🔒 fix: update refresh token handling to use plain token instead of hashed token (#5088)

* 🔒 fix: update refresh token handling to use plain token instead of hashed token * 🔒 fix: simplify logoutUser by using plain refresh token for session lookup
2025-09-22 08:12:00 +02:00 · 2024-12-23 18:38:16 +01:00 · 2024-12-23 18:38:16 +01:00 · d6f1ecf75c
commit d6f1ecf75c
parent 04923dd185
2 changed files with 4 additions and 11 deletions
--- a/api/server/controllers/AuthController.js
+++ b/api/server/controllers/AuthController.js
@ -7,7 +7,6 @@ const {
  requestPasswordReset,
 } = require('~/server/services/AuthService');
 const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
-const { hashToken } = require('~/server/utils/crypto');
 const { logger } = require('~/config');

 const registrationController = async (req, res) => {
@ -74,11 +73,9 @@ const refreshController = async (req, res) => {
      return res.status(200).send({ token, user });
    }

-    // Hash the refresh token
-    const hashedToken = await hashToken(refreshToken);
-
    // Find the session with the hashed refresh token
-    const session = await findSession({ userId: userId, refreshToken: hashedToken });
+    const session = await findSession({ userId: userId, refreshToken: refreshToken });
+
    if (session && session.expiration > new Date()) {
      const token = await setAuthTokens(userId, res, session._id);
      res.status(200).send({ token, user });