Updated frameworks.

backend/src/core/plugins/auth.plugin.ts

@@ -19,6 +19,11 @@ declare module 'fastify' {
 }
 
 const authPlugin: FastifyPluginAsync = async (fastify) => {
+  // Security validation: ensure AUTH0_DOMAIN is properly configured
+  if (!env.AUTH0_DOMAIN || !env.AUTH0_DOMAIN.includes('.auth0.com')) {
+    throw new Error('AUTH0_DOMAIN must be a valid Auth0 domain');
+  }
+
   // Initialize JWKS client for Auth0 public key retrieval
   const getJwks = buildGetJwks({
     ttl: 60 * 60 * 1000, // 1 hour cache
@@ -31,14 +36,18 @@ const authPlugin: FastifyPluginAsync = async (fastify) => {
       try {
         const { header: { kid, alg }, payload: { iss } } = token;
         
-        // Validate issuer matches Auth0 domain
+        // Validate issuer matches Auth0 domain (security: prevent issuer spoofing)
         const expectedIssuer = `https://${env.AUTH0_DOMAIN}/`;
         if (iss !== expectedIssuer) {
           throw new Error(`Invalid issuer: ${iss}`);
         }
 
-        // Get public key from Auth0 JWKS endpoint
-        return getJwks.getPublicKey({ kid, domain: env.AUTH0_DOMAIN, alg });
+        // Get public key from Auth0 JWKS endpoint (security: uses full HTTPS URL)
+        return getJwks.getPublicKey({ 
+          kid, 
+          domain: expectedIssuer, // Use validated issuer as domain 
+          alg 
+        });
       } catch (error) {
         logger.error('JWKS key retrieval failed', { 
           error: error instanceof Error ? error.message : 'Unknown error',