feat: Refresh Token for improved Session Security (#927)

* feat(api): refresh token logic * feat(client): refresh token logic * feat(data-provider): refresh token logic * fix: SSE uses esm * chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token * chore: update scripts to more compatible bun methods, ran bun install again * chore: update env.example and playwright workflow with JWT_REFRESH_SECRET * chore: update breaking changes docs * chore: add timeout to url visit * chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions * fix(e2e): refresh automatically in development environment to pass e2e tests
2025-12-17 08:50:15 +01:00 · 2023-09-11 13:10:46 -04:00 · 2023-09-11 13:10:46 -04:00 · 33f087d38f
commit 33f087d38f
parent 75be9a3279
31 changed files with 420 additions and 232 deletions
--- a/api/models/Session.js
+++ b/api/models/Session.js
@ -0,0 +1,59 @@
+const mongoose = require('mongoose');
+const crypto = require('crypto');
+const jwt = require('jsonwebtoken');
+const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
+const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;
+
+const sessionSchema = mongoose.Schema({
+  refreshTokenHash: {
+    type: String,
+    required: true,
+  },
+  expiration: {
+    type: Date,
+    required: true,
+    expires: 0,
+  },
+  user: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+    required: true,
+  },
+});
+
+sessionSchema.methods.generateRefreshToken = async function () {
+  try {
+    let expiresIn;
+    if (this.expiration) {
+      expiresIn = this.expiration.getTime();
+    } else {
+      expiresIn = Date.now() + expires;
+      this.expiration = new Date(expiresIn);
+    }
+
+    const refreshToken = jwt.sign(
+      {
+        id: this.user,
+      },
+      process.env.JWT_REFRESH_SECRET,
+      { expiresIn: Math.floor((expiresIn - Date.now()) / 1000) },
+    );
+
+    const hash = crypto.createHash('sha256');
+    this.refreshTokenHash = hash.update(refreshToken).digest('hex');
+
+    await this.save();
+
+    return refreshToken;
+  } catch (error) {
+    console.error(
+      'Error generating refresh token. Have you set a JWT_REFRESH_SECRET in the .env file?\n\n',
+      error,
+    );
+    throw error;
+  }
+};
+
+const Session = mongoose.model('Session', sessionSchema);
+
+module.exports = Session;