* Resolves userId from a verified internal JWT token. * Only trusts the userId embedded in the JWT payload — never from user-controlled sources.
(
verificationUserId: string | null,
options: { requireWorkflowId?: boolean }
)
| 44 | * Only trusts the userId embedded in the JWT payload — never from user-controlled sources. |
| 45 | */ |
| 46 | function resolveUserFromJwt( |
| 47 | verificationUserId: string | null, |
| 48 | options: { requireWorkflowId?: boolean } |
| 49 | ): AuthResult { |
| 50 | if (verificationUserId) { |
| 51 | return { success: true, userId: verificationUserId, authType: AuthType.INTERNAL_JWT } |
| 52 | } |
| 53 | |
| 54 | if (options.requireWorkflowId !== false) { |
| 55 | return { success: false, error: 'userId required but not present in JWT' } |
| 56 | } |
| 57 | |
| 58 | return { success: true, authType: AuthType.INTERNAL_JWT } |
| 59 | } |
| 60 | |
| 61 | /** |
| 62 | * Check for internal JWT authentication only. |
no outgoing calls
no test coverage detected