From ec7a4da9bced17bf14d7cc6d4f1c3c0ec4f8a8f6 Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:13:28 -0400
Subject: [PATCH 1/9] feat(api): add FDX error helper, asyncHandler, scope+auth
 utilities

Introduce small per-app helpers that the route refactors depend on:

- utils/errors.ts: FDX-compliant error builder + curated set of
  reusable error responses ({ code, message, debugMessage? }).
- utils/asyncHandler.ts: wraps async route handlers so rejected
  promises propagate to Express's error handler.
- utils/auth.ts: AuthenticatedRequest type, getSubject helper, and
  requireScope middleware for selectively enforcing OAuth scopes
  per-route. Augments Express's Request via global declaration so
  req.user is typed everywhere without per-route casts.
---
 apps/api/src/utils/asyncHandler.ts | 19 ++++++++
 apps/api/src/utils/auth.ts         | 75 ++++++++++++++++++++++++++++++
 apps/api/src/utils/errors.ts       | 53 +++++++++++++++++++++
 3 files changed, 147 insertions(+)
 create mode 100644 apps/api/src/utils/asyncHandler.ts
 create mode 100644 apps/api/src/utils/auth.ts
 create mode 100644 apps/api/src/utils/errors.ts

diff --git a/apps/api/src/utils/asyncHandler.ts b/apps/api/src/utils/asyncHandler.ts
new file mode 100644
index 0000000..2edff05
--- /dev/null
+++ b/apps/api/src/utils/asyncHandler.ts
@@ -0,0 +1,19 @@
+import type { Request, Response, NextFunction, RequestHandler } from "express";
+
+/**
+ * Wrap an async Express route handler so any rejected promise is forwarded
+ * to Express's error handling middleware via `next(err)` instead of bubbling
+ * up as an unhandled rejection.
+ *
+ * The generic parameters allow callers to use narrower request/response
+ * types (for example `AuthenticatedRequest<{ accountId: string }>`) while
+ * still producing a standard Express `RequestHandler`.
+ */
+export function asyncHandler<R extends Request = Request, S extends Response = Response>(
+	// eslint-disable-next-line no-unused-vars
+	fn: ( req: R, res: S, next: NextFunction ) => Promise<unknown>
+): RequestHandler {
+	return ( req, res, next ) => {
+		Promise.resolve( fn( req as R, res as S, next ) ).catch( next );
+	};
+}
diff --git a/apps/api/src/utils/auth.ts b/apps/api/src/utils/auth.ts
new file mode 100644
index 0000000..b4f9aa2
--- /dev/null
+++ b/apps/api/src/utils/auth.ts
@@ -0,0 +1,75 @@
+import type { Request, Response, NextFunction, RequestHandler } from "express";
+import type { JWTPayload } from "jose";
+import { FDXErrors } from "./errors.js";
+
+/**
+ * Augment Express's `Request` so route handlers can read the verified JWT
+ * payload at `req.user` without per-route casts. Populated by the JWT
+ * verification middleware in apps/api/src/index.ts.
+ */
+declare global {
+	namespace Express {
+		interface Request {
+			user?: JWTPayload;
+		}
+	}
+}
+
+/**
+ * Convenience alias for handlers that require an authenticated request.
+ * Uses Express's standard generics so it remains assignable to plain
+ * `RequestHandler` parameters and to `asyncHandler`.
+ */
+export type AuthenticatedRequest<
+	P = Record<string, string>,
+	ResBody = unknown,
+	ReqBody = unknown,
+	// Use `any` (matching express-serve-static-core's defaults) so this type
+	// remains assignable wherever a plain `Request` is expected without
+	// triggering ParsedQs incompatibilities.
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	ReqQuery = any
+> = Request<P, ResBody, ReqBody, ReqQuery> & { user?: JWTPayload };
+
+/**
+ * Extract the authenticated subject (user id) from the verified JWT payload.
+ * Returns null when no user is attached or `sub` is missing.
+ */
+export function getSubject( req: Request ): string | null {
+	const user = req.user;
+	return typeof user?.sub === "string" && user.sub.length > 0 ? user.sub : null;
+}
+
+/**
+ * Parse the space-separated `scope` claim from a verified JWT into a Set.
+ */
+function parseScopes( scopeClaim: unknown ): Set<string> {
+	if ( typeof scopeClaim !== "string" ) return new Set();
+	return new Set( scopeClaim.split( " " ).filter( Boolean ) );
+}
+
+/**
+ * Express middleware factory that requires the authenticated token's `scope`
+ * claim to contain every scope in `requiredScopes`. Responds with HTTP 403
+ * and an FDX error body when scopes are missing.
+ *
+ * Must run after the JWT-verification middleware that attaches `req.user`.
+ */
+export function requireScope( ...requiredScopes: string[] ): RequestHandler {
+	return ( req: Request, res: Response, next: NextFunction ) => {
+		const user = req.user;
+		if ( !user ) {
+			return res.status( 401 ).json( FDXErrors.insufficientScope( "Missing authentication context" ) );
+		}
+
+		const grantedScopes = parseScopes( user.scope );
+		const missing = requiredScopes.filter( ( s ) => !grantedScopes.has( s ) );
+		if ( missing.length > 0 ) {
+			return res.status( 403 ).json(
+				FDXErrors.forbidden( `Missing required scope(s): ${ missing.join( " " ) }` )
+			);
+		}
+
+		return next();
+	};
+}
diff --git a/apps/api/src/utils/errors.ts b/apps/api/src/utils/errors.ts
new file mode 100644
index 0000000..816a9c5
--- /dev/null
+++ b/apps/api/src/utils/errors.ts
@@ -0,0 +1,53 @@
+/**
+ * FDX-compliant error response helpers.
+ *
+ * Per the FDX spec error responses must contain a numeric `code` and a
+ * `message`, and may optionally include a `debugMessage`. The `code` is the
+ * FDX error code (long-term persistent identifier) and is allowed to differ
+ * from the HTTP status code.
+ */
+
+export interface FDXError {
+	code: number;
+	message: string;
+	debugMessage?: string;
+}
+
+/**
+ * Build an FDX-compliant error body.
+ */
+export function fdxError( code: number, message: string, debugMessage?: string ): FDXError {
+	const body: FDXError = { code, message };
+	if ( debugMessage ) body.debugMessage = debugMessage;
+	return body;
+}
+
+/**
+ * Common FDX errors used across routes.
+ *
+ * Codes loosely follow the FDX spec ranges:
+ *   - 6xx: customer / authorization-related errors
+ *   - 7xx: account / data-related errors
+ */
+export const FDXErrors = {
+	insufficientScope: ( debugMessage?: string ): FDXError =>
+		fdxError( 401, "Insufficient scope for this operation", debugMessage ),
+
+	forbidden: ( debugMessage?: string ): FDXError =>
+		fdxError( 403, "Forbidden", debugMessage ),
+
+	customerNotFound: ( debugMessage?: string ): FDXError =>
+		fdxError( 601, "A customer with the provided customer ID could not be found", debugMessage ),
+
+	accountNotFound: ( debugMessage?: string ): FDXError =>
+		fdxError( 701, "An account with the provided account ID could not be found", debugMessage ),
+
+	statementNotFound: ( debugMessage?: string ): FDXError =>
+		fdxError( 702, "A statement with the provided statement ID could not be found", debugMessage ),
+
+	validationFailed: ( debugMessage?: string ): FDXError =>
+		fdxError( 400, "Validation failed", debugMessage ),
+
+	internalError: ( debugMessage?: string ): FDXError =>
+		fdxError( 500, "Internal server error", debugMessage )
+};

From eaee56b6c0781049735a5f73c778567c775b139b Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:13:38 -0400
Subject: [PATCH 2/9] fix(api): replace customer-123 hardcode with
 authenticated subject lookup

getCurrentCustomer now requires the authenticated user's id (the JWT
sub claim) instead of always returning the first record. This removes
the cross-customer data leak where any authenticated user resolved to
"customer-123" regardless of identity.

The first customer fixture is updated so its customerId matches the
demo user's sub ("user_123" - see apps/auth/src/index.ts USERS map),
allowing the demo flow to continue working end-to-end after the lookup
becomes identity-driven.
---
 apps/api/src/data/customers.ts           | 13 +++++++++----
 apps/api/src/data/customersRepository.ts | 13 +++++++------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/apps/api/src/data/customers.ts b/apps/api/src/data/customers.ts
index 7b78bec..5484b4d 100644
--- a/apps/api/src/data/customers.ts
+++ b/apps/api/src/data/customers.ts
@@ -1,9 +1,14 @@
-// Mock customer data
+// Mock customer data.
+//
+// The first record's `customerId` is intentionally set to the demo user's
+// OIDC `sub` claim ("user_123" — see apps/auth/src/index.ts USERS map) so the
+// resource server can resolve an authenticated user to their customer record
+// using the JWT subject directly.
 export const customers = [
 	{
-		customerId: "customer-123",
-		name: "Current Customer",
-		email: "customer@example.com",
+		customerId: "user_123",
+		name: "Dev User",
+		email: "user@example.test",
 		status: "active",
 		createdDate: "2021-05-15",
 		preferences: {
diff --git a/apps/api/src/data/customersRepository.ts b/apps/api/src/data/customersRepository.ts
index 518750e..9bf6d09 100644
--- a/apps/api/src/data/customersRepository.ts
+++ b/apps/api/src/data/customersRepository.ts
@@ -20,16 +20,17 @@ interface CustomerFilters {
 }
 
 /**
- * Get the current customer (simulating a logged-in user)
+ * Get the current customer for an authenticated user.
+ *
+ * The `userId` argument should be the verified JWT subject (`sub` claim) of
+ * the authenticated request. The repository looks up the customer record
+ * keyed on this id; never trust unauthenticated input here.
  */
-export async function getCurrentCustomer(): Promise<Customer | null> {
-	// In a real implementation, this would use authentication context
-	// For now, we'll just return the first customer as the "current" one
-
+export async function getCurrentCustomer( userId: string ): Promise<Customer | null> {
 	// Simulate database query delay
 	return new Promise<Customer | null>( ( resolve ) => {
 		setTimeout( () => {
-			const currentCustomer = customers.find( ( c: Customer ) => c.customerId === "customer-123" );
+			const currentCustomer = customers.find( ( c: Customer ) => c.customerId === userId );
 			resolve( currentCustomer || null );
 		}, 75 ); // Simulate 75ms delay
 	} );

From a8f4c3d2c185b011a3c4ea9deef4c06cf25d4cff Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:13:48 -0400
Subject: [PATCH 3/9] fix(api): scope account lookups by owning customer (IDOR
 fix)

Add a customerId field to every account record and update the
repository so account access is always scoped by the authenticated
user. getAccounts now requires a customerId and filters to that
customer; getAccountForCustomer pairs a lookup with an ownership
check and treats not-owned identically to not-found so we don't leak
the existence of other customers' accounts.

