From 6fd9371c29d8cfcaab6386e978806e76bc841ab5 Mon Sep 17 00:00:00 2001
From: Autowebassat-blip
Date: Fri, 12 Jun 2026 05:19:10 +0200
Subject: [PATCH] Reject extra session token segments

---
 apps/logicsrc-web/contract/logicsrc-web.contract.test.ts | 3 ++-
 apps/logicsrc-web/src/lib/coinpay.ts | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
index ad12321..897f806 100644
--- a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
+++ b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
@@ -376,7 +376,8 @@ describe("session signing", () => {
 process.env.LOGICSRC_SESSION_SECRET = "session_secret_for_tests";
 const token = signSession({ provider: "coinpay", sub: "merchant-123" });
 expect(verifySession(token)).toMatchObject({ provider: "coinpay", sub: "merchant-123" });
- expect(verifySession(`${token}tampered`)).toBeNull();
+ expect(verifySession(`tampered`)).toBeNull();
+ expect(verifySession(`.extra`)).toBeNull();
 });
 });
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
index aaa9fb9..0bfec17 100644
--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -160,7 +160,9 @@ export function signSession(payload: Record): string {
 }
 export function verifySession(value: string): Record | null {
- const [encoded, signature] = value.split(".");
+ const parts = value.split(".");
+ if (parts.length !== 2) return null;
+ const [encoded, signature] = parts;
 if (!encoded || !signature) return null;
 const expected = createHmac("sha256", getSessionSecret()).update(encoded).digest("base64url");
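Review bot: Neither added assertion in the contract test actually exercises the new `parts.length !== 2` guard, so the test would pass against the old code too. `tampered` splits into a single segment and `.extra` into `["", "extra"]`; both were already rejected by the pre-existing `if (!encoded || !signature) return null;` line. The replaced `${token}tampered` case was also the only one hitting the HMAC-mismatch path, and it has been dropped rather than kept. Unless the `${token}` interpolation was lost when this patch was rendered, I would restore that line and add a genuine three-segment case: `expect(verifySession(`${token}.extra`)).toBeNull();` and `expect(verifySession(`${token}tampered`)).toBeNull();`.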
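Review bot: The new segment-count check in `verifySession` is the right fix, but the function still has no documentation of the token format it enforces, which is exactly the kind of contract a later change is likely to break. I would put a TSDoc above it along the lines of `/** Verifies a token produced by signSession. Format is exactly two base64url segments, "<payload>.<hmac-sha256>"; any other segment count, an empty segment, or a signature mismatch yields null. */`. The comparison of `expected` against `signature` sits on the lines after this hunk, so I cannot see it here; if it is a plain `===`, it should be a length-checked `crypto.timingSafeEqual` over `Buffer.from(...)` so a forged signature cannot be distinguished by timing. The body of `verifySession` continues past the end of the hunk.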