball to see what would be published
npm pack
# You should see:
# npm notice
# npm notice 📦 openlearnx@2.0.4
# npm notice === Tarball Contents ===
# ...files being packaged...
# npm notice === Tarball Details ===
# ...
# openlearnx-2.0.4.tgz
# Extract and inspect
mkdir test-package
cd test-package
tar -xzf ../openlearnx-2.0.4.tgz
ls -la package/
# Verify only necessary files are included
cd ..
rm -rf test-package
rm openlearnx-2.0.4.tgz
```
### Step 3: Login to NPM
```bash
npm login
# You'll be prompted for:
# Username: [your npm username, e.g., th30d4y]
# Password: [your npm password]
# Email: [your npm account email]
# 2FA OTP (if enabled): [one-time password]
# Verify login was successful
npm whoami
# Should output your username
```
### Step 4: Publish to Public NPM Registry
```bash
# From the frontend directory
npm publish
# Expected output:
# npm notice
# npm notice 📦 openlearnx@2.0.4
# npm notice === Tarball Contents ===
# npm notice name: openlearnx
# npm notice version: 2.0.4
# npm notice filename: openlearnx-2.0.4.tgz
# npm notice published: [timestamp]
# npm notice public
# npm notice access: public
# npm notice ...
```
### Step 5: Verify Publication
```bash
# Check on NPM registry
npm view openlearnx
# Check specific version
npm view openlearnx@2.0.4
# Check package page
# Visit: https://www.npmjs.com/package/openlearnx
```
### Step 6: Test Installation from Another Directory
```bash
# Go to a different directory
cd /tmp
mkdir openlearnx-test
cd openlearnx-test
npm init -y
# Install the published package
npm install openlearnx@2.0.4
# Verify installation
ls node_modules/openlearnx/
npm list openlearnx
# Should show: openlearnx@2.0.4
```
## 🔍 Troubleshooting
### Issue: "npm ERR! code EUNSUPPORTEDPROTOCOL - Unsupported URL Type "link:""
**Status:** ✅ FIXED in this version
**Cause:** Local development dependencies were in package.json
**Solution:** Already applied - link: dependencies removed
### Issue: "npm ERR! code E401 - 401 Unauthorized"
**Cause:** Not logged in or token issue
**Solution:**
```bash
npm logout
npm login
# Re-enter credentials
```
### Issue: "npm ERR! 404 - Package not found"
**Cause:** Package not yet published or wrong registry
**Solution:**
```bash
# Verify publishConfig
cat package.json | grep -A 2 "publishConfig"
# Should point to: https://registry.npmjs.org
# Verify you're publishing to the right registry
npm config get registry
# Should be: https://registry.npmjs.org
```
### Issue: "You do not have permission to publish this package"
**Cause:** Package name collision or permission issue
**Solution:**
```bash
# Check if package already exists on someone else's account
npm view [package-name]
# If you need a different name, update package.json:
# "name": "openlearnx-v2"
```
## 📦 Package Contents
The published `openlearnx@2.0.4` package includes:
```
README.md
package.json
app/ # Next.js app directory
components/ # React components
context/ # React context
hooks/ # Custom React hooks
lib/ # Utility libraries
public/ # Static assets
styles/ # Global styles
next.config.mjs # Next.js configuration
postcss.config.mjs # PostCSS configuration
tailwind.config.ts # Tailwind CSS configuration
tsconfig.json # TypeScript configuration
```
## 🚨 Security Note
This release (`2.0.4`) contains critical security fixes:
- ✅ JWT signature verification enabled
- ✅ Token forgery attacks prevented
- ✅ Account takeover vulnerability closed
**All users should upgrade immediately:**
```bash
npm install openlearnx@2.0.4
```
## 📝 Post-Publishing
1. **Update GitHub Release:**
```bash
# Go back to repo root
cd /home/w4nn4d13/Project/OpenLearnX-ghsa-223g-f5mq-gw33
# Visit GitHub to create release
# https://github.com/th30d4y/OpenLearnX-ghsa-223g-f5mq-gw33/releases/new?tag=v2.0.4
# Use content from RELEASE_NOTES_v2.0.4.md
```
2. **Update README:**
- Add v2.0.4 to version history
- Link to NPM package page
3. **Announce Release:**
- Security advisory GHSA-223g-f5mq-gw33