All demo accounts are assigned to the demo user ("user_123") so the
existing happy-path flow keeps working after the route handlers move
to the ownership-aware repository helpers.
---
 apps/api/src/data/accounts.ts           | 20 +++++++++++-
 apps/api/src/data/accountsRepository.ts | 41 ++++++++++++++++++++++---
 2 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/apps/api/src/data/accounts.ts b/apps/api/src/data/accounts.ts
index 3633fca..2a38bc0 100644
--- a/apps/api/src/data/accounts.ts
+++ b/apps/api/src/data/accounts.ts
@@ -1,7 +1,15 @@
-// Mock data for accounts
+// Mock data for accounts.
+//
+// Every account carries a `customerId` referencing the owning customer. This
+// is used by the resource server to enforce account-ownership checks on
+// authenticated requests so a user can only access accounts they own.
+//
+// For the demo flow all accounts are assigned to the demo user (sub
+// "user_123"; see apps/auth/src/index.ts USERS map and apps/api/src/data/customers.ts).
 export const accounts = [
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-123",
 		accountNumberDisplay: "0123",
 		nickname: "My Checking",
@@ -16,6 +24,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-456",
 		accountNumberDisplay: "0456",
 		nickname: "Emergency Fund",
@@ -30,6 +39,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-789",
 		accountNumberDisplay: "0789",
 		nickname: "House Down Payment",
@@ -44,6 +54,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-101",
 		accountNumberDisplay: "0101",
 		nickname: "Home Escrow",
@@ -58,6 +69,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-202",
 		accountNumberDisplay: "0202",
 		nickname: "Investment Buffer",
@@ -72,6 +84,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-303",
 		accountNumberDisplay: "0303",
 		nickname: "Rainy Day Fund",
@@ -86,6 +99,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-404",
 		accountNumberDisplay: "0404",
 		nickname: "Dream Home",
@@ -100,6 +114,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "DEPOSIT_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-505",
 		accountNumberDisplay: "0505",
 		nickname: "Vacation Club",
@@ -114,6 +129,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "LOC_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-601",
 		accountNumberDisplay: "4532",
 		nickname: "Rewards Card",
@@ -129,6 +145,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "LOAN_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-602",
 		accountNumberDisplay: "9876",
 		nickname: "Home Loan",
@@ -148,6 +165,7 @@ export const accounts = [
 	},
 	{
 		accountCategory: "LOAN_ACCOUNT",
+		customerId: "user_123",
 		accountId: "account-603",
 		accountNumberDisplay: "1234",
 		nickname: "Car Payment",
diff --git a/apps/api/src/data/accountsRepository.ts b/apps/api/src/data/accountsRepository.ts
index 819ebfa..0414ed8 100644
--- a/apps/api/src/data/accountsRepository.ts
+++ b/apps/api/src/data/accountsRepository.ts
@@ -8,6 +8,9 @@ interface Currency {
 interface Account {
 	accountCategory: string;
 	accountId: string;
+	// Owning customer - used for authorization checks. Must equal the
+	// authenticated user's `sub` claim for the user to access this account.
+	customerId: string;
 	accountNumberDisplay: string;
 	productName: string;
 	status: string;
@@ -136,21 +139,33 @@ interface PaginatedAssetTransferNetworksResult {
 // Simulating async database operations with promises
 
 /**
- * Get all accounts with pagination support
+ * Get all accounts owned by a specific customer with pagination support.
+ *
+ * Always scope account lookups by the authenticated user's customer id to
+ * prevent cross-customer data leakage.
  */
-export async function getAccounts( offset = 0, limit = 10 ): Promise<PaginatedAccountsResult> {
+export async function getAccounts( customerId: string, offset = 0, limit = 10 ): Promise<PaginatedAccountsResult> {
 	// Simulate database query delay
 	return new Promise<PaginatedAccountsResult>( ( resolve ) => {
 		setTimeout( () => {
-			const paginatedAccounts = accounts.slice( offset, offset + limit );
+			const owned = accounts.filter( ( acc: Account ) => acc.customerId === customerId );
+			const paginatedAccounts = owned.slice( offset, offset + limit );
 			resolve( {
 				accounts: paginatedAccounts,
-				total: accounts.length
+				total: owned.length
 			} );
 		}, 100 ); // Simulate 100ms delay
 	} );
 }
 
+/**
+ * Look up an account by id without applying ownership filtering.
+ *
+ * Callers in route handlers MUST verify `account.customerId` matches the
+ * authenticated user before returning the record. Prefer
+ * `getAccountForCustomer` when you have a customer id available - it
+ * collapses the lookup + ownership check into a single repository call.
+ */
 export async function getAccountById( accountId: string ): Promise<Account | null> {
 	// Simulate database query delay
 	return new Promise<Account | null>( ( resolve ) => {
@@ -161,6 +176,24 @@ export async function getAccountById( accountId: string ): Promise<Account | nul
 	} );
 }
 
+/**
+ * Look up an account by id and verify it belongs to the supplied customer.
+ *
+ * Returns the account when both the account exists and is owned by
+ * `customerId`; returns null otherwise. Treats not-found and not-owned
+ * identically so we don't leak the existence of accounts owned by other
+ * customers.
+ */
+export async function getAccountForCustomer(
+	accountId: string,
+	customerId: string
+): Promise<Account | null> {
+	const account = await getAccountById( accountId );
+	if ( !account ) return null;
+	if ( account.customerId !== customerId ) return null;
+	return account;
+}
+
 /**
  * Get account contact information by account ID
  */

From 8a22e06dd4dfe669f8c15e5e43a66188b9223db4 Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:14:11 -0400
Subject: [PATCH 4/9] fix(auth): add CSRF, login rate limiting, and remove
 `any` types

P0: protect all interaction POST routes (login/confirm/cancel) with the
maintained `csrf-csrf` double-submit cookie middleware and embed a hidden
CSRF token in every interaction form. The CSRF session is bound to the
interaction UID so each login flow gets a uniquely-scoped token.

P1: rate-limit POST /interaction/:uid/login at 10 attempts per 15 minutes
per IP via `express-rate-limit`. The limiter renders a friendly EJS error
in production and exposes `LOGIN_RATE_LIMIT_*` env vars for tuning.

P1: replace the five eslint-disabled `any` annotations in apps/auth with
narrow types from a new minimal `oidc-provider` module declaration, and
swap the response interception body/chunk over to `unknown` with a typed
parser.

P1: hide the development credential block in views/interaction.ejs unless
NODE_ENV !== 'production' (exposed via `app.locals.isProduction`).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 apps/auth/package.json           |   4 +
 apps/auth/public/styles.css      |   5 +-
 apps/auth/src/index.ts           | 289 +++++++++++++++++++++++++------
 apps/auth/src/oidc-provider.d.ts |  78 ++++++++-
 apps/auth/views/interaction.ejs  |   5 +
 pnpm-lock.yaml                   |  36 ++++
 6 files changed, 363 insertions(+), 54 deletions(-)

diff --git a/apps/auth/package.json b/apps/auth/package.json
index a231386..402d49e 100644
--- a/apps/auth/package.json
+++ b/apps/auth/package.json
@@ -12,15 +12,19 @@
   },
   "dependencies": {
     "@apps/shared": "workspace:*",
+    "cookie-parser": "^1.4.7",
+    "csrf-csrf": "^4.0.3",
     "dotenv": "^17.4.2",
     "ejs": "^5.0.2",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.5.0",
     "oidc-provider": "^9.8.3",
     "pino": "^10.3.1",
     "pino-pretty": "^13.1.3"
   },
   "devDependencies": {
     "@tailwindcss/cli": "^4.2.4",
+    "@types/cookie-parser": "^1.4.10",
     "@types/ejs": "^3.1.5",
     "@types/express": "^5.0.6",
     "@types/node": "^25.6.0",
diff --git a/apps/auth/public/styles.css b/apps/auth/public/styles.css
index 69d0929..923e1c2 100644
--- a/apps/auth/public/styles.css
+++ b/apps/auth/public/styles.css
@@ -1,4 +1,4 @@
-/*! tailwindcss v4.2.2 | MIT License | https://tailwindcss.com */
+/*! tailwindcss v4.2.4 | MIT License | https://tailwindcss.com */
 @layer properties;
 @layer theme, base, components, utilities;
 @layer theme {
@@ -231,6 +231,9 @@
   .flex {
     display: flex;
   }
+  .hidden {
+    display: none;
+  }
   .h-5 {
     height: calc(var(--spacing) * 5);
   }
diff --git a/apps/auth/src/index.ts b/apps/auth/src/index.ts
index 57b0ec1..9f06a69 100644
--- a/apps/auth/src/index.ts
+++ b/apps/auth/src/index.ts
@@ -1,6 +1,14 @@
 import "dotenv/config";
-import express, { Request, Response } from "express";
-import { Provider, errors } from "oidc-provider";
+import express, { Request, Response, NextFunction } from "express";
+import {
+	Provider,
+	errors,
+	type OIDCAuthorizationCode,
+	type OIDCClient
+} from "oidc-provider";
+import cookieParser from "cookie-parser";
+import { doubleCsrf } from "csrf-csrf";
+import rateLimit from "express-rate-limit";
 import { readFileSync, existsSync } from "fs";
 import { resolve } from "path";
 import {
@@ -155,6 +163,12 @@ setupBasicExpress( app );
 // Security headers
 app.use( createWebSecurityHeaders() );
 
+// Cookie parser - required for csrf-csrf double-submit cookie pattern.
+// The `COOKIE_SECRET` is also reused below as the CSRF HMAC secret when
+// `CSRF_SECRET` is not separately configured.
+const COOKIE_SECRET = getRequiredEnv( "COOKIE_SECRET", "dev-cookie-secret-CHANGE-ME" );
+app.use( cookieParser( COOKIE_SECRET ) );
+
 // Body parsers (needed to log token request parameters)
 app.use( express.urlencoded( { extended: false } ) );
 app.use( express.json() );
@@ -162,9 +176,148 @@ app.use( express.json() );
 // Template engine
 setupEJSTemplates( app, new URL( "../views", import.meta.url ).pathname );
 
+// Expose NODE_ENV-derived flags to all templates so views can gate
+// development-only UI (e.g. demo credentials) without re-checking env vars.
+app.locals.isProduction = process.env.NODE_ENV === "production";
+
 // Serve static files (CSS, etc.)
 app.use( "/public", express.static( new URL( "../public", import.meta.url ).pathname ) );
 
