Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-17 17:00:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

🔒 fix: update refresh token handling to use plain token instead of hashed token (#5088)

Browse source 
* 🔒 fix: update refresh token handling to use plain token instead of hashed token

* 🔒 fix: simplify logoutUser by using plain refresh token for session lookup
This commit is contained in:
Marco Beretta 2024-12-23 18:38:16 +01:00 committed by GitHub
parent 04923dd185
commit d6f1ecf75c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 4 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

7
api/server/controllers/AuthController.js
View file

@ -7,7 +7,6 @@ const {
requestPasswordReset, requestPasswordReset,
} = require('~/server/services/AuthService'); } = require('~/server/services/AuthService');
const { findSession, getUserById, deleteAllUserSessions } = require('~/models'); const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
const { hashToken } = require('~/server/utils/crypto');
const { logger } = require('~/config'); const { logger } = require('~/config');
const registrationController = async (req, res) => { const registrationController = async (req, res) => {
@ -74,11 +73,9 @@ const refreshController = async (req, res) => {
return res.status(200).send({ token, user }); return res.status(200).send({ token, user });
} }
// Hash the refresh token
const hashedToken = await hashToken(refreshToken);
// Find the session with the hashed refresh token // Find the session with the hashed refresh token
const session = await findSession({ userId: userId, refreshToken: hashedToken }); const session = await findSession({ userId: userId, refreshToken: refreshToken });
if (session && session.expiration > new Date()) { if (session && session.expiration > new Date()) {
const token = await setAuthTokens(userId, res, session._id); const token = await setAuthTokens(userId, res, session._id);
res.status(200).send({ token, user }); res.status(200).send({ token, user });

8
api/server/services/AuthService.js
View file

@ -22,7 +22,6 @@ const {
const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils'); const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
const { isEmailDomainAllowed } = require('~/server/services/domains'); const { isEmailDomainAllowed } = require('~/server/services/domains');
const { registerSchema } = require('~/strategies/validators'); const { registerSchema } = require('~/strategies/validators');
const { hashToken } = require('~/server/utils/crypto');
const { logger } = require('~/config'); const { logger } = require('~/config');
const domains = { const domains = {
@ -42,10 +41,7 @@ const genericVerificationMessage = 'Please check your email to verify your email
*/ */
const logoutUser = async (userId, refreshToken) => { const logoutUser = async (userId, refreshToken) => {
try { try {
const hash = await hashToken(refreshToken); const session = await findSession({ userId: userId, refreshToken: refreshToken });
// Find the session with the matching user and refreshTokenHash
const session = await findSession({ userId: userId, refreshToken: hash });
if (session) { if (session) {
try { try {
@ -343,7 +339,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
let refreshTokenExpires; let refreshTokenExpires;
if (sessionId) { if (sessionId) {
session = await findSession({ sessionId: sessionId }); session = await findSession({ sessionId: sessionId }, { lean: false });
refreshTokenExpires = session.expiration.getTime(); refreshTokenExpires = session.expiration.getTime();
refreshToken = await generateRefreshToken(session); refreshToken = await generateRefreshToken(session);
} else { } else {