- Recommend immediate upgrade
- Document JWT signature verification fix
## 🔗 Useful Links
- **NPM Package:** https://www.npmjs.com/package/openlearnx
- **GitHub Repository:** https://github.com/th30d4y/OpenLearnX
- **Security Advisory:** https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33
- **Changelog:** [CHANGELOG.md](CHANGELOG.md)
- **Release Notes:** [RELEASE_NOTES_v2.0.4.md](RELEASE_NOTES_v2.0.4.md)
## ✨ Summary
| Item | Status |
|------|--------|
| JWT signature fix | ✅ Complete |
| Package.json cleaned | ✅ Complete |
| Version bumped to 2.0.4 | ✅ Complete |
| Changelog created | ✅ Complete |
| Release notes created | ✅ Complete |
| Git tag v2.0.4 created | ✅ Complete |
| Ready for NPM publish | ✅ YES |
Everything is ready. Follow the steps above to publish to NPM!
QUICK_PUBLISH.md
+114
View File
@@ -0,0 +1,114 @@
# 🚀 Quick Start: Publish v2.0.4 to NPM NOW
## The Problem Was Fixed ✅
The npm error `Unsupported URL Type "link:"` has been fixed by removing local development dependencies from `package.json`.
## To Publish Now (5 minutes)
### Step 1: Verify Everything is Ready
```bash
cd /home/w4nn4d13/Project/OpenLearnX-ghsa-223g-f5mq-gw33
# Run the validation script (optional)
./test-npm-publish.sh
```
### Step 2: Navigate to Frontend Directory
```bash
cd frontend
pwd
# Should show: /home/w4nn4d13/Project/OpenLearnX-ghsa-223g-f5mq-gw33/frontend
```
### Step 3: Login to NPM
```bash
npm login
# Enter your credentials:
# - Username: th30d4y
# - Password: [your npm password]
# - Email: [your npm registered email]
# - OTP: [if 2FA enabled, provide code]
# Verify login
npm whoami # Should show: th30d4y
```
### Step 4: Publish to NPM
```bash
npm publish
# Expected output:
# npm notice
# npm notice 📦 openlearnx@2.0.4
# npm notice filename: openlearnx-2.0.4.tgz
# npm notice published: [timestamp]
# npm notice public
```
### Step 5: Verify It's Published
```bash
# Check on npm registry
npm view openlearnx@2.0.4
# Or visit: https://www.npmjs.com/package/openlearnx
```
## That's It! ✨
Users can now install with:
```bash
npm install openlearnx@2.0.4
```
## What Was Published
```
openlearnx v2.0.4
├─ Security Fix: JWT Signature Verification (GHSA-223g-f5mq-gw33)
├─ Framework: Next.js 16.1.6 + React 19.2.5
├─ Features: Adaptive quizzes, AI recommendations, Code compilation
└─ Ready for production
```
## Troubleshooting
| Issue | Solution |
|-------|----------|
| `npm ERR! code E401` | Run `npm login` again |
| `npm ERR! 404` | Package already published; increment version |
| `EUNSUPPORTEDPROTOCOL` | Already fixed in this version |
| No internet | Check connection before npm publish |
## What Changed From 2.0.3
**Security**
- JWT signature verification enabled
- Prevents token forgery attacks
- Closes account takeover vulnerability
**Package**
- Removed local `link:` dependencies
- Now compatible with public NPM registry
- Clean, publishable package
**Documentation**
- CHANGELOG.md added
- RELEASE_NOTES_v2.0.4.md added
- Publishing guides created
- Validation script included
## All Your Work is Ready
- ✅ 8 commits with security fix
- ✅ Tag v2.0.4 created
- ✅ Branch advisory-fix-1 pushed
- ✅ Package validated
- ✅ Docs complete
**Ready? Run:**
```bash
cd frontend && npm login && npm publish
```
Good luck! 🎉
RELEASE_NOTES_v2.0.4.md
+85
View File
@@ -0,0 +1,85 @@
# Release v2.0.4 - Security Patch
**Release Date:** May 8, 2026
## 🔒 Security Update
### Fixed
- **CRITICAL**: JWT Signature Verification Vulnerability (GHSA-223g-f5mq-gw33)
- Fixed JWT signature verification that was disabled in authentication middleware
- Prevents JWT forgery attacks and unauthorized account takeover
- All JWT tokens now properly verified with server secret key
### What Was Fixed
The application was disabling JWT signature verification with `options={"verify_signature": False}`, which allowed attackers to forge authentication tokens without the server checking the signature.