+// ---------------------------------------------------------------------------
+// CSRF protection (double-submit cookie via csrf-csrf, the maintained
+// replacement for the deprecated `csurf` middleware).
+//
+// Tokens are bound to the interaction UID when present so each user's
+// interaction has its own CSRF binding; for non-interaction routes the
+// session identifier falls back to a stable cookie value or the request IP.
+// ---------------------------------------------------------------------------
+const CSRF_SECRET = process.env.CSRF_SECRET || COOKIE_SECRET;
+const IS_PRODUCTION = process.env.NODE_ENV === "production";
+
+const {
+	generateCsrfToken,
+	doubleCsrfProtection
+} = doubleCsrf( {
+	getSecret: () => CSRF_SECRET,
+	getSessionIdentifier: ( req ) => {
+		// Prefer the per-interaction UID so tokens are scoped to a single login flow.
+		const uidParam = ( req.params as { uid?: string } | undefined )?.uid;
+		if ( typeof uidParam === "string" && uidParam.length > 0 ) {
+			return uidParam;
+		}
+		// Fallback to a stable per-client identifier so non-interaction routes
+		// still receive a deterministic session id.
+		return req.ip ?? "anonymous";
+	},
+	cookieName: IS_PRODUCTION ? "__Host-psifi.x-csrf-token" : "x-csrf-token",
+	cookieOptions: {
+		httpOnly: true,
+		sameSite: "lax",
+		secure: IS_PRODUCTION,
+		path: "/"
+	},
+	getCsrfTokenFromRequest: ( req ) => {
+		const headerToken = req.headers[ "x-csrf-token" ];
+		if ( typeof headerToken === "string" && headerToken.length > 0 ) {
+			return headerToken;
+		}
+		const bodyToken = ( req.body as { _csrf?: unknown } | undefined )?._csrf;
+		return typeof bodyToken === "string" ? bodyToken : undefined;
+	}
+} );
+
+// ---------------------------------------------------------------------------
+// Login rate limiting
+//
+// 10 attempts per 15 minutes per IP balances normal user retries (typo'd
+// password, autofill mishaps) against brute-force probing. Adjust via the
+// `LOGIN_RATE_LIMIT_*` env vars if a deployment needs a different ceiling.
+// ---------------------------------------------------------------------------
+const LOGIN_RATE_LIMIT_WINDOW_MS = Number( process.env.LOGIN_RATE_LIMIT_WINDOW_MS ?? 15 * 60 * 1000 );
+const LOGIN_RATE_LIMIT_MAX = Number( process.env.LOGIN_RATE_LIMIT_MAX ?? 10 );
+
+const loginRateLimiter = rateLimit( {
+	windowMs: LOGIN_RATE_LIMIT_WINDOW_MS,
+	max: LOGIN_RATE_LIMIT_MAX,
+	standardHeaders: true,
+	legacyHeaders: false,
+	handler: ( req: Request, res: Response ) => {
+		logger.warn( {
+			path: req.path,
+			ip: req.ip,
+			uid: req.params?.uid
+		}, "Login rate limit exceeded" );
+
+		const uidParam = req.params?.uid;
+		const uid = typeof uidParam === "string" ? uidParam : "";
+
+		let csrfToken = "";
+		try {
+			csrfToken = generateCsrfToken( req, res );
+		} catch {
+			// non-fatal; render without a fresh token
+		}
+
+		try {
+			return res.status( 429 ).render( "interaction", {
+				uid,
+				prompt: "login",
+				scopes: [],
+				error: "Too many login attempts. Please wait a few minutes and try again.",
+				email: undefined,
+				csrfToken
+			} );
+		} catch {
+			return res.status( 429 ).json( {
+				error: "too_many_requests",
+				error_description: "Too many login attempts. Please try again later."
+			} );
+		}
+	}
+} );
+
+/**
+ * Wraps `doubleCsrfProtection` with a friendly EJS error page when the token
+ * fails to validate. Without this users would see a raw 403 JSON/HTML body.
+ */
+function csrfProtection( req: Request, res: Response, next: NextFunction ): void {
+	doubleCsrfProtection( req, res, ( err ) => {
+		if ( err ) {
+			logger.warn( {
+				path: req.path,
+				ip: req.ip,
+				error: err instanceof Error ? err.message : String( err )
+			}, "CSRF validation failed" );
+
+			const uidParam = req.params?.uid;
+			const uid = typeof uidParam === "string" ? uidParam : "";
+
+			// Try to render the interaction page with a friendly error. If the
+			// view fails to render (e.g. on non-interaction routes), fall back
+			// to a plain 403.
+			try {
+				let csrfToken = "";
+				try {
+					csrfToken = generateCsrfToken( req, res );
+				} catch {
+					// ignore - we'll render without a fresh token
+				}
+				return res.status( 403 ).render( "interaction", {
+					uid,
+					prompt: "login",
+					scopes: [],
+					error: "Your session expired or the request could not be verified. Please try again.",
+					email: undefined,
+					csrfToken
+				} );
+			} catch {
+				return res.status( 403 ).json( { error: "invalid_csrf_token" } );
+			}
+		}
+		return next();
+	} );
+}
+
 // Very minimal in-memory user store
 const USERS = new Map<
 	string,
@@ -225,8 +378,10 @@ function validateInteractionUid( uid: string | string[] ): { success: true; data
 	return { success: true, data: result.data };
 }
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-const configuration: any = {
+// `oidc-provider` does not ship a complete public Configuration type, so we
+// type our config object structurally. The provider validates the shape at
+// runtime; we only need TypeScript to keep the values we set well-typed.
+const configuration = {
 	clients: SANITIZED_CLIENTS,
 	// Use custom JWKS if provided, otherwise oidc-provider generates ephemeral keys
 	...( JWKS ? { jwks: JWKS } : {} ),
@@ -245,8 +400,7 @@ const configuration: any = {
 		IdToken: 60 * 60,              // 1 hour
 		RefreshToken: 14 * 24 * 60 * 60 // 14 days
 	},
-	// eslint-disable-next-line @typescript-eslint/no-explicit-any
-	issueRefreshToken: async ( _ctx: unknown, client: any, code: any ) => {
+	issueRefreshToken: async ( _ctx: unknown, client: OIDCClient, code: OIDCAuthorizationCode ) => {
 		// Issue refresh token if client supports refresh_token grant and either:
 		// - offline_access scope is requested (standard behavior), or
 		// - client has force_refresh_token flag set in .env.clients.json
@@ -367,8 +521,7 @@ const configuration: any = {
 		};
 	},
 	interactions: {
-		// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		url: ( _ctx: unknown, interaction: any ) => `/interaction/${ interaction.uid }`
+		url: ( _ctx: unknown, interaction: { uid: string } ) => `/interaction/${ interaction.uid }`
 	}
 };
 
@@ -472,12 +625,15 @@ async function main() {
 				session: details.session
 			}, "GET /interaction/:uid - Interaction details loaded" );
 
+			const csrfToken = generateCsrfToken( req, res );
+
 			res.render( "interaction", {
 				uid,
 				prompt,
 				scopes: requestedScopes,
 				error: undefined,
-				email: undefined
+				email: undefined,
+				csrfToken
 			} );
 		} catch ( error ) {
 			logError( logger, error, { context: "GET /interaction/:uid" } );
@@ -501,6 +657,8 @@ async function main() {
 	app.post(
 		"/interaction/:uid/login",
 		express.urlencoded( { extended: false } ),
+		loginRateLimiter,
+		csrfProtection,
 		async ( req: Request, res: Response ) => {
 			try {
 				// Validate interaction UID path parameter
@@ -523,12 +681,14 @@ async function main() {
 						.filter( Boolean );
 
 					// Re-render login form with validation error
+					const csrfToken = generateCsrfToken( req, res );
 					return res.render( "interaction", {
 						uid,
 						prompt: "login",
 						scopes: requestedScopes,
 						error: "Invalid email or password format.",
-						email: String( req.body?.email || "" ).slice( 0, 254 )  // Preserve truncated email
+						email: String( req.body?.email || "" ).slice( 0, 254 ),  // Preserve truncated email
+						csrfToken
 					} );
 				}
 
@@ -552,12 +712,14 @@ async function main() {
 						.filter( Boolean );
 
 					// Re-render login form with error message
+					const csrfToken = generateCsrfToken( req, res );
 					return res.render( "interaction", {
 						uid,
 						prompt: "login",
 						scopes: requestedScopes,
 						error: "Invalid email or password. Please try again.",
-						email  // Preserve the email field
+						email,  // Preserve the email field
+						csrfToken
 					} );
 				}
 
@@ -633,6 +795,7 @@ async function main() {
 	app.post(
 		"/interaction/:uid/confirm",
 		express.urlencoded( { extended: false } ),
+		csrfProtection,
 		async ( req: Request, res: Response ) => {
 			try {
 				// Validate interaction UID path parameter
@@ -750,6 +913,7 @@ async function main() {
 	app.post(
 		"/interaction/:uid/cancel",
 		express.urlencoded( { extended: false } ),
+		csrfProtection,
 		async ( req: Request, res: Response ) => {
 			// Validate interaction UID path parameter
 			const uidResult = validateInteractionUid( req.params.uid );
@@ -814,15 +978,38 @@ async function main() {
 			}, "GET /auth - Authorization request received" );
 		}
 
-		// Intercept response to log token response
-		const originalSend = res.send.bind( res );
-		const originalEnd = res.end.bind( res );
+		// Intercept response to log token response. Use Response['send']/['end']
+		// directly so the wrappers preserve Express's overloaded signatures.
+		const originalSend = res.send.bind( res ) as Response[ "send" ];
+		const originalEnd = res.end.bind( res ) as Response[ "end" ];
+
+		interface TokenResponseBody {
+			access_token?: string;
+			id_token?: string;
+			refresh_token?: string;
+			token_type?: string;
+			expires_in?: number;
+			scope?: string;
+		}
+
+		const parseTokenBody = ( value: unknown ): TokenResponseBody | null => {
+			if ( typeof value === "string" ) {
+				try {
+					return JSON.parse( value ) as TokenResponseBody;
+				} catch {
+					return null;
+				}
+			}
+			if ( value && typeof value === "object" ) {
+				return value as TokenResponseBody;
+			}
+			return null;
+		};
 
-		// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		res.send = function ( body: any ) {
+		res.send = function ( body: unknown ) {
 			if ( req.path === "/token" && req.method === "POST" ) {
-				try {
-					const parsed = typeof body === "string" ? JSON.parse( body ) : body;
+				const parsed = parseTokenBody( body );
+				if ( parsed ) {
 					logger.debug( {
 						path: req.path,
 						accessTokenIssued: !!parsed.access_token,
@@ -832,48 +1019,46 @@ async function main() {
 						expiresIn: parsed.expires_in,
 						scope: parsed.scope
 					}, "POST /token - Token response sent (via send)" );
-				} catch {
+				} else {
 					logger.debug( { path: req.path }, "POST /token - Response sent (could not parse)" );
 				}
 			}
 			return originalSend( body );
-		};
+		} as Response[ "send" ];
 
-		// eslint-disable-next-line @typescript-eslint/no-explicit-any
-		res.end = function ( chunk?: any, ...args: any[] ) {
+		res.end = function ( chunk?: unknown, ...args: unknown[] ) {
 			if ( req.path === "/token" && req.method === "POST" && chunk ) {
-				try {
-					const parsed = typeof chunk === "string" ? JSON.parse( chunk ) : chunk;
-					if ( parsed.access_token ) {
-						// Count dots to determine JWT format (should have 2 dots = 3 parts)
-						const accessTokenParts = parsed.access_token ? parsed.access_token.split( "." ).length : 0;
-						const idTokenParts = parsed.id_token ? parsed.id_token.split( "." ).length : 0;
-						const refreshTokenParts = parsed.refresh_token ? parsed.refresh_token.split( "." ).length : 0;
-
-						logger.debug( {
-							path: req.path,
-							accessTokenIssued: !!parsed.access_token,
-							accessTokenLength: parsed.access_token ? parsed.access_token.length : 0,
-							accessTokenParts,
-							accessTokenPrefix: parsed.access_token ? parsed.access_token.substring( 0, 20 ) : "",
-							idTokenIssued: !!parsed.id_token,
-							idTokenLength: parsed.id_token ? parsed.id_token.length : 0,
-							idTokenParts,
-							refreshTokenIssued: !!parsed.refresh_token,
-							refreshTokenLength: parsed.refresh_token ? parsed.refresh_token.length : 0,
-							refreshTokenParts,
-							refreshTokenPrefix: parsed.refresh_token ? parsed.refresh_token.substring( 0, 20 ) : "",
-							tokenType: parsed.token_type,
-							expiresIn: parsed.expires_in,
-							scope: parsed.scope
-						}, "POST /token - Token response sent (via end)" );
-					}
-				} catch {
-					// Ignore parsing errors
+				const parsed = parseTokenBody( chunk );
+				if ( parsed?.access_token ) {
+					// Count dots to determine JWT format (should have 2 dots = 3 parts)
+					const accessTokenParts = parsed.access_token.split( "." ).length;
+					const idTokenParts = parsed.id_token ? parsed.id_token.split( "." ).length : 0;
+					const refreshTokenParts = parsed.refresh_token ? parsed.refresh_token.split( "." ).length : 0;
+
+					logger.debug( {
+						path: req.path,
+						accessTokenIssued: !!parsed.access_token,
+						accessTokenLength: parsed.access_token.length,
+						accessTokenParts,
+						accessTokenPrefix: parsed.access_token.substring( 0, 20 ),
+						idTokenIssued: !!parsed.id_token,
+						idTokenLength: parsed.id_token ? parsed.id_token.length : 0,
+						idTokenParts,
+						refreshTokenIssued: !!parsed.refresh_token,
+						refreshTokenLength: parsed.refresh_token ? parsed.refresh_token.length : 0,
+						refreshTokenParts,
+						refreshTokenPrefix: parsed.refresh_token ? parsed.refresh_token.substring( 0, 20 ) : "",
+						tokenType: parsed.token_type,
+						expiresIn: parsed.expires_in,
+						scope: parsed.scope
+					}, "POST /token - Token response sent (via end)" );
 				}
 			}
-			return originalEnd( chunk, ...args );
-		};
+			// Express's `end` is heavily overloaded; we delegate to the original
+			// implementation via Reflect.apply so we don't have to enumerate
+			// every overload in our types.
+			return Reflect.apply( originalEnd, res, [ chunk, ...args ] );
+		} as Response[ "end" ];
 
