From 8a99dd5c4b74a4ea2ce715aed5e517022621f05c Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Sat, 28 Mar 2026 06:02:54 +0000
Subject: fix(auth): ignore malformed user cookies

---
 src/routes/api/badges/+server.ts | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
(limited to 'src/routes/api/badges')

diff --git a/src/routes/api/badges/+server.ts b/src/routes/api/badges/+server.ts
index 8a86b468..476fb264 100644
--- a/src/routes/api/badges/+server.ts
+++ b/src/routes/api/badges/+server.ts
@@ -1,5 +1,5 @@
-import { userIdentity } from "$lib/Data/AniList/identity";
-import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
+import { safeUserIdentity } from "$lib/Data/AniList/identity";
+import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
 import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
 import {
 	removeAllUserBadges,
@@ -35,8 +35,13 @@ export const DELETE = async ({ url, cookies }) => {
 
 	if (!userCookie) return unauthorised;
 
-	const user = decodeAuthCookieOrThrow(userCookie);
-	const identity = await userIdentity(user);
+	const user = decodeAuthCookieOrNull(userCookie);
+
+	if (!user) return unauthorised;
+
+	const identity = await safeUserIdentity(user);
+
+	if (!identity) return unauthorised;
 
 	if ((url.searchParams.get("prune") || 0) === "true") {
 		await removeAllUserBadges(identity.id);
@@ -60,8 +65,13 @@ export const PUT = async ({ cookies, url, request }) => {
 
 	if (!userCookie) return unauthorised;
 
-	const user = decodeAuthCookieOrThrow(userCookie);
-	const identity = await userIdentity(user);
+	const user = decodeAuthCookieOrNull(userCookie);
+
+	if (!user) return unauthorised;
+
+	const identity = await safeUserIdentity(user);
+
+	if (!identity) return unauthorised;
 
 	const authorised = privilegedUser(identity.id);
 	if (url.searchParams.get("shadowHide"))
-- 
cgit v1.2.3
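Review bot: The decode-then-resolve sequence added in the DELETE hunk (`decodeAuthCookieOrNull` → `if (!user)` → `safeUserIdentity` → `if (!identity)`) is repeated verbatim in the PUT hunk below; folding it into one helper keeps the two handlers from drifting the next time the session check changes. The new `if (!user) return unauthorised;` branch is also silent, and a cookie that is present but fails to decode is a tampering or key-rotation signal a defender wants in the logs, so a line such as `console.warn("badges: rejecting malformed user cookie");` (never echoing the cookie value itself) before returning would help. If `safeUserIdentity` returns null on an upstream lookup failure as well as on an invalid session — its implementation is not in this diff — a transient outage would surface as the same 401 here, which may be worth distinguishing. The enclosing DELETE and PUT handlers both start and end outside their hunks.
```typescript
// Decodes the user cookie and resolves its identity; null when either step fails.
// The warning is intentionally free of the cookie contents.
async function identityFromCookie(userCookie: string) {
	const user = decodeAuthCookieOrNull(userCookie);
	if (!user) {
		console.warn("badges: rejecting malformed user cookie");
		return null;
	}
	return safeUserIdentity(user);
}

// … in DELETE (and identically in PUT), replacing the four-statement sequence:
const identity = await identityFromCookie(userCookie);
if (!identity) return unauthorised;
```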