feat: Refresh Token for improved Session Security (#927)

* feat(api): refresh token logic

* feat(client): refresh token logic

* feat(data-provider): refresh token logic

* fix: SSE uses esm

* chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token

* chore: update scripts to more compatible bun methods, ran bun install again

* chore: update env.example and playwright workflow with JWT_REFRESH_SECRET

* chore: update breaking changes docs

* chore: add timeout to url visit

* chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions

* fix(e2e): refresh automatically in development environment to pass e2e tests

api/models/Session.js

@@ -0,0 +1,59 @@
+const mongoose = require('mongoose');
+const crypto = require('crypto');
+const jwt = require('jsonwebtoken');
+const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
+const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;
+
+const sessionSchema = mongoose.Schema({
+  refreshTokenHash: {
+    type: String,
+    required: true,
+  },
+  expiration: {
+    type: Date,
+    required: true,
+    expires: 0,
+  },
+  user: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+    required: true,
+  },
+});
+
+sessionSchema.methods.generateRefreshToken = async function () {
+  try {
+    let expiresIn;
+    if (this.expiration) {
+      expiresIn = this.expiration.getTime();
+    } else {
+      expiresIn = Date.now() + expires;
+      this.expiration = new Date(expiresIn);
+    }
+
+    const refreshToken = jwt.sign(
+      {
+        id: this.user,
+      },
+      process.env.JWT_REFRESH_SECRET,
+      { expiresIn: Math.floor((expiresIn - Date.now()) / 1000) },
+    );
+
+    const hash = crypto.createHash('sha256');
+    this.refreshTokenHash = hash.update(refreshToken).digest('hex');
+
+    await this.save();
+
+    return refreshToken;
+  } catch (error) {
+    console.error(
+      'Error generating refresh token. Have you set a JWT_REFRESH_SECRET in the .env file?\n\n',
+      error,
+    );
+    throw error;
+  }
+};
+
+const Session = mongoose.model('Session', sessionSchema);
+
+module.exports = Session;

api/models/User.js

@@ -4,20 +4,14 @@ const jwt = require('jsonwebtoken');
 const Joi = require('joi');
 const DebugControl = require('../utils/debug.js');
 const userSchema = require('./schema/userSchema.js');
+const { SESSION_EXPIRY } = process.env ?? {};
+const expires = eval(SESSION_EXPIRY) ?? 1000 * 60 * 15;
 
 function log({ title, parameters }) {
   DebugControl.log.functionName(title);
   DebugControl.log.parameters(parameters);
 }
 
-//Remove refreshToken from the response
-userSchema.set('toJSON', {
-  transform: function (_doc, ret) {
-    delete ret.refreshToken;
-    return ret;
-  },
-});
-
 userSchema.methods.toJSON = function () {
   return {
     id: this._id,
@@ -43,25 +37,11 @@ userSchema.methods.generateToken = function () {
       email: this.email,
     },
     process.env.JWT_SECRET,
-    { expiresIn: eval(process.env.SESSION_EXPIRY) },
+    { expiresIn: expires / 1000 },
   );
   return token;
 };
 
-userSchema.methods.generateRefreshToken = function () {
-  const refreshToken = jwt.sign(
-    {
-      id: this._id,
-      username: this.username,
-      provider: this.provider,
-      email: this.email,
-    },
-    process.env.JWT_REFRESH_SECRET,
-    { expiresIn: eval(process.env.REFRESH_TOKEN_EXPIRY) },
-  );
-  return refreshToken;
-};
-
 userSchema.methods.comparePassword = function (candidatePassword, callback) {
   bcrypt.compare(candidatePassword, this.password, (err, isMatch) => {
     if (err) {