 		next();
 	} );
diff --git a/apps/auth/src/oidc-provider.d.ts b/apps/auth/src/oidc-provider.d.ts
index ffee34c..1f2cfce 100644
--- a/apps/auth/src/oidc-provider.d.ts
+++ b/apps/auth/src/oidc-provider.d.ts
@@ -1 +1,77 @@
-declare module "oidc-provider";
+/**
+ * Minimal type declarations for `oidc-provider` v9.x.
+ *
+ * The upstream package does not currently ship its own types, and the
+ * community-maintained `@types/oidc-provider` only covers v8 APIs that no
+ * longer match what we use. We declare narrow shapes for just the pieces of
+ * the provider surface that this app actually touches so we can avoid
+ * `any` while keeping the declaration footprint small.
+ *
+ * Parameter names below are documentation-only (declarations have no body),
+ * so silence the unused-name lint that would otherwise fire on every method.
+ */
+/* eslint-disable no-unused-vars */
+declare module "oidc-provider" {
+	import type { IncomingMessage, ServerResponse } from "http";
+
+	export interface OIDCInteractionPrompt {
+		name: string;
+		details?: Record<string, unknown>;
+	}
+
+	export interface OIDCInteractionDetails {
+		uid: string;
+		prompt: OIDCInteractionPrompt;
+		params: Record<string, unknown>;
+		session?: { accountId?: string };
+		grantId?: string;
+	}
+
+	export interface OIDCInteractionResult {
+		login?: { accountId: string };
+		consent?: { grantId: string };
+	}
+
+	export interface OIDCGrantInstance {
+		addOIDCScope( scope: string ): void;
+		addOIDCClaims( claims: string[] ): void;
+		addResourceScope( resource: string, scope: string ): void;
+		save(): Promise<string>;
+	}
+
+	export interface OIDCGrantConstructor {
+		new ( props: { accountId: string; clientId: string } ): OIDCGrantInstance;
+		find( grantId: string ): Promise<OIDCGrantInstance>;
+	}
+
+	export interface OIDCClient {
+		clientId: string;
+		client_id?: string;
+		grantTypeAllowed( grantType: string ): boolean;
+	}
+
+	export interface OIDCAuthorizationCode {
+		scopes: Set<string>;
+	}
+
+	export class Provider {
+		constructor( issuer: string, configuration?: unknown );
+		proxy: boolean;
+		// `callback()` returns a Node.js style request handler that works both
+		// as Express middleware and when invoked directly with (req, res).
+		callback(): ( req: IncomingMessage, res: ServerResponse, next?: ( err?: unknown ) => void ) => void;
+		interactionDetails( req: IncomingMessage, res: ServerResponse ): Promise<OIDCInteractionDetails>;
+		interactionResult(
+			req: IncomingMessage,
+			res: ServerResponse,
+			result: OIDCInteractionResult,
+			options?: { mergeWithLastSubmission?: boolean }
+		): Promise<string>;
+		Grant: OIDCGrantConstructor;
+	}
+
+	export const errors: {
+		OIDCProviderError: ErrorConstructor;
+		[key: string]: ErrorConstructor;
+	};
+}
diff --git a/apps/auth/views/interaction.ejs b/apps/auth/views/interaction.ejs
index 9c73e0c..43ee48e 100644
--- a/apps/auth/views/interaction.ejs
+++ b/apps/auth/views/interaction.ejs
@@ -43,6 +43,7 @@
           <% } %>
 
             <form method="post" action="/interaction/<%= uid %>/login" class="space-y-6">
+              <input type="hidden" name="_csrf" value="<%= typeof csrfToken !== 'undefined' ? csrfToken : '' %>" />
               <div>
                 <label for="email" class="block text-sm font-medium text-plaid-dark-gray mb-2">
                   Email Address
@@ -67,6 +68,7 @@
               </button>
             </form>
 
+            <% if (!isProduction) { %>
             <div class="mt-4 text-xs text-plaid-gray text-center">
               <p><strong>Development credentials:</strong></p>
               <p class="mt-2">Authorized user:</p>
@@ -76,6 +78,7 @@
               <p>Email: blocked@example.test</p>
               <p>Password: passw0rd!</p>
             </div>
+            <% } %>
             <% } else { %>
               <div class="bg-plaid-mint-200 border border-plaid-mint-200 rounded-md p-4 mb-6">
                 <div class="flex">
@@ -109,6 +112,7 @@
               </div>
 
               <form method="post" action="/interaction/<%= uid %>/confirm">
+                <input type="hidden" name="_csrf" value="<%= typeof csrfToken !== 'undefined' ? csrfToken : '' %>" />
                 <button type="submit"
                   class="w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-plaid-black bg-plaid-credit-lime-400 hover:bg-plaid-gold-standard-400 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-plaid-mint-400 transition-colors">
                   Approve Access
@@ -116,6 +120,7 @@
               </form>
 
               <form method="post" action="/interaction/<%= uid %>/cancel" class="mt-3">
+                <input type="hidden" name="_csrf" value="<%= typeof csrfToken !== 'undefined' ? csrfToken : '' %>" />
                 <button type="submit"
                   class="w-full flex justify-center py-2 px-4 border border-plaid-blue-sky-200 rounded-md shadow-sm text-sm font-medium text-plaid-dark-gray bg-white hover:bg-plaid-light-gray focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-plaid-gray transition-colors">
                   Cancel
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 7e665f2..8224c92 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -140,6 +140,12 @@ importers:
       '@apps/shared':
         specifier: workspace:*
         version: link:../shared
+      cookie-parser:
+        specifier: ^1.4.7
+        version: 1.4.7
+      csrf-csrf:
+        specifier: ^4.0.3
+        version: 4.0.3
       dotenv:
         specifier: ^17.4.2
         version: 17.4.2
@@ -149,6 +155,9 @@ importers:
       express:
         specifier: ^5.2.1
         version: 5.2.1
+      express-rate-limit:
+        specifier: ^8.5.0
+        version: 8.5.0(express@5.2.1)
       oidc-provider:
         specifier: ^9.8.3
         version: 9.8.3
@@ -162,6 +171,9 @@ importers:
       '@tailwindcss/cli':
         specifier: ^4.2.4
         version: 4.2.4
+      '@types/cookie-parser':
+        specifier: ^1.4.10
+        version: 1.4.10(@types/express@5.0.6)
       '@types/ejs':
         specifier: ^3.1.5
         version: 3.1.5
@@ -870,6 +882,9 @@ packages:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
 
+  csrf-csrf@4.0.3:
+    resolution: {integrity: sha512-DaygOzelL4Qo1pHwI9LPyZL+X2456/OzpT596kNeZGiTSqKVDOk/9PPJ+FjzZacjMUEusOHw3WJKe1RW4iUhrw==}
+
   dateformat@4.6.3:
     resolution: {integrity: sha512-2P0p0pFGzHS5EMnhdxQi7aJN+iMheud0UhG4dlE1DLAlvL8JHjJJTX/CSm4JXwV0Ka5nGk3zC5mcb5bUQUxxMA==}
 
@@ -1023,6 +1038,12 @@ packages:
     resolution: {integrity: sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==}
     engines: {node: '>= 0.6'}
 
+  express-rate-limit@8.5.0:
+    resolution: {integrity: sha512-XKhFohWaSBdVJNTi5TaHziqnPkv04I9UQV6q1Wy7Ui6GGQZVW12ojDFwqer14EvCXxjvPG0CyWXx7cAXpALB4Q==}
+    engines: {node: '>= 16'}
+    peerDependencies:
+      express: '>= 4.11'
+
   express@5.2.1:
     resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==}
     engines: {node: '>= 18'}
@@ -1175,6 +1196,10 @@ packages:
   inherits@2.0.4:
     resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==}
 
+  ip-address@10.1.0:
+    resolution: {integrity: sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==}
+    engines: {node: '>= 12'}
+
   ipaddr.js@1.9.1:
     resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==}
     engines: {node: '>= 0.10'}
@@ -2280,6 +2305,10 @@ snapshots:
       shebang-command: 2.0.0
       which: 2.0.2
 
+  csrf-csrf@4.0.3:
+    dependencies:
+      http-errors: 2.0.1
+
   dateformat@4.6.3: {}
 
   debug@4.4.3:
@@ -2446,6 +2475,11 @@ snapshots:
 
   etag@1.8.1: {}
 
+  express-rate-limit@8.5.0(express@5.2.1):
+    dependencies:
+      express: 5.2.1
+      ip-address: 10.1.0
+
   express@5.2.1:
     dependencies:
       accepts: 2.0.0
@@ -2612,6 +2646,8 @@ snapshots:
 
   inherits@2.0.4: {}
 
+  ip-address@10.1.0: {}
+
   ipaddr.js@1.9.1: {}
 
   is-extglob@2.1.1: {}

From f8fc7544e64203b57bcadc905c37c02439f826a0 Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:14:26 -0400
Subject: [PATCH 5/9] fix(api): enforce ownership and standardize FDX errors in
 routes

Route handlers now derive the caller from req.user.sub and reject
account access where the caller does not own the account, fixing the
IDOR on every /accounts/:accountId, /contact, /statements,
/statements/:statementId, /transactions, /payment-networks, and
/asset-transfer-networks endpoint. The list endpoint is filtered to
the authenticated user.

Also:
- Wrap every async handler in asyncHandler so rejected promises
  propagate to Express's error middleware instead of falling through
  silently.
- Replace the ad-hoc { error, details } and mixed { code, error }
  shapes with the centralized FDX { code, message, debugMessage? }
  helpers so all routes return a consistent error contract.
- Type handlers as AuthenticatedRequest instead of bare Request.
---
 apps/api/src/routes/accounts.ts  | 356 +++++++++++++++----------------
 apps/api/src/routes/customers.ts |  44 ++--
 2 files changed, 186 insertions(+), 214 deletions(-)

diff --git a/apps/api/src/routes/accounts.ts b/apps/api/src/routes/accounts.ts
index 6972ee6..2cf8fbc 100644
--- a/apps/api/src/routes/accounts.ts
+++ b/apps/api/src/routes/accounts.ts
@@ -1,6 +1,14 @@
-import express, { Request, Response } from "express";
-import { getAccounts, getAccountById, getAccountContactById, getAccountStatements, getAccountStatementById, getAccountTransactions, getPaymentNetworks, getAssetTransferNetworks } from "../data/accountsRepository.js";
-import pino from "pino";
+import express, { Response } from "express";
+import {
+	getAccounts,
+	getAccountForCustomer,
+	getAccountContactById,
+	getAccountStatements,
+	getAccountStatementById,
+	getAccountTransactions,
+	getPaymentNetworks,
+	getAssetTransferNetworks
+} from "../data/accountsRepository.js";
 import {
 	paginationSchema,
 	dateRangePaginationSchema,
@@ -11,15 +19,12 @@ import {
 	type PaginationParams,
 	type DateRangePaginationParams
 } from "@apps/shared/validation";
+import { createLogger } from "@apps/shared";
+import { asyncHandler } from "../utils/asyncHandler.js";
+import { AuthenticatedRequest, getSubject } from "../utils/auth.js";
+import { FDXErrors } from "../utils/errors.js";
 
-const logger = pino( {
-	transport: {
-		target: "pino-pretty",
-		options: {
-			colorize: true
-		}
-	}
-} );
+const logger = createLogger( "api:accounts" );
 
 const router = express.Router();
 
@@ -72,158 +77,152 @@ function validateStatementId( statementId: string ): { success: true; data: stri
 	return { success: true, data: result.data };
 }
 
