feat: Refresh Token for improved Session Security (#927)

* feat(api): refresh token logic * feat(client): refresh token logic * feat(data-provider): refresh token logic * fix: SSE uses esm * chore: add default refresh token expiry to AuthService, add message about env var not set when generating a token * chore: update scripts to more compatible bun methods, ran bun install again * chore: update env.example and playwright workflow with JWT_REFRESH_SECRET * chore: update breaking changes docs * chore: add timeout to url visit * chore: add default SESSION_EXPIRY in generateToken logic, add act script for testing github actions * fix(e2e): refresh automatically in development environment to pass e2e tests
2025-09-22 08:12:00 +02:00 · 2023-09-11 13:10:46 -04:00 · 2023-09-11 13:10:46 -04:00 · 33f087d38f
commit 33f087d38f
parent 75be9a3279
31 changed files with 420 additions and 232 deletions
--- a/api/server/controllers/AuthController.js
+++ b/api/server/controllers/AuthController.js
@ -1,19 +1,27 @@
-const { registerUser, requestPasswordReset, resetPassword } = require('../services/AuthService');
-
-const isProduction = process.env.NODE_ENV === 'production';
+const {
+  registerUser,
+  requestPasswordReset,
+  resetPassword,
+  setAuthTokens,
+} = require('../services/AuthService');
+const jwt = require('jsonwebtoken');
+const Session = require('../../models/Session');
+const User = require('../../models/User');
+const crypto = require('crypto');
+const cookies = require('cookie');

 const registrationController = async (req, res) => {
  try {
    const response = await registerUser(req.body);
    if (response.status === 200) {
      const { status, user } = response;
-      const token = user.generateToken();
-      //send token for automatic login
-      res.cookie('token', token, {
-        expires: new Date(Date.now() + eval(process.env.SESSION_EXPIRY)),
-        httpOnly: false,
-        secure: isProduction,
-      });
+      let newUser = await User.findOne({ _id: user._id });
+      if (!newUser) {
+        newUser = new User(user);
+        await newUser.save();
+      }
+      const token = await setAuthTokens(user._id, res);
+      res.setHeader('Authorization', `Bearer ${token}`);
      res.status(status).send({ user });
    } else {
      const { status, message } = response;
@ -61,59 +69,47 @@ const resetPasswordController = async (req, res) => {
  }
 };

-// const refreshController = async (req, res, next) => {
-//   const { signedCookies = {} } = req;
-//   const { refreshToken } = signedCookies;
-//   TODO
-//   if (refreshToken) {
-//     try {
-//       const payload = jwt.verify(refreshToken, process.env.REFRESH_TOKEN_SECRET);
-//       const userId = payload._id;
-//       User.findOne({ _id: userId }).then(
-//         (user) => {
-//           if (user) {
-//             // Find the refresh token against the user record in database
-//             const tokenIndex = user.refreshToken.findIndex(item => item.refreshToken === refreshToken);
+const refreshController = async (req, res) => {
+  const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
+  if (!refreshToken) {
+    return res.status(200).send('Refresh token not provided');
+  }

-//             if (tokenIndex === -1) {
-//               res.statusCode = 401;
-//               res.send('Unauthorized');
-//             } else {
-//               const token = req.user.generateToken();
-//               // If the refresh token exists, then create new one and replace it.
-//               const newRefreshToken = req.user.generateRefreshToken();
-//               user.refreshToken[tokenIndex] = { refreshToken: newRefreshToken };
-//               user.save((err) => {
-//                 if (err) {
-//                   res.statusCode = 500;
-//                   res.send(err);
-//                 } else {
-//                 //  setTokenCookie(res, newRefreshToken);
-//                   const user = req.user.toJSON();
-//                   res.status(200).send({ token, user });
-//                 }
-//               });
-//             }
-//           } else {
-//             res.statusCode = 401;
-//             res.send('Unauthorized');
-//           }
-//         },
-//         err => next(err)
-//       );
-//     } catch (err) {
-//       res.statusCode = 401;
-//       res.send('Unauthorized');
-//     }
-//   } else {
-//     res.statusCode = 401;
-//     res.send('Unauthorized');
-//   }
-// };
+  try {
+    const payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
+    const userId = payload.id;
+    const user = await User.findOne({ _id: userId });
+    if (!user) {
+      return res.status(401).send('User not found');
+    }
+
+    if (process.env.NODE_ENV === 'development') {
+      const token = await setAuthTokens(userId, res);
+      const userObj = user.toJSON();
+      return res.status(200).send({ token, user: userObj });
+    }
+
+    // Hash the refresh token
+    const hash = crypto.createHash('sha256');
+    const hashedToken = hash.update(refreshToken).digest('hex');
+
+    // Find the session with the hashed refresh token
+    const session = await Session.findOne({ user: userId, refreshTokenHash: hashedToken });
+    if (session && session.expiration > new Date()) {
+      const token = await setAuthTokens(userId, res, session._id);
+      const userObj = user.toJSON();
+      res.status(200).send({ token, user: userObj });
+    } else {
+      res.status(401).send('Refresh token expired or not found for this user');
+    }
+  } catch (err) {
+    res.status(401).send('Invalid refresh token');
+  }
+};

 module.exports = {
  getUserController,
-  // refreshController,
+  refreshController,
  registrationController,
  resetPasswordRequestController,
  resetPasswordController,