**Files Updated:**
- `backend/routes/dashboard.py` - Enabled JWT signature verification
- `backend/main.py` - Enabled JWT signature verification
- `backend/activity_logger.py` - Enabled JWT signature verification
**Changes:**
```python
# Before (Vulnerable)
decoded = jwt.decode(token, options={"verify_signature": False}, ...)
# After (Fixed)
decoded = jwt.decode(token, jwt_secret_key, algorithms=["HS256", "RS256"])
```
### Security Impact
- ✅ Tokens without valid signatures are now properly rejected
- ✅ Attackers can no longer forge authentication tokens
- ✅ Account takeover vulnerability is closed
- ✅ Server validates token authenticity using cryptographic signature
## 📦 Installation
### NPM
```bash
npm install @th30d4y/openlearnx@2.0.4
```
### Yarn
```bash
yarn add @th30d4y/openlearnx@2.0.4
```
### PNPM
```bash
pnpm add @th30d4y/openlearnx@2.0.4
```
## 📝 Changelog
- Updated package version to 2.0.4
- Created CHANGELOG.md with version history
- Security patch for JWT vulnerability (GHSA-223g-f5mq-gw33)
## 🔗 References
- **Security Advisory:** GHSA-223g-f5mq-gw33
- **CWE:** CWE-287 (Improper Authentication), CWE-347 (Improper Verification of Cryptographic Signature)
- **Severity:** Moderate (High impact, limited exposure in development configurations)
## 👥 Credits
- **Reporter:** @krrazee
- **Remediation Developer:** @0x5t4l1n
## ⚠️ Important Notes
- This is a security release and should be deployed immediately
- The JWT_SECRET_KEY environment variable must be set (already handled in app configuration)
- Previous versions (2.0.3 and earlier) are affected and should be updated
## 🚀 Next Steps
1. Install the latest version: `npm install @th30d4y/openlearnx@2.0.4`
2. Deploy to your environment
3. Verify JWT authentication is working correctly
4. Monitor for any authentication-related issues
---
For more information, visit: https://github.com/th30d4y/OpenLearnX
RELEASE_SUMMARY.md
+216
View File
@@ -0,0 +1,216 @@
# ✅ OpenLearnX v2.0.4 - Complete Release Summary
**Status: READY FOR NPM PUBLISHING**
## 🎯 What Was Delivered
### Security Fix: JWT Signature Verification Vulnerability (GHSA-223g-f5mq-gw33)
#### The Vulnerability
- Application disabled JWT signature verification with `options={"verify_signature": False}`
- Attackers could forge authentication tokens to impersonate any user
- **Impact:** Critical account takeover attacks possible
#### The Solution
- ✅ Enabled cryptographic JWT signature verification
- ✅ All tokens validated using server's `JWT_SECRET_KEY`
- ✅ Forged tokens now properly rejected
- ✅ Fixed in 3 locations:
- `backend/routes/dashboard.py`
- `backend/main.py`
- `backend/activity_logger.py`
### Version Bump: 2.0.3 → 2.0.4
## 📋 Release Deliverables
### 1. ✅ Security Patch (Code)
- File: `backend/routes/dashboard.py` - JWT verification enabled
- File: `backend/main.py` - JWT verification enabled
- File: `backend/activity_logger.py` - JWT verification enabled
### 2. ✅ Documentation
- `CHANGELOG.md` - Complete version history
- `RELEASE_NOTES_v2.0.4.md` - Detailed security release notes