-// Shared helper to validate account existence and send appropriate HTTP responses
-// Returns the account object if found; otherwise handles the response and returns null
-async function verifyAccount( accountId: string, res: Response, notFoundCode = 701 ) {
-	try {
-		const account = await getAccountById( accountId );
-		if ( !account ) {
-			res.status( 404 ).json( { code: notFoundCode, error: "An account with the provided account ID could not be found" } );
-			return null;
-		}
-		return account;
-	} catch ( error ) {
-		logger.error( error, "Error validating account" );
-		res.status( 500 ).json( { error: "Internal server error" } );
+/**
+ * Resolve and authorize an account against the authenticated user.
+ *
+ * Returns the account when (a) the user is authenticated, (b) the account
+ * exists, and (c) the account is owned by the authenticated user. Otherwise
+ * writes the appropriate FDX error response and returns null. Treats
+ * not-owned identically to not-found (404) so we don't leak existence of
+ * other customers' accounts.
+ */
+async function resolveOwnedAccount(
+	req: AuthenticatedRequest<{ accountId: string }>,
+	res: Response,
+	accountId: string
+) {
+	const userId = getSubject( req );
+	if ( !userId ) {
+		res.status( 401 ).json( FDXErrors.insufficientScope( "Missing authenticated subject" ) );
 		return null;
 	}
+
+	const account = await getAccountForCustomer( accountId, userId );
+	if ( !account ) {
+		res.status( 404 ).json( FDXErrors.accountNotFound() );
+		return null;
+	}
+	return account;
 }
 
-// GET /accounts with pagination support
-router.get( "/accounts", async ( req: Request, res: Response ) => {
-	// Validate and extract pagination parameters with bounds checking
-	const { offset, limit } = validatePagination( req.query );
+// GET /accounts - lists accounts owned by the authenticated user only
+router.get(
+	"/accounts",
+	asyncHandler( async ( req: AuthenticatedRequest, res: Response ) => {
+		const userId = getSubject( req );
+		if ( !userId ) {
+			return res.status( 401 ).json( FDXErrors.insufficientScope( "Missing authenticated subject" ) );
+		}
+
+		const { offset, limit } = validatePagination( req.query );
 
-	try {
-		// Get accounts using the repository
-		const result = await getAccounts( offset, limit );
+		const result = await getAccounts( userId, offset, limit );
 
 		// Calculate pagination metadata
 		const hasMore = offset + limit < result.total;
 		const page = hasMore ? { nextOffset: String( offset + limit ) } : {};
 
-		// Construct response
-		const response = {
+		return res.json( {
 			page,
 			accounts: result.accounts
-		};
-
-		res.json( response );
-	} catch ( error ) {
-		logger.error( error, "Error retrieving accounts" );
-		res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+		} );
+	} )
+);
+
+router.get(
+	"/accounts/:accountId",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
+		}
+		const accountId = accountIdResult.data;
 
-router.get( "/accounts/:accountId", async ( req: Request<{ accountId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
+		const account = await resolveOwnedAccount( req, res, accountId );
+		if ( !account ) return;
 
-	try {
-		const account = await getAccountById( accountId );
+		return res.json( account );
+	} )
+);
 
-		if ( !account ) {
-			return res.status( 404 ).json( { code: 701, error: "An account with the provided account ID could not be found" } );
+router.get(
+	"/accounts/:accountId/contact",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
 		}
+		const accountId = accountIdResult.data;
 
-		res.json( account );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ) }, "Error retrieving account" );
-		res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
-
-router.get( "/accounts/:accountId/contact", async ( req: Request<{ accountId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
-
-	const account = await verifyAccount( accountId, res, 701 );
-	if ( !account ) return;
+		const account = await resolveOwnedAccount( req, res, accountId );
+		if ( !account ) return;
 
-	try {
 		const contact = await getAccountContactById( accountId );
-
 		if ( !contact ) {
-			return res.status( 404 ).json( { code: 601, error: "An account with the provided account ID could not be found" } );
+			return res.status( 404 ).json( FDXErrors.accountNotFound() );
 		}
 
-		res.json( contact );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ) }, "Error retrieving account contact" );
-		res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+		return res.json( contact );
+	} )
+);
 
 // GET /accounts/:accountId/statements with pagination support
-router.get( "/accounts/:accountId/statements", async ( req: Request<{ accountId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
+router.get(
+	"/accounts/:accountId/statements",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
+		}
+		const accountId = accountIdResult.data;
 
-	// Validate query parameters including date range and pagination
-	const queryResult = validateDateRangePagination( req.query );
-	if ( !queryResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: queryResult.error } );
-	}
-	const { offset, limit, startTime, endTime } = queryResult.data;
+		const queryResult = validateDateRangePagination( req.query );
+		if ( !queryResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( queryResult.error ) );
+		}
+		const { offset, limit, startTime, endTime } = queryResult.data;
 
-	const account = await verifyAccount( accountId, res, 701 );
-	if ( !account ) return;
+		const account = await resolveOwnedAccount( req, res, accountId );
+		if ( !account ) return;
 
-	try {
 		const result = await getAccountStatements( accountId, offset, limit, startTime || "", endTime || "" );
 
-		// Calculate pagination metadata
 		const hasMore = offset + limit < result.total;
 		const page = hasMore ? { nextOffset: String( offset + limit ) } : {};
 
-		// Construct response
-		const response = {
+		return res.json( {
 			page,
 			statements: result.statements
-		};
-
-		res.json( response );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ) }, "Error retrieving statements" );
-		res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+		} );
+	} )
+);
 
 // GET /accounts/:accountId/statements/:statementId - simulate returning a PDF
-router.get( "/accounts/:accountId/statements/:statementId", async ( req: Request<{ accountId: string; statementId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
+router.get(
+	"/accounts/:accountId/statements/:statementId",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string; statementId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
+		}
+		const accountId = accountIdResult.data;
 
-	// Validate statementId path parameter
-	const statementIdResult = validateStatementId( req.params.statementId );
-	if ( !statementIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: statementIdResult.error } );
-	}
-	const statementId = statementIdResult.data;
+		const statementIdResult = validateStatementId( req.params.statementId );
+		if ( !statementIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( statementIdResult.error ) );
+		}
+		const statementId = statementIdResult.data;
 
-	try {
-		const account = await verifyAccount( accountId, res, 701 );
+		const account = await resolveOwnedAccount( req, res, accountId );
 		if ( !account ) return;
 
 		const statement = await getAccountStatementById( accountId, statementId );
 		if ( !statement ) {
-			return res.status( 404 ).json( { code: 601, error: "Statement not found for the provided accountId/statementId" } );
+			logger.debug( {
+				accountId: sanitizeForLogging( accountId ),
+				statementId: sanitizeForLogging( statementId )
+			}, "Statement not found for account" );
+			return res.status( 404 ).json( FDXErrors.statementNotFound() );
 		}
 
 		// Minimal valid PDF bytes: %PDF-1.4 ... %%EOF
@@ -234,32 +233,28 @@ router.get( "/accounts/:accountId/statements/:statementId", async ( req: Request
 		res.setHeader( "Content-Disposition", `inline; filename=statement-${ statementId }.pdf` );
 		res.setHeader( "Content-Length", buffer.length.toString() );
 		return res.status( 200 ).send( buffer );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ), statementId: sanitizeForLogging( statementId ) }, "Error retrieving statement PDF" );
-		return res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+	} )
+);
 
 // GET /accounts/:accountId/transactions with pagination support
-router.get( "/accounts/:accountId/transactions", async ( req: Request<{ accountId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
+router.get(
+	"/accounts/:accountId/transactions",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
+		}
+		const accountId = accountIdResult.data;
 
-	// Validate query parameters including date range and pagination
-	const queryResult = validateDateRangePagination( req.query );
-	if ( !queryResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: queryResult.error } );
-	}
-	const { offset, limit, startTime, endTime } = queryResult.data;
+		const queryResult = validateDateRangePagination( req.query );
+		if ( !queryResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( queryResult.error ) );
+		}
+		const { offset, limit, startTime, endTime } = queryResult.data;
 
-	const account = await verifyAccount( accountId, res, 701 );
-	if ( !account ) return;
+		const account = await resolveOwnedAccount( req, res, accountId );
+		if ( !account ) return;
 
-	try {
 		const result = await getAccountTransactions( accountId, offset, limit, startTime || "", endTime || "" );
 		const hasMore = offset + limit < result.total;
 		const page = hasMore ? { nextOffset: String( offset + limit ) } : {};
@@ -267,64 +262,50 @@ router.get( "/accounts/:accountId/transactions", async ( req: Request<{ accountI
 			page,
 			transactions: result.transactions
 		} );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ) }, "Error retrieving transactions" );
-		return res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+	} )
+);
 
 // GET /accounts/:accountId/payment-networks with pagination support
-router.get( "/accounts/:accountId/payment-networks", async ( req: Request<{ accountId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
+router.get(
+	"/accounts/:accountId/payment-networks",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
+		}
+		const accountId = accountIdResult.data;
 
-	// Validate pagination parameters with bounds checking
-	const { offset, limit } = validatePagination( req.query );
+		const { offset, limit } = validatePagination( req.query );
 
-	const account = await verifyAccount( accountId, res, 701 );
-	if ( !account ) return;
+		const account = await resolveOwnedAccount( req, res, accountId );
+		if ( !account ) return;
 
-	try {
-		// Get accounts using the repository
 		const result = await getPaymentNetworks( accountId, offset, limit );
-
-		// Calculate pagination metadata
 		const hasMore = offset + limit < result.total;
 		const page = hasMore ? { nextOffset: String( offset + limit ) } : {};
 
-		// Construct response
-		const response = {
+		return res.json( {
 			page,
 			paymentNetworks: result.paymentNetworks
-		};
-
-		res.json( response );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ) }, "Error retrieving payment networks" );
-		res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+		} );
+	} )
+);
 
 // GET /accounts/:accountId/asset-transfer-networks with pagination support
-router.get( "/accounts/:accountId/asset-transfer-networks", async ( req: Request<{ accountId: string }>, res: Response ) => {
-	// Validate accountId path parameter
-	const accountIdResult = validateAccountId( req.params.accountId );
-	if ( !accountIdResult.success ) {
-		return res.status( 400 ).json( { error: "Validation failed", details: accountIdResult.error } );
-	}
-	const accountId = accountIdResult.data;
+router.get(
+	"/accounts/:accountId/asset-transfer-networks",
+	asyncHandler( async ( req: AuthenticatedRequest<{ accountId: string }>, res: Response ) => {
+		const accountIdResult = validateAccountId( req.params.accountId );
+		if ( !accountIdResult.success ) {
+			return res.status( 400 ).json( FDXErrors.validationFailed( accountIdResult.error ) );
+		}
+		const accountId = accountIdResult.data;
 
-	// Validate pagination parameters with bounds checking
-	const { offset, limit } = validatePagination( req.query );
+		const { offset, limit } = validatePagination( req.query );
 
-	const account = await verifyAccount( accountId, res, 701 );
-	if ( !account ) return;
+		const account = await resolveOwnedAccount( req, res, accountId );
+		if ( !account ) return;
 
-	try {
 		const result = await getAssetTransferNetworks( accountId, offset, limit );
 		const hasMore = offset + limit < result.total;
 		const page = hasMore ? { nextOffset: String( offset + limit ) } : {};
@@ -332,10 +313,7 @@ router.get( "/accounts/:accountId/asset-transfer-networks", async ( req: Request
 			page,
 			assetTransferNetworks: result.assetTransferNetworks
 		} );
-	} catch {
-		logger.error( { accountId: sanitizeForLogging( accountId ) }, "Error retrieving asset transfer networks" );
-		return res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+	} )
+);
 
 export default router;
diff --git a/apps/api/src/routes/customers.ts b/apps/api/src/routes/customers.ts
index 177e7be..e469b91 100644
--- a/apps/api/src/routes/customers.ts
+++ b/apps/api/src/routes/customers.ts
@@ -1,37 +1,31 @@
-import express, { Request, Response } from "express";
+import express, { Response } from "express";
 import { getCurrentCustomer } from "../data/customersRepository.js";
-import pino from "pino";
+import { asyncHandler } from "../utils/asyncHandler.js";
+import { AuthenticatedRequest, getSubject } from "../utils/auth.js";
+import { FDXErrors } from "../utils/errors.js";
+import { createLogger } from "@apps/shared";
 
