From 8a99dd5c4b74a4ea2ce715aed5e517022621f05c Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Sat, 28 Mar 2026 06:02:54 +0000
Subject: fix(auth): ignore malformed user cookies
---
src/graphql/user/resolvers.ts | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'src/graphql/user')
diff --git a/src/graphql/user/resolvers.ts b/src/graphql/user/resolvers.ts
index dfbaa927..360d622b 100644
--- a/src/graphql/user/resolvers.ts
+++ b/src/graphql/user/resolvers.ts
@@ -1,4 +1,7 @@
-import { userIdentity, type UserIdentity } from "$lib/Data/AniList/identity";
+import {
+ safeUserIdentity,
+ type UserIdentity,
+} from "$lib/Data/AniList/identity";
 import {
 addUserBadge,
 getUserBadges,
@@ -24,7 +27,7 @@ import {
 type UserPreferences,
 } from "$lib/Database/SB/User/preferences";
 import privilegedUser from "$lib/Utility/privilegedUser";
-import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
+import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
 type Context = RequestEvent>, string | null>;
 type UserResolvers = Pick<
@@ -52,9 +55,11 @@ const auth = async (context: Context) => {
 if (!userCookie) return Error("Unauthorised");
- const user = decodeAuthCookieOrThrow(userCookie);
+ const user = decodeAuthCookieOrNull(userCookie);
+
+ if (!user) return Error("Unauthorised");
- return await userIdentity(user);
+ return (await safeUserIdentity(user)) ?? Error("Unauthorised");
 };
 const authenticatedBadgesOperation = async (
--
cgit v1.2.3
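Review bot: The new `if (!user) return Error("Unauthorised");` and the `?? Error("Unauthorised")` fallback in `auth` fold three different conditions (no cookie, a cookie that fails to decode, and an identity lookup that yields nothing) into one silent result, so nothing server-side records that a malformed or tampered cookie was presented. Keeping the client-facing message uniform is right, but I would log the reason before returning, without the cookie value, e.g. `if (!user) { console.warn("auth: user cookie failed to decode"); return Error("Unauthorised"); }`, using whatever logger the project already has. If `safeUserIdentity` also returns null on an upstream failure (its body is not visible here), that case is reported as Unauthorised too and deserves its own log line. `auth` begins above this hunk and returns an `Error` value instead of throwing, so every caller has to test the result with `instanceof Error` before treating it as a `UserIdentity`.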