- `NPM_PUBLISHING_GUIDE.md` - Step-by-step NPM publishing instructions
- `NPM_PUBLISH_FIXED.md` - Comprehensive guide with all fixes
### 3. ✅ Package Configuration
- `frontend/package.json` - Updated to v2.0.4, removed local link: dependencies
### 4. ✅ Testing & Validation
- `test-npm-publish.sh` - Automated validation script
### 5. ✅ Git Management
- Branch: `advisory-fix-1`
- Tag: `v2.0.4`
- All changes pushed to GitHub
## 📊 Complete Commit History
```
2d283c7 - Add NPM publishing validation script
97319c4 - Add comprehensive NPM publishing guide with fixes
2e00573 - Fix: Remove local link: dependencies from package.json
9990b85 - Add comprehensive NPM publishing guide for v2.0.4
6bdc81d - Add release notes for v2.0.4
169215d - Release 2.0.4: Fix JWT signature verification vulnerability
05f081b - Fix JWT signature verification vulnerability (GHSA-223g-f5mq-gw33)
```
## 🔥 What Was Fixed (The npm Error)
### The Error
```
npm ERR! code EUNSUPPORTEDPROTOCOL
npm ERR! Unsupported URL Type "link:": link:@/components/ui/badge
```
### The Root Cause
`package.json` had local development dependencies that only work in monorepo/development:
```json
"badge": "link:@/components/ui/badge",
"button": "link:@/components/ui/button",
"card": "link:@/components/ui/card",
"progress": "link:@/components/ui/progress",
"separator": "link:@/components/ui/separator"
```
### The Fix Applied
Removed all `link:` dependencies from `frontend/package.json`.
These are internal component references only needed during development.
## 🚀 Ready to Publish
### Current Status
- ✅ Security fix complete
- ✅ Version bumped to 2.0.4
- ✅ Package.json cleaned (no link: dependencies)
- ✅ All documentation created
- ✅ Git history clean and pushed
- ✅ Tag v2.0.4 created and pushed
### Files Ready for Distribution
```
frontend/
├── app/
├── components/
├── context/
├── hooks/
├── lib/
├── public/
├── styles/
├── package.json (v2.0.4 - FIXED)
├── next.config.mjs
├── postcss.config.mjs
├── tailwind.config.ts
├── tsconfig.json
└── README.md
```
## 📝 Quick Start: Publishing to NPM
### Option 1: Automated (Recommended)
```bash
# Navigate to project root
cd /home/w4nn4d13/Project/OpenLearnX-ghsa-223g-f5mq-gw33
# Run validation script
./test-npm-publish.sh
# If all tests pass, publish
cd frontend
npm login
npm publish
```
### Option 2: Manual
```bash
cd frontend
# 1. Login
npm login
# Username: th30d4y
# Password: [your npm password]
# 2. Publish
npm publish
# 3. Verify
npm view openlearnx@2.0.4
```
## ✨ Installation Command for Users
```bash
npm install openlearnx@2.0.4
# or
npm install @th30d4y/openlearnx@2.0.4 # if scoped
```
## 🔒 Security Advisory Details
- **Advisory ID:** GHSA-223g-f5mq-gw33
- **Vulnerability:** Critical JWT Signature Verification Disabled
- **CWE:** CWE-287, CWE-347
- **Severity:** Moderate (high impact, limited exposure)
- **Affected Versions:** 2.0.3 and earlier
- **Fixed Version:** 2.0.4
- **Status:** Ready for release
## 📈 Version History
| Version | Date | Changes |