-const logger = pino( {
-	transport: {
-		target: "pino-pretty",
-		options: {
-			colorize: true
-		}
-	}
-} );
+const logger = createLogger( "api:customers" );
 
 const router = express.Router();
 
 // Get current customer
-router.get( "/customers/current", async ( req: Request, res: Response ) => {
-	try {
-		// Get current customer using the repository
-		const customer = await getCurrentCustomer();
+router.get(
+	"/customers/current",
+	asyncHandler( async ( req: AuthenticatedRequest, res: Response ) => {
+		const userId = getSubject( req );
+		if ( !userId ) {
+			logger.warn( "GET /customers/current - missing authenticated subject" );
+			return res.status( 401 ).json( FDXErrors.insufficientScope( "Missing authenticated subject" ) );
+		}
 
-		//HTTP status and error code are not always the same, check the API documentation for specifics
+		const customer = await getCurrentCustomer( userId );
 		if ( !customer ) {
-			return res.status( 404 ).json( {
-				code: 601,
-				message: "A customer with the provided customer ID could not be found"
-			} );
+			return res.status( 404 ).json( FDXErrors.customerNotFound() );
 		}
 
-		res.json( customer );
-	} catch ( error ) {
-		logger.error( error, "Error retrieving current customer" );
-		res.status( 500 ).json( { error: "Internal server error" } );
-	}
-} );
+		return res.json( customer );
+	} )
+);
 
 export default router;

From efdfd84daad0fa9cee675a8a792e911159311053 Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:14:36 -0400
Subject: [PATCH 6/9] chore(api): wire scope-enforcement middleware in API
 entrypoint

Apply requireScope("accounts:read") in front of the accounts router
so the JWT's scope claim is checked once, centrally, before any
account/data route runs. /customers/current is left without the
extra scope guard because resolving the authenticated user only
needs the openid scope (already implicit in any authenticated
session).

Also small cleanups:
- Pull AuthenticatedRequest in from utils/auth so the JWT middleware
  uses the canonical type and Express Request is augmented globally.
- Rewrite the 404 handler to return the FDX error shape.
- Add the missing NextFunction parameter to the global error handler
  so Express recognizes its 4-arg signature.
---
 apps/api/src/index.ts | 36 +++++++++++++++---------------------
 1 file changed, 15 insertions(+), 21 deletions(-)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 50793f9..a1bee4a 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -1,6 +1,6 @@
 import "dotenv/config";
 import express, { Request, Response, NextFunction } from "express";
-import { createRemoteJWKSet, jwtVerify, JWTPayload } from "jose";
+import { createRemoteJWKSet, jwtVerify } from "jose";
 import { webcrypto } from "crypto";
 
 // Polyfill for crypto global in Node.js
@@ -20,11 +20,8 @@ import {
 	createApiSecurityHeaders,
 	setupBasicExpress
 } from "@apps/shared";
-
-// Extend Request interface to include user payload
-interface AuthenticatedRequest extends Request {
-	user?: JWTPayload;
-}
+import { AuthenticatedRequest, requireScope } from "./utils/auth.js";
+import { FDXErrors } from "./utils/errors.js";
 
 // Create logger for API service
 const logger = createLogger( "api" );
@@ -119,26 +116,23 @@ app.get( "/public/health", ( _req: Request, res: Response ) =>
 );
 
 // Routes
+//
+// `/customers/current` is mounted without an `accounts:read` scope check
+// because resolving the authenticated user's identity only requires the
+// `openid` scope (already implicit in any authenticated session). All
+// account/data routes require `accounts:read`.
 app.use( "/api/fdx/v6", customersRouter );
-app.use( "/api/fdx/v6", accountsRouter );
-
-// app.get( "/accounts", ( req: Request, res: Response ) => {
-// 	const scope = String( ( req as any ).user?.scope || "" ).split( " " );
-// 	if ( !scope.includes( "accounts:read" ) )
-// 		return res.status( 403 ).json( { error: "insufficient_scope" } );
-// 	return res.json( [ { id: "acc_123", name: "Primary Checking" } ] );
-// } );
+app.use( "/api/fdx/v6", requireScope( "accounts:read" ), accountsRouter );
 
 // 404 route handler for undefined routes
-app.use( ( req, res ) => {
-	res.status( 404 ).json( {
-		error: "not_found",
-		message: "Requested resource not found"
-	} );
+app.use( ( _req: Request, res: Response ) => {
+	res.status( 404 ).json( FDXErrors.accountNotFound( "Requested resource not found" ) );
 } );
 
-// Global error handler
-app.use( ( error: unknown, req: Request, res: Response ) => {
+// Global error handler. The 4-arg signature is required for Express to treat
+// this as an error-handling middleware.
+// eslint-disable-next-line @typescript-eslint/no-unused-vars, no-unused-vars
+app.use( ( error: unknown, req: Request, res: Response, _next: NextFunction ) => {
 	logError( logger, error, { path: req.path, method: req.method } );
 	const sanitized = sanitizeError( error );
 	const statusCode = typeof error === "object" && error !== null && "statusCode" in error

From c64a9ea6cec17f1e818c7279e6863503b5064a9c Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Tue, 5 May 2026 11:16:04 -0400
Subject: [PATCH 7/9] fix(app): P0/P1 security fixes and add auto-refresh on
 expired tokens

P0 fixes:
* Sign httpOnly cookies (`signed: true`) and read tokens via
  `req.signedCookies`. Cookie-parser was already initialized with
  COOKIE_SECRET; the cookies just weren't being signed.
* Mask access/refresh/id tokens to first/last 4 chars on /debug/tokens
  and gate the route behind `NODE_ENV !== 'production'`. Decoded payload
  is still shown for development debugging.
* Harden the JWKS link in the token inspector: pass an absolute, validated
  URL from the route handler instead of rendering `process.env.OP_ISSUER`
  directly into an `href`. Add `rel="noopener noreferrer"`.

P1 fixes:
* Generate an OIDC `nonce` in /login, persist it alongside state and PKCE
  verifier in the signed `oidc` cookie, and validate it via
  `expectedNonce` on `authorizationCodeGrant` in /callback.
* Replace the local-only logout TODO with proper RP-initiated logout:
  redirect to the auth server's `end_session_endpoint` with
  `id_token_hint`, `client_id`, `state`, and `post_logout_redirect_uri`.
  Local cookies are still cleared up front so the local session is gone
  even if the auth server is unreachable.

Auto-refresh feature:
* New `getValidAccessToken(req, res)` helper:
  - reads tokens from the signed cookie,
  - decodes the access token (`exp` claim) with a 30s clock-skew buffer,
  - if expired, calls openid-client's `refreshTokenGrant` with the
    resource indicator,
  - atomically writes the new token set back to the signed cookie before
    returning the new access token.
* /api-call uses the helper proactively, then falls back to one
  refresh-and-retry when the API returns 401 despite a non-expired token
  (covers clock skew, server-side revocation, etc.).

Verified by:
* `pnpm --filter @apps/app build` and `npx eslint apps/app` both pass.
* Standalone test script for the expiry detection logic confirms
  fresh / stale / within-skew / malformed / no-exp tokens all classify
  correctly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 apps/app/src/index.ts           | 339 +++++++++++++++++++++++++-------
 apps/app/views/debug-tokens.ejs |  13 +-
 apps/app/views/token.ejs        |   2 +-
 3 files changed, 273 insertions(+), 81 deletions(-)

diff --git a/apps/app/src/index.ts b/apps/app/src/index.ts
index 813411f..7d92fd1 100644
--- a/apps/app/src/index.ts
+++ b/apps/app/src/index.ts
@@ -36,6 +36,7 @@ const logger = createLogger( "app" );
 interface OidcState {
 	state: string;
 	code_verifier: string;
+	nonce: string;
 }
 
 interface TokenSet {
@@ -48,8 +49,21 @@ interface CookieRequest extends Request {
 	cookies: {
 		[key: string]: string;
 	};
+	signedCookies: {
+		[key: string]: string;
+	};
 }
 
+const IS_PRODUCTION = process.env.NODE_ENV === "production";
+
+const SIGNED_COOKIE_OPTIONS = {
+	httpOnly: true,
+	sameSite: "lax",
+	secure: true,
+	signed: true,
+	path: "/"
+} as const;
+
 // Environment configuration
 
 const HOST = getRequiredEnv( "APP_HOST" );
@@ -61,6 +75,18 @@ const REDIRECT_URI = getRequiredEnv( "REDIRECT_URI" );
 const API_BASE_URL = getRequiredEnv( "API_BASE_URL" );
 const API_AUDIENCE = getRequiredEnv( "API_AUDIENCE" );
 const COOKIE_SECRET = getRequiredEnv( "COOKIE_SECRET" );
+const POST_LOGOUT_REDIRECT_URI = process.env.POST_LOGOUT_REDIRECT_URI || HOST;
+
+// Validate ISSUER_URL is an absolute URL — used to build links in views.
+// Throwing here fails fast on misconfiguration rather than rendering an
+// attacker-controlled string into an attribute later.
+const ISSUER_URL_OBJ = ( () => {
+	const url = new URL( ISSUER_URL );
+	if ( url.protocol !== "https:" && url.protocol !== "http:" ) {
+		throw new Error( `OP_ISSUER must be an http(s) URL, got: ${ url.protocol }` );
+	}
+	return url;
+} )();
 
 const app = express();
 setupBasicExpress( app );
@@ -101,22 +127,139 @@ function parseTokensCookie( cookieValue: string | undefined ): TokenSet | null {
  * Returns empty object if parsing fails.
  */
 function parseOidcCookie( cookieValue: string | undefined ): OidcState {
-	if ( !cookieValue ) return {} as OidcState;
+	if ( !cookieValue ) return { state: "", code_verifier: "", nonce: "" };
 
