From 7a4a3a1f17022ed6e1117cd55b28ece1140a86bf Mon Sep 17 00:00:00 2001
From: Scott Anderson
Date: Sat, 24 May 2025 23:06:30 -0400
Subject: [PATCH] Update zod to 3.25 (#872)
## Description:
Update to zod 3.25, and use zod's built in JWT validator.
## Please complete the following:
- [x] I have added screenshots for all UI updates
- [x] I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced
- [x] I understand that submitting code with bugs that could have been caught through manual testing blocks releases and new features for all contributors
Co-authored-by: Scott Anderson <662325+scottanderson@users.noreply.github.com>
Co-authored-by: evanpelle
---
 package-lock.json | 8 ++++----
 package.json | 2 +-
 src/core/Schemas.ts | 33 +++++++++------------------------
 3 files changed, 14 insertions(+), 29 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 562345cd6..642cf039e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -72,7 +72,7 @@ "winston": "^3.17.0", "winston-transport": "^4.9.0", "ws": "^8.18.0", - "zod": "^3.23.8" + "zod": "^3.25.28" }, "devDependencies": { "@babel/core": "^7.25.2",
@@ -21416,9 +21416,9 @@ } }, "node_modules/zod": { - "version": "3.23.8", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.23.8.tgz", - "integrity": "sha512-XBx9AXhXktjUqnepgTiE5flcKIYWi/rme0Eaj+5Y0lftuGBq+jyRu/md4WnuxqgP1ubdpNCsYEYPxrzVHD8d6g==", + "version": "3.25.28", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.28.tgz", + "integrity": "sha512-/nt/67WYKnr5by3YS7LroZJbtcCBurDKKPBPWWzaxvVCGuG/NOsiKkrjoOhI8mJ+SQUXEbUzeB3S+6XDUEEj7Q==", "license": "MIT", "funding": { "url": "https://github.com/sponsors/colinhacks"
diff --git a/package.json b/package.json
index a21f588ec..2e2d02381 100644
--- a/package.json
+++ b/package.json
@@ -143,7 +143,7 @@
 "winston": "^3.17.0",
 "winston-transport": "^4.9.0",
 "ws": "^8.18.0",
- "zod": "^3.23.8"
+ "zod": "^3.25.28"
 },
 "type": "module"
 }
diff --git a/src/core/Schemas.ts b/src/core/Schemas.ts
index 5d681040e..0b6a6bd4a 100644
--- a/src/core/Schemas.ts
+++ b/src/core/Schemas.ts
@@ -136,33 +136,18 @@ const SafeString = z
 )
 .max(1000);
-const jwtRegex = /^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$/;
-// Copied from zod, modified to remove their erroneous `typ` header requirement
-function isValidJWT(jwt: string, alg?: string): boolean {
- if (!jwtRegex.test(jwt)) return false;
- try {
- const [header] = jwt.split(".");
- // Convert base64url to base64
- const base64 = header
- .replace(/-/g, "+")
- .replace(/_/g, "/")
- .padEnd(header.length + ((4 - (header.length % 4)) % 4), "=");
- const decoded = JSON.parse(atob(base64));
- if (typeof decoded !== "object" || decoded === null) return false;
- if (!decoded.alg) return false;
- if (alg && decoded.alg !== alg) return false;
- return true;
- } catch {
- return false;
- }
-}
-
 const PersistentIdSchema = z.string().uuid();
+const JwtTokenSchema = z.string().jwt();
 const TokenSchema = z
 .string()
- .refine((v) => PersistentIdSchema.safeParse(v).success || isValidJWT(v), {
- message: "Token must be a valid UUID or JWT",
- });
+ .refine(
+ (v) =>
+ PersistentIdSchema.safeParse(v).success ||
+ JwtTokenSchema.safeParse(v).success,
+ {
+ message: "Token must be a valid UUID or JWT",
+ },
+ );
 const EmojiSchema = z
 .number()
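Review bot: `const JwtTokenSchema = z.string().jwt();` replaces a helper that, per its removed comment, was forked from zod specifically to drop zod's `typ` header requirement, and nothing in this hunk shows that zod 3.25.28 accepts a header without `typ`. If the built-in check is still stricter there, tokens that passed `TokenSchema` before this commit would now be rejected, so a schema test that parses a token whose header carries only `alg` would pin the intended behaviour. The removed helper inspected only the token's shape and header, and `.jwt()` is likewise, as far as I know, a format check rather than a signature check, so a comment above the new constant would help: `// Format check only; signature, expiry and alg must be verified where the token is consumed.` If the issuer signs with a single algorithm, `z.string().jwt({ alg: "<expected-alg>" })` (placeholder value) would also reject other `alg` headers at the schema boundary.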