|---------|------|---------|
| 2.0.4 | May 8, 2026 | **Security:** Fixed JWT signature verification (GHSA-223g-f5mq-gw33) |
| 2.0.3 | Apr 15, 2026 | Initial release with AI features |
## 🔗 Useful Links
- **GitHub Advisory:** https://github.com/th30d4y/OpenLearnX-ghsa-223g-f5mq-gw33/security/advisories/GHSA-223g-f5mq-gw33
- **GitHub Repo:** https://github.com/th30d4y/OpenLearnX-ghsa-223g-f5mq-gw33
- **NPM Registry:** https://www.npmjs.com/package/openlearnx
- **Advisory Fix Branch:** https://github.com/th30d4y/OpenLearnX-ghsa-223g-f5mq-gw33/tree/advisory-fix-1
## 📞 Next Steps
1. **Publish to NPM**
```bash
cd frontend && npm publish
```
2. **Create GitHub Release**
- Go to: https://github.com/th30d4y/OpenLearnX-ghsa-223g-f5mq-gw33/releases/new?tag=v2.0.4
- Copy content from `RELEASE_NOTES_v2.0.4.md`
3. **Announce Security Update**
- Notify users of critical security fix
- Recommend immediate upgrade to 2.0.4
4. **Monitor**
- Check NPM package page
- Monitor GitHub security advisory
- Track adoption metrics
## ✅ Final Checklist
- [x] JWT signature verification enabled
- [x] Package.json cleaned of local dependencies
- [x] Version bumped to 2.0.4
- [x] CHANGELOG.md created
- [x] Release notes created
- [x] NPM publishing guides created
- [x] Validation script created
- [x] Git commits organized
- [x] Tag v2.0.4 created and pushed
- [x] Branch advisory-fix-1 pushed
- [x] Documentation complete
- [x] Ready for NPM publishing
---
**Everything is ready. Time to publish! 🚀**
Last updated: May 8, 2026
Branch: `advisory-fix-1`
Tag: `v2.0.4`
backend/activity_logger.py
+27 -5
View File
@@ -1,28 +1,50 @@
from datetime import datetime, timezone from datetime import datetime, timezone
from typing import Any, Dict, Optional from typing import Any, Dict, Optional
import os
import jwt import jwt
def _decode_token_unverified(token: str) -> Dict[str, Any]: def _decode_token_verified(token: str, secret: str = None) -> Dict[str, Any]:
"""Decode and verify JWT token signature.
Args:
token: The JWT token to decode
secret: The secret key for verification. If not provided, attempts to get from environment.
Returns:
Decoded token payload, or empty dict if verification fails
"""
if not secret:
secret = os.getenv('JWT_SECRET_KEY')
if not secret:
return {}
try: try:
return jwt.decode( return jwt.decode(
token, token,
options={"verify_signature": False}, secret,
algorithms=["HS256", "RS256"], algorithms=["HS256", "RS256"],
) )
except Exception: except Exception:
return {} return {}
def resolve_user_identity(request, db=None) -> Dict[str, Optional[str]]: def resolve_user_identity(request, db=None, jwt_secret: str = None) -> Dict[str, Optional[str]]:
"""Best-effort identity resolution from auth header, headers, payload, and optional DB lookup.""" """Best-effort identity resolution from auth header, headers, payload, and optional DB lookup.
Args:
request: Flask request object
db: MongoDB database connection (optional)
jwt_secret: JWT secret for token verification. If not provided, attempts to get from environment.