 	try {
 		const parsed = JSON.parse( cookieValue );
 		// Basic validation for expected fields
 		if ( typeof parsed !== "object" || parsed === null ) {
-			return {} as OidcState;
+			return { state: "", code_verifier: "", nonce: "" };
 		}
 		return {
 			state: typeof parsed.state === "string" ? parsed.state : "",
-			code_verifier: typeof parsed.code_verifier === "string" ? parsed.code_verifier : ""
+			code_verifier: typeof parsed.code_verifier === "string" ? parsed.code_verifier : "",
+			nonce: typeof parsed.nonce === "string" ? parsed.nonce : ""
 		};
 	} catch {
 		logger.warn( "Invalid OIDC state cookie format" );
-		return {} as OidcState;
+		return { state: "", code_verifier: "", nonce: "" };
+	}
+}
+
+/**
+ * Mask a token for display, showing only the first and last 4 characters.
+ */
+function maskToken( token: string | undefined ): string {
+	if ( !token ) return "";
+	if ( token.length <= 8 ) return "***";
+	return `${ token.slice( 0, 4 ) }…${ token.slice( -4 ) }`;
+}
+
+/**
+ * Decode a JWT without verifying its signature.
+ * Returns null if the token is malformed.
+ */
+function decodeJwtPayload( token: string ): Record<string, unknown> | null {
+	try {
+		const parts = token.split( "." );
+		if ( parts.length !== 3 ) return null;
+		return JSON.parse( Buffer.from( parts[1], "base64url" ).toString() );
+	} catch {
+		return null;
+	}
+}
+
+/**
+ * Determine whether an access token is expired (or close to expiring).
+ * Uses a 30 second clock-skew buffer.
+ */
+function isAccessTokenExpired( accessToken: string ): boolean {
+	const payload = decodeJwtPayload( accessToken );
+	if ( !payload || typeof payload.exp !== "number" ) {
+		// If we cannot read the expiry, treat the token as expired and force a refresh.
+		return true;
+	}
+	const nowSec = Math.floor( Date.now() / 1000 );
+	const skewSec = 30;
+	return payload.exp <= ( nowSec + skewSec );
+}
+
+/**
+ * Persist the token set in a signed, httpOnly cookie. Always read existing
+ * tokens via this helper's counterpart `parseTokensCookie( req.signedCookies )`.
+ */
+function writeTokensCookie( res: Response, tokens: TokenSet ): void {
+	res.cookie( "tokens", JSON.stringify( {
+		access_token: tokens.access_token,
+		refresh_token: tokens.refresh_token,
+		id_token: tokens.id_token
+	} ), SIGNED_COOKIE_OPTIONS );
+}
+
+/**
+ * Force a token refresh against the authorization server using the refresh
+ * token from the signed cookie. Persists the new token set back into the
+ * signed cookie and returns the new access token (or `null` when no refresh
+ * token is available).
+ */
+async function refreshTokensAndPersist( req: Request, res: Response ): Promise<string | null> {
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
+	if ( !tokens?.refresh_token ) return null;
+
+	const cfg = await ensureConfig();
+	const refreshed = await client.refreshTokenGrant( cfg, tokens.refresh_token, {
+		resource: API_AUDIENCE
+	} );
+
+	const nextTokens: TokenSet = {
+		access_token: refreshed.access_token,
+		refresh_token: refreshed.refresh_token || tokens.refresh_token,
+		id_token: refreshed.id_token || tokens.id_token
+	};
+
+	writeTokensCookie( res, nextTokens );
+
+	logger.info( {
+		rotated: !!refreshed.refresh_token,
+		expiresIn: refreshed.expiresIn?.()
+	}, "Tokens refreshed and persisted" );
+
+	return nextTokens.access_token;
+}
+
+/**
+ * Returns a valid (non-expired) access token, refreshing it when needed.
+ *
+ * 1. Reads tokens from the signed cookie.
+ * 2. Checks `exp` on the access token (jose decode + 30s skew buffer).
+ * 3. If expired and a refresh token is available, calls the auth server's
+ *    token endpoint via openid-client's refresh helper.
+ * 4. Atomically writes the new tokens back to the signed cookie before
+ *    returning the access token to the caller.
+ *
+ * Throws when no tokens are present or when refresh fails — callers are
+ * expected to map those errors onto an HTTP 401 / re-login flow.
+ */
+async function getValidAccessToken( req: Request, res: Response ): Promise<string> {
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
+	if ( !tokens?.access_token ) {
+		throw new Error( "No access token in cookie" );
 	}
+
+	if ( !isAccessTokenExpired( tokens.access_token ) ) {
+		return tokens.access_token;
+	}
+
+	if ( !tokens.refresh_token ) {
+		throw new Error( "Access token expired and no refresh token available" );
+	}
+
+	logger.debug( "Access token expired — attempting refresh" );
+	const newAccessToken = await refreshTokensAndPersist( req, res );
+	if ( !newAccessToken ) {
+		throw new Error( "Refresh did not return a new access token" );
+	}
+	return newAccessToken;
 }
 
 async function delay( ms: number ) {
@@ -167,7 +310,7 @@ async function ensureConfig(): Promise<client.Configuration> {
 // Discovery is performed lazily on demand by routes via ensureConfig()
 
 app.get( "/", async ( req: Request, res: Response ) => {
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 	res.render( "index", { tokens } );
 } );
 
@@ -178,13 +321,9 @@ app.get( "/login", async ( _req: Request, res: Response ) => {
 	const state = client.randomState();
 	const code_verifier = client.randomPKCECodeVerifier();
 	const code_challenge = await client.calculatePKCECodeChallenge( code_verifier );
+	const nonce = client.randomNonce();
 
-	res.cookie( "oidc", JSON.stringify( { state, code_verifier } ), {
-		httpOnly: true,
-		sameSite: "lax",
-		secure: true,
-		path: "/"
-	} );
+	res.cookie( "oidc", JSON.stringify( { state, code_verifier, nonce } ), SIGNED_COOKIE_OPTIONS );
 
 	// RFC 8707 - Resource Indicators for OAuth 2.0
 	// The 'resource' parameter specifies the target API (audience) for the access token
@@ -195,6 +334,7 @@ app.get( "/login", async ( _req: Request, res: Response ) => {
 		state,
 		code_challenge,
 		code_challenge_method: "S256",
+		nonce,
 		prompt: "login consent",
 		resource: API_AUDIENCE  // Resource indicator - must be absolute URI without fragment
 	} );
@@ -208,8 +348,8 @@ app.get( "/callback", async ( req: Request, res: Response ) => {
 		// Force HTTPS protocol since we're behind a proxy
 		const currentUrl = new URL( req.originalUrl, `https://${ req.get( "host" ) }` );
 
-		// Safely parse OIDC state cookie
-		const cookieVal = parseOidcCookie( ( req as CookieRequest ).cookies["oidc"] );
+		// Safely parse OIDC state cookie (signed)
+		const cookieVal = parseOidcCookie( ( req as CookieRequest ).signedCookies["oidc"] );
 
 		logger.debug( { currentUrl: currentUrl.href }, "Callback - Current URL" );
 		logger.debug( { redirectUri: REDIRECT_URI }, "Callback - Expected Redirect URI" );
@@ -226,7 +366,7 @@ app.get( "/callback", async ( req: Request, res: Response ) => {
 			logger.info( { error: sanitizeForLogging( error ), errorDescription: sanitizeForLogging( rawErrorDescription ) }, "Callback - OAuth error received" );
 
 			// Clear the OIDC state cookie
-			res.clearCookie( "oidc" );
+			res.clearCookie( "oidc", { path: "/" } );
 
 			return res.status( 400 ).send( `
 				<!DOCTYPE html>
@@ -264,6 +404,9 @@ app.get( "/callback", async ( req: Request, res: Response ) => {
 		if ( !cookieVal.state ) {
 			throw new Error( "Missing state in cookie" );
 		}
+		if ( !cookieVal.nonce ) {
+			throw new Error( "Missing nonce in cookie" );
+		}
 
 		const authCode = currentUrl.searchParams.get( "code" );
 		const receivedState = currentUrl.searchParams.get( "state" );
@@ -311,23 +454,22 @@ app.get( "/callback", async ( req: Request, res: Response ) => {
 			currentUrl,
 			{
 				pkceCodeVerifier: cookieVal.code_verifier,
-				expectedState: cookieVal.state
+				expectedState: cookieVal.state,
+				expectedNonce: cookieVal.nonce  // Validates `nonce` claim in the ID Token
 			},
 			{
 				resource: API_AUDIENCE  // Resource indicator for token exchange (RFC 8707)
 			}
 		);
 
-		// Persist minimal tokens in an httpOnly cookie (for demo only).
-		res.cookie(
-			"tokens",
-			JSON.stringify( {
-				access_token: tokenSet.access_token,
-				refresh_token: tokenSet.refresh_token,
-				id_token: tokenSet.id_token
-			} ),
-			{ httpOnly: true, sameSite: "lax", secure: true, path: "/" }
-		);
+		// Persist minimal tokens in a signed, httpOnly cookie (for demo only).
+		writeTokensCookie( res, {
+			access_token: tokenSet.access_token,
+			refresh_token: tokenSet.refresh_token,
+			id_token: tokenSet.id_token
+		} );
+		// One-shot OIDC state cookie is no longer needed once the code is exchanged.
+		res.clearCookie( "oidc", { path: "/" } );
 		res.redirect( "/api-explorer" );
 	} catch ( error ) {
 		logError( logger, error, { context: "OAuth callback" } );
@@ -338,7 +480,7 @@ app.get( "/callback", async ( req: Request, res: Response ) => {
 
 // Refresh token endpoint - manually trigger a token refresh
 app.post( "/refresh", async ( req: Request, res: Response ) => {
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 
 	logger.debug( {
 		hasTokens: !!tokens,
@@ -351,7 +493,7 @@ app.post( "/refresh", async ( req: Request, res: Response ) => {
 	}
 
 	try {
-		await ensureConfig();
+		const cfg = await ensureConfig();
 
 		logger.debug( {
 			refreshTokenPrefix: tokens.refresh_token.substring( 0, 10 ),
@@ -360,7 +502,7 @@ app.post( "/refresh", async ( req: Request, res: Response ) => {
 
 		// Use refreshTokenGrant to exchange refresh token for new tokens
 		// The resource parameter must be included here too for the same reasons as above
-		const tokenSet = await client.refreshTokenGrant( config!, tokens.refresh_token, {
+		const tokenSet = await client.refreshTokenGrant( cfg, tokens.refresh_token, {
 			resource: API_AUDIENCE  // Resource indicator for refresh token exchange (RFC 8707)
 		} );
 
@@ -370,16 +512,12 @@ app.post( "/refresh", async ( req: Request, res: Response ) => {
 			newIdTokenIssued: !!tokenSet.id_token
 		}, "POST /refresh - Refresh successful" );
 
-		// Update tokens in cookie
-		res.cookie(
-			"tokens",
-			JSON.stringify( {
-				access_token: tokenSet.access_token,
-				refresh_token: tokenSet.refresh_token || tokens.refresh_token, // Keep old refresh token if no new one
-				id_token: tokenSet.id_token || tokens.id_token // Keep old ID token if no new one
-			} ),
-			{ httpOnly: true, sameSite: "lax", secure: true, path: "/" }
-		);
+		// Update tokens in the signed cookie
+		writeTokensCookie( res, {
+			access_token: tokenSet.access_token,
+			refresh_token: tokenSet.refresh_token || tokens.refresh_token, // Keep old refresh token if no new one
+			id_token: tokenSet.id_token || tokens.id_token // Keep old ID token if no new one
+		} );
 
 		res.json( {
 			success: true,
@@ -400,7 +538,7 @@ app.post( "/refresh", async ( req: Request, res: Response ) => {
 } );
 
 app.get( "/token", async ( req: Request, res: Response ) => {
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 	if ( !tokens?.access_token || !tokens?.id_token ) return res.redirect( "/login" );
 
 	try {
@@ -504,13 +642,18 @@ app.get( "/token", async ( req: Request, res: Response ) => {
 			annotatedPayload[key] = { value: decodedPayload[key], comment };
 		} );
 
+		// Build a validated absolute JWKS URL up front so the view never has to
+		// touch process.env / unvalidated strings inside an `href` attribute.
+		const jwksUrl = new URL( "/.well-known/jwks.json", ISSUER_URL_OBJ ).href;
+
 		// Render token inspector view with decoded token data
 		return res.render( "token", {
 			tokens,
 			rawToken: tokens.id_token,
 			header: annotatedHeader,
 			payload: annotatedPayload,
-			signature
+			signature,
+			jwksUrl
 		} );
 	} catch ( error ) {
 		logError( logger, error, { context: "ID token verification" } );
@@ -522,14 +665,14 @@ app.get( "/token", async ( req: Request, res: Response ) => {
 } );
 
 app.get( "/api-explorer", async ( req: Request, res: Response ) => {
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 	if ( !tokens?.access_token ) return res.redirect( "/login" );
 
 	res.render( "api-explorer", { tokens } );
 } );
 
 app.post( "/api-call", express.json(), async ( req: Request, res: Response ) => {
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 	if ( !tokens?.access_token ) return res.status( 401 ).json( { error: "No access token" } );
 
 	// Validate API call request against allow-list of endpoints and methods
@@ -548,18 +691,44 @@ app.post( "/api-call", express.json(), async ( req: Request, res: Response ) =>
 
 	const { endpoint, method } = validationResult.data;
 
+	// Strip fragment but preserve query string for pagination/filtering
+	const sanitizedEndpoint = endpoint.split( "#" )[0];
+	const upstreamUrl = `${ API_BASE_URL }${ sanitizedEndpoint }`;
+
+	const callApi = async ( accessToken: string ) => fetch( upstreamUrl, {
+		method,
+		headers: {
+			Authorization: `Bearer ${ accessToken }`,
+			"Content-Type": "application/json"
+		}
+	} );
+
 	try {
-		const accessToken = tokens.access_token as string;
-		// Strip fragment but preserve query string for pagination/filtering
-		const sanitizedEndpoint = endpoint.split( "#" )[0];
-
-		const apiResponse = await fetch( `${ API_BASE_URL }${ sanitizedEndpoint }`, {
-			method,
-			headers: {
-				Authorization: `Bearer ${ accessToken }`,
-				"Content-Type": "application/json"
+		// Auto-refresh on expired access tokens (proactive: based on `exp`).
+		let accessToken: string;
+		try {
+			accessToken = await getValidAccessToken( req, res );
+		} catch ( refreshErr ) {
+			logError( logger, refreshErr, { context: "Pre-call token refresh" } );
+			return res.status( 401 ).json( { error: "Session expired — please log in again" } );
+		}
+
+		let apiResponse = await callApi( accessToken );
+
+		// Reactive fallback: the access token looked valid but the API rejected
+		// it (e.g. server clock skew, revoked grant). Try one refresh-and-retry.
+		if ( apiResponse.status === 401 ) {
+			logger.info( "API returned 401 — attempting one refresh-and-retry" );
+			try {
+				const refreshedToken = await refreshTokensAndPersist( req, res );
+				if ( refreshedToken ) {
+					apiResponse = await callApi( refreshedToken );
+				}
+			} catch ( retryErr ) {
+				logError( logger, retryErr, { context: "401 refresh-and-retry" } );
+				// Fall through with the original 401 response
 			}
-		} );
+		}
 
 		const contentType = apiResponse.headers.get( "content-type" );
 		let responseData;
@@ -587,38 +756,44 @@ app.post( "/api-call", express.json(), async ( req: Request, res: Response ) =>
 } );
 
 app.get( "/debug/tokens", async ( req: Request, res: Response ) => {
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	// Gate behind non-production environments — raw tokens (even masked) are
+	// debug-only data and should never be reachable in production.
+	if ( IS_PRODUCTION ) {
+		logger.warn( "GET /debug/tokens - blocked in production" );
+		return res.status( 404 ).send( "Not Found" );
+	}
+
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 
 	if ( !tokens?.access_token ) {
 		return res.redirect( "/login" );
 	}
 
-	// Decode JWT tokens to show payload
-	const decodeJwt = ( token: string ) => {
-		try {
-			const parts = token.split( "." );
-			if ( parts.length !== 3 ) return null;
-			const payload = JSON.parse( Buffer.from( parts[1], "base64url" ).toString() );
-			return payload;
-		} catch {
-			return null;
-		}
-	};
+	const accessTokenPayload = tokens.access_token ? decodeJwtPayload( tokens.access_token ) : null;
+	const idTokenPayload = tokens.id_token ? decodeJwtPayload( tokens.id_token ) : null;
 
-	const accessTokenPayload = tokens.access_token ? decodeJwt( tokens.access_token ) : null;
-	const idTokenPayload = tokens.id_token ? decodeJwt( tokens.id_token ) : null;
+	// Mask raw token strings so the rendered HTML never contains the actual
+	// access/refresh/id tokens. Decoded payloads are still shown — those are
+	// not credentials on their own.
+	const maskedTokens = {
+		access_token: maskToken( tokens.access_token ),
+		refresh_token: tokens.refresh_token ? maskToken( tokens.refresh_token ) : undefined,
+		id_token: tokens.id_token ? maskToken( tokens.id_token ) : undefined
+	};
 
 	return res.render( "debug-tokens", {
-		tokens,
+		tokens: maskedTokens,
 		accessTokenPayload,
-		idTokenPayload
+		idTokenPayload,
+		// Pass through to the navigation partial so "Authenticated" badge stays correct
+		hasTokens: true
 	} );
 } );
 
 app.get( "/logout", async ( req: Request, res: Response ) => {
 	logger.info( "Logout route called" );
 	const config = await ensureConfig();
-	const tokens = parseTokensCookie( ( req as CookieRequest ).cookies["tokens"] );
+	const tokens = parseTokensCookie( ( req as CookieRequest ).signedCookies["tokens"] );
 
 	logger.debug( { tokensPresent: !!tokens }, "Logout - tokens present" );
 	logger.debug( { idTokenPresent: !!tokens?.id_token }, "Logout - id_token present" );
@@ -630,17 +805,29 @@ app.get( "/logout", async ( req: Request, res: Response ) => {
 		has_end_session: !!serverMetadata.end_session_endpoint
 	}, "Logout - server metadata" );
 
-	// Clear local cookies first
+	// Clear local cookies up front. Even if the RP-initiated logout below
+	// fails, the local session is already gone.
 	res.clearCookie( "tokens", { path: "/" } );
 	res.clearCookie( "oidc", { path: "/" } );
 
-	// For now, skip OIDC logout and just do local logout
-	// The complex OIDC logout flow is having issues with the authorization server
-	// TODO: Fix OIDC logout flow later
-	logger.info( "Logout - performing local logout only" );
+	// RP-initiated logout per OIDC spec:
+	//   <end_session_endpoint>?id_token_hint=…&post_logout_redirect_uri=…&state=…
+	// The auth server clears its session and redirects back to our app, where
+	// `post_logout_redirect_uri` should be a registered URI on the client.
+	const endSessionEndpoint = serverMetadata.end_session_endpoint;
+	if ( endSessionEndpoint && tokens?.id_token ) {
+		const endSessionUrl = new URL( endSessionEndpoint );
+		endSessionUrl.searchParams.set( "id_token_hint", tokens.id_token );
+		endSessionUrl.searchParams.set( "post_logout_redirect_uri", POST_LOGOUT_REDIRECT_URI );
+		endSessionUrl.searchParams.set( "client_id", CLIENT_ID );
+		endSessionUrl.searchParams.set( "state", client.randomState() );
+		logger.info( { endSession: endSessionUrl.origin + endSessionUrl.pathname }, "Logout - redirecting to end_session_endpoint" );
+		return res.redirect( endSessionUrl.href );
+	}
 
-	logger.info( "Logout - falling back to local redirect" );
-	// Fallback to local redirect if no proper logout endpoint
+	// Fallback: no end_session_endpoint (auth server doesn't support RP-initiated logout)
+	// or no id_token to use as a hint. Local logout is the best we can do.
+	logger.info( "Logout - end_session_endpoint or id_token missing, performing local logout only" );
 	res.redirect( "/" );
 } );
 
diff --git a/apps/app/views/debug-tokens.ejs b/apps/app/views/debug-tokens.ejs
index 5596213..527c2a5 100644
--- a/apps/app/views/debug-tokens.ejs
+++ b/apps/app/views/debug-tokens.ejs
@@ -17,13 +17,18 @@
   <div class="max-w-6xl mx-auto px-4 py-8">
     <div class="mb-8">
       <h1 class="text-3xl font-bold text-plaid-black">Token Debug</h1>
-      <p class="text-plaid-dark-gray mt-2">View raw and decoded tokens for debugging</p>
+      <p class="text-plaid-dark-gray mt-2">View masked and decoded tokens for debugging</p>
+      <div class="mt-4 bg-plaid-mint-200 border-l-4 border-plaid-mint-600 p-4 rounded">
+        <p class="text-sm text-plaid-mint-700">
+          <strong>Note:</strong> Tokens are masked (first/last 4 characters only). Full token values are never sent to the browser. This page is disabled in production.
+        </p>
+      </div>
     </div>
 
     <!-- Access Token -->
     <div class="bg-white rounded-lg shadow-sm border border-plaid-blue-sky-200 p-6 mb-6">
       <div class="flex items-center justify-between mb-4">
-        <h2 class="text-lg font-semibold text-plaid-black">Access Token (Raw)</h2>
+        <h2 class="text-lg font-semibold text-plaid-black">Access Token (Masked)</h2>
         <button onclick="copyToClipboard('access-token-raw', this)" class="copy-button" style="float: none;">
           <svg class="w-4 h-4 inline-block mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
             <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
@@ -62,7 +67,7 @@
     <% if (tokens.id_token) { %>
     <div class="bg-white rounded-lg shadow-sm border border-plaid-blue-sky-200 p-6 mb-6">
       <div class="flex items-center justify-between mb-4">
-        <h2 class="text-lg font-semibold text-plaid-black">ID Token (Raw)</h2>
+        <h2 class="text-lg font-semibold text-plaid-black">ID Token (Masked)</h2>
         <button onclick="copyToClipboard('id-token-raw', this)" class="copy-button" style="float: none;">
           <svg class="w-4 h-4 inline-block mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
             <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
@@ -114,7 +119,7 @@
       </div>
       <div class="code-block token-raw" id="refresh-token"><%= tokens.refresh_token %></div>
       <p class="text-sm text-plaid-gray mt-3">
-        Refresh tokens are opaque and cannot be decoded. They are used to obtain new access tokens.
+        Refresh tokens are opaque and cannot be decoded. They are used to obtain new access tokens. (Masked)
       </p>
     </div>
     <% } %>
diff --git a/apps/app/views/token.ejs b/apps/app/views/token.ejs
index e4a87c3..9639a7c 100644
--- a/apps/app/views/token.ejs
+++ b/apps/app/views/token.ejs
@@ -194,7 +194,7 @@
                   <li>The Authorization Server uses its <strong>private key</strong> (from JWKS) to sign the token</li>
                   <li>The signature is created from the header and payload using the RS256 algorithm</li>
                   <li>Anyone can verify the signature using the <strong>public key</strong> from
-                    <a href="<%= process.env.OP_ISSUER %>/.well-known/jwks.json" target="_blank" class="underline hover:text-plaid-mint-700">
+                    <a href="<%= jwksUrl %>" target="_blank" rel="noopener noreferrer" class="underline hover:text-plaid-mint-700">
                       /.well-known/jwks.json
                     </a>
                   </li>

From f9b83d52304a286c853ec84456ad9d18160c2d74 Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Wed, 6 May 2026 15:44:24 -0400
Subject: [PATCH 8/9] chore: regenerate build artifacts after tailwind bump

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/tsconfig.tsbuildinfo | 2 +-
 apps/app/public/styles.css    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/api/tsconfig.tsbuildinfo b/apps/api/tsconfig.tsbuildinfo
index 26021a1..067cb86 100644
--- a/apps/api/tsconfig.tsbuildinfo
+++ b/apps/api/tsconfig.tsbuildinfo
@@ -1 +1 @@
-{"root":["./src/index.ts","./src/data/accounts.ts","./src/data/accountsrepository.ts","./src/data/customers.ts","./src/data/customersrepository.ts","./src/routes/accounts.ts","./src/routes/customers.ts","./src/utils/validation.ts"],"version":"6.0.2"}
\ No newline at end of file
+{"root":["./src/index.ts","./src/data/accounts.ts","./src/data/accountsrepository.ts","./src/data/customers.ts","./src/data/customersrepository.ts","./src/routes/accounts.ts","./src/routes/customers.ts","./src/utils/asynchandler.ts","./src/utils/auth.ts","./src/utils/errors.ts","./src/utils/validation.ts"],"version":"6.0.3"}
\ No newline at end of file
diff --git a/apps/app/public/styles.css b/apps/app/public/styles.css
index 2ff68ab..e6dfb23 100644
--- a/apps/app/public/styles.css
+++ b/apps/app/public/styles.css
@@ -1,4 +1,4 @@
-/*! tailwindcss v4.2.2 | MIT License | https://tailwindcss.com */
+/*! tailwindcss v4.2.4 | MIT License | https://tailwindcss.com */
 @layer properties;
 @layer theme, base, components, utilities;
 @layer theme {

From 6bc0f3591694cca6315dd2f37a0ea9afc9d63bfe Mon Sep 17 00:00:00 2001
From: David Neal <dneal@plaid.com>
Date: Wed, 6 May 2026 15:45:56 -0400
Subject: [PATCH 9/9] 1.1.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 65b17b5..8af9029 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "core-exchange-node-example",
   "private": true,
-  "version": "1.0.1",
+  "version": "1.1.0",
   "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
   "type": "module",
   "author": "David Neal <dneal@plaid.com> (https://reverentgeek.com)",