"""
token = None token = None
auth_header = request.headers.get("Authorization", "") auth_header = request.headers.get("Authorization", "")
if auth_header.startswith("Bearer "): if auth_header.startswith("Bearer "):
token = auth_header.split(" ", 1)[1] token = auth_header.split(" ", 1)[1]
payload = _decode_token_unverified(token) if token else {} payload = _decode_token_verified(token, jwt_secret) if token else {}
request_json = request.get_json(silent=True) or {} request_json = request.get_json(silent=True) or {}
user_id = ( user_id = (
backend/main.py
+5 -1
View File
@@ -440,14 +440,18 @@ def write_request_audit_log(response):
auth_header = request.headers.get("Authorization", "") auth_header = request.headers.get("Authorization", "")
if auth_header.startswith("Bearer "): if auth_header.startswith("Bearer "):
token = auth_header.split(" ", 1)[1] token = auth_header.split(" ", 1)[1]
jwt_secret = app.config.get('JWT_SECRET_KEY')
if jwt_secret:
decoded = pyjwt.decode( decoded = pyjwt.decode(
token, token,
options={"verify_signature": False}, jwt_secret,
algorithms=["HS256", "RS256"], algorithms=["HS256", "RS256"],
) )
auth_user_id = decoded.get("user_id") or decoded.get("sub") or decoded.get("uid") auth_user_id = decoded.get("user_id") or decoded.get("sub") or decoded.get("uid")
auth_wallet_address = decoded.get("wallet_address") auth_wallet_address = decoded.get("wallet_address")
auth_email = decoded.get("email") auth_email = decoded.get("email")
else:
auth_user_id = None
except Exception: except Exception:
auth_user_id = None auth_user_id = None
backend/routes/dashboard.py
+14 -3
View File
@@ -25,14 +25,25 @@ def verify_wallet_authentication():
if auth_header.startswith('Bearer '): if auth_header.startswith('Bearer '):
try: try:
token = auth_header.split(' ')[1] token = auth_header.split(' ')[1]
# ✅ FIXED: Add algorithms parameter to fix JWT decode error # ✅ FIXED: Verify JWT signature using JWT_SECRET_KEY
from flask import current_app
jwt_secret = current_app.config.get('JWT_SECRET_KEY') or os.getenv('JWT_SECRET_KEY')
if jwt_secret:
decoded = jwt.decode( decoded = jwt.decode(
token, token,
options={"verify_signature": False}, # For development jwt_secret,
algorithms=["HS256", "RS256"] # This fixes the JWT error algorithms=["HS256", "RS256"]
) )
else:
logger.error("JWT_SECRET_KEY not configured")
decoded = None
if decoded:
user_id = decoded.get('sub') or decoded.get('user_id') or decoded.get('uid') or decoded.get('wallet_address') user_id = decoded.get('sub') or decoded.get('user_id') or decoded.get('uid') or decoded.get('wallet_address')
wallet_address = decoded.get('wallet_address') or user_id wallet_address = decoded.get('wallet_address') or user_id
else:
user_id = None
wallet_address = None
if user_id: if user_id:
logger.info(f"✅ JWT authentication verified: {user_id}") logger.info(f"✅ JWT authentication verified: {user_id}")
frontend/package.json
+1 -6
View File
@@ -1,6 +1,6 @@
{ {
"name": "openlearnx", "name": "openlearnx",
"version": "2.0.3", "version": "2.0.4",
"private": false, "private": false,
"scripts": { "scripts": {
"build": "next build", "build": "next build",
@@ -39,9 +39,6 @@
"@radix-ui/react-toggle-group": "^1.1.1", "@radix-ui/react-toggle-group": "^1.1.1",
"@radix-ui/react-tooltip": "^1.1.6", "@radix-ui/react-tooltip": "^1.1.6",
"axios": "^1.12.0", "axios": "^1.12.0",
"badge": "link:@/components/ui/badge",
"button": "link:@/components/ui/button",
"card": "link:@/components/ui/card",
"class-variance-authority": "^0.7.1", "class-variance-authority": "^0.7.1",
"clsx": "^2.1.1", "clsx": "^2.1.1",
"cmdk": "^1.1.1", "cmdk": "^1.1.1",
@@ -55,7 +52,6 @@
"lucide-react": "^0.454.0", "lucide-react": "^0.454.0",
"next": "^16.1.6", "next": "^16.1.6",
"next-themes": "^0.4.6", "next-themes": "^0.4.6",
"progress": "link:@/components/ui/progress",
"react": "^19.2.5", "react": "^19.2.5",
"react-day-picker": "^9.14.0", "react-day-picker": "^9.14.0",
"react-dom": "^19.1.0", "react-dom": "^19.1.0",
@@ -64,7 +60,6 @@
"react-markdown": "^10.1.0", "react-markdown": "^10.1.0",
"react-resizable-panels": "^2.1.7", "react-resizable-panels": "^2.1.7",
"recharts": "^2.15.0", "recharts": "^2.15.0",
"separator": "link:@/components/ui/separator",
"sonner": "^1.7.1", "sonner": "^1.7.1",
"tailwind-merge": "^2.5.5", "tailwind-merge": "^2.5.5",
"tailwindcss-animate": "^1.0.7", "tailwindcss-animate": "^1.0.7",
test-npm-publish.sh
Executable
+139
View File
@@ -0,0 +1,139 @@
#!/bin/bash
# OpenLearnX v2.0.4 NPM Publishing Test Script
# This script validates the package before publishing to NPM
set -e
echo "🚀 OpenLearnX v2.0.4 - NPM Publishing Test"
echo "==========================================="
echo ""
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Helper functions
pass() {
echo -e "${GREEN}$1${NC}"
}
fail() {
echo -e "${RED}$1${NC}"
exit 1
}
warn() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
# Test 1: Check if we're in the right directory
echo "📁 Test 1: Checking directory structure..."
if [ -f "frontend/package.json" ]; then
pass "Found frontend/package.json"
else
fail "Not in correct directory. Run from project root."
fi
# Test 2: Verify package.json structure
echo ""
echo "📦 Test 2: Validating package.json..."
cd frontend
if [ ! -f "package.json" ]; then
fail "package.json not found in frontend/"
fi
# Check for required fields
if grep -q '"name": "openlearnx"' package.json; then
pass "Package name is correct: openlearnx"
else
fail "Package name is incorrect or missing"
fi
if grep -q '"version": "2.0.4"' package.json; then
pass "Version is correct: 2.0.4"
else
fail "Version is not 2.0.4"
fi
if grep -q '"private": false' package.json; then
pass "Package is public (private: false)"
else
fail "Package is marked as private"
fi
if grep -q 'https://registry.npmjs.org' package.json; then
pass "Publishing to correct registry: npmjs.org"
else
fail "Publishing registry not configured correctly"
fi
# Test 3: Check for link: dependencies
echo ""
echo "🔗 Test 3: Checking for local link: dependencies..."
if grep -q 'link:' package.json; then
fail "Found link: dependencies that break NPM publishing. Package has been fixed."
else
pass "No link: dependencies found ✅"
fi
# Test 4: Validate JSON
echo ""
echo "🔍 Test 4: Validating JSON syntax..."
if node -e "JSON.parse(require('fs').readFileSync('package.json', 'utf8'))" 2>/dev/null; then
pass "package.json has valid JSON syntax"
else
fail "package.json has invalid JSON syntax"
fi
# Test 5: Check npm is installed
echo ""
echo "📋 Test 5: Checking NPM installation..."
if command -v npm &> /dev/null; then
npm_version=$(npm --version)
pass "npm is installed (version: $npm_version)"
else
fail "npm is not installed"
fi
# Test 6: Verify npm registry access
echo ""
echo "🌐 Test 6: Checking npm registry access..."
if npm ping --registry https://registry.npmjs.org 2>/dev/null; then
pass "Connected to NPM registry"
else
warn "Could not reach NPM registry (might need internet)"
fi
# Test 7: Check npm login status
echo ""
echo "🔐 Test 7: Checking npm authentication..."
if npm whoami 2>/dev/null > /dev/null; then
logged_in_user=$(npm whoami 2>/dev/null)
pass "Logged in as: $logged_in_user"
else
warn "Not logged in to npm. You'll need to run: npm login"
fi
# Test 8: Dry run of package creation
echo ""
echo "📦 Test 8: Testing package creation (dry run)..."
if npm pack --dry-run 2>/dev/null | grep -q "openlearnx@2.0.4"; then
pass "Package would be created successfully"
else
fail "Package creation test failed"
fi
echo ""
echo "==========================================="
echo -e "${GREEN}✅ All tests passed!${NC}"
echo ""
echo "🚀 Ready to publish:"
echo " npm publish"
echo ""
echo "Or test locally first:"
echo " npm pack && tar -tzf openlearnx-2.0.4.tgz | head -20"
echo ""